graph TB
classDef action fill:#99ccff
classDef operator fill:#ff9900
classDef condition fill:#99ff99
classDef builtin fill:#cccccc
attack_action__2a8b2d9c_c1cb_44e8_9c18_e146fdb28c3b["Action - T1566.001
Spearphishing Attachment: -
Malicious Microsoft Excel file is
attached to a phishing email. -
Confidence Very Probable"]
class attack_action__2a8b2d9c_c1cb_44e8_9c18_e146fdb28c3b action
attack_asset__14a9c069_abae_41d2_8615_8ca20ba0ca68["Attack Asset - Name: User
of Patient Zero workstation -
Description: The user compromised
by the spearphishing email. -
Extensions: {'extension-
definition--
fb9c968a-745b-4ade-9b25-c324172197f4':
{'extension_type': 'new-sdo'}}"]
class attack_asset__14a9c069_abae_41d2_8615_8ca20ba0ca68 builtin
attack_action__803b8f27_1c9b_4d83_b155_b443b69672f8["Action - T1204.002 Malicious
File: - User of the Patient Zero
Workstation clicks on malicious Excel
file, compromising the workstation. -
Confidence Very Probable"]
class attack_action__803b8f27_1c9b_4d83_b155_b443b69672f8 action
attack_action__08dfcf4a_96c4_487e_8531_3ddd7fbb6e70["Action - T1558.003
Kerberoasting: - Actors use
Kerberos attacks to attempt to get the
Admin hash to conduct brute force
attacks. - Confidence Very
Probable"]
class attack_action__08dfcf4a_96c4_487e_8531_3ddd7fbb6e70 action
attack_action__4c0e9ba3_e5ad_4215_8b41_6636f9ec90b2["Action - Lateral Movement:
- Lateral movement to 1 statutory and 6
voluntary hospitals - Confidence
Very Probable"]
class attack_action__4c0e9ba3_e5ad_4215_8b41_6636f9ec90b2 action
attack_action__fda03654_388a_45e1_b3c5_36a0593aec6d["Action - T1486 Data Encrypted
for Impact: - Threat actors encrypt
sensitive data by detonating Conti
ransomware. - Confidence Very
Probable"]
class attack_action__fda03654_388a_45e1_b3c5_36a0593aec6d action
attack_asset__6c3bf979_882d_49ad_8cb5_43a59f42d32e["Attack Asset - Name:
Exfiltrated Data - Description:
Data exfiltrated by threat actor. -
Extensions: {'extension-
definition--
fb9c968a-745b-4ade-9b25-c324172197f4':
{'extension_type': 'new-sdo'}}"]
class attack_asset__6c3bf979_882d_49ad_8cb5_43a59f42d32e builtin
attack_action__8956f5e4_bfaf_4709_83fa_309275967a30["Action - Exfiltration: -
Threat actors often use the open-source
Rclone command line program for data
exfiltration. -
Confidence Very Probable"]
class attack_action__8956f5e4_bfaf_4709_83fa_309275967a30 action
attack_asset__bce29a7e_123b_4e98_a7ae_f3590236d856["Attack Asset - Name:
Encrypted Data - Description:
Data encrypted by Conti ransomware. -
Extensions: {'extension-
definition--
fb9c968a-745b-4ade-9b25-c324172197f4':
{'extension_type': 'new-sdo'}}"]
class attack_asset__bce29a7e_123b_4e98_a7ae_f3590236d856 builtin
attack_condition__f8f14cd5_8cb3_41eb_a7de_d13c92afd312["Condition: User of Patient Zero
workstation is compromised"]
class attack_condition__f8f14cd5_8cb3_41eb_a7de_d13c92afd312 condition
attack_condition__a32b0dae_0b41_472b_9c23_fd234955beca["Condition: Patient Zero
workstation is compromised"]
class attack_condition__a32b0dae_0b41_472b_9c23_fd234955beca condition
attack_action__57dca417_5fce_4cb6_9392_c23d24ba8c83["Action - T1608.006 Fake
Software: - Fake software promoted
via search engine optimization -
Confidence Very Probable"]
class attack_action__57dca417_5fce_4cb6_9392_c23d24ba8c83 action
attack_action__0cf0c85b_c2e5_4dfd_9a92_547357784bd1["Action - T1598.004 Social
Engineering: - Actors may get user
information via phone calls -
Confidence Very Probable"]
class attack_action__0cf0c85b_c2e5_4dfd_9a92_547357784bd1 action
attack_action__e51a777f_14ba_4aac_8e6d_d95b93389173["Action - T1566.002
Spearphishing Link: - Malicious
Microsoft Excel file is attached to a
phishing email. - Confidence Very
Probable"]
class attack_action__e51a777f_14ba_4aac_8e6d_d95b93389173 action
attack_operator__7686e85f_53e7_4e22_b799_cd068137d4c8(("OR"))
class attack_operator__7686e85f_53e7_4e22_b799_cd068137d4c8 operator
attack_asset__12823850_2efb_44c5_be26_ac34703683b8["Attack Asset - Name:
Microsoft Office document -
Description: The document is a
downloader-dropper. Examples include
Cobalt Strike, IcedID, and TrickBot. -
Extensions: {'extension-
definition--
fb9c968a-745b-4ade-9b25-c324172197f4':
{'extension_type': 'new-sdo'}}"]
class attack_asset__12823850_2efb_44c5_be26_ac34703683b8 builtin
attack_action__8c673d05_35b9_4563_a19c_612225ba58f2["Action - T1078 Valid
Accounts: - User reveals
credentials - Confidence Very
Probable"]
class attack_action__8c673d05_35b9_4563_a19c_612225ba58f2 action
attack_asset__b25c46f7_e302_4bcc_a75f_7b97913dedeb["Attack Asset - Name: User
credentials - Description: User
credentials for a valid account -
Extensions: {'extension-
definition--
fb9c968a-745b-4ade-9b25-c324172197f4':
{'extension_type': 'new-sdo'}}"]
class attack_asset__b25c46f7_e302_4bcc_a75f_7b97913dedeb builtin
attack_action__7a4205e1_043e_4c6d_8a9f_89f9a3a8ec83["Action - T1076 Remote Desktop
Protocol: - Stolen or weak Remote
Desktop Protocol (RDP) credentials -
Confidence Very Probable"]
class attack_action__7a4205e1_043e_4c6d_8a9f_89f9a3a8ec83 action
attack_asset__ad245cbc_08a4_4a73_a0fd_cd49205b5721["Attack Asset - Name: RDP
account - Description:
Compromised RDP account -
Extensions: {'extension-
definition--
fb9c968a-745b-4ade-9b25-c324172197f4':
{'extension_type': 'new-sdo'}}"]
class attack_asset__ad245cbc_08a4_4a73_a0fd_cd49205b5721 builtin
attack_action__11575ef5_332b_4719_9283_ad0988becfef["Action - T1057 Process
Discovery: - Actors run a getuid
payload before using a more aggressive
payload to reduce the risk of triggering
antivirus engines. - Confidence
Very Probable"]
class attack_action__11575ef5_332b_4719_9283_ad0988becfef action
attack_action__e972b38b_5e0c_43f6_a578_f904dab23a64["Action - T1110 Brute
Force: - Use Router Scan, a
penetration testing tool, to maliciously
scan for and brute force [T1110]
routers, cameras, and network-attached
storage devices with web interfaces. -
Confidence Very Probable"]
class attack_action__e972b38b_5e0c_43f6_a578_f904dab23a64 action
attack_operator__ee2f9478_ca65_4b3c_9c77_77cd2a277a91(("OR"))
class attack_operator__ee2f9478_ca65_4b3c_9c77_77cd2a277a91 operator
attack_condition__060bac6c_30cd_4cef_93e2_04c1939f3fc2["Condition: HSE Server is
compromised"]
class attack_condition__060bac6c_30cd_4cef_93e2_04c1939f3fc2 condition
attack_operator__ad5f81ee_b495_4efb_b6f9_d62fe07cfe0b(("OR"))
class attack_operator__ad5f81ee_b495_4efb_b6f9_d62fe07cfe0b operator
attack_action__51d84486_8f49_40aa_a3ef_65ab544dff0f["Action - T1110 Brute
Force: - Actors get the Admin hash
to conduct brute force attacks. -
Confidence Very Probable"]
class attack_action__51d84486_8f49_40aa_a3ef_65ab544dff0f action
attack_action__2a78a7b6_4cf3_4a8e_9856_e34935a18dbd["Action - Persistence: -
Threat actors exploit legitimate
software to maintain persistence. -
Confidence Very Probable"]
class attack_action__2a78a7b6_4cf3_4a8e_9856_e34935a18dbd action
attack_asset__68bf90ee_2a96_48e3_8acc_cb3068e20db0["Attack Asset - Name:
Software - Description: Remote
desktop software or remote monitoring
and management software. -
Extensions: {'extension-
definition--
fb9c968a-745b-4ade-9b25-c324172197f4':
{'extension_type': 'new-sdo'}}"]
class attack_asset__68bf90ee_2a96_48e3_8acc_cb3068e20db0 builtin
attack_action__9955f520_81f0_4826_a04f_e29c222cf214["Action - Privilege
Escalation: - Threat actors use
tools already on the victim network to
obtain users' hashes and clear-text
credentials - Confidence Very
Probable"]
class attack_action__9955f520_81f0_4826_a04f_e29c222cf214 action
attack_action__21b2ccee_d3ed_4866_b931_87c37f98dc93["Action - T1203 Exploitation
for Client Execution: - Threat
actors exploit vulnerabilities in
unpatched assets to escalate privileges
and move laterally. - Confidence
Very Probable"]
class attack_action__21b2ccee_d3ed_4866_b931_87c37f98dc93 action
attack_condition__759ddb9f_c0a6_4fa4_bc83_f20a4ae8ea35["Condition: Network Asset A is
compromised"]
class attack_condition__759ddb9f_c0a6_4fa4_bc83_f20a4ae8ea35 condition
attack_condition__1a4cb2c8_008f_4bec_8659_6a4cccb638b4["Condition: Network Asset B is
compromised"]
class attack_condition__1a4cb2c8_008f_4bec_8659_6a4cccb638b4 condition
attack_condition__623bc1c8_fc38_4a2d_a3d0_d925f073af53["Condition: Network Asset C is
compromised"]
class attack_condition__623bc1c8_fc38_4a2d_a3d0_d925f073af53 condition
attack_condition__223e9388_26aa_4cd7_88a3_bc192aa13622["Condition: Admin hash is
compromised"]
class attack_condition__223e9388_26aa_4cd7_88a3_bc192aa13622 condition
attack_action__c3c4d3ba_ee40_437d_92a7_224bdb5cfaa0["Action - Privilege
Escalation: - Threat actors exploit
vulnerabilities in an unpatched asset to
escalate privileges. - Confidence
Very Probable"]
class attack_action__c3c4d3ba_ee40_437d_92a7_224bdb5cfaa0 action
attack_action__2a8b2d9c_c1cb_44e8_9c18_e146fdb28c3b -->|effect| attack_operator__7686e85f_53e7_4e22_b799_cd068137d4c8
attack_action__803b8f27_1c9b_4d83_b155_b443b69672f8 -->|effect| attack_operator__ee2f9478_ca65_4b3c_9c77_77cd2a277a91
attack_action__08dfcf4a_96c4_487e_8531_3ddd7fbb6e70 -->|effect| attack_condition__223e9388_26aa_4cd7_88a3_bc192aa13622
attack_action__4c0e9ba3_e5ad_4215_8b41_6636f9ec90b2 -->|effect| attack_condition__623bc1c8_fc38_4a2d_a3d0_d925f073af53
attack_condition__f8f14cd5_8cb3_41eb_a7de_d13c92afd312 -->|on_true| attack_action__803b8f27_1c9b_4d83_b155_b443b69672f8
attack_condition__f8f14cd5_8cb3_41eb_a7de_d13c92afd312 -->|on_true| attack_action__8c673d05_35b9_4563_a19c_612225ba58f2
attack_condition__a32b0dae_0b41_472b_9c23_fd234955beca -->|on_true| attack_action__11575ef5_332b_4719_9283_ad0988becfef
attack_condition__a32b0dae_0b41_472b_9c23_fd234955beca -->|on_true| attack_action__08dfcf4a_96c4_487e_8531_3ddd7fbb6e70
attack_condition__a32b0dae_0b41_472b_9c23_fd234955beca -->|on_true| attack_action__e972b38b_5e0c_43f6_a578_f904dab23a64
attack_action__57dca417_5fce_4cb6_9392_c23d24ba8c83 -->|effect| attack_operator__7686e85f_53e7_4e22_b799_cd068137d4c8
attack_action__0cf0c85b_c2e5_4dfd_9a92_547357784bd1 -->|effect| attack_operator__7686e85f_53e7_4e22_b799_cd068137d4c8
attack_action__e51a777f_14ba_4aac_8e6d_d95b93389173 -->|effect| attack_operator__7686e85f_53e7_4e22_b799_cd068137d4c8
attack_operator__7686e85f_53e7_4e22_b799_cd068137d4c8 -->|effect| attack_condition__f8f14cd5_8cb3_41eb_a7de_d13c92afd312
attack_action__8c673d05_35b9_4563_a19c_612225ba58f2 -->|effect| attack_operator__ee2f9478_ca65_4b3c_9c77_77cd2a277a91
attack_action__7a4205e1_043e_4c6d_8a9f_89f9a3a8ec83 -->|effect| attack_operator__ee2f9478_ca65_4b3c_9c77_77cd2a277a91
attack_action__11575ef5_332b_4719_9283_ad0988becfef -->|effect| attack_operator__ad5f81ee_b495_4efb_b6f9_d62fe07cfe0b
attack_action__e972b38b_5e0c_43f6_a578_f904dab23a64 -->|effect| attack_operator__ad5f81ee_b495_4efb_b6f9_d62fe07cfe0b
attack_operator__ee2f9478_ca65_4b3c_9c77_77cd2a277a91 -->|effect| attack_condition__a32b0dae_0b41_472b_9c23_fd234955beca
attack_condition__060bac6c_30cd_4cef_93e2_04c1939f3fc2 -->|on_true| attack_action__2a78a7b6_4cf3_4a8e_9856_e34935a18dbd
attack_condition__060bac6c_30cd_4cef_93e2_04c1939f3fc2 -->|on_true| attack_action__9955f520_81f0_4826_a04f_e29c222cf214
attack_condition__060bac6c_30cd_4cef_93e2_04c1939f3fc2 -->|on_true| attack_action__21b2ccee_d3ed_4866_b931_87c37f98dc93
attack_operator__ad5f81ee_b495_4efb_b6f9_d62fe07cfe0b -->|effect| attack_condition__060bac6c_30cd_4cef_93e2_04c1939f3fc2
attack_action__51d84486_8f49_40aa_a3ef_65ab544dff0f -->|effect| attack_operator__ad5f81ee_b495_4efb_b6f9_d62fe07cfe0b
attack_action__9955f520_81f0_4826_a04f_e29c222cf214 -->|effect| attack_condition__1a4cb2c8_008f_4bec_8659_6a4cccb638b4
attack_action__21b2ccee_d3ed_4866_b931_87c37f98dc93 -->|effect| attack_condition__759ddb9f_c0a6_4fa4_bc83_f20a4ae8ea35
attack_condition__759ddb9f_c0a6_4fa4_bc83_f20a4ae8ea35 -->|on_true| attack_action__c3c4d3ba_ee40_437d_92a7_224bdb5cfaa0
attack_condition__1a4cb2c8_008f_4bec_8659_6a4cccb638b4 -->|on_true| attack_action__fda03654_388a_45e1_b3c5_36a0593aec6d
attack_condition__1a4cb2c8_008f_4bec_8659_6a4cccb638b4 -->|on_true| attack_action__8956f5e4_bfaf_4709_83fa_309275967a30
attack_condition__1a4cb2c8_008f_4bec_8659_6a4cccb638b4 -->|on_true| attack_action__4c0e9ba3_e5ad_4215_8b41_6636f9ec90b2
attack_condition__223e9388_26aa_4cd7_88a3_bc192aa13622 -->|on_true| attack_action__51d84486_8f49_40aa_a3ef_65ab544dff0f
attack_action__c3c4d3ba_ee40_437d_92a7_224bdb5cfaa0 -->|effect| attack_condition__1a4cb2c8_008f_4bec_8659_6a4cccb638b4