graph TB
%% Attack-flow diagram laid out top-to-bottom. Node ids have the form <object_type>__<uuid>.
%% Colour legend: the `class <node> <name>` line after each node picks one of these fills.
%% action    -> attack_action nodes (the technique steps of the intrusion)
classDef action fill:#99ccff
%% operator  -> defined here, but no node in the visible part of this file is assigned to it
classDef operator fill:#ff9900
%% condition -> attack_condition nodes (the sources of on_true edges)
classDef condition fill:#99ff99
%% builtin   -> every other object type: infrastructure, tool, malware, attack_asset,
%%              vulnerability, and observables (ipv4_addr, url, file, directory)
classDef builtin fill:#cccccc
attack_action__0fc122a5_7f3b_4a0d_81b4_f841e1d01e1c["Action - T1566.002
Spearphishing Link: - Email
campaign aimed to trick the user into
enabling macros on a malicious document;
delivered via a link to Google's Feed
Proxy service - Confidence Very
Probable"]
class attack_action__0fc122a5_7f3b_4a0d_81b4_f841e1d01e1c action
infrastructure__9dc784c0_f64e_41c6_815f_d515675071f6["Infrastructure - Name:
Google's Feed Proxy service -
Description: hosted the malicious
document - Infrastructure Types:
anonymization"]
class infrastructure__9dc784c0_f64e_41c6_815f_d515675071f6 builtin
attack_action__1d851bc1_c568_463d_8e5e_270e997a65bd["Action - T1204.002 Malicious
File: - User enabled macros -
Confidence Very Probable"]
class attack_action__1d851bc1_c568_463d_8e5e_270e997a65bd action
attack_action__7f226db5_d7a2_4af5_aa98_b2bc3bac699a["Action - T1059.005 Visual
Basic: - Macro downloads ier.dll
and executes it - Confidence Very
Probable"]
class attack_action__7f226db5_d7a2_4af5_aa98_b2bc3bac699a action
attack_action__8ec450fa_b704_40d2_8560_94d5a8fd677a["Action - T1218.011
Rundll32: - ier.dll executed -
Confidence Very Probable"]
class attack_action__8ec450fa_b704_40d2_8560_94d5a8fd677a action
attack_action__5d55cc3d_c059_4937_a4c6_c1b5a48c3fc1["Action - T1105 Ingress Tool
Transfer: - Hancitor downloaded 2
Cobalt Strike payloads (including a
stager) and Ficker Stealer -
Confidence Very Probable"]
class attack_action__5d55cc3d_c059_4937_a4c6_c1b5a48c3fc1 action
infrastructure__246d0643_cd96_4eef_9ceb_e198a3780450["Infrastructure - Name:
Stager - Description: IP address
of C2 associated with stager -
Infrastructure Types: command-
and-control, staging"]
class infrastructure__246d0643_cd96_4eef_9ceb_e198a3780450 builtin
infrastructure__050084ef_b861_4ebb_9269_c28b064268b3["Infrastructure - Name: C2
- Description: IP address/URL of
C2 that downloaded the additional tools
- Infrastructure Types: command-
and-control, hosting-malware"]
class infrastructure__050084ef_b861_4ebb_9269_c28b064268b3 builtin
attack_action__264c553e_266e_4143_983b_35bee0e23a63["Action - T1055 Process
Injection: - Multiple instances of
svchost.exe launched and injected with
Cobalt Strike - Confidence Very
Probable"]
class attack_action__264c553e_266e_4143_983b_35bee0e23a63 action
tool__ad23cf1d_72aa_40d7_a66a_4e95305cb0ed["Tool - Name: svchost.exe -
Description: process injection
with Cobalt Strike - Tool Types:
unknown"]
class tool__ad23cf1d_72aa_40d7_a66a_4e95305cb0ed builtin
%% NOTE(review): the three attack_asset nodes below are declared, but no edge in this file
%% references them, so they render detached from the flow.
%% Presumably they describe the same activity as the T1046 / T1016.001 / T1087.001 action
%% nodes defined near the end of the node list; confirm against the source bundle and link
%% them there if so.
%% The Ping asset's "Object Ref" names ipv4-addr 8c8019bc-..., but that reference appears only
%% in the label text; there is no edge to the ipv4_addr node.
attack_asset__435e40bd_19a7_4099_8a32_0c268760b218["Attack Asset - Name: Port
Scanning - Description: scanned
SMB, TCP 5000, TCP 9392, and TCP 6106.
Actors were looking for backup products
Synology, Backup Exec, and Veeam -
Extensions: {'extension-
definition--
fb9c968a-745b-4ade-9b25-c324172197f4':
{'extension_type': 'new-sdo'}}"]
class attack_asset__435e40bd_19a7_4099_8a32_0c268760b218 builtin
attack_asset__de81d71c_8f3f_43db_9d07_c03f5937e028["Attack Asset - Name: Ping
- Description: Actors pinged
190.114.254.116 and used the IP later in
the attack - Object Ref:
ipv4-addr--
8c8019bc-8d35-48de-b21f-6b3293b7a82f -
Extensions: {'extension-
definition--
fb9c968a-745b-4ade-9b25-c324172197f4':
{'extension_type': 'new-sdo'}}"]
class attack_asset__de81d71c_8f3f_43db_9d07_c03f5937e028 builtin
attack_asset__e4fb987f_6460_40a3_9a6a_bc66641eaf47["Attack Asset - Name:
Enumerated local administrative access -
Description: Attackers enumerated
local admin access on remote systems by
checking the C$ share for hosts
discovered after the port scan -
Extensions: {'extension-
definition--
fb9c968a-745b-4ade-9b25-c324172197f4':
{'extension_type': 'new-sdo'}}"]
class attack_asset__e4fb987f_6460_40a3_9a6a_bc66641eaf47 builtin
attack_action__d53ce876_ead2_4d68_a864_e340bdc1aa31["Action - T1105 Ingress Tool
Transfer: - Hancitor downloaded
Cobalt Strike DLL and batch file on
victim machine - Confidence Very
Probable"]
class attack_action__d53ce876_ead2_4d68_a864_e340bdc1aa31 action
infrastructure__ea1c5706_9374_48ab_bf54_5c1572b4c4ac["Infrastructure - Name: C2
for Cobalt Strike beacons -
Description: C2 associated with
the Cobalt Strike beacon -
Infrastructure Types: command-
and-control"]
class infrastructure__ea1c5706_9374_48ab_bf54_5c1572b4c4ac builtin
tool__7df9e692_418b_4d07_81bc_bd16693656b0["Tool - Name: cor.bat -
Description: batch file that
executes the Cobalt Strike DLL using
rundll32.exe with a specific parameter -
Tool Types: exploitation"]
class tool__7df9e692_418b_4d07_81bc_bd16693656b0 builtin
attack_action__615f4282_5407_44e4_b0e1_b68198baadd3["Action - T1497
Virtualization/Sandbox Evasion: -
Cobalt Strike DLL stager does not run
unless it is given a specific command
line parameter - Confidence Very
Probable"]
class attack_action__615f4282_5407_44e4_b0e1_b68198baadd3 action
attack_condition__a2793461_43b8_4b30_966f_71295f564b75["Condition: Multiple instances of
rundll32.exe spawning svchost.exe and
svchost.exe spawning cmd.exe"]
class attack_condition__a2793461_43b8_4b30_966f_71295f564b75 condition
attack_action__6c4ed453_8eec_4b2b_9ff0_5b45edb1a804["Action - T1218.011
Rundll32: - cor.dll executed -
Confidence Very Probable"]
class attack_action__6c4ed453_8eec_4b2b_9ff0_5b45edb1a804 action
attack_action__9c595315_eb12_4643_85be_33986d8c031b["Action - T1059.001
PowerShell: - PowerShell loader
deobfuscates shellcode and runs it in
memory as a thread in the same
PowerShell process; shellcode includes a
PE file embedded inside -
Confidence Very Probable"]
class attack_action__9c595315_eb12_4643_85be_33986d8c031b action
tool__9f0f8035_5d6a_44e8_8c66_125db8a30a25["Tool - Name: agent1.ps1 -
Description: PowerShell loader -
Tool Types: unknown"]
class tool__9f0f8035_5d6a_44e8_8c66_125db8a30a25 builtin
attack_action__8c95b74c_07b8_4277_989f_ff499ff32ae4["Action - T1027 Obfuscated
Files or Information: -
Base64-encoded PowerShell dropped onto
the machine - Confidence Very
Probable"]
class attack_action__8c95b74c_07b8_4277_989f_ff499ff32ae4 action
attack_action__75818fd9_2ca6_43b1_9dd7_08be16fec19c["Action - T1105 Ingress Tool
Transfer: - PE file is loaded into
memory and executed; beacons out at
regular intervals to C2 server for
instructions - Confidence Very
Probable"]
class attack_action__75818fd9_2ca6_43b1_9dd7_08be16fec19c action
tool__30bce16b_b3a2_4efe_9024_3a26d7df320c["Tool - Name: PE file -
Tool Types: unknown"]
class tool__30bce16b_b3a2_4efe_9024_3a26d7df320c builtin
infrastructure__5cb78035_4d30_4c6e_bc3b_458b3c19fb4e["Infrastructure - Name: C2
server - Infrastructure Types:
command-and-control"]
class infrastructure__5cb78035_4d30_4c6e_bc3b_458b3c19fb4e builtin
attack_action__15d89326_a900_4881_9811_5881bd05fb1d["Action - T1027.004 Compile
After Delivery: - Visual C# Command
Line Compiler invoked by PowerShell
script; most likely instructions that
the PE file retrieved from the C2 server
- Confidence Very Probable"]
class attack_action__15d89326_a900_4881_9811_5881bd05fb1d action
%% Zerologon step: this action is linked by related-to edges to the CVE-2020-1472
%% vulnerability node and the zero.exe tool node defined directly below.
%% NOTE(review): the label pairs T1105 Ingress Tool Transfer with "used a custom implementation
%% of Zerologon". The credential-access result is modelled in the separate T1212 action that
%% follows in the flow. Confirm against the source report whether T1105 here is meant to
%% cover only the delivery of zero.exe.
attack_action__ba5d97f4_f1d8_4a42_8634_a43483c57389["Action - T1105 Ingress Tool
Transfer: - Attacker used a custom
implementation of Zerologon -
Confidence Very Probable"]
class attack_action__ba5d97f4_f1d8_4a42_8634_a43483c57389 action
vulnerability__2b660706_ac74_475d_af2d_7be8315a9056["Vulnerability - Name:
CVE-2020-1472"]
class vulnerability__2b660706_ac74_475d_af2d_7be8315a9056 builtin
tool__22800f67_08d5_42ce_95cf_1b39eff410c1["Tool - Name: zero.exe -
Description: custom
implementation of Zerologon - Tool
Types: unknown"]
class tool__22800f67_08d5_42ce_95cf_1b39eff410c1 builtin
attack_action__5c8d3aac_79ac_4ef8_81dd_7046b5355e9c["Action - T1212 Exploitation
for Credential Access: - Zero.exe
executes and obtains the NTLM hash of a
Domain Administrator account -
Confidence Very Probable"]
class attack_action__5c8d3aac_79ac_4ef8_81dd_7046b5355e9c action
attack_action__42530d17_73ed_4f57_86f4_de1b3f85eae1["Action - T1550.002 Pass the
Hash: - Attackers use the Domain
Administrator's NTLM hash to
authenticate to other domain controllers
- Confidence Very Probable"]
class attack_action__42530d17_73ed_4f57_86f4_de1b3f85eae1 action
attack_action__75aac24f_ecf5_4981_9349_2e1d9c9eb38a["Action - T1105 Ingress Tool
Transfer: - Attackers deployed
Cobalt Strike beacons on the domain
controllers - Confidence Very
Probable"]
class attack_action__75aac24f_ecf5_4981_9349_2e1d9c9eb38a action
attack_action__858fd8b8_6914_4c92_9a7d_66277e7224e4["Action - T1059.001
PowerShell: - PowerShell executed
on every Domain Controller and used the
Active Directory RSAT module to get a
list of computers and compiled this list
into a file - Confidence Very
Probable"]
class attack_action__858fd8b8_6914_4c92_9a7d_66277e7224e4 action
tool__3380b981_3dae_4b0e_9fd9_9abee266f383["Tool - Name: comp2.ps1 -
Description: PowerShell script;
uses the file with the enumerated list
of computers - Tool Types:
information-gathering"]
class tool__3380b981_3dae_4b0e_9fd9_9abee266f383 builtin
attack_action__c0a8d30d_8908_49ea_be12_61e7dc39c9a8["Action - T1595.001 Scanning IP
Blocks: - Executable uses IPs and
hostnames from comps.txt and checks if
they are online using ICMP scans -
Confidence Very Probable"]
class attack_action__c0a8d30d_8908_49ea_be12_61e7dc39c9a8 action
attack_condition__55bbea0f_65dd_404a_bfeb_3751297f369e["Condition: Online hosts are
directed to check.txt file"]
class attack_condition__55bbea0f_65dd_404a_bfeb_3751297f369e condition
tool__5d91d93a_1071_4a5d_93f5_be75d5b7d1c1["Tool - Name: check.exe -
Description: executable
conducting ICMP scans, searching for
online systems - Tool Types:
information-gathering"]
class tool__5d91d93a_1071_4a5d_93f5_be75d5b7d1c1 builtin
attack_action__93d9e541_add1_4515_b288_b163a60efea4["Action - Lateral Movement:
- Attackers moved laterally throughout the
network to additional domain
controllers, backup servers, and file
shares using Cobalt Strike -
Confidence Very Probable"]
class attack_action__93d9e541_add1_4515_b288_b163a60efea4 action
malware__13146797_18cc_43b6_8bab_9a88c0e4a6e2["Malware - Name: ier.dll -
Description: Hancitor DLL file -
Malware Types: downloader, trojan
- Is Family: False -
Capabilities: communicates-
with-c2, exfiltrates-data, installs-
other-components"]
class malware__13146797_18cc_43b6_8bab_9a88c0e4a6e2 builtin
%% Observables (indicators) attached to the steps above through related-to edges.
%% "Defanged: False" means each value is written in live form, not defanged (no hxxp / [.]).
%% Treat these as indicators for blocking and hunting, and take care when pasting them into
%% tools that auto-link or auto-resolve.
%% NOTE(review): the Url node holds a bare hostname (no scheme or path), and 8.211.241.0 ends
%% in .0. Confirm both against the source report in case a value was shortened on export.
directory__6be350c5_1f9d_4e2b_a29a_37bd155d185f["Directory - Path:
%APPDATA%\Microsoft\templates\ -
Defanged: False"]
class directory__6be350c5_1f9d_4e2b_a29a_37bd155d185f builtin
url__a6ebeb18_dc18_47f7_b64c_07ac5828c492["Url - Value: 4a5ikol.ru -
Defanged: False"]
class url__a6ebeb18_dc18_47f7_b64c_07ac5828c492 builtin
ipv4_addr__1f0a42b3_e753_41a6_8151_1b2751b4b914["Ipv4 Addr - Value:
8.211.241.0 - Defanged: False"]
class ipv4_addr__1f0a42b3_e753_41a6_8151_1b2751b4b914 builtin
ipv4_addr__2ffb5de4_b7c9_4c18_a931_6b24a5cef301["Ipv4 Addr - Value:
207.148.23.64 - Defanged: False"]
class ipv4_addr__2ffb5de4_b7c9_4c18_a931_6b24a5cef301 builtin
malware__32f888c6_86a8_42bf_828d_44c5b398207f["Malware - Name: Cobalt
Strike payloads - Malware Types:
exploit-kit - Is Family: False -
Capabilities: accesses-remote-
machines, communicates-with-c2,
escalates-privileges, exfiltrates-data,
fingerprints-host, installs-other-
components, probes-network-environment,
steals-authentication-credentials"]
class malware__32f888c6_86a8_42bf_828d_44c5b398207f builtin
malware__c7408153_96a8_4a66_be6f_ac881bb187cc["Malware - Name: Ficker
Stealer - Description: steals
information - Malware Types:
trojan - Is Family: False -
Capabilities: fingerprints-host,
probes-network-environment, steals-
authentication-credentials, exfiltrates-
data"]
class malware__c7408153_96a8_4a66_be6f_ac881bb187cc builtin
tool__cafb8768_db59_4764_9ea1_702ccc4337f2["Tool - Name: rundll32.exe
- Tool Types: unknown"]
class tool__cafb8768_db59_4764_9ea1_702ccc4337f2 builtin
%% The same address is declared twice under different ids.
%% 8c8019bc-... is the id quoted in the Ping attack_asset's "Object Ref" label; no edge in
%% this file points to it.
%% 4986f18c-... is the node linked by a related-to edge from the "C2 for Cobalt Strike
%% beacons" infrastructure node.
%% NOTE(review): deduplicate on value, not on id, when extracting indicators from this graph.
ipv4_addr__8c8019bc_8d35_48de_b21f_6b3293b7a82f["Ipv4 Addr - Value:
190.114.254.116 - Defanged: False"]
class ipv4_addr__8c8019bc_8d35_48de_b21f_6b3293b7a82f builtin
ipv4_addr__4986f18c_5013_43e6_9934_3504b2a457fc["Ipv4 Addr - Value:
190.114.254.116 - Defanged: False"]
class ipv4_addr__4986f18c_5013_43e6_9934_3504b2a457fc builtin
malware__4e771a07_6800_4fb4_86e7_73718a3aa8bf["Malware - Name: cor.dll -
Description: Cobalt Strike DLL -
Malware Types: exploit-kit -
Is Family: False -
Capabilities: accesses-remote-
machines, communicates-with-c2,
escalates-privileges, exfiltrates-data,
fingerprints-host, installs-other-
components, probes-network-environment,
steals-authentication-credentials"]
class malware__4e771a07_6800_4fb4_86e7_73718a3aa8bf builtin
ipv4_addr__a850619d_655c_4b2a_aaf0_60ae42998c7c["Ipv4 Addr - Value:
64.235.39.32 - Defanged: False"]
class ipv4_addr__a850619d_655c_4b2a_aaf0_60ae42998c7c builtin
malware__fe0b4d3c_79f7_4562_9fd9_73f5922bc489["Malware - Name: Cobalt
Strike beacons - Malware Types:
exploit-kit - Is Family: False -
Capabilities: accesses-remote-
machines, communicates-with-c2,
escalates-privileges, exfiltrates-data,
fingerprints-host, installs-other-
components, probes-network-environment,
steals-authentication-credentials"]
class malware__fe0b4d3c_79f7_4562_9fd9_73f5922bc489 builtin
file__88d6adf8_19db_4920_afc5_896c2ebc26e8["File - Name: comps.txt -
Defanged: False"]
class file__88d6adf8_19db_4920_afc5_896c2ebc26e8 builtin
attack_action__f6ff7411_18b2_412f_ae4b_c72f8b6def69["Action - T1087.001 Local
Account: - enumerated local access
- Confidence Very Probable"]
class attack_action__f6ff7411_18b2_412f_ae4b_c72f8b6def69 action
attack_action__1720c263_4ec3_4c13_b637_10336d59fcea["Action - T1016.001 Internet
Connection Discovery: - checks for
internet connection - Confidence
Very Probable"]
class attack_action__1720c263_4ec3_4c13_b637_10336d59fcea action
attack_action__625c956c_e084_488f_a592_fdee309b883a["Action - T1046 Network Service
Discovery: - scans ports -
Confidence Very Probable"]
class attack_action__625c956c_e084_488f_a592_fdee309b883a action
%% Flow edges. `effect` links one step to the step it leads to; `on_true` leaves a condition node.
%% Declaration order is not flow order: for example, the 8c95b74c -> 9c595315 edge is listed
%% after 9c595315 -> 75818fd9. Read the chain by following ids, not line order.
%% The rundll32/svchost condition (a2793461) fans out to three discovery actions, and all
%% three converge again on the d53ce876 ingress-tool-transfer action.
%% The check.txt condition (55bbea0f) is only ever a target in this block, so it ends the chain.
attack_action__0fc122a5_7f3b_4a0d_81b4_f841e1d01e1c -->|effect| attack_action__1d851bc1_c568_463d_8e5e_270e997a65bd
attack_action__1d851bc1_c568_463d_8e5e_270e997a65bd -->|effect| attack_action__7f226db5_d7a2_4af5_aa98_b2bc3bac699a
attack_action__7f226db5_d7a2_4af5_aa98_b2bc3bac699a -->|effect| attack_action__8ec450fa_b704_40d2_8560_94d5a8fd677a
attack_action__8ec450fa_b704_40d2_8560_94d5a8fd677a -->|effect| attack_action__5d55cc3d_c059_4937_a4c6_c1b5a48c3fc1
attack_action__5d55cc3d_c059_4937_a4c6_c1b5a48c3fc1 -->|effect| attack_action__264c553e_266e_4143_983b_35bee0e23a63
attack_action__264c553e_266e_4143_983b_35bee0e23a63 -->|effect| attack_condition__a2793461_43b8_4b30_966f_71295f564b75
attack_action__d53ce876_ead2_4d68_a864_e340bdc1aa31 -->|effect| attack_action__615f4282_5407_44e4_b0e1_b68198baadd3
attack_action__615f4282_5407_44e4_b0e1_b68198baadd3 -->|effect| attack_action__6c4ed453_8eec_4b2b_9ff0_5b45edb1a804
attack_condition__a2793461_43b8_4b30_966f_71295f564b75 -->|on_true| attack_action__1720c263_4ec3_4c13_b637_10336d59fcea
attack_condition__a2793461_43b8_4b30_966f_71295f564b75 -->|on_true| attack_action__f6ff7411_18b2_412f_ae4b_c72f8b6def69
attack_condition__a2793461_43b8_4b30_966f_71295f564b75 -->|on_true| attack_action__625c956c_e084_488f_a592_fdee309b883a
attack_action__6c4ed453_8eec_4b2b_9ff0_5b45edb1a804 -->|effect| attack_action__8c95b74c_07b8_4277_989f_ff499ff32ae4
attack_action__9c595315_eb12_4643_85be_33986d8c031b -->|effect| attack_action__75818fd9_2ca6_43b1_9dd7_08be16fec19c
attack_action__8c95b74c_07b8_4277_989f_ff499ff32ae4 -->|effect| attack_action__9c595315_eb12_4643_85be_33986d8c031b
attack_action__75818fd9_2ca6_43b1_9dd7_08be16fec19c -->|effect| attack_action__15d89326_a900_4881_9811_5881bd05fb1d
attack_action__15d89326_a900_4881_9811_5881bd05fb1d -->|effect| attack_action__ba5d97f4_f1d8_4a42_8634_a43483c57389
attack_action__ba5d97f4_f1d8_4a42_8634_a43483c57389 -->|effect| attack_action__5c8d3aac_79ac_4ef8_81dd_7046b5355e9c
attack_action__5c8d3aac_79ac_4ef8_81dd_7046b5355e9c -->|effect| attack_action__42530d17_73ed_4f57_86f4_de1b3f85eae1
attack_action__42530d17_73ed_4f57_86f4_de1b3f85eae1 -->|effect| attack_action__75aac24f_ecf5_4981_9349_2e1d9c9eb38a
attack_action__75aac24f_ecf5_4981_9349_2e1d9c9eb38a -->|effect| attack_action__93d9e541_add1_4515_b288_b163a60efea4
attack_action__858fd8b8_6914_4c92_9a7d_66277e7224e4 -->|effect| attack_action__c0a8d30d_8908_49ea_be12_61e7dc39c9a8
attack_action__c0a8d30d_8908_49ea_be12_61e7dc39c9a8 -->|effect| attack_condition__55bbea0f_65dd_404a_bfeb_3751297f369e
attack_action__93d9e541_add1_4515_b288_b163a60efea4 -->|effect| attack_action__858fd8b8_6914_4c92_9a7d_66277e7224e4
attack_action__f6ff7411_18b2_412f_ae4b_c72f8b6def69 -->|effect| attack_action__d53ce876_ead2_4d68_a864_e340bdc1aa31
attack_action__1720c263_4ec3_4c13_b637_10336d59fcea -->|effect| attack_action__d53ce876_ead2_4d68_a864_e340bdc1aa31
attack_action__625c956c_e084_488f_a592_fdee309b883a -->|effect| attack_action__d53ce876_ead2_4d68_a864_e340bdc1aa31
%% Context edges. `related-to` attaches infrastructure, tool, malware, vulnerability and
%% observable nodes to the step (or infrastructure node) they belong to; these edges carry
%% no effect/on_true label.
%% Observables hang off infrastructure nodes, not directly off actions:
%% action -> infrastructure -> ipv4_addr / url.
%% Walk both hops to recover the indicators tied to a given step.
attack_action__0fc122a5_7f3b_4a0d_81b4_f841e1d01e1c -->|related-to| infrastructure__9dc784c0_f64e_41c6_815f_d515675071f6
attack_action__7f226db5_d7a2_4af5_aa98_b2bc3bac699a -->|related-to| directory__6be350c5_1f9d_4e2b_a29a_37bd155d185f
attack_action__7f226db5_d7a2_4af5_aa98_b2bc3bac699a -->|related-to| malware__13146797_18cc_43b6_8bab_9a88c0e4a6e2
attack_action__5d55cc3d_c059_4937_a4c6_c1b5a48c3fc1 -->|related-to| malware__c7408153_96a8_4a66_be6f_ac881bb187cc
attack_action__5d55cc3d_c059_4937_a4c6_c1b5a48c3fc1 -->|related-to| malware__32f888c6_86a8_42bf_828d_44c5b398207f
attack_action__5d55cc3d_c059_4937_a4c6_c1b5a48c3fc1 -->|related-to| infrastructure__050084ef_b861_4ebb_9269_c28b064268b3
attack_action__5d55cc3d_c059_4937_a4c6_c1b5a48c3fc1 -->|related-to| infrastructure__246d0643_cd96_4eef_9ceb_e198a3780450
infrastructure__246d0643_cd96_4eef_9ceb_e198a3780450 -->|related-to| ipv4_addr__2ffb5de4_b7c9_4c18_a931_6b24a5cef301
infrastructure__050084ef_b861_4ebb_9269_c28b064268b3 -->|related-to| url__a6ebeb18_dc18_47f7_b64c_07ac5828c492
infrastructure__050084ef_b861_4ebb_9269_c28b064268b3 -->|related-to| ipv4_addr__1f0a42b3_e753_41a6_8151_1b2751b4b914
attack_action__264c553e_266e_4143_983b_35bee0e23a63 -->|related-to| tool__ad23cf1d_72aa_40d7_a66a_4e95305cb0ed
attack_action__d53ce876_ead2_4d68_a864_e340bdc1aa31 -->|related-to| malware__4e771a07_6800_4fb4_86e7_73718a3aa8bf
attack_action__d53ce876_ead2_4d68_a864_e340bdc1aa31 -->|related-to| infrastructure__ea1c5706_9374_48ab_bf54_5c1572b4c4ac
attack_action__d53ce876_ead2_4d68_a864_e340bdc1aa31 -->|related-to| tool__7df9e692_418b_4d07_81bc_bd16693656b0
infrastructure__ea1c5706_9374_48ab_bf54_5c1572b4c4ac -->|related-to| ipv4_addr__4986f18c_5013_43e6_9934_3504b2a457fc
attack_condition__a2793461_43b8_4b30_966f_71295f564b75 -->|related-to| tool__cafb8768_db59_4764_9ea1_702ccc4337f2
attack_action__8c95b74c_07b8_4277_989f_ff499ff32ae4 -->|related-to| tool__9f0f8035_5d6a_44e8_8c66_125db8a30a25
attack_action__75818fd9_2ca6_43b1_9dd7_08be16fec19c -->|related-to| tool__30bce16b_b3a2_4efe_9024_3a26d7df320c
attack_action__75818fd9_2ca6_43b1_9dd7_08be16fec19c -->|related-to| infrastructure__5cb78035_4d30_4c6e_bc3b_458b3c19fb4e
infrastructure__5cb78035_4d30_4c6e_bc3b_458b3c19fb4e -->|related-to| ipv4_addr__a850619d_655c_4b2a_aaf0_60ae42998c7c
attack_action__ba5d97f4_f1d8_4a42_8634_a43483c57389 -->|related-to| vulnerability__2b660706_ac74_475d_af2d_7be8315a9056
attack_action__ba5d97f4_f1d8_4a42_8634_a43483c57389 -->|related-to| tool__22800f67_08d5_42ce_95cf_1b39eff410c1
attack_action__75aac24f_ecf5_4981_9349_2e1d9c9eb38a -->|related-to| malware__fe0b4d3c_79f7_4562_9fd9_73f5922bc489
attack_action__858fd8b8_6914_4c92_9a7d_66277e7224e4 -->|related-to| tool__3380b981_3dae_4b0e_9fd9_9abee266f383
tool__3380b981_3dae_4b0e_9fd9_9abee266f383 -->|related-to| file__88d6adf8_19db_4920_afc5_896c2ebc26e8
attack_action__c0a8d30d_8908_49ea_be12_61e7dc39c9a8 -->|related-to| tool__5d91d93a_1071_4a5d_93f5_be75d5b7d1c1