// Graphviz DOT rendering of an attack flow for the 2018 Marriott breach.
// Nodes are ATT&CK-mapped actions, conditions, AND operators, assets, a threat actor and a tool.
// Edges labelled "effect"/"on_true" carry the causal order; "asset" edges point at the data an action touched.
// NOTE(review): the label=<...> bodies use "|" separators with no HTML table tags, so the
// markup looks stripped during extraction. Confirm against the original export before rendering.
digraph {
label=<Marriott Breach
A data breach at the Marriott hotel group in 2018.
Author: Lauren Parker <lparker@mitre.org>
Created: 2022-10-27 02:44:54.520000+00:00
Modified: 2024-01-24 15:57:08.402000+00:00>;
labelloc="t";
// Entry point of the flow: T1566 (Phishing, Initial Access). It fans out to two parallel
// branches: credential theft (T1555) and remote access software (T1219).
"attack-action--2bf2f95c-5d35-4c50-850a-f81c31470ca9" [label=<
Action: T1566 |
Name | Phishing |
Description | Phishing email used to gain access to Starwood brands reservation system |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--2bf2f95c-5d35-4c50-850a-f81c31470ca9" -> "attack-action--ccc7e534-0ab7-4301-b666-9f86f8985863" [label=effect]
"attack-action--2bf2f95c-5d35-4c50-850a-f81c31470ca9" -> "attack-action--9f740818-914e-44cc-8914-5c3cefc0e1d7" [label=effect]
// NOTE(review): no edge in this file references the threat-actor node, so it renders as an
// isolated box. The attribution is worded as belief ("believed to be acting on behalf of"),
// not as a confirmed finding.
"threat-actor--fee4c680-4992-488b-b1bb-0fc6e076a303" [label=<Threat Actor |
Name | Individuals on behalf of the Chinese Government |
Description | Unknown individuals believed to be acting on behalf of the Chinese government; they exfiltrated personal information from customers |
Sophistication | strategic |
Resource Level | government |
Primary Motivation | organizational-gain |
> shape=plaintext]
// NOTE(review): T1555 (Credential Access) covers how the credentials were obtained. The
// description also mentions using valid accounts to move laterally, which T1555 does not
// cover. That use is presumably closer to T1078 (Valid Accounts); confirm whether a
// separate action node is warranted.
"attack-action--ccc7e534-0ab7-4301-b666-9f86f8985863" [label=<Action: T1555 |
Name | Credentials from Password Stores |
Description | Attackers obtained valid passwords/accounts to move laterally within the network |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--ccc7e534-0ab7-4301-b666-9f86f8985863" -> "attack-condition--1c852859-2281-4682-8cc4-1a51e2f50f46" [label=effect]
// NOTE(review): the tool node has an empty label, so the credential-theft tool linked by
// the "related-to" edge at the end of the file is unnamed in this rendering.
"tool--a84c8c94-f07d-48b4-862b-4b7fc5901042" [label=<> shape=plaintext]
// T1219 (Command and Control). The description itself states that how the RAT was used is
// unknown, yet Confidence is "Very Probable". Read the confidence as applying to the RAT's
// presence, not to any specific use of it.
"attack-action--9f740818-914e-44cc-8914-5c3cefc0e1d7" [label=<Action: T1219 |
Name | Remote Access Software |
Description | A remote access trojan was found during investigation. Generally, RATs allow an attacker to covertly access, surveil, and even gain control over a computer. However, it is unknown how attackers used the RAT in this attack. |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--9f740818-914e-44cc-8914-5c3cefc0e1d7" -> "attack-operator--1b533799-bd2f-4dd8-b24d-ea98a5a1b9e8" [label=effect]
"attack-condition--1c852859-2281-4682-8cc4-1a51e2f50f46" [label=<Condition |
Description | Attackers obtained credentials, including for an admin account |
> shape=plaintext]
"attack-condition--1c852859-2281-4682-8cc4-1a51e2f50f46" -> "attack-operator--1b533799-bd2f-4dd8-b24d-ea98a5a1b9e8" [label=on_true]
// First AND join: the flow continues only when both the RAT foothold (T1219 effect) and the
// admin-credential condition (on_true) hold.
"attack-operator--1b533799-bd2f-4dd8-b24d-ea98a5a1b9e8" [label=AND fillcolor="#ff9900" shape=circle style=filled]
"attack-operator--1b533799-bd2f-4dd8-b24d-ea98a5a1b9e8" -> "attack-action--704d2b3a-4d25-41bd-9461-260e960840dc" [label=effect]
// NOTE(review): T1590.004 is a Reconnaissance (pre-compromise) sub-technique, but the
// description covers post-compromise querying from an administrator account. Verify the
// mapping. For defenders, the behaviour described is admin-account queries against
// customer databases.
"attack-action--704d2b3a-4d25-41bd-9461-260e960840dc" [label=<Action: T1590.004 |
Name | Network Topology |
Description | Attackers used an administrator account to query for data within the network. Attackers searched for databases with relevant customer information. |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--704d2b3a-4d25-41bd-9461-260e960840dc" -> "attack-condition--560b08e3-81b6-4f48-a804-783a82fd35c1" [label=effect]
"attack-condition--560b08e3-81b6-4f48-a804-783a82fd35c1" [label=<Condition |
Description | Discovered databases |
> shape=plaintext]
"attack-condition--560b08e3-81b6-4f48-a804-783a82fd35c1" -> "attack-action--65436923-b069-45f9-af06-9e67998aab8b" [label=on_true]
"attack-condition--560b08e3-81b6-4f48-a804-783a82fd35c1" -> "attack-action--cb29bb1b-eee2-4457-80b7-aee3c3182517" [label=on_true]
// NOTE(review): T1001 sits under Command and Control in ATT&CK (obfuscating C2 traffic).
// The description is about data staged for removal and overlaps the T1560 node below,
// so the two nodes may describe a single behaviour. Confirm.
"attack-action--65436923-b069-45f9-af06-9e67998aab8b" [label=<Action: T1001 |
Name | Data Obfuscation |
Description | Attackers obfuscated data that they removed from the network |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--65436923-b069-45f9-af06-9e67998aab8b" -> "attack-operator--09f14bbb-64f9-4f9e-a16a-42684794b0e1" [label=effect]
// T1560 (Collection): compression and encryption before removal. Because the staged
// archives were encrypted, content inspection at the egress point would not reveal what
// they held.
"attack-action--cb29bb1b-eee2-4457-80b7-aee3c3182517" [label=<Action: T1560 |
Name | Archive Collected Data |
Description | Attackers obfuscated data that they removed from the network by compressing and encrypting files |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--cb29bb1b-eee2-4457-80b7-aee3c3182517" -> "attack-operator--09f14bbb-64f9-4f9e-a16a-42684794b0e1" [label=effect]
// Second AND join: exfiltration follows only when both the obfuscation and archiving
// actions have taken effect.
"attack-operator--09f14bbb-64f9-4f9e-a16a-42684794b0e1" [label=AND fillcolor="#ff9900" shape=circle style=filled]
"attack-operator--09f14bbb-64f9-4f9e-a16a-42684794b0e1" -> "attack-action--7239ab4c-fb5c-46b6-a2ba-637d9a2b12e9" [label=effect]
// The exfiltration action carries no technique ID, consistent with the description's
// "unknown means"; only the tactic is recorded. Its three "asset" edges name what was taken.
"attack-action--7239ab4c-fb5c-46b6-a2ba-637d9a2b12e9" [label=<Action |
Name | Exfiltration |
Description | Attackers exfiltrated customer data through unknown means |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--7239ab4c-fb5c-46b6-a2ba-637d9a2b12e9" -> "attack-asset--828cdfdb-8815-4383-af0d-72b0e5f81c12" [label=asset]
"attack-action--7239ab4c-fb5c-46b6-a2ba-637d9a2b12e9" -> "attack-asset--b526faf5-34f3-4b40-a073-04fd16d7d82e" [label=asset]
"attack-action--7239ab4c-fb5c-46b6-a2ba-637d9a2b12e9" -> "attack-asset--852df8b6-8f7e-4424-8c36-617a16643a6a" [label=asset]
"attack-action--7239ab4c-fb5c-46b6-a2ba-637d9a2b12e9" -> "attack-action--0ed7f887-8cc8-4339-b91b-f7ace1f67ad7" [label=effect]
// Asset nodes: every Description field is empty, so the node name is the only detail
// recorded for each asset.
"attack-asset--b526faf5-34f3-4b40-a073-04fd16d7d82e" [label=<Asset: Encrypted Files |
Description | |
> shape=plaintext]
"attack-asset--852df8b6-8f7e-4424-8c36-617a16643a6a" [label=<Asset: Guest Data |
Description | |
> shape=plaintext]
"attack-asset--828cdfdb-8815-4383-af0d-72b0e5f81c12" [label=<Asset: Passport Information |
Description | |
> shape=plaintext]
// T1070.004 (Defense Evasion): the staged files were deleted after exfiltration. For
// responders this means the archives themselves may no longer be on disk.
"attack-action--0ed7f887-8cc8-4339-b91b-f7ace1f67ad7" [label=<Action: T1070.004 |
Name | File Deletion |
Description | Attackers conducted defense evasion by deleting exfiltrated files |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--0ed7f887-8cc8-4339-b91b-f7ace1f67ad7" -> "attack-asset--b94ac867-4f80-4bf7-81ff-06b77abb1ba7" [label=asset]
"attack-asset--b94ac867-4f80-4bf7-81ff-06b77abb1ba7" [label=<Asset: exfiltrated files |
Description | |
> shape=plaintext]
// Links the credential-theft action (T1555) to the tool node, whose label is empty.
"attack-action--ccc7e534-0ab7-4301-b666-9f86f8985863" -> "tool--a84c8c94-f07d-48b4-862b-4b7fc5901042" [label="related-to"]
}