{"metadata": {"mapping_version": "", "technology_domain": "enterprise", "attack_version": "19.1", "mapping_framework": "veris", "mapping_framework_version": "1.4.1", "author": null, "contact": null, "organization": null, "creation_date": "01/23/2025", "last_update": "06/05/2026", "mapping_types": {"related_to": {"name": "related-to", "description": ""}}, "capability_groups": {"action.hacking": "action.hacking", "action.malware": "action.malware", "attribute.integrity": "attribute.integrity", "attribute.confidentiality": "attribute.confidentiality", "attribute.availability": "attribute.availability", "action.social": "action.social", "value_chain.development": "value_chain.development"}}, "mapping_objects": [{"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036.008", "attack_object_name": "Masquerade File Type", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036.009", "attack_object_name": "Break Process Trees", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036.001", "attack_object_name": "Invalid Code Signature", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", 
"attack_object_id": "T1036.005", "attack_object_name": "Match Legitimate Resource Name or Location", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036.006", "attack_object_name": "Space after Filename", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036.007", "attack_object_name": "Double File Extension", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036.010", "attack_object_name": "Masquerade Account Name", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036", "attack_object_name": "Masquerading", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036.004", "attack_object_name": "Masquerade Task or Service", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", 
"capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036.003", "attack_object_name": "Rename Legitimate Utilities", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1027.015", "attack_object_name": "Compression", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1080", "attack_object_name": "Taint Shared Content", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.OS commanding", "capability_description": "OS commanding. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1059", "attack_object_name": "Command and Scripting Interpreter", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1677", "attack_object_name": "Poisoned Pipeline Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1489", "attack_object_name": "Service Stop", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Exploit vuln", "capability_description": "Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). 
Parent of many hacking varieties.", "mapping_type": "related_to", "attack_object_id": "T1687", "attack_object_name": "Exploitation for Defense Impairment", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1685.003", "attack_object_name": "Modify or Spoof Tool UI", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1685.005", "attack_object_name": "Clear Windows Event Logs", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1684", "attack_object_name": "Social Engineering", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1684.001", "attack_object_name": "Impersonation", "capability_group": "action.social", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1673", "attack_object_name": "Virtual Machine Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1678", 
"attack_object_name": "Delay Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1679", "attack_object_name": "Selective Exclusion", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1027.011", "attack_object_name": "Fileless Storage", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1001", "attack_object_name": "Data Obfuscation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1680", "attack_object_name": "Local Storage Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Prompt injection", "capability_description": "Malicious actions taken against an LLM model", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.014", "attack_object_name": "Extended Attributes", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": 
"T1675", "attack_object_name": "ESXi Administration Command", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1578", "attack_object_name": "Modify Cloud Compute Infrastructure", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.DoS", "capability_description": "Denial of service", "mapping_type": "related_to", "attack_object_id": "T1667", "attack_object_name": "Email Bombing", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1569", "attack_object_name": "System Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1564.013", "attack_object_name": "Bind Mounts", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1564.014", "attack_object_name": "Extended Attributes", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.013", "attack_object_name": "Bind Mounts", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 
'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.012", "attack_object_name": "File/Path Exclusions", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1518.001", "attack_object_name": "Security Software Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1505.001", "attack_object_name": "SQL Stored Procedures", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Physical access", "capability_description": "Physical access or connection (i.e., at keyboard or via cable)", "mapping_type": "related_to", "attack_object_id": "T1200", "attack_object_name": "Hardware Additions", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Adminware", "capability_description": "System or network utilities (e.g., PsTools, Netcat)", "mapping_type": "related_to", "attack_object_id": "T1219", "attack_object_name": "Remote Access Tools", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.vector.Desktop sharing software", "capability_description": "Superset of 'Desktop sharing' and '3rd party desktop'.  
Please use in place of the other two", "mapping_type": "related_to", "attack_object_id": "T1219", "attack_object_name": "Remote Access Tools", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1213", "attack_object_name": "Data from Information Repositories", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1204.004", "attack_object_name": "Malicious Copy and Paste", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1204.001", "attack_object_name": "Malicious Link", "capability_group": "action.malware", "references": []}, {"capability_id": "Action.Malware.Vector.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1176.001", "attack_object_name": "Browser Extensions", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1127.001", "attack_object_name": "MSBuild", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1059.012", "attack_object_name": "Hypervisor CLI", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1059.009", 
"attack_object_name": "Cloud API", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1684.002", "attack_object_name": "Email Spoofing", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036.002", "attack_object_name": "Right-to-Left Override", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.In-memory", "capability_description": "(malware never stored to persistent storage)", "mapping_type": "related_to", "attack_object_id": "T1036.004", "attack_object_name": "Masquerade Task or Service", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1027.018", "attack_object_name": "Invisible Unicode", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036.011", "attack_object_name": "Overwrite Process Arguments", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1027.017", 
"attack_object_name": "SVG Smuggling", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1027", "attack_object_name": "Obfuscated Files or Information", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.Soap array abuse", "capability_description": "Soap array abuse. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.Soap array abuse", "capability_description": "Soap array abuse. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1210", "attack_object_name": "Exploitation of Remote Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.Soap array abuse", "capability_description": "Soap array abuse. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1071.001", "attack_object_name": "Web Protocols", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.Reverse engineering", "capability_description": "Reverse engineering. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "Value_chain.development.variety.Email", "capability_description": "Develop an email such as for phishing.", "mapping_type": "related_to", "attack_object_id": "T1683.001", "attack_object_name": "Written Content", "capability_group": "value_chain.development", "references": []}, {"capability_id": "Attribute.Integrity.Variety.Hardware tampering", "capability_description": "Hardware tampering or physical alteration", "mapping_type": "related_to", "attack_object_id": "T1200", "attack_object_name": "Hardware Additions", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "Attribute.Availability.Variety.Acceleration", "capability_description": "Acceleration", "mapping_type": "related_to", "attack_object_id": "T1498", "attack_object_name": "Network Denial of Service", "capability_group": "attribute.availability", "references": []}, {"capability_id": "Action.Hacking.Variety.Mail command injection", "capability_description": "Mail command injection. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.In-memory", "capability_description": "(malware never stored to persistent storage)", "mapping_type": "related_to", "attack_object_id": "T1036.011", "attack_object_name": "Overwrite Process Arguments", "capability_group": "action.malware", "references": []}, {"capability_id": "Action.Hacking.Variety.CSRF", "capability_description": "Cross-site request forgery. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.Mail command injection", "capability_description": "Mail command injection. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.Path traversal", "capability_description": "Path traversal. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.Reverse engineering", "capability_description": "Reverse engineering. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.RFI", "capability_description": "Remote file inclusion. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.Special element injection", "capability_description": "Special element injection. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.SSI injection", "capability_description": "SSI injection. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.URL redirector abuse", "capability_description": "URL redirector abuse. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.User breakout", "capability_description": "Elevation of privilege by another customer in shared environment. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege Escalation", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.XML attribute blowup", "capability_description": "XML attribute blowup. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1499", "attack_object_name": "Endpoint Denial of Service", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.XML entity expansion", "capability_description": "XML entity expansion. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1499", "attack_object_name": "Endpoint Denial of Service", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.XQuery injection", "capability_description": "XQuery injection. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Variety.XSS", "capability_description": "Cross-site scripting. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Vector.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1669", "attack_object_name": "Wi-Fi Networks", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Malware.Variety.Spam", "capability_description": "Send spam", "mapping_type": "related_to", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "action.malware", "references": []}, {"capability_id": "Action.Malware.Vector.Email autoexecute", "capability_description": "Email via automatic execution. Child of 'Email'", "mapping_type": "related_to", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "action.malware", "references": []}, {"capability_id": "Action.Malware.Vector.Email unknown", "capability_description": "Email but sub-variety (attachment, autoexecute, link, etc) not known. Child of 'Email'", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "action.malware", "references": []}, {"capability_id": "Action.Malware.Vector.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1176.002", "attack_object_name": "IDE Extensions", "capability_group": "action.malware", "references": []}, {"capability_id": "Action.Malware.Vector.Unknown", "capability_description": "Unknown", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "action.malware", "references": []}, {"capability_id": "Action.Social.Variety.Baiting", "capability_description": "Prepare malicious content in a location where a victim is likely to interact with it. (e.g. 
SEO - vect: websites, left usbs- vect: removable media, etc)", "mapping_type": "related_to", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Variety.Bribery", "capability_description": "Bribery or solicitation", "mapping_type": "related_to", "attack_object_id": "T1684", "attack_object_name": "Social Engineering", "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Variety.Elicitation", "capability_description": "Elicitation (subtle extraction of info through conversation)", "mapping_type": "related_to", "attack_object_id": "T1684", "attack_object_name": "Social Engineering", "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Variety.Extortion", "capability_description": "Extortion or blackmail", "mapping_type": "related_to", "attack_object_id": "T1684", "attack_object_name": "Social Engineering", "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Variety.Other", "capability_description": "Other", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Variety.Prompt Bombing", "capability_description": "Bombarding the user with MFA prompts to get them to accept the login request", "mapping_type": "related_to", "attack_object_id": "T1621", "attack_object_name": "Multi-Factor Authentication Request Generation", "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Variety.Propaganda", "capability_description": "Propaganda or disinformation", "mapping_type": "related_to", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Variety.Scam", "capability_description": "Online scam or hoax (e.g., scareware, 
419 scam, auction fraud)", "mapping_type": "related_to", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Variety.Spam", "capability_description": "Spam (unsolicited or undesired email and advertisements)", "mapping_type": "related_to", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1684", "attack_object_name": "Social Engineering", "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Vector.Documents", "capability_description": "Documents", "mapping_type": "related_to", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Vector.IM", "capability_description": "Instant messaging", "mapping_type": "related_to", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Vector.In-person", "capability_description": "In-person", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Vector.Other", "capability_description": "Other", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Vector.Phone", "capability_description": "Phone", "mapping_type": "related_to", "attack_object_id": "T1598.004", "attack_object_name": "Spearphishing Voice", "capability_group": "action.social", "references": []}, {"capability_id": 
"Action.Social.Vector.SMS", "capability_description": "SMS or texting", "mapping_type": "related_to", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Virtual meeting", "capability_description": "Video call or virtual meeting", "mapping_type": "related_to", "attack_object_id": "T1684", "attack_object_name": "Social Engineering", "capability_group": "action.social", "references": []}, {"capability_id": "Attribute.Availability.Variety.Acceleration", "capability_description": "Acceleration", "mapping_type": "related_to", "attack_object_id": "T1499", "attack_object_name": "Endpoint Denial of Service", "capability_group": "attribute.availability", "references": []}, {"capability_id": "Attribute.Availability.Variety.Other", "capability_description": "Other", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "attribute.availability", "references": []}, {"capability_id": "Attribute.Availability.Variety.Unknown", "capability_description": "Unknown", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "attribute.availability", "references": []}, {"capability_id": "Attribute.Integrity.Variety.Fraudulent transaction", "capability_description": "Initiate fraudulent transaction", "mapping_type": "related_to", "attack_object_id": "T1657", "attack_object_name": "Financial Theft", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "Attribute.Integrity.Variety.Hardware tampering", "capability_description": "Hardware tampering or physical alteration", "mapping_type": "related_to", "attack_object_id": "T1195.003", "attack_object_name": "Compromise Hardware Supply Chain", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "Attribute.Integrity.Variety.Other", "capability_description": "Other", "mapping_type": 
"non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "attribute.integrity", "references": []}, {"capability_id": "Value_chain.development.variety.NA", "capability_description": "No type of development was necessary", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "value_chain.development", "references": []}, {"capability_id": "Value_chain.development.variety.Physical", "capability_description": "Development of something physical such as a skimming device", "mapping_type": "related_to", "attack_object_id": "T1200", "attack_object_name": "Hardware Additions", "capability_group": "value_chain.development", "references": []}, {"capability_id": "action.malware.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1587.001", "attack_object_name": "Malware", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1684.002", "attack_object_name": "Email Spoofing", "capability_group": "action.social", "references": []}, {"capability_id": "action.hacking.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1674", "attack_object_name": "Input Injection", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1001.001", "attack_object_name": "Junk Data", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1001.002", "attack_object_name": "Steganography", "capability_group": 
"action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1001.003", "attack_object_name": "Protocol or Service Impersonation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1071", "attack_object_name": "Application Layer Protocol", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1071.001", "attack_object_name": "Web Protocols", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1071.002", "attack_object_name": "File Transfer Protocols", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1071.003", "attack_object_name": "Mail Protocols", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1071.004", "attack_object_name": "DNS", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1105", "attack_object_name": "Ingress Tool Transfer", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1127.001", "attack_object_name": "MSBuild", "capability_group": "action.hacking", 
"references": []}, {"capability_id": "action.malware.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1204.005", "attack_object_name": "Malicious Library", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1204.002", "attack_object_name": "Malicious File", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1204.003", "attack_object_name": "Malicious Image", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1671", "attack_object_name": "Cloud Application Integration", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1027.012", "attack_object_name": "LNK Icon Smuggling", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1027.013", "attack_object_name": "Encrypted/Encoded File", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": 
"related_to", "attack_object_id": "T1059.013", "attack_object_name": "Container CLI/API", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1059.010", "attack_object_name": "AutoHotKey & AutoIT", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1059.011", "attack_object_name": "Lua", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1127.002", "attack_object_name": "ClickOnce", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Backdoor", "capability_description": "Hacking action that creates a backdoor for use.", "mapping_type": "related_to", "attack_object_id": "T1098.006", "attack_object_name": "Additional Container Cluster Roles", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Backdoor", "capability_description": "Hacking action that creates a backdoor for use.", "mapping_type": "related_to", "attack_object_id": "T1098.007", "attack_object_name": "Additional Local or Domain Groups", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1027.016", "attack_object_name": "Junk Code Insertion", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade 
Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1027.001", "attack_object_name": "Binary Padding", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1027.002", "attack_object_name": "Software Packing", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1027.003", "attack_object_name": "Steganography", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1027.004", "attack_object_name": "Compile After Delivery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1027.010", "attack_object_name": "Command Obfuscation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1027.011", "attack_object_name": "Fileless Storage", 
"capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1027.012", "attack_object_name": "LNK Icon Smuggling", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1027.013", "attack_object_name": "Encrypted/Encoded File", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1027.014", "attack_object_name": "Polymorphic Code", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1070.010", "attack_object_name": "Relocate Malware", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1132.002", "attack_object_name": "Non-Standard Encoding", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.OS commanding", "capability_description": "OS commanding. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1059.009", "attack_object_name": "Cloud API", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.OS commanding", "capability_description": "OS commanding. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1059.010", "attack_object_name": "AutoHotKey & AutoIT", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.OS commanding", "capability_description": "OS commanding. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1059.011", "attack_object_name": "Lua", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.OS commanding", "capability_description": "OS commanding. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1127.002", "attack_object_name": "ClickOnce", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1021.007", "attack_object_name": "Cloud Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1021.008", "attack_object_name": "Direct Cloud VM Connections", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1134.003", "attack_object_name": "Make and 
Impersonate Token", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1021.008", "attack_object_name": "Direct Cloud VM Connections", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1027.010", "attack_object_name": "Command Obfuscation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1059.009", "attack_object_name": "Cloud API", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1059.010", "attack_object_name": "AutoHotKey & AutoIT", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1059.011", "attack_object_name": "Lua", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. 
Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1071.005", "attack_object_name": "Publish/Subscribe Protocols", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1016.002", "attack_object_name": "Wi-Fi Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036.009", "attack_object_name": "Break Process Trees", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1071.005", "attack_object_name": "Publish/Subscribe Protocols", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1016.002", "attack_object_name": "Wi-Fi Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Spyware/Keylogger", "capability_description": "Spyware, keylogger or form-grabber (capture user input or activity)", "mapping_type": "related_to", "attack_object_id": "T1111", "attack_object_name": "Multi-Factor Authentication Interception", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid 
detection.", "mapping_type": "related_to", "attack_object_id": "T1036.008", "attack_object_name": "Masquerade File Type", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036.010", "attack_object_name": "Masquerade Account Name", "capability_group": "action.social", "references": []}, {"capability_id": "attribute.integrity.variety.Modify privileges", "capability_description": "Modified privileges or permissions", "mapping_type": "related_to", "attack_object_id": "T1098.006", "attack_object_name": "Additional Container Cluster Roles", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify privileges", "capability_description": "Modified privileges or permissions", "mapping_type": "related_to", "attack_object_id": "T1098.007", "attack_object_name": "Additional Local or Domain Groups", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1047", "attack_object_name": "Windows Management Instrumentation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1053", "attack_object_name": "Scheduled Task/Job", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1053.002", "attack_object_name": "At", "capability_group": "action.hacking", 
"references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1053.003", "attack_object_name": "Cron", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1053.005", "attack_object_name": "Scheduled Task", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1053.006", "attack_object_name": "Systemd Timers", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1053.007", "attack_object_name": "Container Orchestration Job", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1059", "attack_object_name": "Command and Scripting Interpreter", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1059.001", "attack_object_name": "PowerShell", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1059.002", "attack_object_name": "AppleScript", "capability_group": "action.hacking", "references": []}, 
{"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1059.003", "attack_object_name": "Windows Command Shell", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1059.004", "attack_object_name": "Unix Shell", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1059.005", "attack_object_name": "Visual Basic", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1059.006", "attack_object_name": "Python", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1059.007", "attack_object_name": "JavaScript", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1059.008", "attack_object_name": "Network Device CLI", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1072", "attack_object_name": "Software Deployment Tools", "capability_group": "action.hacking", "references": []}, {"capability_id": 
"action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1105", "attack_object_name": "Ingress Tool Transfer", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1106", "attack_object_name": "Native API", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1112", "attack_object_name": "Modify Registry", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1127", "attack_object_name": "Trusted Developer Utilities Proxy Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1127.003", "attack_object_name": "JamPlus", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1129", "attack_object_name": "Shared Modules", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1137", "attack_object_name": "Office Application Startup", "capability_group": "action.hacking", "references": []}, {"capability_id": 
"action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1137.001", "attack_object_name": "Office Template Macros", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1137.002", "attack_object_name": "Office Test", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1137.003", "attack_object_name": "Outlook Forms", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1137.004", "attack_object_name": "Outlook Home Page", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1137.005", "attack_object_name": "Outlook Rules", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1187", "attack_object_name": "Forced Authentication", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1202", "attack_object_name": "Indirect Command Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": 
"action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1216", "attack_object_name": "System Script Proxy Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1216.001", "attack_object_name": "PubPrn", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1216.002", "attack_object_name": "SyncAppvPublishingServer", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1218", "attack_object_name": "System Binary Proxy Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1218.001", "attack_object_name": "Compiled HTML File", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1218.002", "attack_object_name": "Control Panel", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1218.003", "attack_object_name": "CMSTP", "capability_group": "action.hacking", "references": []}, {"capability_id": 
"action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1218.004", "attack_object_name": "InstallUtil", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1218.005", "attack_object_name": "Mshta", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1218.007", "attack_object_name": "Msiexec", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1218.008", "attack_object_name": "Odbcconf", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1218.009", "attack_object_name": "Regsvcs/Regasm", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1218.010", "attack_object_name": "Regsvr32", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.AiTM", "capability_description": "Adversary-in-the-middle attack. 
Child of 'Exploit vuln'", "mapping_type": "related_to", "attack_object_id": "T1111", "attack_object_name": "Multi-Factor Authentication Interception", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.AiTM", "capability_description": "Adversary-in-the-middle attack. Child of 'Exploit vuln'", "mapping_type": "related_to", "attack_object_id": "T1185", "attack_object_name": "Browser Session Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.AiTM", "capability_description": "Adversary-in-the-middle attack. Child of 'Exploit vuln'", "mapping_type": "related_to", "attack_object_id": "T1187", "attack_object_name": "Forced Authentication", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Backdoor", "capability_description": "Hacking action that creates a backdoor for use.", "mapping_type": "related_to", "attack_object_id": "T1037", "attack_object_name": "Boot or Logon Initialization Scripts", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Backdoor", "capability_description": "Hacking action that creates a backdoor for use.", "mapping_type": "related_to", "attack_object_id": "T1053", "attack_object_name": "Scheduled Task/Job", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Backdoor", "capability_description": "Hacking action that creates a backdoor for use.", "mapping_type": "related_to", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Backdoor", "capability_description": "Hacking action that creates a backdoor for use.", "mapping_type": "related_to", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "action.hacking", "references": []}, {"capability_id": 
"action.hacking.variety.Backdoor", "capability_description": "Hacking action that creates a backdoor for use.", "mapping_type": "related_to", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Backdoor", "capability_description": "Hacking action that creates a backdoor for use.", "mapping_type": "related_to", "attack_object_id": "T1563.002", "attack_object_name": "RDP Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Brute force", "capability_description": "Brute force or password guessing attacks.", "mapping_type": "related_to", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Brute force", "capability_description": "Brute force or password guessing attacks.", "mapping_type": "related_to", "attack_object_id": "T1222.002", "attack_object_name": "Linux and Mac Permissions", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Brute force", "capability_description": "Brute force or password guessing attacks.", "mapping_type": "related_to", "attack_object_id": "T1565.001", "attack_object_name": "Stored Data Manipulation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Brute force", "capability_description": "Brute force or password guessing attacks.", "mapping_type": "related_to", "attack_object_id": "T1021.003", "attack_object_name": "Distributed Component Object Model", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Buffer overflow", "capability_description": "Buffer overflow. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1001", "attack_object_name": "Data Obfuscation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1102.001", "attack_object_name": "Dead Drop Resolver", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1602.001", "attack_object_name": "SNMP (MIB Dump)", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1584.002", "attack_object_name": "DNS Server", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1008", "attack_object_name": "Fallback Channels", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", 
"capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036.012", "attack_object_name": "Browser Fingerprint", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1071", "attack_object_name": "Application Layer Protocol", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1090", "attack_object_name": "Proxy", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1102", "attack_object_name": "Web Service", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1104", "attack_object_name": "Multi-Stage Channels", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1132", "attack_object_name": "Data Encoding", "capability_group": "action.hacking", 
"references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1583.007", "attack_object_name": "Serverless", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1205", "attack_object_name": "Traffic Signaling", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1021.007", "attack_object_name": "Cloud Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1053.005", "attack_object_name": "Scheduled Task", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1211", "attack_object_name": "Exploitation for Stealth", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Exploit misconfig", "capability_description": "Exploit a misconfiguration (vs vuln or weakness)", "mapping_type": "related_to", "attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege 
Escalation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Exploit misconfig", "capability_description": "Exploit a misconfiguration (vs vuln or weakness)", "mapping_type": "related_to", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Exploit misconfig", "capability_description": "Exploit a misconfiguration (vs vuln or weakness)", "mapping_type": "related_to", "attack_object_id": "T1212", "attack_object_name": "Exploitation for Credential Access", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Exploit vuln", "capability_description": "Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties.", "mapping_type": "related_to", "attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege Escalation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Exploit vuln", "capability_description": "Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties.", "mapping_type": "related_to", "attack_object_id": "T1212", "attack_object_name": "Exploitation for Credential Access", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Format string attack", "capability_description": "Format string attack. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege Escalation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Fuzz testing", "capability_description": "Fuzz testing. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege Escalation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Hijack", "capability_description": "To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)", "mapping_type": "related_to", "attack_object_id": "T1185", "attack_object_name": "Browser Session Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.HTTP request smuggling", "capability_description": "HTTP request smuggling. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1185", "attack_object_name": "Browser Session Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.HTTP request smuggling", "capability_description": "HTTP request smuggling. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.HTTP request splitting", "capability_description": "HTTP request splitting. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1185", "attack_object_name": "Browser Session Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.HTTP request splitting", "capability_description": "HTTP request splitting. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.HTTP response smuggling", "capability_description": "HTTP response smuggling. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1185", "attack_object_name": "Browser Session Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.HTTP response smuggling", "capability_description": "HTTP response smuggling. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.HTTP response splitting", "capability_description": "HTTP response splitting. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1185", "attack_object_name": "Browser Session Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.HTTP response splitting", "capability_description": "HTTP response splitting. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Insecure deserialization", "capability_description": "iterating over sequential or obvious values. https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege Escalation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Integer overflows", "capability_description": "Integer overflows. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege Escalation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.LDAP injection", "capability_description": "LDAP injection. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege Escalation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Null byte injection", "capability_description": "Null byte injection. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1027", "attack_object_name": "Obfuscated Files or Information", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Offline cracking", "capability_description": "Offline password or key cracking (e.g., rainbow tables, Hashcat, JtR)", "mapping_type": "related_to", "attack_object_id": "T1565.001", "attack_object_name": "Stored Data Manipulation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.OS commanding", "capability_description": "OS commanding. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1690", "attack_object_name": "Prevent Command History Logging", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.OS commanding", "capability_description": "OS commanding. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1505.005", "attack_object_name": "Terminal Services DLL", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.OS commanding", "capability_description": "OS commanding. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1569", "attack_object_name": "System Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.OS commanding", "capability_description": "OS commanding. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1007", "attack_object_name": "System Service Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1012", "attack_object_name": "Query Registry", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1033", "attack_object_name": "System Owner/User Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1057", "attack_object_name": "Process Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", 
"capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1069", "attack_object_name": "Permission Groups Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1136.003", "attack_object_name": "Cloud Account", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1082", "attack_object_name": "System Information Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1083", "attack_object_name": "File and Directory Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1087", "attack_object_name": "Account Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1573.001", "attack_object_name": "Symmetric Cryptography", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1119", "attack_object_name": "Automated Collection", "capability_group": "action.hacking", "references": []}, 
{"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1120", "attack_object_name": "Peripheral Device Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1124", "attack_object_name": "System Time Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1201", "attack_object_name": "Password Policy Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1018", "attack_object_name": "Remote System Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1007", "attack_object_name": "System Service Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1046", "attack_object_name": "Network Service Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1049", "attack_object_name": "System Network Connections Discovery", 
"capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1119", "attack_object_name": "Automated Collection", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1135", "attack_object_name": "Network Share Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Session fixation", "capability_description": "Session fixation. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1185", "attack_object_name": "Browser Session Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Session fixation", "capability_description": "Session fixation. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1212", "attack_object_name": "Exploitation for Credential Access", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.SQLi", "capability_description": "SQL injection. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1190", "attack_object_name": "Exploit Public-Facing Application", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1134", "attack_object_name": "Access Token Manipulation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1127", "attack_object_name": "Trusted Developer Utilities Proxy Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1021", "attack_object_name": "Remote Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1027.007", "attack_object_name": "Dynamic API Resolution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1029", "attack_object_name": "Scheduled Transfer", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1547.004", 
"attack_object_name": "Winlogon Helper DLL", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1598.003", "attack_object_name": "Spearphishing Link", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1560.001", "attack_object_name": "Archive via Utility", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1583.004", "attack_object_name": "Server", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1011.001", "attack_object_name": "Exfiltration Over Bluetooth", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": 
"related_to", "attack_object_id": "T1550.004", "attack_object_name": "Web Session Cookie", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1601.002", "attack_object_name": "Downgrade System Image", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1569.002", "attack_object_name": "Service Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1134", "attack_object_name": "Access Token Manipulation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1654", "attack_object_name": "Log Enumeration", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials 
(including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1548", "attack_object_name": "Abuse Elevation Control Mechanism", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1041", "attack_object_name": "Exfiltration Over C2 Channel", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1187", "attack_object_name": "Forced Authentication", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.XML external entities", "capability_description": "XML external entities. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1558.002", "attack_object_name": "Silver Ticket", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.XPath injection", "capability_description": "XPath injection. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1010", "attack_object_name": "Application Window Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.3rd party desktop", "capability_description": "3rd party online desktop sharing (LogMeIn, Go2Assist)", "mapping_type": "related_to", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Backdoor", "capability_description": "Hacking actions taken through a backdoor.  
C2 is only used by malware.", "mapping_type": "related_to", "attack_object_id": "T1037", "attack_object_name": "Boot or Logon Initialization Scripts", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Backdoor", "capability_description": "Hacking actions taken through a backdoor.  C2 is only used by malware.", "mapping_type": "related_to", "attack_object_id": "T1053", "attack_object_name": "Scheduled Task/Job", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Backdoor", "capability_description": "Hacking actions taken through a backdoor.  C2 is only used by malware.", "mapping_type": "related_to", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Backdoor", "capability_description": "Hacking actions taken through a backdoor.  C2 is only used by malware.", "mapping_type": "related_to", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Backdoor", "capability_description": "Hacking actions taken through a backdoor.  C2 is only used by malware.", "mapping_type": "related_to", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Backdoor", "capability_description": "Hacking actions taken through a backdoor.  
C2 is only used by malware.", "mapping_type": "related_to", "attack_object_id": "T1563.002", "attack_object_name": "RDP Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1029", "attack_object_name": "Scheduled Transfer", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1547.004", "attack_object_name": "Winlogon Helper DLL", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1598.003", "attack_object_name": "Spearphishing Link", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1583.004", "attack_object_name": "Server", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1047", "attack_object_name": "Windows Management Instrumentation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1059", "attack_object_name": "Command and Scripting Interpreter", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1552.008", "attack_object_name": "Chat Messages", "capability_group": 
"action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1505.005", "attack_object_name": "Terminal Services DLL", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1569", "attack_object_name": "System Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1071.001", "attack_object_name": "Web Protocols", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1127.002", "attack_object_name": "ClickOnce", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1546.013", "attack_object_name": "PowerShell Profile", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Command shell", "capability_description": "Remote shell", "mapping_type": "related_to", "attack_object_id": "T1584.005", "attack_object_name": "Botnet", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Desktop sharing software", "capability_description": "Superset of 'Desktop sharing' and '3rd party desktop'.  
Please use in place of the other two", "mapping_type": "related_to", "attack_object_id": "T1027.007", "attack_object_name": "Dynamic API Resolution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Desktop sharing software", "capability_description": "Superset of 'Desktop sharing' and '3rd party desktop'.  Please use in place of the other two", "mapping_type": "related_to", "attack_object_id": "T1560.001", "attack_object_name": "Archive via Utility", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Desktop sharing software", "capability_description": "Superset of 'Desktop sharing' and '3rd party desktop'.  Please use in place of the other two", "mapping_type": "related_to", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Other network service", "capability_description": "Network service that is not remote access or a web application.", "mapping_type": "related_to", "attack_object_id": "T1008", "attack_object_name": "Fallback Channels", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Other network service", "capability_description": "Network service that is not remote access or a web application.", "mapping_type": "related_to", "attack_object_id": "T1071", "attack_object_name": "Application Layer Protocol", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Other network service", "capability_description": "Network service that is not remote access or a web application.", "mapping_type": "related_to", "attack_object_id": "T1090", "attack_object_name": "Proxy", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Other network service", "capability_description": "Network service that is not remote access 
or a web application.", "mapping_type": "related_to", "attack_object_id": "T1095", "attack_object_name": "Non-Application Layer Protocol", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Other network service", "capability_description": "Network service that is not remote access or a web application.", "mapping_type": "related_to", "attack_object_id": "T1102", "attack_object_name": "Web Service", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Other network service", "capability_description": "Network service that is not remote access or a web application.", "mapping_type": "related_to", "attack_object_id": "T1104", "attack_object_name": "Multi-Stage Channels", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Other network service", "capability_description": "Network service that is not remote access or a web application.", "mapping_type": "related_to", "attack_object_id": "T1105", "attack_object_name": "Ingress Tool Transfer", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Partner", "capability_description": "Partner connection or credential. (Indicates supply chain breach.)", "mapping_type": "related_to", "attack_object_id": "T1195", "attack_object_name": "Supply Chain Compromise", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Partner", "capability_description": "Partner connection or credential. (Indicates supply chain breach.)", "mapping_type": "related_to", "attack_object_id": "T1499.003", "attack_object_name": "Application Exhaustion Flood", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Partner", "capability_description": "Partner connection or credential. 
(Indicates supply chain breach.)", "mapping_type": "related_to", "attack_object_id": "T1589.001", "attack_object_name": "Credentials", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Partner", "capability_description": "Partner connection or credential. (Indicates supply chain breach.)", "mapping_type": "related_to", "attack_object_id": "T1499.002", "attack_object_name": "Service Exhaustion Flood", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Partner", "capability_description": "Partner connection or credential. (Indicates supply chain breach.)", "mapping_type": "related_to", "attack_object_id": "T1199", "attack_object_name": "Trusted Relationship", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Physical access", "capability_description": "Physical access or connection (i.e., at keyboard or via cable)", "mapping_type": "related_to", "attack_object_id": "T1219.003", "attack_object_name": "Remote Access Hardware", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.VPN", "capability_description": "VPN", "mapping_type": "related_to", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Web application", "capability_description": "Web application", "mapping_type": "related_to", "attack_object_id": "T1090.002", "attack_object_name": "External Proxy", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Adminware", "capability_description": "System or network utilities (e.g., PsTools, Netcat)", "mapping_type": "related_to", "attack_object_id": "T1072", "attack_object_name": "Software Deployment Tools", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Adware", 
"capability_description": "Adware", "mapping_type": "related_to", "attack_object_id": "T1199", "attack_object_name": "Trusted Relationship", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor", "capability_description": "Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1037", "attack_object_name": "Boot or Logon Initialization Scripts", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor", "capability_description": "Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor", "capability_description": "Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1008", "attack_object_name": "Fallback Channels", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. 
Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Brute force", "capability_description": "Brute force attack", "mapping_type": "related_to", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Brute force", "capability_description": "Brute force attack", "mapping_type": "related_to", "attack_object_id": "T1222.002", "attack_object_name": "Linux and Mac Permissions", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Brute force", "capability_description": "Brute force attack", "mapping_type": "related_to", "attack_object_id": "T1565.001", "attack_object_name": "Stored Data Manipulation", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Brute force", "capability_description": "Brute force attack", "mapping_type": "related_to", "attack_object_id": "T1021.003", "attack_object_name": "Distributed Component Object Model", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1102.001", "attack_object_name": "Dead Drop Resolver", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. 
Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1008", "attack_object_name": "Fallback Channels", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1071", "attack_object_name": "Application Layer Protocol", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1584.007", "attack_object_name": "Serverless", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1055.014", "attack_object_name": "VDSO Hijacking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1021", "attack_object_name": "Remote Services", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1561", "attack_object_name": "Disk Wipe", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. 
Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1090", "attack_object_name": "Proxy", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1566.003", "attack_object_name": "Spearphishing via Service", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1070.005", "attack_object_name": "Network Share Connection Removal", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1578.005", "attack_object_name": "Modify Cloud Compute Configurations", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1095", "attack_object_name": "Non-Application Layer Protocol", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1102", "attack_object_name": "Web Service", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. 
Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1216", "attack_object_name": "System Script Proxy Execution", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1036.003", "attack_object_name": "Rename Legitimate Utilities", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1546.014", "attack_object_name": "Emond", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1104", "attack_object_name": "Multi-Stage Channels", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1132", "attack_object_name": "Data Encoding", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1583.007", "attack_object_name": "Serverless", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. 
Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1485", "attack_object_name": "Data Destruction", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1056", "attack_object_name": "Input Capture", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1596.003", "attack_object_name": "Digital Certificates", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1547.006", "attack_object_name": "Kernel Modules and Extensions", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1090.002", "attack_object_name": "External Proxy", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1546.017", "attack_object_name": "Udev Rules", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1113", "attack_object_name": "Screen Capture", "capability_group": "action.malware", "references": []}, 
{"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1114", "attack_object_name": "Email Collection", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1556.006", "attack_object_name": "Multi-Factor Authentication", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1546.009", "attack_object_name": "AppCert DLLs", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1123", "attack_object_name": "Audio Capture", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1125", "attack_object_name": "Video Capture", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1176", 
"attack_object_name": "Software Extensions", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1185", "attack_object_name": "Browser Session Hijacking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1114", "attack_object_name": "Email Collection", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1587", "attack_object_name": "Develop Capabilities", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1558.003", "attack_object_name": "Kerberoasting", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1565.002", "attack_object_name": "Transmitted Data Manipulation", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1005", "attack_object_name": "Data from Local System", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", 
"mapping_type": "related_to", "attack_object_id": "T1010", "attack_object_name": "Application Window Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1025", "attack_object_name": "Data from Removable Media", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1033", "attack_object_name": "System Owner/User Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1039", "attack_object_name": "Data from Network Shared Drive", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1083", "attack_object_name": "File and Directory Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1119", "attack_object_name": "Automated Collection", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Client-side attack", "capability_description": "Client-side or browser attack (e.g., redirection, XSS, AitB)", "mapping_type": "related_to", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "action.malware", "references": []}, {"capability_id": 
"action.malware.variety.Destroy data", "capability_description": "Destroy or corrupt stored data", "mapping_type": "related_to", "attack_object_id": "T1542.002", "attack_object_name": "Component Firmware", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Destroy data", "capability_description": "Destroy or corrupt stored data", "mapping_type": "related_to", "attack_object_id": "T1092", "attack_object_name": "Communication Through Removable Media", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Destroy data", "capability_description": "Destroy or corrupt stored data", "mapping_type": "related_to", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Destroy data", "capability_description": "Destroy or corrupt stored data", "mapping_type": "related_to", "attack_object_id": "T1600.001", "attack_object_name": "Reduce Key Space", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Destroy data", "capability_description": "Destroy or corrupt stored data", "mapping_type": "related_to", "attack_object_id": "T1027.010", "attack_object_name": "Command Obfuscation", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Destroy data", "capability_description": "Destroy or corrupt stored data", "mapping_type": "related_to", "attack_object_id": "T1496.001", "attack_object_name": "Compute Hijacking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Destroy data", "capability_description": "Destroy or corrupt stored data", "mapping_type": "related_to", "attack_object_id": "T1218", "attack_object_name": "System Binary Proxy Execution", "capability_group": "action.malware", "references": []}, {"capability_id": 
"action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1006", "attack_object_name": "Direct Volume Access", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1027", "attack_object_name": "Obfuscated Files or Information", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1563", "attack_object_name": "Remote Service Session Hijacking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1111", "attack_object_name": "Multi-Factor Authentication Interception", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1095", "attack_object_name": "Non-Application Layer Protocol", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1499", "attack_object_name": "Endpoint Denial of Service", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", 
"attack_object_id": "T1059.011", "attack_object_name": "Lua", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1036", "attack_object_name": "Masquerading", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1505.004", "attack_object_name": "IIS Components", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1195.002", "attack_object_name": "Compromise Software Supply Chain", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1568", "attack_object_name": "Dynamic Resolution", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1074.001", "attack_object_name": "Local Data Staging", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1622", "attack_object_name": "Debugger Evasion", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Downloader", "capability_description": "Downloader (pull 
updates or other malware)", "mapping_type": "related_to", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Downloader", "capability_description": "Downloader (pull updates or other malware)", "mapping_type": "related_to", "attack_object_id": "T1001.002", "attack_object_name": "Steganography", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Downloader", "capability_description": "Downloader (pull updates or other malware)", "mapping_type": "related_to", "attack_object_id": "T1559.002", "attack_object_name": "Dynamic Data Exchange", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Downloader", "capability_description": "Downloader (pull updates or other malware)", "mapping_type": "related_to", "attack_object_id": "T1027.005", "attack_object_name": "Indicator Removal from Tools", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1014", "attack_object_name": "Rootkit", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036", "attack_object_name": "Masquerading", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Exploit misconfig", "capability_description": "Exploit a misconfiguration (vs vuln or weakness)", "mapping_type": "related_to", "attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege 
Escalation", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1558.003", "attack_object_name": "Kerberoasting", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1011", "attack_object_name": "Exfiltration Over Other Network Medium", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1021.006", "attack_object_name": "Windows Remote Management", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1020", "attack_object_name": "Automated Exfiltration", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1055.004", "attack_object_name": "Asynchronous Procedure Call", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1029", "attack_object_name": "Scheduled Transfer", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1030", 
"attack_object_name": "Data Transfer Size Limits", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1072", "attack_object_name": "Software Deployment Tools", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1048", "attack_object_name": "Exfiltration Over Alternative Protocol", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1070", "attack_object_name": "Indicator Removal", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1552.006", "attack_object_name": "Group Policy Preferences", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1213.005", "attack_object_name": "Messaging Applications", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1052", "attack_object_name": "Exfiltration Over Physical Medium", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", 
"mapping_type": "related_to", "attack_object_id": "T1074", "attack_object_name": "Data Staged", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1218.013", "attack_object_name": "Mavinject", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1574.014", "attack_object_name": "AppDomainManager", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1197", "attack_object_name": "BITS Jobs", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.In-memory", "capability_description": "(malware never stored to persistent storage)", "mapping_type": "related_to", "attack_object_id": "T1115", "attack_object_name": "Clipboard Data", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.In-memory", "capability_description": "(malware never stored to persistent storage)", "mapping_type": "related_to", "attack_object_id": "T1055", "attack_object_name": "Process Injection", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.In-memory", "capability_description": "(malware never stored to persistent storage)", "mapping_type": "related_to", "attack_object_id": "T1053.002", "attack_object_name": "At", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.In-memory", "capability_description": "(malware never stored to persistent storage)", "mapping_type": "related_to", 
"attack_object_id": "T1612", "attack_object_name": "Build Image on Host", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.In-memory", "capability_description": "(malware never stored to persistent storage)", "mapping_type": "related_to", "attack_object_id": "T1560.002", "attack_object_name": "Archive via Library", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.In-memory", "capability_description": "(malware never stored to persistent storage)", "mapping_type": "related_to", "attack_object_id": "T1538", "attack_object_name": "Cloud Service Dashboard", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.In-memory", "capability_description": "(malware never stored to persistent storage)", "mapping_type": "related_to", "attack_object_id": "T1548.006", "attack_object_name": "TCC Manipulation", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.In-memory", "capability_description": "(malware never stored to persistent storage)", "mapping_type": "related_to", "attack_object_id": "T1059.003", "attack_object_name": "Windows Command Shell", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.In-memory", "capability_description": "(malware never stored to persistent storage)", "mapping_type": "related_to", "attack_object_id": "T1585.001", "attack_object_name": "Social Media Accounts", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.In-memory", "capability_description": "(malware never stored to persistent storage)", "mapping_type": "related_to", "attack_object_id": "T1125", "attack_object_name": "Video Capture", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.In-memory", "capability_description": "(malware never stored to persistent 
storage)", "mapping_type": "related_to", "attack_object_id": "T1546.001", "attack_object_name": "Change Default File Association", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Modify data", "capability_description": "Malware which compromises a legitimate file rather than creating new files", "mapping_type": "related_to", "attack_object_id": "T1563.002", "attack_object_name": "RDP Hijacking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Packet sniffer", "capability_description": "Packet sniffer (capture data from network)", "mapping_type": "related_to", "attack_object_id": "T1007", "attack_object_name": "System Service Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1003", "attack_object_name": "OS Credential Dumping", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1222", "attack_object_name": "File and Directory Permissions Modification", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1114", "attack_object_name": "Email Collection", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1587", "attack_object_name": "Develop Capabilities", "capability_group": "action.malware", "references": 
[]}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1547", "attack_object_name": "Boot or Logon Autostart Execution", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1598.004", "attack_object_name": "Spearphishing Voice", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1558.003", "attack_object_name": "Kerberoasting", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1115", "attack_object_name": "Clipboard Data", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1565.002", "attack_object_name": "Transmitted Data Manipulation", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1546.017", "attack_object_name": "Udev Rules", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1007", "attack_object_name": 
"System Service Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1012", "attack_object_name": "Query Registry", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1033", "attack_object_name": "System Owner/User Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1082", "attack_object_name": "System Information Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1083", "attack_object_name": "File and Directory Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.RAM scraper", "capability_description": "RAM scraper or memory parser (capture data from volatile memory)", "mapping_type": "related_to", "attack_object_id": "T1222", "attack_object_name": "File and Directory Permissions Modification", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.RAM scraper", "capability_description": "RAM scraper or memory parser (capture data from volatile memory)", "mapping_type": "related_to", "attack_object_id": "T1114", "attack_object_name": "Email Collection", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.RAM scraper", "capability_description": "RAM scraper 
or memory parser (capture data from volatile memory)", "mapping_type": "related_to", "attack_object_id": "T1547", "attack_object_name": "Boot or Logon Autostart Execution", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.RAM scraper", "capability_description": "RAM scraper or memory parser (capture data from volatile memory)", "mapping_type": "related_to", "attack_object_id": "T1598.004", "attack_object_name": "Spearphishing Voice", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Rootkit", "capability_description": "Rootkit (maintain local privileges and stealth)", "mapping_type": "related_to", "attack_object_id": "T1014", "attack_object_name": "Rootkit", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Rootkit", "capability_description": "Rootkit (maintain local privileges and stealth)", "mapping_type": "related_to", "attack_object_id": "T1195.002", "attack_object_name": "Compromise Software Supply Chain", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1016", "attack_object_name": "System Network Configuration Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1496.003", "attack_object_name": "SMS Pumping", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1018", "attack_object_name": "Remote System Discovery", "capability_group": "action.malware", "references": 
[]}, {"capability_id": "action.malware.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1007", "attack_object_name": "System Service Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1046", "attack_object_name": "Network Service Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1049", "attack_object_name": "System Network Connections Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1135", "attack_object_name": "Network Share Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Spyware/Keylogger", "capability_description": "Spyware, keylogger or form-grabber (capture user input or activity)", "mapping_type": "related_to", "attack_object_id": "T1546.017", "attack_object_name": "Udev Rules", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Trojan", "capability_description": "An application which appears legitimate but hides malicious functionality. 
Child of 'RAT' when combined with 'Backdoor'", "mapping_type": "related_to", "attack_object_id": "T1027.005", "attack_object_name": "Indicator Removal from Tools", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1140", "attack_object_name": "Deobfuscate/Decode Files or Information", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Worm", "capability_description": "Worm (propagate to other systems or devices)", "mapping_type": "related_to", "attack_object_id": "T1080", "attack_object_name": "Taint Shared Content", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Worm", "capability_description": "Worm (propagate to other systems or devices)", "mapping_type": "related_to", "attack_object_id": "T1091", "attack_object_name": "Replication Through Removable Media", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Direct install", "capability_description": "Directly installed or inserted by threat agent (after system access)", "mapping_type": "related_to", "attack_object_id": "T1047", "attack_object_name": "Windows Management Instrumentation", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Email attachment", "capability_description": "Email via user-executed attachment. Child of 'Email'", "mapping_type": "related_to", "attack_object_id": "T1036", "attack_object_name": "Masquerading", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Email attachment", "capability_description": "Email via user-executed attachment. 
Child of 'Email'", "mapping_type": "related_to", "attack_object_id": "T1071.001", "attack_object_name": "Web Protocols", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Email attachment", "capability_description": "Email via user-executed attachment. Child of 'Email'", "mapping_type": "related_to", "attack_object_id": "T1546.013", "attack_object_name": "PowerShell Profile", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Email attachment", "capability_description": "Email via user-executed attachment. Child of 'Email'", "mapping_type": "related_to", "attack_object_id": "T1203", "attack_object_name": "Exploitation for Client Execution", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Email attachment", "capability_description": "Email via user-executed attachment. Child of 'Email'", "mapping_type": "related_to", "attack_object_id": "T1559.002", "attack_object_name": "Dynamic Data Exchange", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Email link", "capability_description": "Email via embedded link. Child of 'Email'", "mapping_type": "related_to", "attack_object_id": "T1598.004", "attack_object_name": "Spearphishing Voice", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Email link", "capability_description": "Email via embedded link. 
Child of 'Email'", "mapping_type": "related_to", "attack_object_id": "T1001.002", "attack_object_name": "Steganography", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Network propagation", "capability_description": "Network propagation", "mapping_type": "related_to", "attack_object_id": "T1021", "attack_object_name": "Remote Services", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Partner", "capability_description": "Partner connection or credential. (Indicates supply chain breach.)", "mapping_type": "related_to", "attack_object_id": "T1195", "attack_object_name": "Supply Chain Compromise", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Partner", "capability_description": "Partner connection or credential. (Indicates supply chain breach.)", "mapping_type": "related_to", "attack_object_id": "T1199", "attack_object_name": "Trusted Relationship", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Remote injection", "capability_description": "Remotely injected by agent (i.e. 
via SQLi)", "mapping_type": "related_to", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Removable media", "capability_description": "Removable storage media or devices", "mapping_type": "related_to", "attack_object_id": "T1091", "attack_object_name": "Replication Through Removable Media", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Removable media", "capability_description": "Removable storage media or devices", "mapping_type": "related_to", "attack_object_id": "T1092", "attack_object_name": "Communication Through Removable Media", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Software update", "capability_description": "Included in automated software update", "mapping_type": "related_to", "attack_object_id": "T1072", "attack_object_name": "Software Deployment Tools", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Software update", "capability_description": "Included in automated software update", "mapping_type": "related_to", "attack_object_id": "T1195", "attack_object_name": "Supply Chain Compromise", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Web application", "capability_description": "Web application. Parent of 'Web application - download' and 'Web application - drive-by'.", "mapping_type": "related_to", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Web application - drive-by", "capability_description": "Web via auto-executed or \"drive-by\" infection. 
Child of 'Web application'.", "mapping_type": "related_to", "attack_object_id": "T1176", "attack_object_name": "Software Extensions", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Web application - drive-by", "capability_description": "Web via auto-executed or \"drive-by\" infection. Child of 'Web application'.", "mapping_type": "related_to", "attack_object_id": "T1189", "attack_object_name": "Drive-by Compromise", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1036", "attack_object_name": "Masquerading", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Forgery", "capability_description": "Forgery or counterfeiting (fake hardware, software, documents, etc)", "mapping_type": "related_to", "attack_object_id": "T1686.001", "attack_object_name": "Cloud Firewall", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1686.001", "attack_object_name": "Cloud Firewall", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. 
A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1001.002", "attack_object_name": "Steganography", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1559.002", "attack_object_name": "Dynamic Data Exchange", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1027.005", "attack_object_name": "Indicator Removal from Tools", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Pretexting", "capability_description": "Pretexting (dialogue leveraging invented scenario).  Unlike 'Phishing', does not transfer data. 
(A fraudulent transfer or changing a bank account on a business account is not really disclosing data.)", "mapping_type": "related_to", "attack_object_id": "T1027.005", "attack_object_name": "Indicator Removal from Tools", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Email", "capability_description": "Email", "mapping_type": "related_to", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Email", "capability_description": "Email", "mapping_type": "related_to", "attack_object_id": "T1001.002", "attack_object_name": "Steganography", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Email", "capability_description": "Email", "mapping_type": "related_to", "attack_object_id": "T1559.002", "attack_object_name": "Dynamic Data Exchange", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Email", "capability_description": "Email", "mapping_type": "related_to", "attack_object_id": "T1027.005", "attack_object_name": "Indicator Removal from Tools", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Partner", "capability_description": "Partner connection or credential. (Indicates supply chain breach.)", "mapping_type": "related_to", "attack_object_id": "T1499.002", "attack_object_name": "Service Exhaustion Flood", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Partner", "capability_description": "Partner connection or credential. 
(Indicates supply chain breach.)", "mapping_type": "related_to", "attack_object_id": "T1199", "attack_object_name": "Trusted Relationship", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Removable media", "capability_description": "Removable storage media", "mapping_type": "related_to", "attack_object_id": "T1091", "attack_object_name": "Replication Through Removable Media", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Social media", "capability_description": "Social media or networking", "mapping_type": "related_to", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Social media", "capability_description": "Social media or networking", "mapping_type": "related_to", "attack_object_id": "T1001.002", "attack_object_name": "Steganography", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Social media", "capability_description": "Social media or networking", "mapping_type": "related_to", "attack_object_id": "T1559.002", "attack_object_name": "Dynamic Data Exchange", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Social media", "capability_description": "Social media or networking", "mapping_type": "related_to", "attack_object_id": "T1027.005", "attack_object_name": "Indicator Removal from Tools", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Software", "capability_description": "Software", "mapping_type": "related_to", "attack_object_id": "T1499.003", "attack_object_name": "Application Exhaustion Flood", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Software", "capability_description": "Software", "mapping_type": "related_to", "attack_object_id": "T1589.001", 
"attack_object_name": "Credentials", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Web application", "capability_description": "Web application", "mapping_type": "related_to", "attack_object_id": "T1189", "attack_object_name": "Drive-by Compromise", "capability_group": "action.social", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1003", "attack_object_name": "OS Credential Dumping", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1222", "attack_object_name": "File and Directory Permissions Modification", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1587", "attack_object_name": "Develop Capabilities", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1547", "attack_object_name": "Boot or Logon Autostart Execution", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1598.004", "attack_object_name": "Spearphishing Voice", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", 
"capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1558.003", "attack_object_name": "Kerberoasting", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1003.008", "attack_object_name": "/etc/passwd and /etc/shadow", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1005", "attack_object_name": "Data from Local System", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1011", "attack_object_name": "Exfiltration Over Other Network Medium", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1011.001", "attack_object_name": "Exfiltration Over Bluetooth", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1020", "attack_object_name": "Automated Exfiltration", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1020.001", 
"attack_object_name": "Traffic Duplication", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1025", "attack_object_name": "Data from Removable Media", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1029", "attack_object_name": "Scheduled Transfer", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1030", "attack_object_name": "Data Transfer Size Limits", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1039", "attack_object_name": "Data from Network Shared Drive", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1040", "attack_object_name": "Network Sniffing", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1041", "attack_object_name": "Exfiltration Over C2 Channel", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": 
"attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1048", "attack_object_name": "Exfiltration Over Alternative Protocol", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1048.001", "attack_object_name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1048.002", "attack_object_name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1048.003", "attack_object_name": "Exfiltration Over Unencrypted Non-C2 Protocol", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1052", "attack_object_name": "Exfiltration Over Physical Medium", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1052.001", "attack_object_name": "Exfiltration over USB", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": 
"attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1056", "attack_object_name": "Input Capture", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1056.001", "attack_object_name": "Keylogging", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1056.002", "attack_object_name": "GUI Input Capture", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1056.003", "attack_object_name": "Web Portal Capture", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1056.004", "attack_object_name": "Credential API Hooking", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1113", "attack_object_name": "Screen Capture", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1114", 
"attack_object_name": "Email Collection", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1114.001", "attack_object_name": "Local Email Collection", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1114.002", "attack_object_name": "Remote Email Collection", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1114.003", "attack_object_name": "Email Forwarding Rule", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1115", "attack_object_name": "Clipboard Data", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1119", "attack_object_name": "Automated Collection", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1123", "attack_object_name": "Audio Capture", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": 
"attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1125", "attack_object_name": "Video Capture", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1187", "attack_object_name": "Forced Authentication", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1114.003", "attack_object_name": "Email Forwarding Rule", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Created account", "capability_description": "Created new user account", "mapping_type": "related_to", "attack_object_id": "T1136", "attack_object_name": "Create Account", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Created account", "capability_description": "Created new user account", "mapping_type": "related_to", "attack_object_id": "T1136.001", "attack_object_name": "Local Account", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Created account", "capability_description": "Created new user account", "mapping_type": "related_to", "attack_object_id": "T1136.002", "attack_object_name": "Domain Account", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Created account", "capability_description": "Created new user account", "mapping_type": "related_to", "attack_object_id": "T1136.003", "attack_object_name": "Cloud Account", "capability_group": "attribute.integrity", 
"references": []}, {"capability_id": "attribute.integrity.variety.Log tampering", "capability_description": "Log tampering or modification", "mapping_type": "related_to", "attack_object_id": "T1685.005", "attack_object_name": "Clear Windows Event Logs", "capability_group": "attribute.integrity", "comments": "see T1685.005 Disable or Modify Tools: Clear Windows Event Logs", "references": []}, {"capability_id": "attribute.integrity.variety.Log tampering", "capability_description": "Log tampering or modification", "mapping_type": "related_to", "attack_object_id": "T1685.006", "attack_object_name": "Clear Linux or Mac System Logs", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1037", "attack_object_name": "Boot or Logon Initialization Scripts", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1037.001", "attack_object_name": "Logon Script (Windows)", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1037.002", "attack_object_name": "Login Hook", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1037.003", "attack_object_name": "Network Logon Script", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", 
"capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1037.004", "attack_object_name": "RC Scripts", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1037.005", "attack_object_name": "Startup Items", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify privileges", "capability_description": "Modified privileges or permissions", "mapping_type": "related_to", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify privileges", "capability_description": "Modified privileges or permissions", "mapping_type": "related_to", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify privileges", "capability_description": "Modified privileges or permissions", "mapping_type": "related_to", "attack_object_id": "T1098.002", "attack_object_name": "Additional Email Delegate Permissions", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify privileges", "capability_description": "Modified privileges or permissions", "mapping_type": "related_to", "attack_object_id": "T1098.003", "attack_object_name": "Additional Cloud Roles", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify privileges", "capability_description": "Modified privileges or permissions", "mapping_type": "related_to", "attack_object_id": "T1098.004", "attack_object_name": "SSH Authorized Keys", 
"capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Software installation", "capability_description": "Software installation or code modification", "mapping_type": "related_to", "attack_object_id": "T1072", "attack_object_name": "Software Deployment Tools", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Software installation", "capability_description": "Software installation or code modification", "mapping_type": "related_to", "attack_object_id": "T1080", "attack_object_name": "Taint Shared Content", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1205", "attack_object_name": "Traffic Signaling", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1205", "attack_object_name": "Traffic Signaling", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1218.011", "attack_object_name": "Rundll32", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor", "capability_description": "Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. 
Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1205.001", "attack_object_name": "Port Knocking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1205.001", "attack_object_name": "Port Knocking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1205.001", "attack_object_name": "Port Knocking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1218.012", "attack_object_name": "Verclsid", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1207", "attack_object_name": "Rogue Domain Controller", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1218.013", "attack_object_name": "Mavinject", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1211", 
"attack_object_name": "Exploitation for Stealth", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1211", "attack_object_name": "Exploitation for Stealth", "capability_group": "action.social", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1218.014", "attack_object_name": "MMC", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1218.015", "attack_object_name": "Electron Applications", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Desktop sharing software", "capability_description": "Superset of 'Desktop sharing' and '3rd party desktop'.  
Please use in place of the other two", "mapping_type": "related_to", "attack_object_id": "T1219.002", "attack_object_name": "Remote Desktop Software", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1212", "attack_object_name": "Exploitation for Credential Access", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1212", "attack_object_name": "Exploitation for Credential Access", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Web application - drive-by", "capability_description": "Web via auto-executed or \"drive-by\" infection. Child of 'Web application'.", "mapping_type": "related_to", "attack_object_id": "T1212", "attack_object_name": "Exploitation for Credential Access", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1212", "attack_object_name": "Exploitation for Credential Access", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1220", "attack_object_name": "XSL Script Processing", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1213.006", "attack_object_name": 
"Databases", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1213", "attack_object_name": "Data from Information Repositories", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1213.001", "attack_object_name": "Confluence", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1213.001", "attack_object_name": "Confluence", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1213.002", "attack_object_name": "Sharepoint", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1213.002", "attack_object_name": "Sharepoint", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1213.003", "attack_object_name": "Code Repositories", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", 
"mapping_type": "related_to", "attack_object_id": "T1213.004", "attack_object_name": "Customer Relationship Management Software", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1213.005", "attack_object_name": "Messaging Applications", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1480", "attack_object_name": "Execution Guardrails", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1480", "attack_object_name": "Execution Guardrails", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1480.001", "attack_object_name": "Environmental Keying", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1480.001", "attack_object_name": "Environmental Keying", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1480.002", "attack_object_name": "Mutual Exclusion", "capability_group": "action.hacking", "references": []}, {"capability_id": 
"action.hacking.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1688", "attack_object_name": "Safe Mode Boot", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Hijack", "capability_description": "To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)", "mapping_type": "related_to", "attack_object_id": "T1496", "attack_object_name": "Resource Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Hijack", "capability_description": "To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)", "mapping_type": "related_to", "attack_object_id": "T1496.001", "attack_object_name": "Compute Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Hijack", "capability_description": "To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)", "mapping_type": "related_to", "attack_object_id": "T1496.002", "attack_object_name": "Bandwidth Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Hijack", "capability_description": "To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)", "mapping_type": "related_to", "attack_object_id": "T1496.003", "attack_object_name": "SMS Pumping", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Hijack", "capability_description": "To assume control over and steal functionality for an illicit purpose (e.g. 
Hijacking phone number intercept SMS verification codes)", "mapping_type": "related_to", "attack_object_id": "T1496.004", "attack_object_name": "Cloud Service Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Hypervisor", "capability_description": "Hypervisor break-out attack", "mapping_type": "related_to", "attack_object_id": "T1497", "attack_object_name": "Virtualization/Sandbox Evasion", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Inter-tenant", "capability_description": "Penetration of another VM or web site on shared device or infrastructure", "mapping_type": "related_to", "attack_object_id": "T1497", "attack_object_name": "Virtualization/Sandbox Evasion", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.DoS", "capability_description": "Denial of service", "mapping_type": "related_to", "attack_object_id": "T1498", "attack_object_name": "Network Denial of Service", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.DoS", "capability_description": "Denial of service", "mapping_type": "related_to", "attack_object_id": "T1498.001", "attack_object_name": "Direct Network Flood", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.DoS", "capability_description": "Denial of service", "mapping_type": "related_to", "attack_object_id": "T1498.002", "attack_object_name": "Reflection Amplification", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.DoS", "capability_description": "Denial of service", "mapping_type": "related_to", "attack_object_id": "T1499", "attack_object_name": "Endpoint Denial of Service", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Soap array abuse", "capability_description": "Soap array abuse. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1499", "attack_object_name": "Endpoint Denial of Service", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.XML external entities", "capability_description": "XML external entities. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1499", "attack_object_name": "Endpoint Denial of Service", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Adminware", "capability_description": "System or network utilities (e.g., PsTools, Netcat)", "mapping_type": "related_to", "attack_object_id": "T1219.001", "attack_object_name": "IDE Tunneling", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.DoS", "capability_description": "Denial of service", "mapping_type": "related_to", "attack_object_id": "T1499.001", "attack_object_name": "OS Exhaustion Flood", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Client-side attack", "capability_description": "Client-side or browser attack (e.g., redirection, XSS, AitB)", "mapping_type": "related_to", "attack_object_id": "T1221", "attack_object_name": "Template Injection", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1222", "attack_object_name": "File and Directory Permissions Modification", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1222.001", "attack_object_name": "Windows Permissions", "capability_group": "action.malware", "references": []}, 
{"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1222.002", "attack_object_name": "Linux and Mac Permissions", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.DoS", "capability_description": "Denial of service", "mapping_type": "related_to", "attack_object_id": "T1499.002", "attack_object_name": "Service Exhaustion Flood", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.DoS", "capability_description": "Denial of service", "mapping_type": "related_to", "attack_object_id": "T1499.003", "attack_object_name": "Application Exhaustion Flood", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.DoS", "capability_description": "Denial of service", "mapping_type": "related_to", "attack_object_id": "T1499.004", "attack_object_name": "Application or System Exploitation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1505.006", "attack_object_name": "vSphere Installation Bundles", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1505.002", "attack_object_name": "Transport Agent", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1482", "attack_object_name": "Domain Trust Discovery", "capability_group": "action.malware", "references": []}, {"capability_id": 
"attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1484", "attack_object_name": "Domain or Tenant Policy Modification", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1484.001", "attack_object_name": "Group Policy Modification", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1484.002", "attack_object_name": "Trust Modification", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.malware.variety.Destroy data", "capability_description": "Destroy or corrupt stored data", "mapping_type": "related_to", "attack_object_id": "T1485", "attack_object_name": "Data Destruction", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Destruction", "capability_description": "Destruction", "mapping_type": "related_to", "attack_object_id": "T1485", "attack_object_name": "Data Destruction", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Interruption", "capability_description": "Interruption", "mapping_type": "related_to", "attack_object_id": "T1485", "attack_object_name": "Data Destruction", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.malware.variety.Destroy data", "capability_description": "Destroy or corrupt stored data", "mapping_type": "related_to", "attack_object_id": "T1485.001", "attack_object_name": "Lifecycle-Triggered Deletion", "capability_group": 
"action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Destruction", "capability_description": "Destruction", "mapping_type": "related_to", "attack_object_id": "T1485.001", "attack_object_name": "Lifecycle-Triggered Deletion", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Interruption", "capability_description": "Interruption", "mapping_type": "related_to", "attack_object_id": "T1485.001", "attack_object_name": "Lifecycle-Triggered Deletion", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.malware.variety.Ransomware", "capability_description": "Ransomware (encrypt or seize stored data)", "mapping_type": "related_to", "attack_object_id": "T1486", "attack_object_name": "Data Encrypted for Impact", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Interruption", "capability_description": "Interruption", "mapping_type": "related_to", "attack_object_id": "T1486", "attack_object_name": "Data Encrypted for Impact", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Obscuration", "capability_description": "Conversion or obscuration (ransomware)", "mapping_type": "related_to", "attack_object_id": "T1486", "attack_object_name": "Data Encrypted for Impact", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1518", "attack_object_name": "Software Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.DoS", "capability_description": "DoS attack", "mapping_type": "related_to", "attack_object_id": "T1489", "attack_object_name": "Service Stop", "capability_group": 
"action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Interruption", "capability_description": "Interruption", "mapping_type": "related_to", "attack_object_id": "T1489", "attack_object_name": "Service Stop", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1490", "attack_object_name": "Inhibit System Recovery", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Ransomware", "capability_description": "Ransomware (encrypt or seize stored data)", "mapping_type": "related_to", "attack_object_id": "T1490", "attack_object_name": "Inhibit System Recovery", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Loss", "capability_description": "Loss", "mapping_type": "related_to", "attack_object_id": "T1490", "attack_object_name": "Inhibit System Recovery", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Obscuration", "capability_description": "Conversion or obscuration (ransomware)", "mapping_type": "related_to", "attack_object_id": "T1491", "attack_object_name": "Defacement", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.integrity.variety.Defacement", "capability_description": "Deface content", "mapping_type": "related_to", "attack_object_id": "T1491", "attack_object_name": "Defacement", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.availability.variety.Obscuration", "capability_description": "Conversion or obscuration (ransomware)", "mapping_type": "related_to", "attack_object_id": "T1491.001", "attack_object_name": "Internal Defacement", "capability_group": "attribute.availability", 
"references": []}, {"capability_id": "attribute.integrity.variety.Defacement", "capability_description": "Deface content", "mapping_type": "related_to", "attack_object_id": "T1491.001", "attack_object_name": "Internal Defacement", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.availability.variety.Obscuration", "capability_description": "Conversion or obscuration (ransomware)", "mapping_type": "related_to", "attack_object_id": "T1491.002", "attack_object_name": "External Defacement", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.integrity.variety.Defacement", "capability_description": "Deface content", "mapping_type": "related_to", "attack_object_id": "T1491.002", "attack_object_name": "External Defacement", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.malware.variety.Destroy data", "capability_description": "Destroy or corrupt stored data", "mapping_type": "related_to", "attack_object_id": "T1495", "attack_object_name": "Firmware Corruption", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Destruction", "capability_description": "Destruction", "mapping_type": "related_to", "attack_object_id": "T1495", "attack_object_name": "Firmware Corruption", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Interruption", "capability_description": "Interruption", "mapping_type": "related_to", "attack_object_id": "T1495", "attack_object_name": "Firmware Corruption", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Loss", "capability_description": "Loss", "mapping_type": "related_to", "attack_object_id": "T1495", "attack_object_name": "Firmware Corruption", "capability_group": "attribute.availability", "references": []}, {"capability_id": 
"action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1518.002", "attack_object_name": "Backup Software Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Click fraud", "capability_description": "Click fraud, whether or not cryptocurrency mining.  Also mark 'Click fraud or cryptocurrency mining'. Child of 'Click fraud and cryptocurrency mining'.", "mapping_type": "related_to", "attack_object_id": "T1496", "attack_object_name": "Resource Hijacking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Click fraud and cryptocurrency mining", "capability_description": "Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'.", "mapping_type": "related_to", "attack_object_id": "T1496", "attack_object_name": "Resource Hijacking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Cryptocurrency mining", "capability_description": "Cryptocurrency mining, whether or not click fraud. Child of 'Click fraud and cryptocurrency mining'.", "mapping_type": "related_to", "attack_object_id": "T1496", "attack_object_name": "Resource Hijacking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Click fraud and cryptocurrency mining", "capability_description": "Click fraud or cryptocurrency mining. Parent of 'Click fraud' and 'Cryptocurrency mining'.", "mapping_type": "related_to", "attack_object_id": "T1496.001", "attack_object_name": "Compute Hijacking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Cryptocurrency mining", "capability_description": "Cryptocurrency mining, whether or not click fraud. 
Child of 'Click fraud and cryptocurrency mining'.", "mapping_type": "related_to", "attack_object_id": "T1496.001", "attack_object_name": "Compute Hijacking", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Degradation", "capability_description": "Performance degradation", "mapping_type": "related_to", "attack_object_id": "T1496", "attack_object_name": "Resource Hijacking", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.hacking.variety.Backdoor", "capability_description": "Hacking action that creates a backdoor for use.", "mapping_type": "related_to", "attack_object_id": "T1525", "attack_object_name": "Implant Internal Image", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Backdoor", "capability_description": "Hacking actions taken through a backdoor.  C2 is only used by malware.", "mapping_type": "related_to", "attack_object_id": "T1525", "attack_object_name": "Implant Internal Image", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1526", "attack_object_name": "Cloud Service Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1529", "attack_object_name": "System Shutdown/Reboot", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1531", "attack_object_name": "Account Access Removal", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Forced browsing", 
"capability_description": "Forced browsing or predictable resource location. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1539", "attack_object_name": "Steal Web Session Cookie", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1497", "attack_object_name": "Virtualization/Sandbox Evasion", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1497.001", "attack_object_name": "System Checks", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1497.002", "attack_object_name": "User Activity Based Checks", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1497.003", "attack_object_name": "Time Based Checks", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.AiTM", "capability_description": "Adversary-in-the-middle attack. 
Child of 'Exploit vuln'", "mapping_type": "related_to", "attack_object_id": "T1539", "attack_object_name": "Steal Web Session Cookie", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.DoS", "capability_description": "DoS attack", "mapping_type": "related_to", "attack_object_id": "T1498", "attack_object_name": "Network Denial of Service", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Degradation", "capability_description": "Performance degradation", "mapping_type": "related_to", "attack_object_id": "T1498", "attack_object_name": "Network Denial of Service", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Loss", "capability_description": "Loss", "mapping_type": "related_to", "attack_object_id": "T1498", "attack_object_name": "Network Denial of Service", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.hacking.variety.Session replay", "capability_description": "Session replay. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1539", "attack_object_name": "Steal Web Session Cookie", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.DoS", "capability_description": "DoS attack", "mapping_type": "related_to", "attack_object_id": "T1498.001", "attack_object_name": "Direct Network Flood", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Degradation", "capability_description": "Performance degradation", "mapping_type": "related_to", "attack_object_id": "T1498.001", "attack_object_name": "Direct Network Flood", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Loss", "capability_description": "Loss", "mapping_type": "related_to", "attack_object_id": "T1498.001", "attack_object_name": "Direct Network Flood", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1543", "attack_object_name": "Create or Modify System Process", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.DoS", "capability_description": "DoS attack", "mapping_type": "related_to", "attack_object_id": "T1498.002", "attack_object_name": "Reflection Amplification", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Degradation", "capability_description": "Performance degradation", "mapping_type": "related_to", "attack_object_id": "T1498.002", "attack_object_name": "Reflection Amplification", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Loss", "capability_description": "Loss", "mapping_type": "related_to", "attack_object_id": 
"T1498.002", "attack_object_name": "Reflection Amplification", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.hacking.variety.Backdoor", "capability_description": "Hacking action that creates a backdoor for use.", "mapping_type": "related_to", "attack_object_id": "T1543", "attack_object_name": "Create or Modify System Process", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Backdoor", "capability_description": "Hacking actions taken through a backdoor.  C2 is only used by malware.", "mapping_type": "related_to", "attack_object_id": "T1543", "attack_object_name": "Create or Modify System Process", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1543.001", "attack_object_name": "Launch Agent", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.DoS", "capability_description": "DoS attack", "mapping_type": "related_to", "attack_object_id": "T1499", "attack_object_name": "Endpoint Denial of Service", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Degradation", "capability_description": "Performance degradation", "mapping_type": "related_to", "attack_object_id": "T1499", "attack_object_name": "Endpoint Denial of Service", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Loss", "capability_description": "Loss", "mapping_type": "related_to", "attack_object_id": "T1499", "attack_object_name": "Endpoint Denial of Service", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", 
"attack_object_id": "T1543.002", "attack_object_name": "Systemd Service", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.DoS", "capability_description": "DoS attack", "mapping_type": "related_to", "attack_object_id": "T1499.001", "attack_object_name": "OS Exhaustion Flood", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Degradation", "capability_description": "Performance degradation", "mapping_type": "related_to", "attack_object_id": "T1499.001", "attack_object_name": "OS Exhaustion Flood", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Loss", "capability_description": "Loss", "mapping_type": "related_to", "attack_object_id": "T1499.001", "attack_object_name": "OS Exhaustion Flood", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1543.003", "attack_object_name": "Windows Service", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.DoS", "capability_description": "DoS attack", "mapping_type": "related_to", "attack_object_id": "T1499.002", "attack_object_name": "Service Exhaustion Flood", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Degradation", "capability_description": "Performance degradation", "mapping_type": "related_to", "attack_object_id": "T1499.002", "attack_object_name": "Service Exhaustion Flood", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Loss", "capability_description": "Loss", "mapping_type": "related_to", "attack_object_id": "T1499.002", "attack_object_name": "Service Exhaustion Flood", "capability_group": 
"attribute.availability", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1543.004", "attack_object_name": "Launch Daemon", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.DoS", "capability_description": "DoS attack", "mapping_type": "related_to", "attack_object_id": "T1499.003", "attack_object_name": "Application Exhaustion Flood", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Degradation", "capability_description": "Performance degradation", "mapping_type": "related_to", "attack_object_id": "T1499.003", "attack_object_name": "Application Exhaustion Flood", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Loss", "capability_description": "Loss", "mapping_type": "related_to", "attack_object_id": "T1499.003", "attack_object_name": "Application Exhaustion Flood", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1543.005", "attack_object_name": "Container Service", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.DoS", "capability_description": "DoS attack", "mapping_type": "related_to", "attack_object_id": "T1499.004", "attack_object_name": "Application or System Exploitation", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Degradation", "capability_description": "Performance degradation", "mapping_type": "related_to", "attack_object_id": "T1499.004", "attack_object_name": "Application or System Exploitation", "capability_group": "attribute.availability", 
"references": []}, {"capability_id": "attribute.availability.variety.Loss", "capability_description": "Loss", "mapping_type": "related_to", "attack_object_id": "T1499.004", "attack_object_name": "Application or System Exploitation", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.malware.variety.Backdoor", "capability_description": "Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1505", "attack_object_name": "Server Software Component", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1505", "attack_object_name": "Server Software Component", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Backdoor", "capability_description": "Hacking action that creates a backdoor for use.", "mapping_type": "related_to", "attack_object_id": "T1546", "attack_object_name": "Event Triggered Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor", "capability_description": "Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1505.001", "attack_object_name": "SQL Stored Procedures", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. 
Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1505.001", "attack_object_name": "SQL Stored Procedures", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.XML injection", "capability_description": "XML injection. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1546", "attack_object_name": "Event Triggered Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor", "capability_description": "Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1505.002", "attack_object_name": "Transport Agent", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1505.002", "attack_object_name": "Transport Agent", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor", "capability_description": "Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1505.003", "attack_object_name": "Web Shell", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. 
Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1505.003", "attack_object_name": "Web Shell", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.vector.Backdoor", "capability_description": "Hacking actions taken through a backdoor.  C2 is only used by malware.", "mapping_type": "related_to", "attack_object_id": "T1546", "attack_object_name": "Event Triggered Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1547", "attack_object_name": "Boot or Logon Autostart Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Backdoor", "capability_description": "Hacking action that creates a backdoor for use.", "mapping_type": "related_to", "attack_object_id": "T1547", "attack_object_name": "Boot or Logon Autostart Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Backdoor", "capability_description": "Hacking actions taken through a backdoor.  C2 is only used by malware.", "mapping_type": "related_to", "attack_object_id": "T1547", "attack_object_name": "Boot or Logon Autostart Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor", "capability_description": "Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1525", "attack_object_name": "Implant Internal Image", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. 
Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1525", "attack_object_name": "Implant Internal Image", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.RAT", "capability_description": "Remote Access Trojan.  Parent of 'Backdoor' and 'Trojan'", "mapping_type": "related_to", "attack_object_id": "T1525", "attack_object_name": "Implant Internal Image", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1525", "attack_object_name": "Implant Internal Image", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1548", "attack_object_name": "Abuse Elevation Control Mechanism", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1528", "attack_object_name": "Steal Application Access Token", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1548.001", "attack_object_name": "Setuid and Setgid", "capability_group": "action.hacking", "references": []}, {"capability_id": "attribute.availability.variety.Interruption", "capability_description": "Interruption", "mapping_type": "related_to", "attack_object_id": "T1529", "attack_object_name": "System Shutdown/Reboot", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", 
"capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1548.002", "attack_object_name": "Bypass User Account Control", "capability_group": "action.hacking", "references": []}, {"capability_id": "attribute.availability.variety.Destruction", "capability_description": "Destruction", "mapping_type": "related_to", "attack_object_id": "T1531", "attack_object_name": "Account Access Removal", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Interruption", "capability_description": "Interruption", "mapping_type": "related_to", "attack_object_id": "T1531", "attack_object_name": "Account Access Removal", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.social.variety.Pretexting", "capability_description": "Pretexting (dialogue leveraging invented scenario).  Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.)", "mapping_type": "related_to", "attack_object_id": "T1534", "attack_object_name": "Internal Spearphishing", "capability_group": "action.social", "references": []}, {"capability_id": "attribute.integrity.variety.Misrepresentation", "capability_description": "compromise of authenticity (e.g. 
masquerading as the legitimate owner of an account)", "mapping_type": "related_to", "attack_object_id": "T1534", "attack_object_name": "Internal Spearphishing", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Repurpose", "capability_description": "Repurposed asset for unauthorized function", "mapping_type": "related_to", "attack_object_id": "T1535", "attack_object_name": "Unused/Unsupported Cloud Regions", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1537", "attack_object_name": "Transfer Data to Cloud Account", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1537", "attack_object_name": "Transfer Data to Cloud Account", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.hacking.variety.Exploit misconfig", "capability_description": "Exploit a misconfiguration (vs vuln or weakness)", "mapping_type": "related_to", "attack_object_id": "T1548.002", "attack_object_name": "Bypass User Account Control", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1548.003", "attack_object_name": "Sudo and Sudo Caching", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Exploit misconfig", "capability_description": "Exploit a misconfiguration (vs vuln or weakness)", "mapping_type": "related_to", "attack_object_id": "T1548.003", "attack_object_name": "Sudo and Sudo Caching", 
"capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Capture app data", "capability_description": "Capture data from application or system process", "mapping_type": "related_to", "attack_object_id": "T1539", "attack_object_name": "Steal Web Session Cookie", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Rootkit", "capability_description": "Rootkit (maintain local privileges and stealth)", "mapping_type": "related_to", "attack_object_id": "T1542", "attack_object_name": "Pre-OS Boot", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Rootkit", "capability_description": "Rootkit (maintain local privileges and stealth)", "mapping_type": "related_to", "attack_object_id": "T1542.001", "attack_object_name": "System Firmware", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Rootkit", "capability_description": "Rootkit (maintain local privileges and stealth)", "mapping_type": "related_to", "attack_object_id": "T1542.002", "attack_object_name": "Component Firmware", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Rootkit", "capability_description": "Rootkit (maintain local privileges and stealth)", "mapping_type": "related_to", "attack_object_id": "T1542.003", "attack_object_name": "Bootkit", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Rootkit", "capability_description": "Rootkit (maintain local privileges and stealth)", "mapping_type": "related_to", "attack_object_id": "T1542.004", "attack_object_name": "ROMMONkit", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Rootkit", "capability_description": "Rootkit (maintain local privileges and stealth)", "mapping_type": "related_to", "attack_object_id": "T1542.005", 
"attack_object_name": "TFTP Boot", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1548.004", "attack_object_name": "Elevated Execution with Prompt", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor", "capability_description": "Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1543", "attack_object_name": "Create or Modify System Process", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1543", "attack_object_name": "Create or Modify System Process", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Rootkit", "capability_description": "Rootkit (maintain local privileges and stealth)", "mapping_type": "related_to", "attack_object_id": "T1543", "attack_object_name": "Create or Modify System Process", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.integrity.variety.Software installation", "capability_description": "Software installation or code modification", "mapping_type": "related_to", "attack_object_id": "T1543", "attack_object_name": "Create or Modify System Process", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.hacking.variety.Exploit misconfig", "capability_description": "Exploit a misconfiguration (vs vuln or weakness)", "mapping_type": "related_to", "attack_object_id": "T1548.004", 
"attack_object_name": "Elevated Execution with Prompt", "capability_group": "action.hacking", "references": []}, {"capability_id": "attribute.integrity.variety.Software installation", "capability_description": "Software installation or code modification", "mapping_type": "related_to", "attack_object_id": "T1543.001", "attack_object_name": "Launch Agent", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1548.005", "attack_object_name": "Temporary Elevated Cloud Access", "capability_group": "action.hacking", "references": []}, {"capability_id": "attribute.integrity.variety.Software installation", "capability_description": "Software installation or code modification", "mapping_type": "related_to", "attack_object_id": "T1543.002", "attack_object_name": "Systemd Service", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1548.006", "attack_object_name": "TCC Manipulation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.RAT", "capability_description": "Remote Access Trojan.  
Parent of 'Backdoor' and 'Trojan'", "mapping_type": "related_to", "attack_object_id": "T1543.003", "attack_object_name": "Windows Service", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.integrity.variety.Software installation", "capability_description": "Software installation or code modification", "mapping_type": "related_to", "attack_object_id": "T1543.003", "attack_object_name": "Windows Service", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1550", "attack_object_name": "Use Alternate Authentication Material", "capability_group": "action.hacking", "references": []}, {"capability_id": "attribute.integrity.variety.Software installation", "capability_description": "Software installation or code modification", "mapping_type": "related_to", "attack_object_id": "T1543.004", "attack_object_name": "Launch Daemon", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1550.001", "attack_object_name": "Application Access Token", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Pass-the-hash", "capability_description": "Pass-the-hash", "mapping_type": "related_to", "attack_object_id": "T1550.002", "attack_object_name": "Pass the Hash", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", 
"attack_object_id": "T1550.002", "attack_object_name": "Pass the Hash", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1550.003", "attack_object_name": "Pass the Ticket", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor", "capability_description": "Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1546", "attack_object_name": "Event Triggered Execution", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. 
Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1546", "attack_object_name": "Event Triggered Execution", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1546", "attack_object_name": "Event Triggered Execution", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1546.001", "attack_object_name": "Change Default File Association", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1546.002", "attack_object_name": "Screensaver", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1546.003", "attack_object_name": "Windows Management Instrumentation Event Subscription", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1546.004", "attack_object_name": "Unix Shell Configuration Modification", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1546.005", "attack_object_name": "Trap", "capability_group": 
"attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1546.006", "attack_object_name": "LC_LOAD_DYLIB Addition", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1546.007", "attack_object_name": "Netsh Helper DLL", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1546.008", "attack_object_name": "Accessibility Features", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1546.009", "attack_object_name": "AppCert DLLs", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1546.010", "attack_object_name": "AppInit DLLs", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1546.011", "attack_object_name": "Application Shimming", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": 
"T1546.012", "attack_object_name": "Image File Execution Options Injection", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1546.013", "attack_object_name": "PowerShell Profile", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1546.014", "attack_object_name": "Emond", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Alter behavior", "capability_description": "Influence or alter human behavior", "mapping_type": "related_to", "attack_object_id": "T1546.015", "attack_object_name": "Component Object Model Hijacking", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Software installation", "capability_description": "Software installation or code modification", "mapping_type": "related_to", "attack_object_id": "T1546.016", "attack_object_name": "Installer Packages", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.hacking.variety.Session replay", "capability_description": "Session replay. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1550.004", "attack_object_name": "Web Session Cookie", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor", "capability_description": "Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. 
Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1547", "attack_object_name": "Boot or Logon Autostart Execution", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1547", "attack_object_name": "Boot or Logon Autostart Execution", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1547", "attack_object_name": "Boot or Logon Autostart Execution", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1547.001", "attack_object_name": "Registry Run Keys / Startup Folder", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1547.002", "attack_object_name": "Authentication Package", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1547.003", "attack_object_name": "Time Providers", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": 
"related_to", "attack_object_id": "T1547.004", "attack_object_name": "Winlogon Helper DLL", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1547.005", "attack_object_name": "Security Support Provider", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1547.006", "attack_object_name": "Kernel Modules and Extensions", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1547.007", "attack_object_name": "Re-opened Applications", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1547.008", "attack_object_name": "LSASS Driver", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1547.009", "attack_object_name": "Shortcut Modification", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1547.010", "attack_object_name": "Port Monitors", "capability_group": "attribute.integrity", "references": []}, 
{"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1547.012", "attack_object_name": "Print Processors", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1547.013", "attack_object_name": "XDG Autostart Entries", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify privileges", "capability_description": "Modified privileges or permissions", "mapping_type": "related_to", "attack_object_id": "T1547.014", "attack_object_name": "Active Setup", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1553", "attack_object_name": "Subvert Trust Controls", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Backdoor", "capability_description": "Hacking action that creates a backdoor for use.", "mapping_type": "related_to", "attack_object_id": "T1554", "attack_object_name": "Compromise Host Software Binary", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Exploit misconfig", "capability_description": "Exploit a misconfiguration (vs vuln or weakness)", "mapping_type": "related_to", "attack_object_id": "T1548.002", "attack_object_name": "Bypass User Account Control", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.vector.Backdoor", "capability_description": "Hacking actions taken through a backdoor.  
C2 is only used by malware.", "mapping_type": "related_to", "attack_object_id": "T1554", "attack_object_name": "Compromise Host Software Binary", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Client-side attack", "capability_description": "Client-side or browser attack (e.g., redirection, XSS, AitB)", "mapping_type": "related_to", "attack_object_id": "T1548.003", "attack_object_name": "Sudo and Sudo Caching", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Backdoor", "capability_description": "Hacking action that creates a backdoor for use.", "mapping_type": "related_to", "attack_object_id": "T1556", "attack_object_name": "Modify Authentication Process", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Backdoor", "capability_description": "Hacking actions taken through a backdoor.  C2 is only used by malware.", "mapping_type": "related_to", "attack_object_id": "T1556", "attack_object_name": "Modify Authentication Process", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.AiTM", "capability_description": "Adversary-in-the-middle attack. Child of 'Exploit vuln'", "mapping_type": "related_to", "attack_object_id": "T1557", "attack_object_name": "Adversary-in-the-Middle", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Routing detour", "capability_description": "Routing detour. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1557", "attack_object_name": "Adversary-in-the-Middle", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Pass-the-hash", "capability_description": "Pass-the-hash", "mapping_type": "related_to", "attack_object_id": "T1550", "attack_object_name": "Use Alternate Authentication Material", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Network propagation", "capability_description": "Network propagation", "mapping_type": "related_to", "attack_object_id": "T1550", "attack_object_name": "Use Alternate Authentication Material", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.AiTM", "capability_description": "Adversary-in-the-middle attack. Child of 'Exploit vuln'", "mapping_type": "related_to", "attack_object_id": "T1557.001", "attack_object_name": "Name Resolution Poisoning and SMB Relay", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Cache poisoning", "capability_description": "Cache poisoning. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1557.002", "attack_object_name": "ARP Cache Poisoning", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.AiTM", "capability_description": "Adversary-in-the-middle attack. 
Child of 'Exploit vuln'", "mapping_type": "related_to", "attack_object_id": "T1557.002", "attack_object_name": "ARP Cache Poisoning", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Pass-the-hash", "capability_description": "Pass-the-hash", "mapping_type": "related_to", "attack_object_id": "T1550.002", "attack_object_name": "Pass the Hash", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1550.002", "attack_object_name": "Pass the Hash", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1558", "attack_object_name": "Steal or Forge Kerberos Tickets", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1558.001", "attack_object_name": "Golden Ticket", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1558.002", "attack_object_name": "Silver Ticket", "capability_group": "action.hacking", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1552", "attack_object_name": "Unsecured 
Credentials", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1552.001", "attack_object_name": "Credentials In Files", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1552.001", "attack_object_name": "Credentials In Files", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1552.002", "attack_object_name": "Credentials in Registry", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1552.002", "attack_object_name": "Credentials in Registry", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1552.003", "attack_object_name": "Shell History", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1552.003", "attack_object_name": "Shell History", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper 
(extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1552.004", "attack_object_name": "Private Keys", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1552.004", "attack_object_name": "Private Keys", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1552.005", "attack_object_name": "Cloud Instance Metadata API", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1552.005", "attack_object_name": "Cloud Instance Metadata API", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1552.006", "attack_object_name": "Group Policy Preferences", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1552.006", "attack_object_name": "Group Policy Preferences", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1552.007", "attack_object_name": "Container API", "capability_group": 
"attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1552.008", "attack_object_name": "Chat Messages", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1552.008", "attack_object_name": "Chat Messages", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1558.003", "attack_object_name": "Kerberoasting", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1553", "attack_object_name": "Subvert Trust Controls", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1553", "attack_object_name": "Subvert Trust Controls", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1553", "attack_object_name": "Subvert Trust Controls", "capability_group": "action.social", "references": []}, {"capability_id": 
"action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1553.001", "attack_object_name": "Gatekeeper Bypass", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1553.002", "attack_object_name": "Code Signing", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1553.003", "attack_object_name": "SIP and Trust Provider Hijacking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1553.004", "attack_object_name": "Install Root Certificate", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1553.005", "attack_object_name": "Mark-of-the-Web Bypass", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1553.006", "attack_object_name": "Code Signing Policy Modification", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Exploit misconfig", "capability_description": "Exploit a misconfiguration (vs vuln or weakness)", "mapping_type": "related_to", "attack_object_id": 
"T1558.004", "attack_object_name": "AS-REP Roasting", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1558.004", "attack_object_name": "AS-REP Roasting", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Adminware", "capability_description": "System or network utilities (e.g., PsTools, Netcat)", "mapping_type": "related_to", "attack_object_id": "T1554", "attack_object_name": "Compromise Host Software Binary", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor", "capability_description": "Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1554", "attack_object_name": "Compromise Host Software Binary", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1554", "attack_object_name": "Compromise Host Software Binary", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Trojan", "capability_description": "An application which appears legitimate but hides malicious functionality. 
Child of 'RAT' when combined with 'Backdoor'", "mapping_type": "related_to", "attack_object_id": "T1554", "attack_object_name": "Compromise Host Software Binary", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1555", "attack_object_name": "Credentials from Password Stores", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1555", "attack_object_name": "Credentials from Password Stores", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1555.001", "attack_object_name": "Keychain", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1555.001", "attack_object_name": "Keychain", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1555.002", "attack_object_name": "Securityd Memory", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.RAM scraper", "capability_description": "RAM scraper or memory parser (capture data from volatile memory)", "mapping_type": "related_to", "attack_object_id": "T1555.002", "attack_object_name": "Securityd Memory", "capability_group": 
"action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1555.002", "attack_object_name": "Securityd Memory", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1555.003", "attack_object_name": "Credentials from Web Browsers", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1555.003", "attack_object_name": "Credentials from Web Browsers", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1555.004", "attack_object_name": "Windows Credential Manager", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1555.004", "attack_object_name": "Windows Credential Manager", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1555.005", "attack_object_name": "Password Managers", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data 
disclosure", "mapping_type": "related_to", "attack_object_id": "T1555.005", "attack_object_name": "Password Managers", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Password dumper", "capability_description": "Password dumper (extract credential hashes)", "mapping_type": "related_to", "attack_object_id": "T1555.006", "attack_object_name": "Cloud Secrets Management Stores", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1555.006", "attack_object_name": "Cloud Secrets Management Stores", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1559", "attack_object_name": "Inter-Process Communication", "capability_group": "action.hacking", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1556", "attack_object_name": "Modify Authentication Process", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify privileges", "capability_description": "Modified privileges or permissions", "mapping_type": "related_to", "attack_object_id": "T1556", "attack_object_name": "Modify Authentication Process", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1556.001", "attack_object_name": "Domain Controller Authentication", "capability_group": 
"attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify privileges", "capability_description": "Modified privileges or permissions", "mapping_type": "related_to", "attack_object_id": "T1556.001", "attack_object_name": "Domain Controller Authentication", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.malware.vector.Email link", "capability_description": "Email via embedded link. Child of 'Email'", "mapping_type": "related_to", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify privileges", "capability_description": "Modified privileges or permissions", "mapping_type": "related_to", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1556.003", "attack_object_name": "Pluggable Authentication Modules", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify privileges", "capability_description": "Modified privileges or permissions", "mapping_type": "related_to", "attack_object_id": "T1556.003", "attack_object_name": "Pluggable Authentication Modules", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration 
or services", "mapping_type": "related_to", "attack_object_id": "T1556.004", "attack_object_name": "Network Device Authentication", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify privileges", "capability_description": "Modified privileges or permissions", "mapping_type": "related_to", "attack_object_id": "T1556.004", "attack_object_name": "Network Device Authentication", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1559.001", "attack_object_name": "Component Object Model", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1559.002", "attack_object_name": "Dynamic Data Exchange", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.AiTM", "capability_description": "Man-in-the-middle attack. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1557", "attack_object_name": "Adversary-in-the-Middle", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1557", "attack_object_name": "Adversary-in-the-Middle", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.hacking.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1685.006", "attack_object_name": "Clear Linux or Mac System Logs", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1685", "attack_object_name": "Disable or Modify Tools", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1685", "attack_object_name": "Disable or Modify Tools", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.AiTM", "capability_description": "Man-in-the-middle attack. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1557.002", "attack_object_name": "ARP Cache Poisoning", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.AiTM", "capability_description": "Man-in-the-middle attack. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1557.003", "attack_object_name": "DHCP Spoofing", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1685.001", "attack_object_name": "Disable or Modify Windows Event Log", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1690", "attack_object_name": "Prevent Command History Logging", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1686.001", "attack_object_name": "Cloud Firewall", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1685.002", "attack_object_name": "Disable or Modify Cloud Log", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1685.003", "attack_object_name": "Modify or Spoof Tool UI", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1685.004", "attack_object_name": "Disable or Modify Linux Audit System Log", "capability_group": 
"action.hacking", "references": []}, {"capability_id": "action.malware.variety.Exploit misconfig", "capability_description": "Exploit a misconfiguration (vs vuln or weakness)", "mapping_type": "related_to", "attack_object_id": "T1558.004", "attack_object_name": "AS-REP Roasting", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1563", "attack_object_name": "Remote Service Session Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Hijack", "capability_description": "To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)", "mapping_type": "related_to", "attack_object_id": "T1563", "attack_object_name": "Remote Service Session Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1563.001", "attack_object_name": "SSH Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1560", "attack_object_name": "Archive Collected Data", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1560.001", "attack_object_name": "Archive via Utility", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", 
"mapping_type": "related_to", "attack_object_id": "T1560.002", "attack_object_name": "Archive via Library", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1560.003", "attack_object_name": "Archive via Custom Method", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Destroy data", "capability_description": "Destroy or corrupt stored data", "mapping_type": "related_to", "attack_object_id": "T1561", "attack_object_name": "Disk Wipe", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Destruction", "capability_description": "Destruction", "mapping_type": "related_to", "attack_object_id": "T1561", "attack_object_name": "Disk Wipe", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Interruption", "capability_description": "Interruption", "mapping_type": "related_to", "attack_object_id": "T1561", "attack_object_name": "Disk Wipe", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Loss", "capability_description": "Loss", "mapping_type": "related_to", "attack_object_id": "T1561", "attack_object_name": "Disk Wipe", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.malware.variety.Destroy data", "capability_description": "Destroy or corrupt stored data", "mapping_type": "related_to", "attack_object_id": "T1561.001", "attack_object_name": "Disk Content Wipe", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Destruction", "capability_description": "Destruction", "mapping_type": "related_to", "attack_object_id": "T1561.001", "attack_object_name": "Disk Content Wipe", 
"capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Loss", "capability_description": "Loss", "mapping_type": "related_to", "attack_object_id": "T1561.001", "attack_object_name": "Disk Content Wipe", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.malware.variety.Destroy data", "capability_description": "Destroy or corrupt stored data", "mapping_type": "related_to", "attack_object_id": "T1561.002", "attack_object_name": "Disk Structure Wipe", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.availability.variety.Destruction", "capability_description": "Destruction", "mapping_type": "related_to", "attack_object_id": "T1561.002", "attack_object_name": "Disk Structure Wipe", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Interruption", "capability_description": "Interruption", "mapping_type": "related_to", "attack_object_id": "T1561.002", "attack_object_name": "Disk Structure Wipe", "capability_group": "attribute.availability", "references": []}, {"capability_id": "attribute.availability.variety.Loss", "capability_description": "Loss", "mapping_type": "related_to", "attack_object_id": "T1561.002", "attack_object_name": "Disk Structure Wipe", "capability_group": "attribute.availability", "references": []}, {"capability_id": "action.hacking.variety.Hijack", "capability_description": "To assume control over and steal functionality for an illicit purpose (e.g. 
Hijacking phone number intercept SMS verification codes)", "mapping_type": "related_to", "attack_object_id": "T1563.001", "attack_object_name": "SSH Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1563.002", "attack_object_name": "RDP Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Hijack", "capability_description": "To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)", "mapping_type": "related_to", "attack_object_id": "T1563.002", "attack_object_name": "RDP Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1564", "attack_object_name": "Hide Artifacts", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1685.001", "attack_object_name": "Disable or Modify Windows Event Log", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564", "attack_object_name": "Hide Artifacts", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1690", 
"attack_object_name": "Prevent Command History Logging", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1564.001", "attack_object_name": "Hidden Files and Directories", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1686", "attack_object_name": "Disable or Modify System Firewall", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1685", "attack_object_name": "Disable or Modify Tools", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.001", "attack_object_name": "Hidden Files and Directories", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1686.001", "attack_object_name": "Cloud Firewall", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1564.002", "attack_object_name": "Hidden Users", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Disable 
controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1685.002", "attack_object_name": "Disable or Modify Cloud Log", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.002", "attack_object_name": "Hidden Users", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1564.003", "attack_object_name": "Hidden Window", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1685.004", "attack_object_name": "Disable or Modify Linux Audit System Log", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.003", "attack_object_name": "Hidden Window", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.vector.Network propagation", "capability_description": "Network propagation", "mapping_type": "related_to", "attack_object_id": "T1563", "attack_object_name": "Remote Service Session Hijacking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", 
"attack_object_id": "T1564.004", "attack_object_name": "NTFS File Attributes", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.vector.Network propagation", "capability_description": "Network propagation", "mapping_type": "related_to", "attack_object_id": "T1563.001", "attack_object_name": "SSH Hijacking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.004", "attack_object_name": "NTFS File Attributes", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.vector.Network propagation", "capability_description": "Network propagation", "mapping_type": "related_to", "attack_object_id": "T1563.002", "attack_object_name": "RDP Hijacking", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1564.005", "attack_object_name": "Hidden File System", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564", "attack_object_name": "Hide Artifacts", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564", "attack_object_name": "Hide Artifacts", "capability_group": "action.social", "references": []}, 
{"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.005", "attack_object_name": "Hidden File System", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.001", "attack_object_name": "Hidden Files and Directories", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.001", "attack_object_name": "Hidden Files and Directories", "capability_group": "action.social", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1564.006", "attack_object_name": "Run Virtual Instance", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.002", "attack_object_name": "Hidden Users", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.002", "attack_object_name": "Hidden Users", 
"capability_group": "action.social", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.006", "attack_object_name": "Run Virtual Instance", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.003", "attack_object_name": "Hidden Window", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.003", "attack_object_name": "Hidden Window", "capability_group": "action.social", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1564.007", "attack_object_name": "VBA Stomping", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.004", "attack_object_name": "NTFS File Attributes", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.004", "attack_object_name": 
"NTFS File Attributes", "capability_group": "action.social", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.007", "attack_object_name": "VBA Stomping", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.005", "attack_object_name": "Hidden File System", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.005", "attack_object_name": "Hidden File System", "capability_group": "action.social", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1568", "attack_object_name": "Dynamic Resolution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.006", "attack_object_name": "Run Virtual Instance", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid 
detection.", "mapping_type": "related_to", "attack_object_id": "T1564.006", "attack_object_name": "Run Virtual Instance", "capability_group": "action.social", "references": []}, {"capability_id": "action.hacking.vector.Other network service", "capability_description": "Network service that is not remote access or a web application.", "mapping_type": "related_to", "attack_object_id": "T1568", "attack_object_name": "Dynamic Resolution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.007", "attack_object_name": "VBA Stomping", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Trojan", "capability_description": "An application which appears legitimate but hides malicious functionality. Child of 'RAT' when combined with 'Backdoor'", "mapping_type": "related_to", "attack_object_id": "T1564.007", "attack_object_name": "VBA Stomping", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.007", "attack_object_name": "VBA Stomping", "capability_group": "action.social", "references": []}, {"capability_id": "attribute.integrity.variety.Modify data", "capability_description": "Modified stored data or content", "mapping_type": "related_to", "attack_object_id": "T1565", "attack_object_name": "Data Manipulation", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify data", "capability_description": "Modified stored data or content", "mapping_type": "related_to", "attack_object_id": 
"T1565.001", "attack_object_name": "Stored Data Manipulation", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify data", "capability_description": "Modified stored data or content", "mapping_type": "related_to", "attack_object_id": "T1565.002", "attack_object_name": "Transmitted Data Manipulation", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify data", "capability_description": "Modified stored data or content", "mapping_type": "related_to", "attack_object_id": "T1565.003", "attack_object_name": "Runtime Data Manipulation", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.malware.vector.Instant messaging", "capability_description": "Instant Messaging", "mapping_type": "related_to", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Email", "capability_description": "Email", "mapping_type": "related_to", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "action.social", "references": []}, {"capability_id": "action.malware.vector.Email", "capability_description": "Email. 
Parent to 'Email attachment', 'Email autoexecute', 'Email link', 'Email unknown'", "mapping_type": "related_to", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Email attachment", "capability_description": "Email via user-executed attachment. Child of 'Email'", "mapping_type": "related_to", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Email", "capability_description": "Email", "mapping_type": "related_to", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. 
A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Email", "capability_description": "Email", "mapping_type": "related_to", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Web application", "capability_description": "Web application", "mapping_type": "related_to", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1566.003", "attack_object_name": "Spearphishing via Service", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.vector.Email", "capability_description": "Email", "mapping_type": "related_to", "attack_object_id": "T1566.003", "attack_object_name": "Spearphishing via Service", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. 
A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1566.004", "attack_object_name": "Spearphishing Voice", "capability_group": "action.social", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1567", "attack_object_name": "Exfiltration Over Web Service", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1567", "attack_object_name": "Exfiltration Over Web Service", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1567.001", "attack_object_name": "Exfiltration to Code Repository", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1567.001", "attack_object_name": "Exfiltration to Code Repository", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1567.002", "attack_object_name": "Exfiltration to Cloud Storage", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1567.002", "attack_object_name": "Exfiltration to Cloud Storage", 
"capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1567.003", "attack_object_name": "Exfiltration to Text Storage Sites", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1567.003", "attack_object_name": "Exfiltration to Text Storage Sites", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1567.004", "attack_object_name": "Exfiltration Over Webhook", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1567.004", "attack_object_name": "Exfiltration Over Webhook", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1568.001", "attack_object_name": "Fast Flux DNS", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1568.002", "attack_object_name": "Domain Generation Algorithms", "capability_group": "action.hacking", "references": 
[]}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1568", "attack_object_name": "Dynamic Resolution", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1568", "attack_object_name": "Dynamic Resolution", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Download by malware", "capability_description": "Downloaded and installed by local malware", "mapping_type": "related_to", "attack_object_id": "T1568", "attack_object_name": "Dynamic Resolution", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1568.003", "attack_object_name": "DNS Calculation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1568.001", "attack_object_name": "Fast Flux DNS", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. 
Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1568.001", "attack_object_name": "Fast Flux DNS", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1569.003", "attack_object_name": "Systemctl", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1568.002", "attack_object_name": "Domain Generation Algorithms", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1568.002", "attack_object_name": "Domain Generation Algorithms", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1569.001", "attack_object_name": "Launchctl", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. 
Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1568.003", "attack_object_name": "DNS Calculation", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1568.003", "attack_object_name": "DNS Calculation", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1569.002", "attack_object_name": "Service Execution", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Other network service", "capability_description": "Network service that is not remote access or a web application.", "mapping_type": "related_to", "attack_object_id": "T1571", "attack_object_name": "Non-Standard Port", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1572", "attack_object_name": "Protocol Tunneling", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.vector.Direct install", "capability_description": "Directly installed or inserted by threat agent (after system access)", "mapping_type": "related_to", "attack_object_id": "T1569.002", "attack_object_name": "Service Execution", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Network propagation", "capability_description": "Network propagation", "mapping_type": "related_to", "attack_object_id": "T1570", "attack_object_name": "Lateral Tool 
Transfer", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.vector.Other network service", "capability_description": "Network service that is not remote access or a web application.", "mapping_type": "related_to", "attack_object_id": "T1572", "attack_object_name": "Protocol Tunneling", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1571", "attack_object_name": "Non-Standard Port", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1571", "attack_object_name": "Non-Standard Port", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1573", "attack_object_name": "Encrypted Channel", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Other network service", "capability_description": "Network service that is not remote access or a web application.", "mapping_type": "related_to", "attack_object_id": "T1573", "attack_object_name": "Encrypted Channel", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. 
Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1572", "attack_object_name": "Protocol Tunneling", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1572", "attack_object_name": "Protocol Tunneling", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1573.001", "attack_object_name": "Symmetric Cryptography", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1573.002", "attack_object_name": "Asymmetric Cryptography", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1573", "attack_object_name": "Encrypted Channel", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. 
Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1573", "attack_object_name": "Encrypted Channel", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Hijack", "capability_description": "To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)", "mapping_type": "related_to", "attack_object_id": "T1574", "attack_object_name": "Hijack Execution Flow", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1573.001", "attack_object_name": "Symmetric Cryptography", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1573.001", "attack_object_name": "Symmetric Cryptography", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1574", "attack_object_name": "Hijack Execution Flow", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. 
Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1573.002", "attack_object_name": "Asymmetric Cryptography", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1573.002", "attack_object_name": "Asymmetric Cryptography", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.XML injection", "capability_description": "XML injection. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1574", "attack_object_name": "Hijack Execution Flow", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Exploit misconfig", "capability_description": "Exploit a misconfiguration (vs vuln or weakness)", "mapping_type": "related_to", "attack_object_id": "T1574.001", "attack_object_name": "DLL", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Exploit vuln", "capability_description": "Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties.", "mapping_type": "related_to", "attack_object_id": "T1574.001", "attack_object_name": "DLL", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1574.001", "attack_object_name": "DLL", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Hijack", "capability_description": "To assume control over and steal functionality for an illicit purpose (e.g. 
Hijacking phone number intercept SMS verification codes)", "mapping_type": "related_to", "attack_object_id": "T1574.001", "attack_object_name": "DLL", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Exploit vuln", "capability_description": "Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties.", "mapping_type": "related_to", "attack_object_id": "T1574.004", "attack_object_name": "Dylib Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Hijack", "capability_description": "To assume control over and steal functionality for an illicit purpose (e.g. Hijacking phone number intercept SMS verification codes)", "mapping_type": "related_to", "attack_object_id": "T1574.004", "attack_object_name": "Dylib Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1574.004", "attack_object_name": "Dylib Hijacking", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Exploit misconfig", "capability_description": "Exploit a misconfiguration (vs vuln or weakness)", "mapping_type": "related_to", "attack_object_id": "T1574.005", "attack_object_name": "Executable Installer File Permissions Weakness", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Hijack", "capability_description": "To assume control over and steal functionality for an illicit purpose (e.g. 
Hijacking phone number intercept SMS verification codes)", "mapping_type": "related_to", "attack_object_id": "T1574.005", "attack_object_name": "Executable Installer File Permissions Weakness", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1574.005", "attack_object_name": "Executable Installer File Permissions Weakness", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Exploit misconfig", "capability_description": "Exploit a misconfiguration (vs vuln or weakness)", "mapping_type": "related_to", "attack_object_id": "T1574.010", "attack_object_name": "Services File Permissions Weakness", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Exploit misconfig", "capability_description": "Exploit a misconfiguration (vs vuln or weakness)", "mapping_type": "related_to", "attack_object_id": "T1574.011", "attack_object_name": "Services Registry Permissions Weakness", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1668", "attack_object_name": "Exclusive Control", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Hypervisor", "capability_description": "Hypervisor break-out attack", "mapping_type": "related_to", "attack_object_id": "T1578", "attack_object_name": "Modify Cloud Compute Infrastructure", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1574.012", "attack_object_name": "COR_PROFILER", "capability_group": 
"action.malware", "references": []}, {"capability_id": "action.hacking.vector.Inter-tenant", "capability_description": "Penetration of another VM or web site on shared device or infrastructure", "mapping_type": "related_to", "attack_object_id": "T1578", "attack_object_name": "Modify Cloud Compute Infrastructure", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1578.001", "attack_object_name": "Create Snapshot", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1578.002", "attack_object_name": "Create Cloud Instance", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1578.003", "attack_object_name": "Delete Cloud Instance", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1578.004", "attack_object_name": "Revert Cloud Instance", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1578.005", "attack_object_name": "Modify Cloud Compute Configurations", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1580", 
"attack_object_name": "Cloud Infrastructure Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1583", "attack_object_name": "Acquire Infrastructure", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.vector.Web application - download", "capability_description": "Web via user-executed or downloaded content. Child of 'Web application'.", "mapping_type": "related_to", "attack_object_id": "T1583", "attack_object_name": "Acquire Infrastructure", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1583.001", "attack_object_name": "Domains", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1583.001", "attack_object_name": "Domains", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. 
Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1583.001", "attack_object_name": "Domains", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1583.002", "attack_object_name": "DNS Server", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1583.002", "attack_object_name": "DNS Server", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1583.002", "attack_object_name": "DNS Server", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Forced browsing", "capability_description": "Forced browsing or predictable resource location. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1583.003", "attack_object_name": "Virtual Private Server", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1583.003", "attack_object_name": "Virtual Private Server", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Forced browsing", "capability_description": "Forced browsing or predictable resource location. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1583.004", "attack_object_name": "Server", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1583.004", "attack_object_name": "Server", "capability_group": "action.hacking", "references": []}, {"capability_id": "value_chain.development.variety.Bot", "capability_description": "A small program that can be distributed, installed, and controlled en masse.", "mapping_type": "related_to", "attack_object_id": "T1583.005", "attack_object_name": "Botnet", "capability_group": "value_chain.development", "references": []}, {"capability_id": "action.hacking.variety.Forced browsing", "capability_description": "Forced browsing or predictable resource location. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1583.006", "attack_object_name": "Web Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1583.006", "attack_object_name": "Web Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1583.006", "attack_object_name": "Web Services", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. 
Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1583.006", "attack_object_name": "Web Services", "capability_group": "action.malware", "references": []}, {"capability_id": "value_chain.development.variety.Website", "capability_description": "Development of any full website controlled by the attacker", "mapping_type": "related_to", "attack_object_id": "T1583.006", "attack_object_name": "Web Services", "capability_group": "value_chain.development", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1584", "attack_object_name": "Compromise Infrastructure", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.vector.Web application - download", "capability_description": "Web via user-executed or downloaded content. Child of 'Web application'.", "mapping_type": "related_to", "attack_object_id": "T1584", "attack_object_name": "Compromise Infrastructure", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1584.001", "attack_object_name": "Domains", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.social.variety.Pretexting", "capability_description": "Pretexting (dialogue leveraging invented scenario).  Unlike 'Phishing', does not transfer data. 
(A fraudulent transfer or changing a bank account on a business account is not really disclosing data.", "mapping_type": "related_to", "attack_object_id": "T1584.001", "attack_object_name": "Domains", "capability_group": "action.social", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1584.002", "attack_object_name": "DNS Server", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Backdoor or C2", "capability_description": "Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.", "mapping_type": "related_to", "attack_object_id": "T1584.002", "attack_object_name": "DNS Server", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. 
Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1584.002", "attack_object_name": "DNS Server", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1584.003", "attack_object_name": "Virtual Private Server", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1584.004", "attack_object_name": "Server", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.DoS", "capability_description": "Denial of service", "mapping_type": "related_to", "attack_object_id": "T1584.005", "attack_object_name": "Botnet", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1584.005", "attack_object_name": "Botnet", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1584.006", "attack_object_name": "Web Services", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.social.variety.Pretexting", "capability_description": "Pretexting (dialogue leveraging invented scenario).  Unlike 'Phishing', does not transfer data. 
(A fraudulent transfer or changing a bank account on a business account is not really disclosing data.", "mapping_type": "related_to", "attack_object_id": "T1585", "attack_object_name": "Establish Accounts", "capability_group": "action.social", "references": []}, {"capability_id": "value_chain.development.variety.Persona", "capability_description": "A fake representation of a person, such as fake social media profiles", "mapping_type": "related_to", "attack_object_id": "T1585", "attack_object_name": "Establish Accounts", "capability_group": "value_chain.development", "references": []}, {"capability_id": "action.social.variety.Pretexting", "capability_description": "Pretexting (dialogue leveraging invented scenario).  Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.", "mapping_type": "related_to", "attack_object_id": "T1585.001", "attack_object_name": "Social Media Accounts", "capability_group": "action.social", "references": []}, {"capability_id": "value_chain.development.variety.Persona", "capability_description": "A fake representation of a person, such as fake social media profiles", "mapping_type": "related_to", "attack_object_id": "T1585.001", "attack_object_name": "Social Media Accounts", "capability_group": "value_chain.development", "references": []}, {"capability_id": "action.social.variety.Pretexting", "capability_description": "Pretexting (dialogue leveraging invented scenario).  Unlike 'Phishing', does not transfer data. 
(A fraudulent transfer or changing a bank account on a business account is not really disclosing data.", "mapping_type": "related_to", "attack_object_id": "T1585.002", "attack_object_name": "Email Accounts", "capability_group": "action.social", "references": []}, {"capability_id": "value_chain.development.variety.Persona", "capability_description": "A fake representation of a person, such as fake social media profiles", "mapping_type": "related_to", "attack_object_id": "T1585.002", "attack_object_name": "Email Accounts", "capability_group": "value_chain.development", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1586", "attack_object_name": "Compromise Accounts", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1586.001", "attack_object_name": "Social Media Accounts", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1586.001", "attack_object_name": "Social Media Accounts", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Pretexting", "capability_description": "Pretexting (dialogue leveraging invented scenario).  Unlike 'Phishing', does not transfer data. 
(A fraudulent transfer or changing a bank account on a business account is not really disclosing data.", "mapping_type": "related_to", "attack_object_id": "T1586.001", "attack_object_name": "Social Media Accounts", "capability_group": "action.social", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1586.002", "attack_object_name": "Email Accounts", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1587", "attack_object_name": "Develop Capabilities", "capability_group": "action.hacking", "references": []}, {"capability_id": "value_chain.development.variety.Unknown", "capability_description": "Nothing is known about the need for or type of development investment other than it was present.", "mapping_type": "related_to", "attack_object_id": "T1587", "attack_object_name": "Develop Capabilities", "capability_group": "value_chain.development", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1587.001", "attack_object_name": "Malware", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1587.001", "attack_object_name": "Malware", "capability_group": "action.malware", "references": []}, {"capability_id": "value_chain.development.variety.Bot", "capability_description": "A small program that can be distributed, installed, and controlled en masse.", "mapping_type": "related_to", "attack_object_id": "T1587.001", "attack_object_name": "Malware", "capability_group": 
"value_chain.development", "references": []}, {"capability_id": "value_chain.development.variety.Payload", "capability_description": "The portion of a program that causes a negative effect.", "mapping_type": "related_to", "attack_object_id": "T1587.001", "attack_object_name": "Malware", "capability_group": "value_chain.development", "references": []}, {"capability_id": "value_chain.development.variety.Ransomware", "capability_description": "Ransomware (encrypt or seize stored data)", "mapping_type": "related_to", "attack_object_id": "T1587.001", "attack_object_name": "Malware", "capability_group": "value_chain.development", "references": []}, {"capability_id": "value_chain.development.variety.Trojan", "capability_description": "A program which masquerades as another program to get a target to execute malicious content", "mapping_type": "related_to", "attack_object_id": "T1587.001", "attack_object_name": "Malware", "capability_group": "value_chain.development", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1587.002", "attack_object_name": "Code Signing Certificates", "capability_group": "action.hacking", "references": []}, {"capability_id": "value_chain.development.variety.Other", "capability_description": "The variety of development required is known, but is not listed.", "mapping_type": "related_to", "attack_object_id": "T1587.002", "attack_object_name": "Code Signing Certificates", "capability_group": "value_chain.development", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1587.003", "attack_object_name": "Digital Certificates", "capability_group": "action.hacking", "references": []}, {"capability_id": "value_chain.development.variety.Other", "capability_description": "The variety of development required is known, but is not listed.", 
"mapping_type": "related_to", "attack_object_id": "T1587.003", "attack_object_name": "Digital Certificates", "capability_group": "value_chain.development", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1587.004", "attack_object_name": "Exploits", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1587.004", "attack_object_name": "Exploits", "capability_group": "action.malware", "references": []}, {"capability_id": "value_chain.development.variety.Exploit", "capability_description": "Code to exploit a vulnerability, including web injects.", "mapping_type": "related_to", "attack_object_id": "T1587.004", "attack_object_name": "Exploits", "capability_group": "value_chain.development", "references": []}, {"capability_id": "value_chain.development.variety.Exploit Kits", "capability_description": "Code sets capable of selecting and trying multiple exploits against a target.", "mapping_type": "related_to", "attack_object_id": "T1587.004", "attack_object_name": "Exploits", "capability_group": "value_chain.development", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1588", "attack_object_name": "Obtain Capabilities", "capability_group": "action.hacking", "references": []}, {"capability_id": "value_chain.development.variety.Unknown", "capability_description": "Nothing is known about the need for or type of development investment other than it was present.", "mapping_type": "related_to", "attack_object_id": "T1588", "attack_object_name": "Obtain Capabilities", "capability_group": "value_chain.development", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": 
"Unknown", "mapping_type": "related_to", "attack_object_id": "T1588.001", "attack_object_name": "Malware", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1588.001", "attack_object_name": "Malware", "capability_group": "action.malware", "references": []}, {"capability_id": "value_chain.development.variety.Bot", "capability_description": "A small program that can be distributed, installed, and controlled en masse.", "mapping_type": "related_to", "attack_object_id": "T1588.001", "attack_object_name": "Malware", "capability_group": "value_chain.development", "references": []}, {"capability_id": "value_chain.development.variety.Payload", "capability_description": "The portion of a program that causes a negative effect.", "mapping_type": "related_to", "attack_object_id": "T1588.001", "attack_object_name": "Malware", "capability_group": "value_chain.development", "references": []}, {"capability_id": "value_chain.development.variety.Ransomware", "capability_description": "Ransomware (encrypt or seize stored data)", "mapping_type": "related_to", "attack_object_id": "T1588.001", "attack_object_name": "Malware", "capability_group": "value_chain.development", "references": []}, {"capability_id": "value_chain.development.variety.Trojan", "capability_description": "A program which masquerades as another program to get a target to execute malicious content", "mapping_type": "related_to", "attack_object_id": "T1588.001", "attack_object_name": "Malware", "capability_group": "value_chain.development", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1588.003", "attack_object_name": "Code Signing Certificates", "capability_group": "action.hacking", "references": []}, {"capability_id": "value_chain.development.variety.Other", 
"capability_description": "The variety of development required is known, but is not listed.", "mapping_type": "related_to", "attack_object_id": "T1588.003", "attack_object_name": "Code Signing Certificates", "capability_group": "value_chain.development", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1588.004", "attack_object_name": "Digital Certificates", "capability_group": "action.hacking", "references": []}, {"capability_id": "value_chain.development.variety.Other", "capability_description": "The variety of development required is known, but is not listed.", "mapping_type": "related_to", "attack_object_id": "T1588.004", "attack_object_name": "Digital Certificates", "capability_group": "value_chain.development", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1588.005", "attack_object_name": "Exploits", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1588.005", "attack_object_name": "Exploits", "capability_group": "action.malware", "references": []}, {"capability_id": "value_chain.development.variety.Exploit", "capability_description": "Code to exploit a vulnerability, including web injects.", "mapping_type": "related_to", "attack_object_id": "T1588.005", "attack_object_name": "Exploits", "capability_group": "value_chain.development", "references": []}, {"capability_id": "value_chain.development.variety.Exploit Kits", "capability_description": "Code sets capable of selecting and trying multiple exploits against a target.", "mapping_type": "related_to", "attack_object_id": "T1588.005", "attack_object_name": "Exploits", "capability_group": "value_chain.development", "references": []}, 
{"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1588.006", "attack_object_name": "Vulnerabilities", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1588.006", "attack_object_name": "Vulnerabilities", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1588.007", "attack_object_name": "Artificial Intelligence", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1588.007", "attack_object_name": "Artificial Intelligence", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1589", "attack_object_name": "Gather Victim Identity Information", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1589.001", "attack_object_name": "Credentials", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1589.002", "attack_object_name": "Email Addresses", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the 
network", "mapping_type": "related_to", "attack_object_id": "T1589.003", "attack_object_name": "Employee Names", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1590", "attack_object_name": "Gather Victim Network Information", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1590.001", "attack_object_name": "Domain Properties", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1590.002", "attack_object_name": "DNS", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1590.003", "attack_object_name": "Network Trust Dependencies", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1590.004", "attack_object_name": "Network Topology", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1590.005", "attack_object_name": "IP Addresses", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the 
network", "mapping_type": "related_to", "attack_object_id": "T1590.006", "attack_object_name": "Network Security Appliances", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1592", "attack_object_name": "Gather Victim Host Information", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1592.001", "attack_object_name": "Hardware", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1592.002", "attack_object_name": "Software", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1592.003", "attack_object_name": "Firmware", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1592.004", "attack_object_name": "Client Configurations", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1595", "attack_object_name": "Active Scanning", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Scan network", "capability_description": "Enumerating the state of the 
network", "mapping_type": "related_to", "attack_object_id": "T1595.001", "attack_object_name": "Scanning IP Blocks", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Exploit vuln", "capability_description": "Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties.", "mapping_type": "related_to", "attack_object_id": "T1595.002", "attack_object_name": "Vulnerability Scanning", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1595.002", "attack_object_name": "Vulnerability Scanning", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1598", "attack_object_name": "Phishing for Information", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Pretexting", "capability_description": "Pretexting (dialogue leveraging invented scenario).  Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.", "mapping_type": "related_to", "attack_object_id": "T1598", "attack_object_name": "Phishing for Information", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  
Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1598.001", "attack_object_name": "Spearphishing Service", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Pretexting", "capability_description": "Pretexting (dialogue leveraging invented scenario).  Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.", "mapping_type": "related_to", "attack_object_id": "T1598.001", "attack_object_name": "Spearphishing Service", "capability_group": "action.social", "references": []}, {"capability_id": "action.malware.vector.Email attachment", "capability_description": "Email via user-executed attachment. Child of 'Email'", "mapping_type": "related_to", "attack_object_id": "T1598.002", "attack_object_name": "Spearphishing Attachment", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1598.002", "attack_object_name": "Spearphishing Attachment", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Pretexting", "capability_description": "Pretexting (dialogue leveraging invented scenario).  Unlike 'Phishing', does not transfer data. 
(A fraudulent transfer or changing a bank account on a business account is not really disclosing data.", "mapping_type": "related_to", "attack_object_id": "T1598.002", "attack_object_name": "Spearphishing Attachment", "capability_group": "action.social", "references": []}, {"capability_id": "action.malware.vector.Email link", "capability_description": "Email via embedded link. Child of 'Email'", "mapping_type": "related_to", "attack_object_id": "T1598.003", "attack_object_name": "Spearphishing Link", "capability_group": "action.malware", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1598.003", "attack_object_name": "Spearphishing Link", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Pretexting", "capability_description": "Pretexting (dialogue leveraging invented scenario).  Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data.", "mapping_type": "related_to", "attack_object_id": "T1598.003", "attack_object_name": "Spearphishing Link", "capability_group": "action.social", "references": []}, {"capability_id": "action.social.variety.Phishing", "capability_description": "Any type of *ishing.  Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn\u2019t rise to the level of an invented scenario. E.g. 
A fake google login page isn\u2019t really pretexting.", "mapping_type": "related_to", "attack_object_id": "T1598.004", "attack_object_name": "Spearphishing Voice", "capability_group": "action.social", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1599", "attack_object_name": "Network Boundary Bridging", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1599.001", "attack_object_name": "Network Address Translation Traversal", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Cryptanalysis", "capability_description": "Cryptanalysis. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1600", "attack_object_name": "Weaken Encryption", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1600", "attack_object_name": "Weaken Encryption", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1600.001", "attack_object_name": "Reduce Key Space", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1600.002", "attack_object_name": "Disable Crypto Hardware", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", 
"capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1601", "attack_object_name": "Modify System Image", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.integrity.variety.Software installation", "capability_description": "Software installation or code modification", "mapping_type": "related_to", "attack_object_id": "T1601", "attack_object_name": "Modify System Image", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1601.001", "attack_object_name": "Patch System Image", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.integrity.variety.Software installation", "capability_description": "Software installation or code modification", "mapping_type": "related_to", "attack_object_id": "T1601.001", "attack_object_name": "Patch System Image", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1601.002", "attack_object_name": "Downgrade System Image", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1602", "attack_object_name": "Data from Configuration Repository", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Capture stored data", "capability_description": "Capture data stored on system disk", "mapping_type": "related_to", "attack_object_id": "T1602", "attack_object_name": "Data from Configuration 
Repository", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1602", "attack_object_name": "Data from Configuration Repository", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1602.001", "attack_object_name": "SNMP (MIB Dump)", "capability_group": "action.hacking", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1602.001", "attack_object_name": "SNMP (MIB Dump)", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1602.002", "attack_object_name": "Network Device Configuration Dump", "capability_group": "action.hacking", "references": []}, {"capability_id": "attribute.confidentiality.data_disclosure", "capability_description": "Confirmed or potential data disclosure", "mapping_type": "related_to", "attack_object_id": "T1602.002", "attack_object_name": "Network Device Configuration Dump", "capability_group": "attribute.confidentiality", "references": []}, {"capability_id": "action.hacking.variety.Session prediction", "capability_description": "Credential or session prediction. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1606", "attack_object_name": "Forge Web Credentials", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1606", "attack_object_name": "Forge Web Credentials", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Session prediction", "capability_description": "Credential or session prediction. Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1606.001", "attack_object_name": "Web Cookies", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1606.001", "attack_object_name": "Web Cookies", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1606.002", "attack_object_name": "SAML Tokens", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1608", "attack_object_name": "Stage Capabilities", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1608.001", "attack_object_name": "Upload Malware", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1608.002", "attack_object_name": "Upload Tool", "capability_group": "action.malware", "references": []}, 
{"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1608.003", "attack_object_name": "Install Digital Certificate", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1608.004", "attack_object_name": "Drive-by Target", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1608.005", "attack_object_name": "Link Target", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1609", "attack_object_name": "Container Administration Command", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Downloader", "capability_description": "Downloader (pull updates or other malware)", "mapping_type": "related_to", "attack_object_id": "T1610", "attack_object_name": "Deploy Container", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1610", "attack_object_name": "Deploy Container", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Virtual machine escape", "capability_description": "Virtual machine escape. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1611", "attack_object_name": "Escape to Host", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1612", "attack_object_name": "Build Image on Host", "capability_group": "action.malware", "references": []}, {"capability_id": "action.hacking.variety.Scan network", "capability_description": "Enumerating the state of the network", "mapping_type": "related_to", "attack_object_id": "T1613", "attack_object_name": "Container and Resource Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1614", "attack_object_name": "System Location Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1614.001", "attack_object_name": "System Language Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1622", "attack_object_name": "Debugger Evasion", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1622", "attack_object_name": "Debugger Evasion", "capability_group": "action.malware", 
"references": []}, {"capability_id": "action.social.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1622", "attack_object_name": "Debugger Evasion", "capability_group": "action.social", "references": []}, {"capability_id": "action.malware.variety.Backdoor", "capability_description": "Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1546.017", "attack_object_name": "Udev Rules", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Brute force", "capability_description": "Brute force attack", "mapping_type": "related_to", "attack_object_id": "T1531", "attack_object_name": "Account Access Removal", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.C2", "capability_description": "Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'.", "mapping_type": "related_to", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Export data", "capability_description": "Export data to another site or system", "mapping_type": "related_to", "attack_object_id": "T1588.002", "attack_object_name": "Tool", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.AiTM", "capability_description": "Man-in-the-middle attack. 
Child of 'Exploit vuln'.", "mapping_type": "related_to", "attack_object_id": "T1557.001", "attack_object_name": "Name Resolution Poisoning and SMB Relay", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1685", "attack_object_name": "Disable or Modify Tools", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Modify data", "capability_description": "Malware which compromises a legitimate file rather than creating new files", "mapping_type": "related_to", "attack_object_id": "T1685", "attack_object_name": "Disable or Modify Tools", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1685.003", "attack_object_name": "Modify or Spoof Tool UI", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.Partner", "capability_description": "Partner connection or credential. (Indicates supply chain breach.)", "mapping_type": "related_to", "attack_object_id": "T1584.008", "attack_object_name": "Network Devices", "capability_group": "action.malware", "references": []}, {"capability_id": "action.malware.vector.remote injection", "capability_description": "Remotely injected by agent (i.e. 
via SQLi)", "mapping_type": "related_to", "attack_object_id": "T1659", "attack_object_name": "Content Injection", "capability_group": "action.malware", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1556.008", "attack_object_name": "Network Provider DLL", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify privileges", "capability_description": "Modified privileges or permissions", "mapping_type": "related_to", "attack_object_id": "T1556.008", "attack_object_name": "Network Provider DLL", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify configuration", "capability_description": "Modified configuration or services", "mapping_type": "related_to", "attack_object_id": "T1556.009", "attack_object_name": "Conditional Access Policies", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "attribute.integrity.variety.Modify privileges", "capability_description": "Modified privileges or permissions", "mapping_type": "related_to", "attack_object_id": "T1556.009", "attack_object_name": "Conditional Access Policies", "capability_group": "attribute.integrity", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1543.005", "attack_object_name": "Container Service", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1548.005", "attack_object_name": "Temporary Elevated Cloud Access", "capability_group": "action.hacking", "references": []}, {"capability_id": 
"action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1548.006", "attack_object_name": "TCC Manipulation", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Use of stolen creds", "capability_description": "Use of stolen or default authentication credentials (including credential stuffing)", "mapping_type": "related_to", "attack_object_id": "T1558.005", "attack_object_name": "Ccache Files", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.011", "attack_object_name": "Ignore Process Interrupts", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1564.012", "attack_object_name": "File/Path Exclusions", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1564.012", "attack_object_name": "File/Path Exclusions", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Hijack", "capability_description": "To assume control over and steal functionality for an illicit purpose (e.g. 
Hijacking phone number intercept SMS verification codes)", "mapping_type": "related_to", "attack_object_id": "T1574.014", "attack_object_name": "AppDomainManager", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.vector.Partner", "capability_description": "Partner connection or credential. (Indicates supply chain breach.)", "mapping_type": "related_to", "attack_object_id": "T1584.008", "attack_object_name": "Network Devices", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1651", "attack_object_name": "Cloud Administration Command", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1652", "attack_object_name": "Device Driver Discovery", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1653", "attack_object_name": "Power Settings", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Profile host", "capability_description": "Enumerating the state of the current host", "mapping_type": "related_to", "attack_object_id": "T1654", "attack_object_name": "Log Enumeration", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Abuse of functionality", "capability_description": "Abuse of functionality.", "mapping_type": "related_to", "attack_object_id": "T1665", "attack_object_name": "Hide Infrastructure", "capability_group": "action.hacking", "references": []}, {"capability_id": 
"action.hacking.variety.Evade Defenses", "capability_description": "Modification of the action (rather than the system, as in 'Disable controls') to avoid detection.", "mapping_type": "related_to", "attack_object_id": "T1666", "attack_object_name": "Modify Cloud Resource Hierarchy", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1686.002", "attack_object_name": "Network Device Firewall", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1686", "attack_object_name": "Disable or Modify System Firewall", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Brute force", "capability_description": "Brute force or password guessing attacks.", "mapping_type": "related_to", "attack_object_id": "T1531", "attack_object_name": "Account Access Removal", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Disable controls", "capability_description": "Disable or interfere with security controls", "mapping_type": "related_to", "attack_object_id": "T1686.003", "attack_object_name": "Windows Host Firewall", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.DoS", "capability_description": "Denial of service", "mapping_type": "related_to", "attack_object_id": "T1583.005", "attack_object_name": "Botnet", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1583.005", "attack_object_name": "Botnet", "capability_group": 
"action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Unknown", "capability_description": "Unknown", "mapping_type": "related_to", "attack_object_id": "T1588.002", "attack_object_name": "Tool", "capability_group": "action.hacking", "references": []}, {"capability_id": "action.hacking.variety.Other", "capability_description": "Other", "mapping_type": "related_to", "attack_object_id": "T1689", "attack_object_name": "Downgrade Attack", "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Hacking.Vector.Unknown", "capability_description": "Unknown", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "action.hacking", "references": []}, {"capability_id": "Action.Malware.Variety.Other", "capability_description": "Other", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "action.malware", "references": []}, {"capability_id": "Action.Malware.Vector.Email other", "capability_description": "Email sub-variety known, but not one of those listed (attachment, link, autoexecute, etc). Child of 'Email'", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "action.malware", "references": []}, {"capability_id": "Action.Social.Variety.Baiting", "capability_description": "Prepare malicious content in a location where a victim is likely to interact with it. (e.g. 
SEO - vect: websites, left usbs- vect: removable media, etc)", "mapping_type": "related_to", "attack_object_id": "T1684", "attack_object_name": "Social Engineering", "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Variety.Influence", "capability_description": "Influence tactics (Leveraging authority or obligation, framing, etc)", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "action.social", "references": []}, {"capability_id": "Action.Social.Vector.Unknown", "capability_description": "Unknown", "mapping_type": "non_mappable", "attack_object_id": null, "attack_object_name": null, "capability_group": "action.social", "references": []}, {"capability_id": "attribute.integrity.variety.Register MFA device", "capability_description": "Registers an attacker controlled MFA device to an account", "mapping_type": "related_to", "attack_object_id": "T1098.005", "attack_object_name": "Device Registration", "capability_group": "attribute.integrity", "references": []}]}