# TTP ANALYSIS (MITRE ATT&CK Data V16)

In [None]:
!git clone https://github.com/Ashis-Palai/CTI_Analysis_MITRE_Backend.git

Cloning into 'CTI_Analysis_MITRE_Backend'...
remote: Enumerating objects: 7, done.[K
remote: Counting objects: 100% (7/7), done.[K
remote: Compressing objects: 100% (6/6), done.[K
remote: Total 7 (delta 1), reused 0 (delta 0), pack-reused 0 (from 0)[K
Receiving objects: 100% (7/7), 14.79 KiB | 261.00 KiB/s, done.
Resolving deltas: 100% (1/1), done.


In [None]:
!mkdir apt-comparison-ui
%cd apt-comparison-ui
!git init
!git config --global user.name "Ashis-Palai"
!git config --global user.email "ashis.palai.learning2022@gmail.com"

!git remote add origin https://github.com/Ashis-Palai/apt-comparison-ui.git
!git remote set-url origin https://Ashis-Palai:XXXXXXXXXACCESSTOKEN@github.com/Ashis-Palai/apt-comparison-ui.git







/content/apt-comparison-ui
[33mhint: Using 'master' as the name for the initial branch. This default branch name[m
[33mhint: is subject to change. To configure the initial branch name to use in all[m
[33mhint: [m
[33mhint: 	git config --global init.defaultBranch <name>[m
[33mhint: [m
[33mhint: Names commonly chosen instead of 'master' are 'main', 'trunk' and[m
[33mhint: 'development'. The just-created branch can be renamed via this command:[m
[33mhint: [m
[33mhint: 	git branch -m <name>[m
Initialized empty Git repository in /content/apt-comparison-ui/.git/


In [None]:
!mkdir public src
!touch public/index.html
!touch src/index.js src/App.js src/api.js
!touch package.json
!mkdir src/components
!mkdir ./src/components/ui
!touch src/components/ui/table.js
!mkdir src/styles
!touch src/styles/global.css

In [None]:
%%writefile package.json
{
  "name": "apt-comparison-ui",
  "version": "1.0.0",
  "private": true,
  "dependencies": {
    "react": "^18.0.0",
    "react-dom": "^18.0.0",
    "react-scripts": "5.0.1",
    "axios": "^1.5.1"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "predeploy": "npm run build",
    "deploy": "gh-pages -d build"
  },
  "homepage": "https://Ashis-Palai.github.io/apt-comparison-ui",
  "devDependencies": {
    "gh-pages": "^4.0.0"
  }
}

Overwriting package.json


In [None]:
%%writefile public/index.html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>APT Comparison Tool</title>
    <link rel="stylesheet" href="%PUBLIC_URL%/styles.css">
</head>
<body>
    <div id="root"></div>
</body>
</html>

Overwriting public/index.html


In [None]:
%%writefile src/index.js
import React from "react";
import ReactDOM from "react-dom";
import App from "./App";
import './styles/global.css';


ReactDOM.render(
    <React.StrictMode>
        <App />
    </React.StrictMode>,
    document.getElementById("root")
);

Overwriting src/index.js


In [None]:
%%writefile src/App.js
import React, { useState } from "react";
import { Button } from "./components/ui/button";
import { Table, Thead, Tbody, Tr, Th, Td } from "./components/ui/table";

const App = () => {
  const [aptGroups, setAptGroups] = useState(["", "", ""]);
  const [results, setResults] = useState(null);
  const [loading, setLoading] = useState(false);

  const handleChange = (index, value) => {
    const newGroups = [...aptGroups];
    newGroups[index] = value;
    setAptGroups(newGroups);
  };

  const getTTPId = (ttp) => {
    return ttp.external_references.find(ref => ref.external_id)?.external_id || "N/A";
  };

  const fetchTTPs = async () => {
    setLoading(true);
    try {
      const response = await fetch("https://cti-analysis-mitre-backend.onrender.com/compare", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({ apt_groups: aptGroups.filter((g) => g.trim() !== "") }),
      });

      if (!response.ok) {
        throw new Error(`API Error: ${response.status}`);
      }

      const data = await response.json();
      console.log("API Response:", data); // 🔍 Debug: Check what the API is returning

      if (!data.apt_ttps) {
        throw new Error("Invalid response format");
      }

      // Extract TTPs and find common ones
      const allTTPs = Object.values(data.apt_ttps).map(group =>
        group.map(ttp => getTTPId(ttp))
      );

      const commonTTPs = allTTPs.reduce((acc, curr) => {
        if (acc === null) return new Set(curr);
        return new Set([...acc].filter(id => curr.includes(id)));
      }, null);

      // Filter TTPs to show only common ones
      const filteredResults = Object.fromEntries(
        Object.entries(data.apt_ttps).map(([group, ttps]) => [
          group,
          ttps.filter(ttp => commonTTPs.has(getTTPId(ttp)))
        ])
      );

      setResults(filteredResults);
    } catch (error) {
      console.error("Error fetching data:", error);
    }
    setLoading(false);
  };

  const downloadJSON = async () => {
    const response = await fetch("https://cti-analysis-mitre-backend.onrender.com/download");
    const blob = await response.blob();
    const url = window.URL.createObjectURL(blob);
    const a = document.createElement("a");
    a.href = url;
    a.download = "navigator.json";
    document.body.appendChild(a);
    a.click();
    document.body.removeChild(a);
  };

  return (
    <div className="p-4 max-w-4xl mx-auto">
      <h1 className="text-xl font-bold mb-4">APT Group TTPs Analysis</h1>
      {aptGroups.map((group, index) => (
        <input
          key={index}
          type="text"
          value={group}
          onChange={(e) => handleChange(index, e.target.value)}
          placeholder={`APT Group ${index + 1}`}
          className="border p-2 rounded w-full mb-2"
        />
      ))}
      <Button onClick={fetchTTPs} disabled={loading}>
        {loading ? "Loading..." : "Get TTPs"}
      </Button>
      {results && (
        <div className="mt-4">
          <Table>
            <Thead>
              <Tr>
                <Th>APT Group</Th>
                <Th>TTP Name</Th>
                <Th>TTP ID</Th>
                <Th>External Link</Th>
              </Tr>
            </Thead>
            <Tbody>
              {Object.entries(results).map(([group, ttps]) =>
                ttps.map((ttp) => (
                  <Tr key={getTTPId(ttp)}>
                    <Td>{group}</Td>
                    <Td>{ttp.name}</Td>
                    <Td>{getTTPId(ttp)}</Td>
                    <Td>
                      <a href={ttp.external_references.find(ref => ref.url)?.url || "#"}
                         target="_blank" className="text-blue-500">
                        Reference
                      </a>
                    </Td>
                  </Tr>
                ))
              )}
            </Tbody>
          </Table>
          <Button onClick={downloadJSON} className="mt-4">Download Navigator JSON</Button>
        </div>
      )}
    </div>
  );
};

export default App;


In [None]:
%%writefile src/components/ui/button.js
export function Button({ children, onClick, className }) {
  return (
    <button onClick={onClick} className={`p-2 bg-blue-500 text-white rounded ${className}`}>
      {children}
    </button>
  );
}

Writing src/components/ui/button.js


In [None]:
%%writefile /content/apt-comparison-ui/src/components/ui/table.js
import React from "react";

const Table = ({ children }) => {
  return (
    <div className="overflow-x-auto">
      <table className="min-w-full border-collapse border border-gray-300">
        {children}
      </table>
    </div>
  );
};

const Thead = ({ children }) => (
  <thead className="bg-gray-200 border-b">{children}</thead>
);

const Tbody = ({ children }) => <tbody>{children}</tbody>;

const Tr = ({ children }) => <tr className="border-b">{children}</tr>;

const Th = ({ children }) => (
  <th className="px-4 py-2 border border-gray-300">{children}</th>
);

const Td = ({ children }) => (
  <td className="px-4 py-2 border border-gray-300">{children}</td>
);

export { Table, Thead, Tbody, Tr, Th, Td };

Overwriting /content/apt-comparison-ui/src/components/ui/table.js


In [None]:
!npm install

# !npm audit fix
# !npm audit fix --force
!npm install gh-pages --save-dev
!npm install @shadcn/ui

!npm run build











[1G[0K⠙[1G[0K⠹[1G[0K⠸[1G[0K⠼[1G[0K⠴[1G[0K⠦[1G[0K⠧[1G[0K⠇[1G[0K⠏[1G[0K⠋[1G[0K⠙[1G[0K⠹[1G[0K⠸[1G[0K⠼[1G[0K⠴[1G[0K⠦[1G[0K⠧[1G[0K⠇[1G[0K⠏[1G[0K⠋[1G[0K⠙[1G[0K⠹[1G[0K⠸[1G[0K⠼[1G[0K⠴[1G[0K⠦[1G[0K⠧[1G[0K⠇[1G[0K⠏[1G[0K⠋[1G[0K⠙[1G[0K⠹[1G[0K⠸[1G[0K⠼[1G[0K⠴[1G[0K⠦[1G[0K⠧[1G[0K⠇[1G[0K⠏[1G[0K⠋[1G[0K⠙[1G[0K⠹[1G[0K⠸[1G[0K⠼[1G[0K⠴[1G[0K⠦[1G[0K⠧[1G[0K⠇[1G[0K⠏[1G[0K⠋[1G[0K⠙[1G[0K⠹[1G[0K⠸[1G[0K⠼[1G[0K⠴[1G[0K⠦[1G[0K⠧[1G[0K⠇[1G[0K⠏[1G[0K⠋[1G[0K⠙[1G[0K⠹[1G[0K⠸[1G[0K⠼[1G[0K⠴[1G[0K⠦[1G[0K⠧[1G[0K⠇[1G[0K⠏[1G[0K⠋[1G[0K⠙[1G[0K⠹[1G[0K⠸[1G[0K⠼[1G[0K⠴[1G[0K⠦[1G[0K⠧[1G[0K⠇[1G[0K⠏[1G[0K⠋[1G[0K⠙[1G[0K⠹[1G[0K⠸[1G[0K⠼[1G[0K⠴[1G[0K⠦[1G[0K⠧[1G[0K⠇[1G[0K⠏[1G[0K⠋[1G[0K⠙[1G[0K⠹[1G[0K⠸[1G[0K⠼[1G[0K⠴[1G[0K⠦[1G[0K⠧[1G[0K⠇[1G[0K⠏[1G[0K⠋[1G[0K⠙[1G[0K⠹[1G[0K⠸[1G[0K⠼[1G[0K⠴[1G[0K⠦[1G[0K⠧[1G[0K⠇[1G[0K⠏[1G[0K⠋[1G[0K⠙

In [None]:
!npm run deploy


> apt-comparison-ui@1.0.0 predeploy
> npm run build

[1G[0K
> apt-comparison-ui@1.0.0 build
> react-scripts build

[1G[0KCreating an optimized production build...
[32mCompiled successfully.[39m
[32m[39m
File sizes after gzip:

  46.13 kB  [2mbuild/static/js/[22m[36mmain.b582a994.js[39m
  20 B      [2mbuild/static/css/[22m[36mmain.31d6cfe0.css[39m

The project was built assuming it is hosted at [32m/apt-comparison-ui/[39m.
You can control this with the [32mhomepage[39m field in your [36mpackage.json[39m.

The [36mbuild[39m folder is ready to be deployed.

Find out more about deployment here:

  [33mhttps://cra.link/deployment[39m

[1G[0K⠙[1G[0K[1G[0K⠙[1G[0K
> apt-comparison-ui@1.0.0 deploy
> gh-pages -d build

[1G[0K⠙[1G[0KPublished
[1G[0K⠙[1G[0K

In [None]:
!npm run build



> apt-comparison-ui@1.0.0 build
> react-scripts build

[1G[0KCreating an optimized production build...
[32mCompiled successfully.[39m
[32m[39m
File sizes after gzip:

  46.36 kB ([32m-13 B[39m)  [2mbuild/static/js/[22m[36mmain.3bff73f6.js[39m
  20 B              [2mbuild/static/css/[22m[36mmain.31d6cfe0.css[39m

The project was built assuming it is hosted at [32m/apt-comparison-ui/[39m.
You can control this with the [32mhomepage[39m field in your [36mpackage.json[39m.

The [36mbuild[39m folder is ready to be deployed.

Find out more about deployment here:

  [33mhttps://cra.link/deployment[39m

[1G[0K⠙[1G[0K

In [None]:
!npm run deploy


> apt-comparison-ui@1.0.0 predeploy
> npm run build

[1G[0K
> apt-comparison-ui@1.0.0 build
> react-scripts build

[1G[0KCreating an optimized production build...
[32mCompiled successfully.[39m
[32m[39m
File sizes after gzip:

  46.36 kB  [2mbuild/static/js/[22m[36mmain.3bff73f6.js[39m
  20 B      [2mbuild/static/css/[22m[36mmain.31d6cfe0.css[39m

The project was built assuming it is hosted at [32m/apt-comparison-ui/[39m.
You can control this with the [32mhomepage[39m field in your [36mpackage.json[39m.

The [36mbuild[39m folder is ready to be deployed.

Find out more about deployment here:

  [33mhttps://cra.link/deployment[39m

[1G[0K⠙[1G[0K[1G[0K⠙[1G[0K
> apt-comparison-ui@1.0.0 deploy
> gh-pages -d build

[1G[0K⠙[1G[0KPublished
[1G[0K⠙[1G[0K

In [None]:
# !git status
!git remote -v

In [None]:
!git add .
!git commit -m "Updated UI and ready for deployment"


In [None]:
# !git add enterprise-attack.json
# !git commit -m "Added JSON file"
# !git push origin main

On branch main
Your branch is ahead of 'origin/main' by 1 commit.
  (use "git push" to publish your local commits)

nothing to commit, working tree clean
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 6.45 MiB | 3.05 MiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
To https://github.com/Ashis-Palai/CTI_Analysis_MITRE_Backend.git
   6ea052b..0ee085a  main -> main


In [None]:
%cd /content/CTI_Analysis_MITRE_Backend

/content/CTI_Analysis_MITRE_Backend


In [None]:
!sudo apt install git
!git clone https://github.com/mitre/cti.git

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
git is already the newest version (1:2.34.1-1ubuntu1.12).
0 upgraded, 0 newly installed, 0 to remove and 29 not upgraded.
Cloning into 'cti'...
remote: Enumerating objects: 524709, done.[K
remote: Counting objects: 100% (159/159), done.[K
remote: Compressing objects: 100% (43/43), done.[K
remote: Total 524709 (delta 131), reused 116 (delta 116), pack-reused 524550 (from 2)[K
Receiving objects: 100% (524709/524709), 254.72 MiB | 14.68 MiB/s, done.
Resolving deltas: 100% (511377/511377), done.
Updating files: 100% (30734/30734), done.


In [None]:
import json
import re

# Load the MITRE ATT&CK dataset
with open("cti/enterprise-attack/enterprise-attack.json", "r", encoding="utf-8") as f:
    attack_data = json.load(f)

# Regex pattern to match attack-pattern IDs
attack_pattern_regex = r"attack-pattern--[a-f0-9\-]+"  # Matches 'attack-pattern--ID' format

# Search function for a query
def search_mitre_attack(query):
    results = []

    for obj in attack_data["objects"]:
        # Convert object to string to check everywhere
        obj_text = json.dumps(obj).lower()

        if query.lower() in obj_text:
            results.append(obj)

    return results

# Function to fetch details for the attack-pattern ID
def get_attack_pattern_details(attack_pattern_id):
    # Search for the attack-pattern object by its ID
    for obj in attack_data["objects"]:
        if obj.get("type") == "attack-pattern" and obj.get("id") == attack_pattern_id:
            # Extract required fields
            return {
                "name": obj.get("name"),
                "kill_chain_phases": obj.get("kill_chain_phases"),
                "external_references": obj.get("external_references")
            }
    return None

import textwrap

# Function to format and print details in a readable format
def print_attack_pattern_details(attack_pattern_id, details):
    print(f"🔹 Name: {details['name']}")
    print(f"   ID: {details['external_references'][0]['external_id']}")


    # Formatting the description (if available)
    if details.get("external_references"):
        for ref in details["external_references"]:
            if "description" in ref:
                formatted_description = textwrap.fill(ref["description"], width=80)  # Wrap text
                print("\n📌 Description:\n" + formatted_description)
                break  # Print only the first available description

    # Formatting the kill chain phases
    if details.get("kill_chain_phases"):
        kill_chain_list = [phase['phase_name'] for phase in details["kill_chain_phases"]]
        print("\n🔗 Kill Chain Phases: " + ", ".join(kill_chain_list))

    # Formatting the external references
    if details.get("external_references"):
        print("\n🌐 External References:")
        for ref in details["external_references"]:
            if "url" in ref:
                print(f"   - {ref['url']}")


    print("\n" + "=" * 100)  # Separator for readability



In [None]:
# Example: Search for a query
query = "SHELL command"  # Example query
found_ttps = search_mitre_attack(query)

# Set to store unique attack-pattern IDs and prevent duplicates
unique_attack_patterns = set()

# Iterate through the search results and apply regex to find attack-pattern references
for obj in found_ttps:
    # Check if 'target_ref' or 'source_ref' contains a reference to an attack-pattern
    for key in ['target_ref', 'source_ref','id']:
        if key in obj:
            attack_pattern_id = obj[key]
            # Check if the ID matches the attack-pattern regex
            if re.match(attack_pattern_regex, attack_pattern_id):
                unique_attack_patterns.add(attack_pattern_id)

# Now, fetch and print details for each attack-pattern ID
if unique_attack_patterns:
    print(f"\n✅ Found {len(unique_attack_patterns)} unique attack-patterns:\n")
    for attack_pattern_id in unique_attack_patterns:
        details = get_attack_pattern_details(attack_pattern_id)
        if details:
            print_attack_pattern_details(attack_pattern_id, details)
else:
    print("\n❌ No unique attack-patterns found.")



✅ Found 37 unique attack-patterns:

🔹 Name: Trust Modification
   ID: T1484.002

📌 Description:
Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for
proactive threat detection. Retrieved September 25, 2024.

🔗 Kill Chain Phases: defense-evasion, privilege-escalation

🌐 External References:
   - https://attack.mitre.org/techniques/T1484/002
   - https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
   - https://us-cert.cisa.gov/ncas/alerts/aa21-008a
   - https://o365blog.com/post/federation-vulnerability/
   - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
   - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml
   - https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365
   - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-dete

In [None]:
import json

# Define TTPs for APT39 and Ocean Lotus
apt39_ttps = ["T1071.001", "T1566.001", "T1003.001"]  # Example TTPs
ocean_lotus_ttps = ["T1547.001", "T1204.002", "T1059.003"]

# Merge and remove duplicates
all_ttps = list(set(apt39_ttps + ocean_lotus_ttps))

# Define Layer Structure
layer_data = {
    "name": "APT39 & Ocean Lotus Merged Layer",
    "versions": {"navigator": "5.1.0","layer":"4.5"},
    "domain": "enterprise-attack",
    "description": "Combined TTPs of APT39 and Ocean Lotus",
    "techniques": [{"techniqueID": ttp, "score": 1+i} for i,ttp in enumerate(all_ttps)],
    "gradient": {
        "colors": ["#ff6666", "#ffff66", "#66ff66"],
        "minValue": 1,
        "maxValue": 6
    },
    "legendItems": [
        {"label": "APT39 & Ocean Lotus TTPs", "color": "#ff6666"}
    ]
}

# Save to JSON file
with open("merged_layer.json", "w") as f:
    json.dump(layer_data, f, indent=4)

print("Layer JSON file created: merged_layer.json")


Layer JSON file created: merged_layer.json


In [None]:
import json

# Define TTPs for APT39 and Ocean Lotus with scores and colors
apt39_ttps = [
    {"techniqueID": "T1071.001", "score": 5, "color": "#ff6666", "comment": "APT39 C2 communication"},
    {"techniqueID": "T1566.001", "score": 4, "color": "#ff9999", "comment": "APT39 phishing attempt"},
    {"techniqueID": "T1003.001", "score": 3, "color": "#ffcccc", "comment": "APT39 credential dumping"}
]

ocean_lotus_ttps = [
    {"techniqueID": "T1547.001", "score": 5, "color": "#6666ff", "comment": "Ocean Lotus persistence"},
    {"techniqueID": "T1204.002", "score": 4, "color": "#9999ff", "comment": "Ocean Lotus user execution"},
    {"techniqueID": "T1059.003", "score": 3, "color": "#ccccff", "comment": "Ocean Lotus scripting attack"}
]

# Merge both groups while preserving scores and colors
merged_ttps = apt39_ttps + ocean_lotus_ttps

# Define Layer Structure with all required parameters
layer_data = {
    "name": "APT39 & Ocean Lotus Merged Layer",
    "version": "4.5",  # Ensure compatibility with Navigator
    "domain": "enterprise-attack",  # "mobile-attack" or "ics-attack" if needed
    "description": "Combined TTPs of APT39 and Ocean Lotus with scores and colors",
    "techniques": merged_ttps,
    "gradient": {
        "colors": ["#ff6666", "#ffff66", "#66ff66"],  # Red to yellow to green
        "minValue": 1,
        "maxValue": 5
    },
    "legendItems": [
        {"label": "APT39 TTPs", "color": "#ff6666"},
        {"label": "Ocean Lotus TTPs", "color": "#6666ff"}
    ],
    "metadata": [
        {"name": "Created By", "value": "Automated Script"},
        {"name": "Date", "value": "2025-04-02"}
    ],
    "showTacticRowBackground": True,  # Enhances tactic row visibility
    "tacticRowBackground": "#f4f4f4",  # Light gray for tactics row
    "selectTechniquesAcrossTactics": True,  # Allows cross-tactic selections
    "layout": {
        "layout": "side",  # "side" or "flat"
        "showName": True,  # Display technique names
        "showID": True  # Display technique IDs
    }
}

# Save to JSON file
with open("merged_layer_new.json", "w") as f:
    json.dump(layer_data, f, indent=4)

print("Layer JSON file created: merged_layer.json")


Layer JSON file created: merged_layer.json


In [None]:
!curl -X POST "https://cti-analysis-mitre-backend.onrender.com/compare" \
     -H "Content-Type: application/json" \
     -d '{"apt_groups": ["APT41", "APT37","APT39"]}'


{"apt_ttps":{"APT37":[{"external_references":[{"external_id":"T1057","source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1057"},{"description":"Cisco. (2022, August 16). show processes - . Retrieved July 13, 2022.","source_name":"show_processes_cisco_cmd","url":"https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_monitor_permit_list_through_show_process_memory.html#wp3599497760"},{"description":"US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.","source_name":"US-CERT-TA18-106A","url":"https://www.us-cert.gov/ncas/alerts/TA18-106A"}],"kill_chain_phases":[{"kill_chain_name":"mitre-attack","phase_name":"discovery"}],"name":"Process Discovery"},{"external_references":[{"external_id":"T1559.002","source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1559/002"},{"description":" Albinowax Timo Goosen. (n.d.). CSV I

In [None]:
!curl -X POST "https://cti-analysis-mitre-backend.onrender.com/compare" \
     -H "Content-Type: application/json" \
     -d '{"apt_groups": ["APT41"]}'

{"apt_ttps":{"APT41":[{"external_references":[{"external_id":"T1542.003","source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1542/003"},{"description":"Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019.","source_name":"Mandiant M Trends 2016","url":"https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf"},{"description":"Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014.","source_name":"Lau 2011","url":"http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion"}],"kill_chain_phases":[{"kill_chain_name":"mitre-attack","phase_name":"persistence"},{"kill_chain_name":"mitre-attack","phase_name":"defense-evasion"}],"name":"Bootkit"},{"external_references":[{"external_id":"T1573.002","source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1573/002"},{"description":"Butler, M. (2013, November). Finding Hidden Threats by Decryp