{ "type": "bundle", "id": "bundle--50ba2a80-2388-599a-9820-243f43d43c69", "objects": [ { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--2e70bb4c-e25c-5123-b9aa-c8f5f53ca2f0", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Token Genesis", "description": "Pre-launch / Launch", "x_oak_shortname": "token-genesis", "external_references": [ { "source_name": "oak", "external_id": "OAK-T1", "url": "https://onchainattack.org/#/tactic/OAK-T1" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--54ff19cd-6a14-595b-be41-49018e597919", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Bridge and Cross-Chain", "description": "Targeted compromise", "x_oak_shortname": "bridge-and-cross-chain", "external_references": [ { "source_name": "oak", "external_id": "OAK-T10", "url": "https://onchainattack.org/#/tactic/OAK-T10" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--a05710d6-773d-5671-81e6-1a9d53ce156a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Custody and Signing Infrastructure", "description": "Targeted compromise", "x_oak_shortname": "custody-and-signing-infrastructure", "external_references": [ { "source_name": "oak", "external_id": "OAK-T11", "url": "https://onchainattack.org/#/tactic/OAK-T11" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--4a289ef4-441e-58b3-869d-49ccfdee57a4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "NFT-Specific Patterns", "description": "Realization", "x_oak_shortname": "nft-specific-patterns", "external_references": [ { "source_name": "oak", "external_id": "OAK-T12", "url": "https://onchainattack.org/#/tactic/OAK-T12" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--3ec189b1-7483-5eec-bd93-b8191e1c508c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Account Abstraction Attacks", "description": "Targeted compromise", "x_oak_shortname": "account-abstraction-attacks", "external_references": [ { "source_name": "oak", "external_id": "OAK-T13", "url": "https://onchainattack.org/#/tactic/OAK-T13" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--8bad0643-6df7-5354-80c9-005cb836b58c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Validator / Staking / Restaking Attacks", "description": "Targeted compromise", "x_oak_shortname": "validator-staking-restaking-attacks", "external_references": [ { "source_name": "oak", "external_id": "OAK-T14", "url": "https://onchainattack.org/#/tactic/OAK-T14" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--805d835b-8d16-5215-ab2a-a5a008681adb", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Off-chain Entry-Vector / Pre-Positioning", "description": "Pre-positioning", "x_oak_shortname": "off-chain-entry-vector-pre-positioning", "external_references": [ { "source_name": "oak", "external_id": "OAK-T15", "url": "https://onchainattack.org/#/tactic/OAK-T15" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--85e7f358-8dce-57fe-9f3a-4b0a0a048a69", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Governance / Voting Manipulation", "description": "Realization", "x_oak_shortname": "governance-voting-manipulation", "external_references": [ { "source_name": "oak", "external_id": "OAK-T16", "url": "https://onchainattack.org/#/tactic/OAK-T16" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--72fc0a09-f385-516c-82bb-a08b6fd3d57c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Market Manipulation", "description": "Realization", "x_oak_shortname": "market-manipulation", "external_references": [ { "source_name": "oak", "external_id": "OAK-T17", "url": "https://onchainattack.org/#/tactic/OAK-T17" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--83a8e7a7-61ec-58d1-a664-22dce505f924", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Liquidity Establishment", "description": "Pre-launch / Launch", "x_oak_shortname": "liquidity-establishment", "external_references": [ { "source_name": "oak", "external_id": "OAK-T2", "url": "https://onchainattack.org/#/tactic/OAK-T2" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--c9583e28-ae7b-5589-8d5b-0d4334bcbb6a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Holder Capture", "description": "Pre-launch / Launch", "x_oak_shortname": "holder-capture", "external_references": [ { "source_name": "oak", "external_id": "OAK-T3", "url": "https://onchainattack.org/#/tactic/OAK-T3" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--462dc46f-d3c8-5956-9fcd-83fd745b277a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Access Acquisition", "description": "Targeted compromise", "x_oak_shortname": "access-acquisition", "external_references": [ { "source_name": "oak", "external_id": "OAK-T4", "url": "https://onchainattack.org/#/tactic/OAK-T4" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--b951d3f3-4d67-579b-8cae-b48eed3aa59f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Value Extraction", "description": "Realization", "x_oak_shortname": "value-extraction", "external_references": [ { "source_name": "oak", "external_id": "OAK-T5", "url": "https://onchainattack.org/#/tactic/OAK-T5" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--7fa7f00b-059a-5a92-b145-0893b4530bb6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Defense Evasion", "description": "Cross-cutting", "x_oak_shortname": "defense-evasion", "external_references": [ { "source_name": "oak", "external_id": "OAK-T6", "url": "https://onchainattack.org/#/tactic/OAK-T6" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--5fc49855-8bca-5500-b810-322019badf15", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Laundering", "description": "Post-extraction", "x_oak_shortname": "laundering", "external_references": [ { "source_name": "oak", "external_id": "OAK-T7", "url": "https://onchainattack.org/#/tactic/OAK-T7" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--d70463dd-edee-5226-9d2b-4921dac73b9b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Operator Continuity / Attribution Signals", "description": "Post-extraction", "x_oak_shortname": "operator-continuity-attribution-signals", "external_references": [ { "source_name": "oak", "external_id": "OAK-T8", "url": "https://onchainattack.org/#/tactic/OAK-T8" } ] }, { "type": "x-oak-tactic", "spec_version": "2.1", "id": "x-oak-tactic--d3f737a3-09cc-571c-88eb-d5e9e251167d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Smart-Contract Exploit", "description": "Realization", "x_oak_shortname": "smart-contract-exploit", "external_references": [ { "source_name": "oak", "external_id": "OAK-T9", "url": "https://onchainattack.org/#/tactic/OAK-T9" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--3113300f-d067-5bda-b93a-de6cb0044037", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Modifiable Tax Function", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "token-genesis" }, { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "EVM", "Solana" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T1.001", "url": "https://onchainattack.org/#/technique/OAK-T1.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--91a0a76b-eaf0-5e8a-b6b9-7f62268ce853", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Token-2022 Permanent Delegate Authority", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "token-genesis" }, { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "Solana" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T1.002", "url": "https://onchainattack.org/#/technique/OAK-T1.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--aa324a54-0e77-513e-bc77-dea4683702d2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Renounced-But-Not-Really (Proxy-Upgrade Backdoor)", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "token-genesis" }, { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "EVM (primary)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T1.003", "url": "https://onchainattack.org/#/technique/OAK-T1.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--e45221c4-74e9-52ab-8e20-96d05003d65a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Blacklist / Pausable Transfer Weaponization", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "token-genesis" }, { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "EVM (primary)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T1.004", "url": "https://onchainattack.org/#/technique/OAK-T1.004" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--00534efe-a713-54c9-9ef3-5b12fd6d0c01", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Hidden Fee-on-Transfer", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "token-genesis" }, { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "EVM (primary)", "Solana (SPL via Token-2022 transfer-fee extension; secondary)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T1.005", "url": "https://onchainattack.org/#/technique/OAK-T1.005" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--c90dbca1-780a-54c2-a24e-3f6d4472a134", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Honeypot-by-Design", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "token-genesis" } ], "x_oak_platforms": [ "EVM (BNB Chain dominant by deployment count; Base, Ethereum); cross-chain" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T1.006", "url": "https://onchainattack.org/#/technique/OAK-T1.006" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--f80bec40-b7fa-52eb-a6a4-d4acd59dce38", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Token-2022 Transfer-Hook Abuse", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "token-genesis" }, { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "Solana (SPL Token-2022); cross-standard analogues on EVM (ERC-777 `tokensReceived`, ERC-1363 transfer-and-call, ERC-4626 vault hooks) covered separately at OAK-T9.005" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T1.007", "url": "https://onchainattack.org/#/technique/OAK-T1.007" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--cf39fa63-9044-5279-8ea5-4acb64d53904", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Validator / Signer Key Compromise", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "bridge-and-cross-chain" } ], "x_oak_platforms": [ "EVM", "cross-chain" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T10.001", "url": "https://onchainattack.org/#/technique/OAK-T10.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--44a15cd3-db68-5127-b8dd-cb96e537e3b7", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Message-Verification Bypass", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "bridge-and-cross-chain" } ], "x_oak_platforms": [ "EVM", "Solana", "cross-chain" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T10.002", "url": "https://onchainattack.org/#/technique/OAK-T10.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--37433c31-ae6a-50f0-bfe3-22ac2f1747d9", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Cross-Chain Replay", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "bridge-and-cross-chain" } ], "x_oak_platforms": [ "EVM", "cross-chain" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T10.003", "url": "https://onchainattack.org/#/technique/OAK-T10.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--8a373cd0-d1fc-5d17-916d-993d5cd3e7c1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Optimistic-Bridge Fraud-Proof Gap", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "bridge-and-cross-chain" } ], "x_oak_platforms": [ "EVM", "cross-chain (any optimistic-message-verification or optimistic-rollup-bridged architecture)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T10.004", "url": "https://onchainattack.org/#/technique/OAK-T10.004" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--4950a164-f5b6-579d-b44d-af445947d99e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Light-Client Verification Bypass", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "bridge-and-cross-chain" } ], "x_oak_platforms": [ "EVM", "Cosmos / IBC", "Bitcoin SPV consumers", "cross-chain (any bridge whose security reduces to a cryptographic light-client or proof-verification primitive)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T10.005", "url": "https://onchainattack.org/#/technique/OAK-T10.005" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Third-Party Signing-Vendor UI / Signing-Flow Compromise", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "custody-and-signing-infrastructure" } ], "x_oak_platforms": [ "EVM", "Solana", "cross-chain" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T11.001", "url": "https://onchainattack.org/#/technique/OAK-T11.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Wallet-Software Distribution Compromise", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "custody-and-signing-infrastructure" } ], "x_oak_platforms": [ "multi-chain (any chain the affected wallet supports)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T11.002", "url": "https://onchainattack.org/#/technique/OAK-T11.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--0de49898-b977-5cf7-9608-eff3285c50c7", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "In-Use Multisig Smart-Contract Manipulation", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "custody-and-signing-infrastructure" }, { "kill_chain_name": "oak", "phase_name": "smart-contract-exploit" } ], "x_oak_platforms": [ "EVM" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T11.003", "url": "https://onchainattack.org/#/technique/OAK-T11.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--052caee2-c494-51c7-87d3-0b5ae531eeb2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Insufficient-Entropy Key Generation", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "custody-and-signing-infrastructure" } ], "x_oak_platforms": [ "chain-agnostic (any ECDSA / EdDSA-curve chain whose end-user keys are produced by an off-chain generator); canonical anchors on Ethereum" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T11.004", "url": "https://onchainattack.org/#/technique/OAK-T11.004" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--f43b3cdc-ed19-5ad0-b661-706c665d9f83", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Operator-side Fake-Platform Fraud", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "custody-and-signing-infrastructure" } ], "x_oak_platforms": [ "chain-agnostic (deposit substrate is BTC / ETH / stablecoins on-chain; the fraud \"platform\" is off-chain operator-controlled UI/database)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T11.005", "url": "https://onchainattack.org/#/technique/OAK-T11.005" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--0fd4fcde-3464-5d2d-86ac-7c68035870a3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Cold-storage Seed-phrase Exfiltration at Rest", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "custody-and-signing-infrastructure" } ], "x_oak_platforms": [ "chain-agnostic (the substrate-of-extraction is the BIP39 seed phrase / private key material itself; downstream extraction occurs across whichever chains the affected wallet holds)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T11.006", "url": "https://onchainattack.org/#/technique/OAK-T11.006" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--040f06e8-1825-51bd-8145-52c5b97b26d5", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Hardware-wallet Supply-chain / Physical-access Compromise", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "custody-and-signing-infrastructure" } ], "x_oak_platforms": [ "chain-agnostic (the substrate-of-extraction is the BIP39 seed phrase / hardware-wallet-controlled private-key material; downstream extraction occurs across whichever chains the affected wallet supports)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T11.007", "url": "https://onchainattack.org/#/technique/OAK-T11.007" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--0955e8c5-f474-5ac6-bbb8-b53b80ef6c0b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Embedded-Wallet Identity-Provider Compromise", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "custody-and-signing-infrastructure" } ], "x_oak_platforms": [ "EVM (Polygon-resident Polymarket / Magic Labs canonical at v0.1; cross-chain analogues across Privy / Web3Auth / Dynamic deployments on Ethereum, Base, Arbitrum, Solana, others)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T11.008", "url": "https://onchainattack.org/#/technique/OAK-T11.008" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--414a6469-36be-5ecd-9603-290930d42b86", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Trader-Tooling Supply-Chain Compromise targeting `.env` Private Keys", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "custody-and-signing-infrastructure" } ], "x_oak_platforms": [ "chain-agnostic (the substrate-of-extraction is the developer-environment plaintext key file; downstream extraction occurs across whichever chains the bot operates on — Polygon, Solana, Ethereum, Base, Arbitrum, BNB Chain are all in scope across the cohort)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T11.009", "url": "https://onchainattack.org/#/technique/OAK-T11.009" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--888de015-81a7-52ec-9832-87baca164029", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "NFT Wash-Trade Volume Inflation", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "nft-specific-patterns" } ], "x_oak_platforms": [ "EVM (primary; Ethereum / Polygon)", "Solana (Magic Eden, Tensor)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T12.001", "url": "https://onchainattack.org/#/technique/OAK-T12.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--f7bfa62c-b23c-5fef-a74b-bca3b34cf4df", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Fake-Mint / Counterfeit Collection", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "nft-specific-patterns" } ], "x_oak_platforms": [ "EVM (primary; Ethereum / Polygon)", "Solana (Magic Eden cohort)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T12.002", "url": "https://onchainattack.org/#/technique/OAK-T12.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--a4191d6c-02e1-5dae-aa08-2c4f908e10c5", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Royalty Bypass / Marketplace Manipulation", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "nft-specific-patterns" } ], "x_oak_platforms": [ "EVM (primary; Ethereum / Polygon / other ERC-721-bearing chains)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T12.003", "url": "https://onchainattack.org/#/technique/OAK-T12.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--7a7e61f2-3d7c-5d61-90dc-9e198573731c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Paymaster Compromise", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "account-abstraction-attacks" } ], "x_oak_platforms": [ "EVM (ERC-4337 EntryPoint v0.6 / v0.7 / v0.8 / v0.9 deployments); EVM L2s with native account abstraction (zkSync Era, Starknet) where the paymaster role is analogous; conceptually portable to any chain whose execution model separates gas-sponsorship validation from execution" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T13.001", "url": "https://onchainattack.org/#/technique/OAK-T13.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--67bf8212-71d7-5c52-87fc-fa40b25fb11c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Paymaster Accounting Drain", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "account-abstraction-attacks" } ], "x_oak_platforms": [ "EVM (ERC-4337 EntryPoint v0.6 / v0.7 / v0.8 / v0.9 deployments); EVM L2s with native account abstraction (zkSync Era, Starknet) where the paymaster role is analogous" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T13.001.001", "url": "https://onchainattack.org/#/technique/OAK-T13.001.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--286d6367-67eb-51d1-8a4b-cb5bc3d012f4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Paymaster Policy Bypass", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "account-abstraction-attacks" } ], "x_oak_platforms": [ "EVM (ERC-4337 EntryPoint v0.6 / v0.7 / v0.8 / v0.9 deployments); EVM L2s with native account abstraction; Solana (analogous fee-payer / Token-2022 paymaster surfaces — Kora advisory)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T13.001.002", "url": "https://onchainattack.org/#/technique/OAK-T13.001.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--ba1ed4a4-51a0-58c0-a6ea-3742137d79b9", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Paymaster Reentrancy", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "account-abstraction-attacks" } ], "x_oak_platforms": [ "EVM (ERC-4337 EntryPoint v0.6 / v0.7 / v0.8 / v0.9 deployments); EVM L2s with native account abstraction" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T13.001.003", "url": "https://onchainattack.org/#/technique/OAK-T13.001.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--fbe93b94-384c-543f-9ae9-a73850f14a4f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Paymaster Griefing", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "account-abstraction-attacks" } ], "x_oak_platforms": [ "EVM (ERC-4337 EntryPoint v0.6 / v0.7 / v0.8 / v0.9 deployments); EVM L2s with native account abstraction" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T13.001.004", "url": "https://onchainattack.org/#/technique/OAK-T13.001.004" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--e12a0e1d-8dac-5395-b37b-b0aa20814db2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Bundler MEV", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "account-abstraction-attacks" } ], "x_oak_platforms": [ "EVM (any chain with deployed ERC-4337 EntryPoint, including Ethereum mainnet, Polygon, Arbitrum, Optimism, Base, BNB Chain)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T13.002", "url": "https://onchainattack.org/#/technique/OAK-T13.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--ff6b56c9-5bc9-5111-be9b-aa70a55951f1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Session-Key Hijacking", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "account-abstraction-attacks" } ], "x_oak_platforms": [ "EVM (ERC-4337 / ERC-7579 smart accounts); Solana analogues out of scope at v0.1" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T13.003", "url": "https://onchainattack.org/#/technique/OAK-T13.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--320f06d5-906a-5b2f-a737-01b09ce60315", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "EIP-7702 Delegation Abuse", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "account-abstraction-attacks" } ], "x_oak_platforms": [ "EVM (Ethereum mainnet primary; cross-chain replay surface across all EIP-7702-activated chains)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T13.004", "url": "https://onchainattack.org/#/technique/OAK-T13.004" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--980e72bb-7127-51de-9870-d8a88edc74f8", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Slashing-Condition Exploit", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "validator-staking-restaking-attacks" } ], "x_oak_platforms": [ "Ethereum (Beacon Chain / consensus layer)", "Cosmos-SDK family (Cosmos Hub, Osmosis, Injective, Terra, etc.)", "Polkadot / Kusama (NPoS)", "Solana (lite slashing model)", "restaking layers (EigenLayer, Symbiotic, Karak)", "interchain-security consumer chains" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T14.001", "url": "https://onchainattack.org/#/technique/OAK-T14.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--b28eb96d-c303-5027-bc7d-413c3659495a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "MEV-Boost Relay Attack", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "validator-staking-restaking-attacks" } ], "x_oak_platforms": [ "Ethereum (mainnet PoS; secondarily any EVM L1 running an MEV-Boost-compatible PBS sidecar — Holesky/Hoodi testnets, Gnosis Chain, etc.)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T14.002", "url": "https://onchainattack.org/#/technique/OAK-T14.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--0658ea79-01b4-5c49-bb12-4c6e0876df4e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Restaking Cascading Risk", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "validator-staking-restaking-attacks" } ], "x_oak_platforms": [ "Ethereum L1 (canonical)", "EVM L2s with restaking-secured AVS", "Cosmos-style shared-security analogues" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T14.003", "url": "https://onchainattack.org/#/technique/OAK-T14.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--846cf1ff-739a-5199-abd6-5f09cc1aeeb0", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "LST/LRT Depeg-Cascade as Constrained-Primitive Sub-class", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "validator-staking-restaking-attacks" }, { "kill_chain_name": "oak", "phase_name": "token-genesis" } ], "x_oak_platforms": [ "Ethereum L1 canonical (Lido stETH; Renzo ezETH); EVM L2s and L1s with LST / LRT collateral integration into lending markets" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T14.003.001", "url": "https://onchainattack.org/#/technique/OAK-T14.003.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--7861ffbc-2d68-5482-ba5f-32e5a630a7a6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Social Engineering of Operator Personnel", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "off-chain-entry-vector-pre-positioning" } ], "x_oak_platforms": [ "chain-agnostic (the social-engineering vector is off-chain; downstream on-chain manifestation is per-incident)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T15.001", "url": "https://onchainattack.org/#/technique/OAK-T15.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--f0e70cea-8e64-51c4-9f64-09ea2bf642aa", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Supply-Chain / Vendor-Pipeline Compromise", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "off-chain-entry-vector-pre-positioning" } ], "x_oak_platforms": [ "chain-agnostic (the supply-chain compromise is off-chain; downstream on-chain manifestation is per-incident)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T15.002", "url": "https://onchainattack.org/#/technique/OAK-T15.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--77b517cc-4b13-5a1b-8262-fb171254ddb5", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Operator-Endpoint Compromise (Developer Workstation / Signing Machine)", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "off-chain-entry-vector-pre-positioning" } ], "x_oak_platforms": [ "chain-agnostic (the endpoint compromise is off-chain; downstream on-chain manifestation is per-incident)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T15.003", "url": "https://onchainattack.org/#/technique/OAK-T15.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--78f0aa7b-06b4-5266-b348-58db62932a71", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Operator-Side Credential Compromise (SSO / Cloud / Registrar / DNS / Package Registry)", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "off-chain-entry-vector-pre-positioning" } ], "x_oak_platforms": [ "chain-agnostic (the credential compromise is off-chain; downstream on-chain manifestation is per-incident)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T15.004", "url": "https://onchainattack.org/#/technique/OAK-T15.004" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--94a03321-bd42-5ba5-a14c-869236fb3822", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Operator-Communication-Channel Takeover (Discord / X / Telegram)", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "off-chain-entry-vector-pre-positioning" } ], "x_oak_platforms": [ "chain-agnostic (the channel takeover is off-chain; downstream on-chain manifestation is per-incident)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T15.005", "url": "https://onchainattack.org/#/technique/OAK-T15.005" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--b19923a2-b45b-5106-935d-f52d0d875a94", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Vote Takeover via Flash-Loan", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "governance-voting-manipulation" } ], "x_oak_platforms": [ "EVM (canonical anchors); cross-chain governance contracts inherit the surface where flash-loan liquidity exists in the same execution context as the voting-power-eligibility check" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T16.001", "url": "https://onchainattack.org/#/technique/OAK-T16.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--03407478-76ff-57d8-bf96-1cb5b5108d9d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Hostile-Vote Treasury Drain", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "governance-voting-manipulation" } ], "x_oak_platforms": [ "EVM", "Solana", "cross-chain (any DAO with on-chain governance over a treasury whose voting-token can be acquired or inflated by the attacker)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T16.002", "url": "https://onchainattack.org/#/technique/OAK-T16.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--523b3321-6fd3-5d53-b04e-bbd114e8f317", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Delegation-Cluster Vote Takeover", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "governance-voting-manipulation" } ], "x_oak_platforms": [ "EVM (canonical anchors at Compound, Balancer, SushiSwap); cross-chain governance contracts inherit the surface where delegation-graph mechanics exist" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T16.003", "url": "https://onchainattack.org/#/technique/OAK-T16.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--3065cec6-1624-5c76-a1a6-417a305ecec3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Snapshot / Off-chain Voting Exploitation", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "governance-voting-manipulation" } ], "x_oak_platforms": [ "chain-agnostic (off-chain Snapshot.org-class voting platforms operate independently of any specific chain; signature schemes vary)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T16.004", "url": "https://onchainattack.org/#/technique/OAK-T16.004" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--ad24b94c-0c7f-5bac-bd56-cf837da9180b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Malicious Proposal Snowballing", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "governance-voting-manipulation" } ], "x_oak_platforms": [ "EVM (canonical anchors at Tornado Cash, Audius, Curio); cross-chain governance contracts inherit the surface where proposal payloads can contain `delegatecall` or storage-collision-mediated authority capture" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T16.005", "url": "https://onchainattack.org/#/technique/OAK-T16.005" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--473b0aa4-1cea-57d5-a0a1-9114ebeb1de6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Cross-Venue Arbitrage-Driven Price-Discovery Distortion", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "market-manipulation" } ], "x_oak_platforms": [ "chain-agnostic (cross-venue arbitrage is a continuous phenomenon across CEX / DEX venues on every chain with non-trivial trading activity; the load-bearing surface is the inter-venue spread, not the chain-level state)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T17.001", "url": "https://onchainattack.org/#/technique/OAK-T17.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--fe838439-8aa4-5b23-9494-fde9e1d5637c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Liquidation-Cascade Engineering", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "market-manipulation" } ], "x_oak_platforms": [ "EVM (Aave / Compound / Maker / Liquity / Morpho / Spark canonical); Solana (Solend / Marginfi / Kamino); cross-chain liquidation-engine designs broadly inherit the surface" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T17.002", "url": "https://onchainattack.org/#/technique/OAK-T17.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--3419f870-c58f-5b87-b67d-829b01e4d724", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Spoofing / Cancel-Flood Order-Book Manipulation", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "market-manipulation" } ], "x_oak_platforms": [ "EVM-L2 (dYdX / GMX V2 perps / Aevo); Hyperliquid HyperEVM; Solana (Drift, Phoenix, Mango v4); cross-chain order-book-DEX designs broadly inherit the surface" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T17.003", "url": "https://onchainattack.org/#/technique/OAK-T17.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--be296581-d897-5922-9a9a-964e99817421", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "TWAP / Time-Window Manipulation Against DAO Treasury / Vesting Math", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "market-manipulation" } ], "x_oak_platforms": [ "EVM (Uniswap V2/V3 TWAP windows used as oracle reference; OpenZeppelin TimelockController / Compound Timelock-class windows; vesting-contract designs across OpenZeppelin VestingWallet / Sablier / Hedgey); cross-chain TWAP-consuming designs broadly inherit the surface" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T17.004", "url": "https://onchainattack.org/#/technique/OAK-T17.004" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--a55b5859-fa73-5cab-a342-82b97187ea20", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Single-Sided Liquidity Plant", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "liquidity-establishment" } ], "x_oak_platforms": [ "EVM", "Solana" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T2.001", "url": "https://onchainattack.org/#/technique/OAK-T2.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--2e0bf741-b432-58e7-8948-f5599bf0209e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Locked-Liquidity Spoof", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "liquidity-establishment" }, { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "EVM", "BNB Chain", "Solana" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T2.002", "url": "https://onchainattack.org/#/technique/OAK-T2.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--a6cff4d8-210c-5f75-9fb5-0f3318e8f8c3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Cross-Chain Locked-Liquidity Spoof", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "liquidity-establishment" }, { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "EVM (Ethereum, BSC, Polygon, Arbitrum, Base)", "Solana", "cross-chain" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T2.003", "url": "https://onchainattack.org/#/technique/OAK-T2.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--39564b4f-4af2-5b1a-8405-eb8cf9d2f12b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Initial-Liquidity Backdoor", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "liquidity-establishment" }, { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "EVM (Ethereum, BSC, Polygon, Arbitrum, Base)", "Solana" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T2.004", "url": "https://onchainattack.org/#/technique/OAK-T2.004" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--b027592f-baee-5d2a-9d15-925aa1b77941", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Sybil-Bundled Launch", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "holder-capture" } ], "x_oak_platforms": [ "EVM", "Solana" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T3.001", "url": "https://onchainattack.org/#/technique/OAK-T3.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--ea13efc1-d0df-532c-8add-3d39dcd29713", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Wash-Trade Volume Inflation", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "holder-capture" }, { "kill_chain_name": "oak", "phase_name": "market-manipulation" } ], "x_oak_platforms": [ "EVM", "Solana", "CEX (cross-venue)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T3.002", "url": "https://onchainattack.org/#/technique/OAK-T3.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--b8d62a9c-14cd-503a-af8d-a26b825dffcd", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Coordinated Pump-and-Dump", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "holder-capture" }, { "kill_chain_name": "oak", "phase_name": "value-extraction" }, { "kill_chain_name": "oak", "phase_name": "market-manipulation" } ], "x_oak_platforms": [ "EVM", "Solana", "BSC", "CEX (cross-venue)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T3.003", "url": "https://onchainattack.org/#/technique/OAK-T3.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--921bd515-01df-5ee1-a643-7138f8d1ee7c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Influencer-Amplified Promotion-and-Dump", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "holder-capture" }, { "kill_chain_name": "oak", "phase_name": "market-manipulation" } ], "x_oak_platforms": [ "EVM (Ethereum, Solana via Pump.fun, BNB Chain); cross-chain" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T3.004", "url": "https://onchainattack.org/#/technique/OAK-T3.004" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--58002197-8183-530c-9eea-d2d8532a9008", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Permit2 Signature-Based Authority Misuse", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "access-acquisition" } ], "x_oak_platforms": [ "EVM" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T4.001", "url": "https://onchainattack.org/#/technique/OAK-T4.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--7ec6ff5b-83cd-5725-adda-2b5d3a846414", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Compromised Front-End Permit Solicitation", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "access-acquisition" }, { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "EVM" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T4.002", "url": "https://onchainattack.org/#/technique/OAK-T4.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--4dd355bc-2389-55c4-911c-1bac3744dbbc", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Address Poisoning", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "access-acquisition" }, { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "EVM (primary)", "Solana", "Tron" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T4.003", "url": "https://onchainattack.org/#/technique/OAK-T4.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--12a37f6f-1b04-52d2-9ad3-56bca9ba3350", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Allowance / Approve-Pattern Drainer", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "access-acquisition" } ], "x_oak_platforms": [ "EVM (primary)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T4.004", "url": "https://onchainattack.org/#/technique/OAK-T4.004" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "`setApprovalForAll` NFT Drainer", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "access-acquisition" } ], "x_oak_platforms": [ "EVM (primary; Ethereum / Polygon / BNB Chain)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T4.005", "url": "https://onchainattack.org/#/technique/OAK-T4.005" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--75d94806-bc98-57dc-894c-8ba499eb5540", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "WalletConnect Session Hijack", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "access-acquisition" } ], "x_oak_platforms": [ "EVM (primary)", "Solana", "multi-chain (any chain WalletConnect supports)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T4.006", "url": "https://onchainattack.org/#/technique/OAK-T4.006" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--79d99263-2431-5abd-bf5f-2869979031be", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Native-app Social Phishing on Engagement-Weighted Platforms", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "access-acquisition" } ], "x_oak_platforms": [ "EVM (Polygon-resident Polymarket canonical at v0.1; cross-platform analogues across Friend.tech, Pump.fun, Farcaster, and any platform with engagement-weighted in-platform distribution)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T4.007", "url": "https://onchainattack.org/#/technique/OAK-T4.007" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--419b5ccf-6a56-5639-a130-82e3f14a544e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Fake-DEX Clone-Frontend Phishing", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "access-acquisition" } ], "x_oak_platforms": [ "EVM dominant (Uniswap / PancakeSwap / Lido / Curve / Stargate / Orbiter / Radiant / Zapper / DefiLlama clone-frontends); Solana (Raydium clone-frontends); cross-chain" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T4.008", "url": "https://onchainattack.org/#/technique/OAK-T4.008" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--5deeb2fb-1df3-5566-8229-2e83bd241a08", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Hard LP Drain", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "value-extraction" } ], "x_oak_platforms": [ "EVM", "Solana" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T5.001", "url": "https://onchainattack.org/#/technique/OAK-T5.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--647504b6-bc6d-5c30-b18d-82c99e51b62d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Slow LP Trickle Removal", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "value-extraction" }, { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "EVM", "Solana" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T5.002", "url": "https://onchainattack.org/#/technique/OAK-T5.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--e66a56f1-221e-5079-bfe4-99ccbe842a5a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Hidden-Mint Dilution", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "value-extraction" } ], "x_oak_platforms": [ "EVM", "Solana" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T5.003", "url": "https://onchainattack.org/#/technique/OAK-T5.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--51de129b-35c6-52ab-baa1-4952b944dad8", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Sandwich / MEV Extraction", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "value-extraction" }, { "kill_chain_name": "oak", "phase_name": "market-manipulation" } ], "x_oak_platforms": [ "EVM" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T5.004", "url": "https://onchainattack.org/#/technique/OAK-T5.004" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--cccae07c-951c-54bd-bfa4-af87de266370", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Treasury-Management Exit", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "value-extraction" }, { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "EVM", "Solana" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T5.005", "url": "https://onchainattack.org/#/technique/OAK-T5.005" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--99c728d0-3e0c-55a4-906f-55c349257e5d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Vesting Cliff Dump", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "value-extraction" } ], "x_oak_platforms": [ "EVM", "Solana", "Cosmos", "BNB Chain (any chain hosting time-locked allocation contracts)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T5.006", "url": "https://onchainattack.org/#/technique/OAK-T5.006" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--f65581dd-3a77-50d8-b85f-c0df5e90b22f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Third-party Brand-impersonation Custodial Soft-rug", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "value-extraction" } ], "x_oak_platforms": [ "EVM (Polygon-resident Polymarket-branded canonical case at v0.1; cross-platform analogues across any high-trust platform whose brand can be impersonated by off-platform services — Polymarket, Hyperliquid, dYdX, Pump.fun, GMX, prediction-market and trader-tooling ecosystems)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T5.007", "url": "https://onchainattack.org/#/technique/OAK-T5.007" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--d9e4a005-06a9-5cee-9f7c-234e20790118", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Source-Verification Mismatch", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "EVM (primary)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T6.001", "url": "https://onchainattack.org/#/technique/OAK-T6.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--c23370e0-2f94-555e-8e18-e753a767bb51", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Fake Audit-Claim", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "chain-agnostic (the failure mode lives off-chain; the underlying Technique it modifies may be on any chain)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T6.002", "url": "https://onchainattack.org/#/technique/OAK-T6.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--5a491154-55c8-5abc-8449-0d48df41514b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Audit-of-Different-Bytecode-Version", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "chain-agnostic (the failure mode is the audit-vs-deployed gap; the underlying Technique it modifies may be on any chain)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T6.003", "url": "https://onchainattack.org/#/technique/OAK-T6.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--d275621f-df75-55ac-974a-4589472dde87", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Audit-Pending Marketing Claim", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "chain-agnostic (the failure mode lives off-chain at the marketing-claim layer; the underlying Technique it modifies may be on any chain)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T6.004", "url": "https://onchainattack.org/#/technique/OAK-T6.004" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--3be95af9-48b3-56a3-8e57-f07ac58e27f2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Proxy-Upgrade Malicious Switching", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "defense-evasion" }, { "kill_chain_name": "oak", "phase_name": "token-genesis" }, { "kill_chain_name": "oak", "phase_name": "smart-contract-exploit" }, { "kill_chain_name": "oak", "phase_name": "bridge-and-cross-chain" } ], "x_oak_platforms": [ "EVM (primary); cross-chain bridge variants (Polkadot ⇄ EVM canonical at v0.1)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T6.005", "url": "https://onchainattack.org/#/technique/OAK-T6.005" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--71ecfc99-0efa-5c66-ad46-d0a4851cee1c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Counterfeit Token Impersonation", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "defense-evasion" }, { "kill_chain_name": "oak", "phase_name": "access-acquisition" }, { "kill_chain_name": "oak", "phase_name": "value-extraction" } ], "x_oak_platforms": [ "EVM (primary); cross-chain bridge variants (Polkadot ⇄ EVM canonical at v0.1)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T6.006", "url": "https://onchainattack.org/#/technique/OAK-T6.006" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--a019d6df-047d-5759-8cee-e8de54595ade", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Trust-substrate Shift / Vendor-side Promise Revocation", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "defense-evasion" } ], "x_oak_platforms": [ "chain-agnostic (the substrate-of-revocation is the vendor / regulator / infrastructure-policy claim; the realised effect is on user-side threat-model construction across whichever chains the affected product operates)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T6.007", "url": "https://onchainattack.org/#/technique/OAK-T6.007" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Mixer-Routed Hop", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "laundering" } ], "x_oak_platforms": [ "EVM", "Bitcoin", "cross-chain" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T7.001", "url": "https://onchainattack.org/#/technique/OAK-T7.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--e69d7f82-fe18-5677-abba-9dd6347bc5a2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "CEX Deposit-Address Layering", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "laundering" } ], "x_oak_platforms": [ "EVM", "Solana", "Bitcoin", "cross-chain" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T7.002", "url": "https://onchainattack.org/#/technique/OAK-T7.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--093e472c-281c-5e78-9228-486255d3058a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Cross-Chain Bridge Laundering", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "laundering" } ], "x_oak_platforms": [ "EVM", "Solana", "Bitcoin", "cross-chain" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T7.003", "url": "https://onchainattack.org/#/technique/OAK-T7.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--a33bad38-8e4f-5cdd-a0a4-779143c81d8d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "NFT Wash-Laundering", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "laundering" } ], "x_oak_platforms": [ "EVM (primary; Ethereum / Polygon)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T7.004", "url": "https://onchainattack.org/#/technique/OAK-T7.004" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--a7ebcbb2-dafe-5364-9932-e3d7bee02596", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Privacy-Chain Hops", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "laundering" } ], "x_oak_platforms": [ "EVM", "Bitcoin", "cross-chain", "Monero", "Zcash" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T7.005", "url": "https://onchainattack.org/#/technique/OAK-T7.005" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--2addb763-67df-5522-8864-f3f0d400252a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "DeFi Yield-Strategy Laundering", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "laundering" } ], "x_oak_platforms": [ "EVM", "Solana", "cross-chain (within-chain laundering rail per chain)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T7.006", "url": "https://onchainattack.org/#/technique/OAK-T7.006" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Common-Funder Cluster Reuse", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "operator-continuity-attribution-signals" } ], "x_oak_platforms": [ "EVM", "Solana" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T8.001", "url": "https://onchainattack.org/#/technique/OAK-T8.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--1d0e4f47-8c77-58a2-b885-f44145ed3bf4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Cross-Chain Operator Continuity", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "operator-continuity-attribution-signals" } ], "x_oak_platforms": [ "cross-chain" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T8.002", "url": "https://onchainattack.org/#/technique/OAK-T8.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--f5bce1e3-3637-56df-8db9-94e793306171", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Oracle Price Manipulation", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "smart-contract-exploit" }, { "kill_chain_name": "oak", "phase_name": "market-manipulation" } ], "x_oak_platforms": [ "EVM", "Solana" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T9.001", "url": "https://onchainattack.org/#/technique/OAK-T9.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--f81933a4-bfe2-528f-94ef-399577e5a682", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Flash-Loan-Enabled Exploit", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "smart-contract-exploit" } ], "x_oak_platforms": [ "EVM", "Solana", "cross-chain" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T9.002", "url": "https://onchainattack.org/#/technique/OAK-T9.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--b6a77deb-14ae-59e3-b4b2-b73065972b6c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Governance Attack", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "smart-contract-exploit" } ], "x_oak_platforms": [ "EVM", "cross-chain" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T9.003", "url": "https://onchainattack.org/#/technique/OAK-T9.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--9b65ffc8-0be6-5809-b228-a85033f790ba", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Access-Control Misconfiguration", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "smart-contract-exploit" } ], "x_oak_platforms": [ "EVM", "Solana", "cross-chain" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T9.004", "url": "https://onchainattack.org/#/technique/OAK-T9.004" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--fd40fed2-9093-5b5a-8ebd-5b288e3ae6c5", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Reentrancy", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "smart-contract-exploit" } ], "x_oak_platforms": [ "EVM (primary); EVM-compatible L2s; conceptually applicable to any chain whose execution model allows external calls before state finalisation" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T9.005", "url": "https://onchainattack.org/#/technique/OAK-T9.005" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--b0b659a0-71d1-5943-b57e-96082367adef", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Subjective-Oracle Resolution Manipulation", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "smart-contract-exploit" }, { "kill_chain_name": "oak", "phase_name": "market-manipulation" } ], "x_oak_platforms": [ "EVM (Polygon-resident Polymarket / Ethereum-resident UMA DVM canonical at v0.1; cross-chain analogues across Kleros, Reality.eth, Augur REP)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T9.006", "url": "https://onchainattack.org/#/technique/OAK-T9.006" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--5c19685a-578d-5a35-969d-4ad75a1ab78a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "DVM Vote Capture by Economically-Interested Holder", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "smart-contract-exploit" }, { "kill_chain_name": "oak", "phase_name": "market-manipulation" } ], "x_oak_platforms": [ "EVM (Polymarket on Polygon / UMA DVM on Ethereum canonical at v0.1)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T9.006.001", "url": "https://onchainattack.org/#/technique/OAK-T9.006.001" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--b10815cf-cfad-5b45-97a2-61614ce86053", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Resolution-Spec Ambiguity Exploitation", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "smart-contract-exploit" }, { "kill_chain_name": "oak", "phase_name": "market-manipulation" } ], "x_oak_platforms": [ "EVM (Polymarket on Polygon / UMA DVM on Ethereum canonical at v0.1)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T9.006.002", "url": "https://onchainattack.org/#/technique/OAK-T9.006.002" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--f783bf18-a6db-5a11-bcbf-3ad4892f9214", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Off-chain Resolution-Source Coercion", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "smart-contract-exploit" }, { "kill_chain_name": "oak", "phase_name": "market-manipulation" } ], "x_oak_platforms": [ "EVM (Polymarket on Polygon canonical at v0.1)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T9.006.003", "url": "https://onchainattack.org/#/technique/OAK-T9.006.003" } ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--6cd5a72f-146d-5a9f-8324-beebe7a70c42", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Operational-Insider Trading on Subjective-Resolution Prediction Markets", "kill_chain_phases": [ { "kill_chain_name": "oak", "phase_name": "smart-contract-exploit" }, { "kill_chain_name": "oak", "phase_name": "market-manipulation" } ], "x_oak_platforms": [ "EVM (Polymarket on Polygon canonical at v0.1)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-T9.006.004", "url": "https://onchainattack.org/#/technique/OAK-T9.006.004" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--65aa1681-44d0-5121-8849-2b866abc876c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Source-Bytecode Verification", "description": "OAK OAK-M01 — class: detection; audience: vendor, risk-team, venue", "external_references": [ { "source_name": "oak", "external_id": "OAK-M01", "url": "https://onchainattack.org/#/mitigation/OAK-M01" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--0e4b3b55-5f84-5074-9b3b-9404e99b67fd", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Static-Analysis Pre-Deployment", "description": "OAK OAK-M02 — class: architecture; audience: protocol, designer", "external_references": [ { "source_name": "oak", "external_id": "OAK-M02", "url": "https://onchainattack.org/#/mitigation/OAK-M02" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--6b5af533-e806-54c4-8fe5-f990131e41d0", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Continuous Bytecode-Diff Monitoring", "description": "OAK OAK-M03 — class: detection; audience: vendor, risk-team", "external_references": [ { "source_name": "oak", "external_id": "OAK-M03", "url": "https://onchainattack.org/#/mitigation/OAK-M03" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--a82e10db-dcf6-5231-8299-6cedb873560e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Funder-Graph Clustering", "description": "OAK OAK-M04 — class: detection; audience: vendor, risk-team", "external_references": [ { "source_name": "oak", "external_id": "OAK-M04", "url": "https://onchainattack.org/#/mitigation/OAK-M04" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--82833c64-290a-554c-bc31-c2af67f2cab2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Authority-Graph Enumeration", "description": "OAK OAK-M05 — class: detection; audience: custody-customer, risk-team, vendor", "external_references": [ { "source_name": "oak", "external_id": "OAK-M05", "url": "https://onchainattack.org/#/mitigation/OAK-M05" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--6959c20e-2277-5961-9bda-ee8f1c8278dc", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Mempool / Pre-Block Telemetry", "description": "OAK OAK-M06 — class: detection; audience: vendor, trader, protocol", "external_references": [ { "source_name": "oak", "external_id": "OAK-M06", "url": "https://onchainattack.org/#/mitigation/OAK-M06" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--34d3bf3c-54f7-5956-a7dd-c969cdace21f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Cross-Chain Attribution Graph", "description": "OAK OAK-M07 — class: detection; audience: vendor, risk-team, venue", "external_references": [ { "source_name": "oak", "external_id": "OAK-M07", "url": "https://onchainattack.org/#/mitigation/OAK-M07" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--6f0b252d-02b3-56a4-9512-65438d2d5e9c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Per-Spender Approval Audit and Revocation", "description": "OAK OAK-M08 — class: wallet-ux; audience: wallet, custody-customer, vendor", "external_references": [ { "source_name": "oak", "external_id": "OAK-M08", "url": "https://onchainattack.org/#/mitigation/OAK-M08" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--59d11b85-db9b-56b3-b911-a06869c26471", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "TWAP + Multi-Venue Oracle with Deviation Circuit-Breaker", "description": "OAK OAK-M09 — class: architecture; audience: protocol, designer", "external_references": [ { "source_name": "oak", "external_id": "OAK-M09", "url": "https://onchainattack.org/#/mitigation/OAK-M09" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--043ecb34-7344-5ca6-af88-d9a3b208abd7", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Checks-Effects-Interactions and ReentrancyGuard", "description": "OAK OAK-M10 — class: architecture; audience: protocol, designer", "external_references": [ { "source_name": "oak", "external_id": "OAK-M10", "url": "https://onchainattack.org/#/mitigation/OAK-M10" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--fc65c84f-75b3-5fab-884f-4dd9bf5cf33f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Rate-Limiting and Per-Block Caps", "description": "OAK OAK-M11 — class: architecture; audience: protocol, designer", "external_references": [ { "source_name": "oak", "external_id": "OAK-M11", "url": "https://onchainattack.org/#/mitigation/OAK-M11" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--4985a1a6-d512-58c4-ac01-565e47a16316", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Per-Message Replay Binding", "description": "OAK OAK-M12 — class: architecture; audience: protocol, designer (bridge / cross-chain)", "external_references": [ { "source_name": "oak", "external_id": "OAK-M12", "url": "https://onchainattack.org/#/mitigation/OAK-M12" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--d2facfb9-55b5-57f6-a4d4-f8133a8d943e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Long Challenge Window with Economic Challenger Incentives", "description": "OAK OAK-M13 — class: architecture; audience: protocol, designer (optimistic-bridge / rollup)", "external_references": [ { "source_name": "oak", "external_id": "OAK-M13", "url": "https://onchainattack.org/#/mitigation/OAK-M13" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--b33cf8ae-db6f-5385-8594-a8cb71ace431", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Multi-Prover Redundancy", "description": "OAK OAK-M14 — class: architecture; audience: protocol, designer (zk-bridge / zk-rollup)", "external_references": [ { "source_name": "oak", "external_id": "OAK-M14", "url": "https://onchainattack.org/#/mitigation/OAK-M14" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--5ea92caa-6e87-5630-a816-3f5d3ae7ed34", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Threshold Signing with Operator Separation", "description": "OAK OAK-M15 — class: architecture; audience: custody-customer, custody-vendor, protocol (bridge)", "external_references": [ { "source_name": "oak", "external_id": "OAK-M15", "url": "https://onchainattack.org/#/mitigation/OAK-M15" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Pre-Deployment Audit and Formal Verification", "description": "OAK OAK-M16 — class: architecture; audience: protocol, designer", "external_references": [ { "source_name": "oak", "external_id": "OAK-M16", "url": "https://onchainattack.org/#/mitigation/OAK-M16" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--01f02050-cc06-593c-a921-e8ab898f429a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Time-Locked Governance and Multi-Block Quorum", "description": "OAK OAK-M17 — class: architecture; audience: protocol, designer (governance)", "external_references": [ { "source_name": "oak", "external_id": "OAK-M17", "url": "https://onchainattack.org/#/mitigation/OAK-M17" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--3e4307df-8595-57e2-a65d-b8aaaa23e81d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Out-of-Band Destination Verification", "description": "OAK OAK-M18 — class: operational; audience: custody-customer, custody-vendor", "external_references": [ { "source_name": "oak", "external_id": "OAK-M18", "url": "https://onchainattack.org/#/mitigation/OAK-M18" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--be9a2640-cc30-5674-b229-2d5f1bd94f8b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Air-Gap Cold-Wallet Signing", "description": "OAK OAK-M19 — class: operational; audience: custody-customer", "external_references": [ { "source_name": "oak", "external_id": "OAK-M19", "url": "https://onchainattack.org/#/mitigation/OAK-M19" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--2a2b0ba1-d486-52c0-92c5-95e040a51134", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Vendor Breach-Notification SLA", "description": "OAK OAK-M20 — class: operational; audience: custody-customer, risk-team, venue", "external_references": [ { "source_name": "oak", "external_id": "OAK-M20", "url": "https://onchainattack.org/#/mitigation/OAK-M20" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--37102889-cc74-5f7d-8d19-48568d94a335", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Anti-Phishing Training for Privileged Staff", "description": "OAK OAK-M21 — class: operational; audience: custody-customer, custody-vendor, protocol", "external_references": [ { "source_name": "oak", "external_id": "OAK-M21", "url": "https://onchainattack.org/#/mitigation/OAK-M21" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--8382e168-bf14-5b22-ad8a-f6843ae9917d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Rotate-on-Disclosure Discipline", "description": "OAK OAK-M22 — class: operational; audience: custody-customer, custody-vendor, protocol", "external_references": [ { "source_name": "oak", "external_id": "OAK-M22", "url": "https://onchainattack.org/#/mitigation/OAK-M22" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--a1ff9392-2106-56ff-8788-2000d14f5b0a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Audit-Attestation Public-Registry Verification", "description": "OAK OAK-M23 — class: venue; audience: venue, risk-team, trader", "external_references": [ { "source_name": "oak", "external_id": "OAK-M23", "url": "https://onchainattack.org/#/mitigation/OAK-M23" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--0b9f4268-084a-5bb8-8b77-9eb905dc2028", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Out-of-Band Audit-Engagement Verification", "description": "OAK OAK-M24 — class: venue; audience: venue, risk-team, trader", "external_references": [ { "source_name": "oak", "external_id": "OAK-M24", "url": "https://onchainattack.org/#/mitigation/OAK-M24" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--e8f1a172-e586-55bf-ac18-f2e71868823f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Listing-Time Source-Verification + Audit-Status Gate", "description": "OAK OAK-M25 — class: venue; audience: venue (CEX, DEX aggregator), aggregator (token-data, market-data), launchpad", "external_references": [ { "source_name": "oak", "external_id": "OAK-M25", "url": "https://onchainattack.org/#/mitigation/OAK-M25" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--44f6d12e-3515-5504-9aa4-41bb152664a1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Wash-Trade-Rate Metrics at Marketplace Layer", "description": "OAK OAK-M26 — class: venue; audience: venue (NFT marketplace, DEX), aggregator (analytics), risk-team", "external_references": [ { "source_name": "oak", "external_id": "OAK-M26", "url": "https://onchainattack.org/#/mitigation/OAK-M26" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--ea2c1b0f-ebc9-54e2-a68f-314c8380f1f9", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Travel Rule and KYC at Privacy-Chain Boundary", "description": "OAK OAK-M27 — class: venue; audience: venue (CEX, OTC desk, instant-swap service), regulator, risk-team", "external_references": [ { "source_name": "oak", "external_id": "OAK-M27", "url": "https://onchainattack.org/#/mitigation/OAK-M27" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--04901282-62d1-524a-9961-55cb58e18f73", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Token-Unlock Calendar Integration", "description": "OAK OAK-M28 — class: venue; audience: venue (DEX aggregator, CEX, market-data aggregator), risk-team, trader", "external_references": [ { "source_name": "oak", "external_id": "OAK-M28", "url": "https://onchainattack.org/#/mitigation/OAK-M28" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--58f0baa5-432b-5765-9598-e2a051775f86", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Full-Address Verification and Lookalike Detection", "description": "OAK OAK-M29 — class: wallet-ux; audience: wallet (mobile, browser-extension, hardware-wallet companion), custody-customer, risk-team", "external_references": [ { "source_name": "oak", "external_id": "OAK-M29", "url": "https://onchainattack.org/#/mitigation/OAK-M29" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--ef85cd4e-91fe-5597-bf63-13f0b2627b36", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Per-dApp Domain and App-Store-Package Allowlist", "description": "OAK OAK-M30 — class: wallet-ux; audience: wallet (mobile, browser-extension), custody-customer", "external_references": [ { "source_name": "oak", "external_id": "OAK-M30", "url": "https://onchainattack.org/#/mitigation/OAK-M30" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--ef3a9258-2595-51be-841c-aa3bbfb353de", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "EIP-712 Permit Display and Signing-Risk Heuristics", "description": "OAK OAK-M31 — class: wallet-ux; audience: wallet (mobile, browser-extension, hardware-wallet companion), custody-customer", "external_references": [ { "source_name": "oak", "external_id": "OAK-M31", "url": "https://onchainattack.org/#/mitigation/OAK-M31" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Bug Bounty Programs", "description": "OAK OAK-M32 — class: operational; audience: protocol, designer, vendor", "external_references": [ { "source_name": "oak", "external_id": "OAK-M32", "url": "https://onchainattack.org/#/mitigation/OAK-M32" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--b91ae2ee-bab0-592d-a5e0-91bab1b0ca18", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Decentralized Insurance Protocols", "description": "OAK OAK-M33 — class: operational; audience: trader, protocol, custody-customer", "external_references": [ { "source_name": "oak", "external_id": "OAK-M33", "url": "https://onchainattack.org/#/mitigation/OAK-M33" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--f66db0d5-a086-59e4-b95c-2946dc1ae340", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Pause-by-Default Emergency Pause", "description": "OAK OAK-M34 — class: architecture; audience: protocol, designer", "external_references": [ { "source_name": "oak", "external_id": "OAK-M34", "url": "https://onchainattack.org/#/mitigation/OAK-M34" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--ebec25cb-37ca-5aa8-9b99-b8289275131d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Whitehat-Rescue Coordination", "description": "OAK OAK-M35 — class: operational; audience: protocol, designer, vendor", "external_references": [ { "source_name": "oak", "external_id": "OAK-M35", "url": "https://onchainattack.org/#/mitigation/OAK-M35" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--9fbccd98-5d69-565c-ae1e-512ed8496492", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Proof-of-Reserves Cryptographic Auditing", "description": "OAK OAK-M36 — class: venue; audience: venue (CEX), risk-team, regulator", "external_references": [ { "source_name": "oak", "external_id": "OAK-M36", "url": "https://onchainattack.org/#/mitigation/OAK-M36" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--c21ebe1c-c2c2-574c-b4e8-9a56c424c27c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "HSM and MPC Custody Architectures", "description": "OAK OAK-M37 — class: operational; audience: custody-customer, custody-vendor, protocol (treasury), risk-team", "external_references": [ { "source_name": "oak", "external_id": "OAK-M37", "url": "https://onchainattack.org/#/mitigation/OAK-M37" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--d21d281b-32da-54da-aa63-dc2279c7ff5a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Time-Windowed Withdrawal Limits", "description": "OAK OAK-M38 — class: architecture; audience: protocol, designer, custody-vendor", "external_references": [ { "source_name": "oak", "external_id": "OAK-M38", "url": "https://onchainattack.org/#/mitigation/OAK-M38" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Cross-Protocol Watcher Network", "description": "OAK OAK-M39 — class: detection; audience: vendor, risk-team, protocol, designer", "external_references": [ { "source_name": "oak", "external_id": "OAK-M39", "url": "https://onchainattack.org/#/mitigation/OAK-M39" } ] }, { "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--1bab4ab0-e72b-5c94-aec8-d24c8d844d30", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Supply-Chain Package Integrity", "description": "OAK OAK-M40 — class: operational; audience: protocol (engineering staff), designer, custody-customer, custody-vendor, wallet", "external_references": [ { "source_name": "oak", "external_id": "OAK-M40", "url": "https://onchainattack.org/#/mitigation/OAK-M40" } ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--cd4a2105-1119-5bd7-a680-670d4d1d64ca", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Inferno Drainer", "aliases": [ "Inferno", "Inferno DaaS", "Discord-link drainer kit\" (per affiliate-channel framing in `[checkpoint2023drainers]`)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S01", "url": "https://onchainattack.org/#/software/OAK-S01" } ], "tool_types": [ "exploitation" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--5ad45975-dab7-53e9-8619-66c8eb0cfc63", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Angel Drainer", "aliases": [ "Angel", "Angel DaaS", "Angel-X\" (occasional rebranding suffix observed in industry forensic posts)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S02", "url": "https://onchainattack.org/#/software/OAK-S02" } ], "tool_types": [ "exploitation" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--bfde2831-5467-5e6f-a6d1-e4122d97842f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Pink Drainer", "aliases": [ "Pink", "Pinkdrainer", "Pink-X\" (occasional industry shorthand for the operator-of-record team behind the kit)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S03", "url": "https://onchainattack.org/#/software/OAK-S03" } ], "tool_types": [ "exploitation" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--176e9349-f531-5570-93a1-c4a8a41d3fa2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Monkey Drainer", "aliases": [ "Monkey", "Monkey-Drainer.eth\" (one of the historically-associated naming patterns in industry forensic posts)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S04", "url": "https://onchainattack.org/#/software/OAK-S04" } ], "tool_types": [ "exploitation" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--f0ed502b-402f-582b-a752-d72b34f83045", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Venom Drainer", "aliases": [ "Venom", "Venom DaaS." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S05", "url": "https://onchainattack.org/#/software/OAK-S05" } ], "tool_types": [ "exploitation" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--f62e5cdf-a9b6-5937-8013-f22b7360d132", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Vanilla Drainer", "aliases": [ "Vanilla", "Vanilla DaaS." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S06", "url": "https://onchainattack.org/#/software/OAK-S06" } ], "tool_types": [ "exploitation" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--e62b06af-edeb-58b0-9b4b-90c1c8e7f228", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Chick Drainer", "aliases": [ "Chick", "Chick DaaS." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S07", "url": "https://onchainattack.org/#/software/OAK-S07" } ], "tool_types": [ "exploitation" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--a55da009-7480-5a50-8a91-347e90ba7b22", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "TraderTraitor", "is_family": true, "aliases": [ "ManuscryptCrypto\" sub-family overlaps as documented by Kaspersky and Mandiant", "and \"Hidden Risk\" / \"RustBucket\" successors tracked separately by SentinelOne and Jamf for macOS evolution." ], "x_oak_platforms": [ "cross-platform (macOS-focused — both Intel and Apple Silicon builds documented; Windows builds also distributed via the same lure infrastructure; Linux builds reported in narrower vendor-corroborated cases)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S08", "url": "https://onchainattack.org/#/software/OAK-S08" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--ca7b9c46-bcf0-5e1a-9c03-2021303539c3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "AppleJeus", "is_family": true, "aliases": [ "COPPERHEDGE" ], "x_oak_platforms": [ "cross-platform (macOS-focused with foundational role in establishing the macOS-targeting DPRK tradecraft; Windows builds distributed in parallel through 2018–2021)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S09", "url": "https://onchainattack.org/#/software/OAK-S09" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--c9e659a2-639a-5077-8263-533686709bf6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Manuscrypt", "is_family": true, "x_oak_platforms": [ "Windows (long-running Windows-only family; macOS and Linux-side DPRK tooling sits in the AppleJeus / RustBucket / KandyKorn lineage rather than the Manuscrypt lineage)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S10", "url": "https://onchainattack.org/#/software/OAK-S10" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--5d7a6f91-5b20-5011-9891-34fd5cdaca79", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "3CX VoIP Client Trojan", "is_family": true, "x_oak_platforms": [ "cross-platform (Windows and macOS — both `3CXDesktopApp.exe` and `3CXDesktopApp` Mach-O binaries were trojanized in the supply-chain compromise; Linux 3CX builds were not affected per public reporting)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S11", "url": "https://onchainattack.org/#/software/OAK-S11" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--b9301c01-f47a-515e-a5d7-238549fc8f43", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "JADESNOW", "is_family": true, "aliases": [ "BABYSHARK (PowerShell-based reconnaissance / staging family also documented in Kimsuky activity by multiple vendors)" ], "x_oak_platforms": [ "Windows (the dominant deployment target for JADESNOW within the APT43 / Kimsuky operational profile, consistent with the cluster's spear-phishing-into-Windows-victim-environment tradecraft against policy researchers, journalists, and government targets)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S12", "url": "https://onchainattack.org/#/software/OAK-S12" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--d31a01a0-a0eb-5609-a13c-4c16a6996946", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "RedLine Stealer", "is_family": true, "aliases": [ "RedLine", "RedLine Infostealer" ], "x_oak_platforms": [ "Windows (primary); cross-platform browser-data targets (Chromium-family, Gecko-family)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S13", "url": "https://onchainattack.org/#/software/OAK-S13" } ], "malware_types": [ "spyware", "credential-exploitation" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--9255da7a-0f5e-5915-bc28-6465bc7db74d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Lumma Stealer", "is_family": true, "aliases": [ "LummaC2", "Lumma", "Lumma C2 Stealer" ], "x_oak_platforms": [ "Windows (primary)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S14", "url": "https://onchainattack.org/#/software/OAK-S14" } ], "malware_types": [ "spyware", "credential-exploitation" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--a55bbadd-c3e6-52ca-9aee-b91532c61a9a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "AsyncRAT", "is_family": true, "aliases": [ "Async RAT", "AsyncRAT C#" ], "x_oak_platforms": [ "Windows (primary; .NET Framework / .NET Core targets)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S15", "url": "https://onchainattack.org/#/software/OAK-S15" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--7ff1da9c-a18d-5686-889d-9b654b898cbb", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Profanity", "aliases": [ "Profanity (johguse/profanity)" ], "x_oak_platforms": [ "Linux / Windows / macOS (GPU-accelerated, OpenCL)" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S16", "url": "https://onchainattack.org/#/software/OAK-S16" } ], "tool_types": [ "exploitation" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--88f19f07-d87d-5350-ae41-ce479cbfc7ee", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "jaredfromsubway.eth", "aliases": [ "Jared", "jaredfromsubway", "Jared 2.0\" (2024 iteration tracked by EigenPhi)" ], "x_oak_platforms": [ "Ethereum mainnet (sandwich-MEV operation); off-chain searcher infrastructure not publicly characterised" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S17", "url": "https://onchainattack.org/#/software/OAK-S17" } ], "tool_types": [ "exploitation" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--ded60c66-92eb-5c74-a21c-326e63e6cff0", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Pump.fun-style Bundlers", "aliases": [ "Pump.fun bundlers", "launch bundlers", "dev-snipe bundlers", "Jito bundlers (in this context)" ], "x_oak_platforms": [ "Solana (primary); equivalent classes have emerged on other chains' token-launch venues" ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S18", "url": "https://onchainattack.org/#/software/OAK-S18" } ], "tool_types": [ "exploitation" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--19d87156-8f94-5a72-b336-889f9d28e34e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "KandyKorn", "is_family": true, "aliases": [ "so the same observed activity may be reported as \"KandyKorn detected\" or as \"Citrine Sleet macOS staging\" depending on the reporting vendor." ], "x_oak_platforms": [ "macOS (Intel and Apple Silicon — Elastic's original reporting documented Mach-O builds for both architectures within the same campaign infrastructure, consistent with the broader DPRK macOS lineage's shift to universal-binary distribution from 2022 onward)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S19", "url": "https://onchainattack.org/#/software/OAK-S19" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--a8c40011-d841-509c-b02b-424191105390", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "RustBucket", "is_family": true, "aliases": [ "but Jamf's original RustBucket naming remains the canonical industry label for the Rust-language second-stage loader specifically." ], "x_oak_platforms": [ "macOS (Intel-first, with Apple Silicon variants documented in subsequent Jamf and SentinelOne reporting through 2023–2024 consistent with the broader DPRK macOS lineage's shift to universal-binary distribution)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S20", "url": "https://onchainattack.org/#/software/OAK-S20" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--b7215b7c-47a0-5f14-aaff-f22040ea76fb", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "SwiftLoader", "is_family": true, "aliases": [ "ObjCShellz (OAK-S22)", "and the Hidden Risk campaign cohort within the broader BlueNoroff and Lazarus macOS lineages" ], "x_oak_platforms": [ "macOS (Intel and Apple Silicon — universal-binary distribution consistent with the broader DPRK macOS lineage's 2022-onward shift to universal builds)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S21", "url": "https://onchainattack.org/#/software/OAK-S21" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--71df2d91-411a-5d72-a9fb-c8715c02aa17", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "ObjCShellz", "is_family": true, "aliases": [ "SwiftLoader (OAK-S21)", "but SentinelOne's original naming remains the canonical industry label for the Objective-C-language reverse-shell specifically." ], "x_oak_platforms": [ "macOS (Intel and Apple Silicon — universal-binary distribution consistent with the broader DPRK macOS lineage's 2022-onward shift to universal builds)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S22", "url": "https://onchainattack.org/#/software/OAK-S22" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--13bed137-d65c-53c2-bf4f-048aadb26ca6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "LockBit ransomware", "is_family": true, "x_oak_platforms": [ "Windows (primary, all major versions); Linux (LockBit 2.0 onward, with dedicated Linux/ESXi targeting in LockBit 3.0); VMware ESXi (the dedicated ESXi-hypervisor variant from 2021 onward is one of the family's defining technical features and shaped the ESXi-targeting trend across the broader RaaS sector); cross-platform aspirations in the unreleased LockBit-NG-Dev Rust rewrite (which mirrored the BlackCat / ALPHV cross-platform-Rust design choice)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S23", "url": "https://onchainattack.org/#/software/OAK-S23" } ], "malware_types": [ "ransomware" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--66d281d4-5e2f-5707-afe5-568e6b167a82", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "BlackCat / ALPHV ransomware", "is_family": true, "x_oak_platforms": [ "Windows (primary, with Windows-server enterprise targeting the dominant deployment surface); Linux (parity build released alongside Windows); VMware ESXi (a dedicated hypervisor variant, mirroring the LockBit-3.0-era sector pivot to ESXi-targeting); the Rust-language implementation produces structurally identical builds across these platforms", "which is the family's defining technical innovation and the principal reason for ALPHV's 2022–2023 affiliate-attractiveness." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S24", "url": "https://onchainattack.org/#/software/OAK-S24" } ], "malware_types": [ "ransomware" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--b99afedd-61bf-5be2-a839-e93147ea2e38", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Maui ransomware", "is_family": true, "x_oak_platforms": [ "Windows (the only platform observed in public reporting; CISA AA22-187A and the subsequent Mandiant / Microsoft / Stairwell technical analyses describe a Windows-only x86 implementation)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S25", "url": "https://onchainattack.org/#/software/OAK-S25" } ], "malware_types": [ "ransomware" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--2e94d85c-173f-5591-a8bf-deacf922e499", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Conti ransomware", "is_family": true, "x_oak_platforms": [ "Windows (primary, all variants); Linux (a Conti-Linux variant emerged in late 2021 with VMware ESXi targeting, mirroring the broader RaaS-sector ESXi pivot; partial code reuse of the Conti-Linux variant is documented in Hive's Linux build per Mandiant); the Conti v3 Windows codebase was leaked in full during the ContiLeaks dump and has since been forked / rebadged by multiple unrelated groups (LockBit Green is the highest-profile rebadge — see OAK-S23 — but unaffiliated commodity-tier Conti-fork builds also circulate)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S26", "url": "https://onchainattack.org/#/software/OAK-S26" } ], "malware_types": [ "ransomware" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--01cc12b6-a3e9-50b2-984d-7cb990052ace", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Black Basta ransomware", "is_family": true, "aliases": [ "Storm-1811 (Microsoft Threat Intelligence naming, partially overlapping the broader Conti-successor-cohort surface)" ], "x_oak_platforms": [ "Windows (primary, all enterprise-server variants); Linux / VMware ESXi (a dedicated ESXi-hypervisor variant emerged June 2022, mirroring the broader RaaS-sector pivot to hypervisor-targeted attacks established by LockBit and ALPHV). The Windows codebase is C++-authored with structural-and-stylistic similarities to Conti v3 documented by Trend Micro", "Sophos", "and Mandiant; the lineage is read as *Conti-codebase-derivative-with-rewrites* rather than a clean fork." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S27", "url": "https://onchainattack.org/#/software/OAK-S27" } ], "malware_types": [ "ransomware" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--6f6ba66d-784c-5c94-a458-e7d8e6c7fa2a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Royal / BlackSuit ransomware", "is_family": true, "aliases": [ "the informal \"Royal/BlackSuit\" conjoined naming used in CISA AA23-061A and the November 2023 / August 2024 update advisories", "Microsoft", "leak-site infrastructure", "and operator-cohort were continuous across the rebrand at the wallet-cluster and tradecraft-fingerprint levels." ], "x_oak_platforms": [ "Windows (primary, all enterprise-server variants); Linux / VMware ESXi (a dedicated ESXi-hypervisor variant emerged in early 2023, mirroring the broader RaaS-sector pivot to hypervisor-targeted attacks). The Windows codebase's lineage to Conti's Zeon variant is the cleanest documented case of *direct Conti-codebase fork as a successor-brand encryptor* — Royal forked from Zeon rather than being a clean rewrite", "distinguishing it from the Black Basta lineage where the Conti v3 codebase was substantively rewritten before redeployment." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S28", "url": "https://onchainattack.org/#/software/OAK-S28" } ], "malware_types": [ "ransomware" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--936e8372-3daa-54da-a89a-4f68f1b71a1f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "BeaverTail", "is_family": true, "x_oak_platforms": [ "cross-platform (Windows, macOS, Linux — the JavaScript implementation runs natively in the Node.js runtime that the npm-package delivery surface presupposes; this cross-platform property is itself a defining family-architectural feature, distinguishing BeaverTail from the platform-specific macOS-focused TraderTraitor / RustBucket / KandyKorn / SwiftLoader / ObjCShellz lineage at OAK-S08 / S20 / S21 / S22)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S29", "url": "https://onchainattack.org/#/software/OAK-S29" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--60e49e2e-1db3-599d-a4e8-1c4d9e72107b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "InvisibleFerret", "is_family": true, "x_oak_platforms": [ "cross-platform (Windows, macOS, Linux — the Python implementation runs natively in any Python-3 runtime that the BeaverTail first-stage establishes; cross-platform property mirrors BeaverTail and distinguishes the family from the platform-specific macOS-focused TraderTraitor lineage at OAK-S08)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S30", "url": "https://onchainattack.org/#/software/OAK-S30" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--e92e8137-b390-5c7a-b1a5-f2491b4059c4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "TigerRAT", "is_family": true, "aliases": [ "Onyx Sleet / Plutonium (Microsoft Threat Intelligence's continuous Andariel-cluster naming)", "Stonefly (Symantec / Broadcom)", "DarkSeoul-cohort historical naming for the broader DPRK destructive-and-espionage cluster from which Andariel is the contemporary financially-motivated sub-cluster", "and the external Group ID G0138 Andariel Group profile under which TigerRAT activity is documented." ], "x_oak_platforms": [ "Windows (the only platform observed in public reporting; KrCERT/CC, AhnLab, and Mandiant analyses describe a Windows-only x86 implementation; no macOS or Linux variants documented as of v0.1)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S31", "url": "https://onchainattack.org/#/software/OAK-S31" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--51690d05-7fe1-5041-9cd4-4ddc600d0ff1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "AppleSeed", "is_family": true, "aliases": [ "Thallium (Microsoft Threat Intelligence's earlier Kimsuky naming)", "Black Banshee (CrowdStrike's Kimsuky-cluster naming)", "Velvet Chollima and the broader Chollima-family naming", "APT43 (Mandiant's March 2023 cluster-naming consolidation)", "TA406 (Proofpoint's Kimsuky naming)", "and the external Group ID G0094 Kimsuky Group profile under which AppleSeed activity is documented." ], "x_oak_platforms": [ "Windows (the only platform observed in public reporting; Talos, ESET, Mandiant, AhnLab, and KISA analyses describe a Windows-only x86 implementation; no macOS or Linux variants documented as of v0.1, consistent with the family's HWP-document-borne delivery surface that presupposes a Korean-language Windows-host target population)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S32", "url": "https://onchainattack.org/#/software/OAK-S32" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--90dd3e78-eaae-59ab-ad4f-2ab48eb520a0", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Akira ransomware", "is_family": true, "aliases": [ "Sophos" ], "x_oak_platforms": [ "Windows (primary, all enterprise-server variants, C++-authored codebase with partial structural similarities to Conti v3 documented by Sophos and Avast); Linux / VMware ESXi (a Rust-language variant emerged April–May 2023 under the temporary \"Megazord\" naming before consolidation back to the Akira brand). The dual-language architecture — C++ Windows + Rust ESXi/Linux — mirrors the ALPHV-influenced sector-wide pattern of Rust-for-cross-platform-hypervisor-variants while retaining C++ for the Windows codebase", "a hybrid pattern that became more common across 2023–2024 RaaS emergences." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S33", "url": "https://onchainattack.org/#/software/OAK-S33" } ], "malware_types": [ "ransomware" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--583c2311-1a94-56ff-ac8f-67ac88d6cbcc", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "RansomHub ransomware", "is_family": true, "aliases": [ "with the \"Notchy\" affiliate behind the Change Healthcare attack widely-reported as having rotated onto the RansomHub affiliate panel." ], "x_oak_platforms": [ "Windows (primary, all enterprise-server variants, with the encryptor codebase showing partial structural similarities to the prior Knight / Cyclops-class codebase per Mandiant and Microsoft attribution work); Linux / VMware ESXi (a dedicated ESXi-hypervisor variant emerged in mid-2024); Go-language and Rust-language partial implementations have been documented in different RansomHub builds across 2024", "with the dual-language architecture mirroring the broader sector pattern of hybrid-codebase RaaS designs established by Akira (OAK-S33) and the LockBit NG-Dev rewrite." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S34", "url": "https://onchainattack.org/#/software/OAK-S34" } ], "malware_types": [ "ransomware" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--1a29e7c0-ecea-5f4c-bd2f-28956dda3417", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "BlackByte ransomware", "is_family": true, "aliases": [ "and the BlackByte 2.0 / NT / 3.0 version-string naming used to disambiguate the multi-language codebase rotations across .NET (2021–2022)", "Go (2022–2023)" ], "x_oak_platforms": [ "Windows (primary, all enterprise-server variants, with the codebase rotated across .NET (2021–2022) → Go (2022–2023) → C++ (2023–2025) per Trustwave, Microsoft, and Sophos attribution work); Linux / VMware ESXi (a dedicated ESXi-hypervisor variant emerged in 2022, mirroring the broader RaaS-sector pivot to hypervisor-targeted attacks established by LockBit and ALPHV). The multi-language codebase rotation is the family's defining technical history and provides a useful comparative reference for understanding the *operator-side codebase-modernisation cadence* across a long-lifetime mid-tier RaaS brand — distinct from both single-language persistence (Conti's C++-only history) and single-rewrite rotation (LockBit's NG-Dev Rust rewrite recovered pre-deployment)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S35", "url": "https://onchainattack.org/#/software/OAK-S35" } ], "malware_types": [ "ransomware" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--f16b05e5-f10e-5b54-88bb-65e6f08b5cd2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Karakurt extortion-only kit", "aliases": [ "Karakurt extortion kit; Karakurt Lair (operator leak-site branding); part of the Conti-spinoff cohort tracked by Mandiant and CrowdStrike under the Wizard Spider successor-brand umbrella." ], "x_oak_platforms": [ "Cross-platform-by-tool-stack — Karakurt does not develop or deploy a custom encryptor and is not", "in the strict sense", "a \"ransomware family.\" Its operating tooling is a curated configuration of commodity post-exploitation and exfiltration utilities: Cobalt Strike (OAK-S37)", "Mimikatz", "AnyDesk", "rclone (the dominant Karakurt-fingerprint exfiltration utility)", "Filezilla / WinSCP", "Mega.io's MEGAsync", "and a custom set of automated victim-data-publication scripts running against the Karakurt Lair leak site." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S36", "url": "https://onchainattack.org/#/software/OAK-S36" } ], "tool_types": [ "exploitation" ] }, { "type": "tool", "spec_version": "2.1", "id": "tool--a2e9134d-5c15-5c22-b6f2-44bfba03b872", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Cobalt Strike", "x_oak_platforms": [ "Windows (primary, all variants); cross-platform Beacon variants (Linux, macOS) exist in legitimate licensed deployments and have been observed in some cracked-criminal deployments through 2024." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S37", "url": "https://onchainattack.org/#/software/OAK-S37" } ], "tool_types": [ "exploitation" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--ebc08a60-abd0-5dea-a30c-27f7ec340051", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "IcedID + Pikabot loaders", "is_family": true, "aliases": [ "IcedID — also tracked as BokBot (CrowdStrike) and as TA551-and-derivatives (Proofpoint historical naming for some delivery cohorts). Pikabot — successor-and-overlap loader to Qakbot (OAK-S40)", "tracked by Trend Micro", "Elastic", "and Zscaler from early 2023. The two are combined into a single OAK-S entry because they share the Russian-cybercrime-ecosystem operator substrate", "the initial-access-broker operating role", "and the May 2024 Operation Endgame disruption-event scope." ], "x_oak_platforms": [ "Windows (primary, all variants)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S38", "url": "https://onchainattack.org/#/software/OAK-S38" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--107e102f-d531-58ef-9f01-aa602de42211", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "DanaBot", "is_family": true, "x_oak_platforms": [ "Windows (primary, all variants)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S39", "url": "https://onchainattack.org/#/software/OAK-S39" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "malware", "spec_version": "2.1", "id": "malware--ceea4ce9-71aa-52df-899b-27715d98c7d9", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Qakbot / Pinkslipbot / QBot", "is_family": true, "x_oak_platforms": [ "Windows (primary, all variants)." ], "external_references": [ { "source_name": "oak", "external_id": "OAK-S40", "url": "https://onchainattack.org/#/software/OAK-S40" } ], "malware_types": [ "backdoor", "rat" ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--59707bbb-48c5-5afb-8aaf-6233fb654e93", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Lazarus Group / DPRK-attributed crypto theft", "description": "OAK OAK-G01 — attribution status: **confirmed** by FBI public statements, U.S. Treasury OFAC designations, U.S. Department of Justice indictments, and multiple national CERT bodies (KISA, NCSC, BSI). Attribution to the Reconnaissance General Bureau of the DPRK is the standing public position of the U.S. government.", "external_references": [ { "source_name": "oak", "external_id": "OAK-G01", "url": "https://onchainattack.org/#/group/OAK-G01" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--9f9bbd23-75c8-5685-9224-6d053ccba386", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Drainer-as-a-Service operators", "description": "OAK OAK-G02 — attribution status: **inferred-strong** at the service-family level (industry forensic providers with consistent published attributions). Per-incident operator-of-record attribution within a service family is generally **inferred-weak** and is not published per-incident at v0.1.", "external_references": [ { "source_name": "oak", "external_id": "OAK-G02", "url": "https://onchainattack.org/#/group/OAK-G02" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--3f5d75bc-c34c-5d4a-af7f-80df1166d48c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Russian-attributed crypto-laundering infrastructure cluster (Garantex / Grinex / A7A5 lineage)", "description": "OAK OAK-G03 — attribution status: **confirmed** at the *infrastructure-and-named-operator* level for the Garantex sub-cluster — U.S. Treasury OFAC SDN designation April 5, 2022 (`[ofac2022garantex]`); DOJ Eastern District of Virginia indictment unsealed February 27, 2025 against named administrators Aleksej Besciokov and Aleksandr Mira Serda (`[doj2025garantex]`); coordinated U.S. Secret Service / German BKA / Finnish NBI takedown action March 6, 2025; second OFAC designation round August 14, 2025 against Grinex and the A7A5 token network (`[treasury2025garantexnetwork]`). Attribution that the Garantex cluster *received and processed proceeds* from specific upstream criminal categories — Conti ransomware (\\~\\$6M direct inflow), Hydra darknet market (\\~\\$2.6M direct inflow), and a longer tail of ransomware-affiliate flows — is **inferred-strong** from industry forensic providers (Chainalysis, Elliptic, TRM Labs) cited in the Treasury press releases.", "external_references": [ { "source_name": "oak", "external_id": "OAK-G03", "url": "https://onchainattack.org/#/group/OAK-G03" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--603fffec-d3ba-5f13-be62-476303b69361", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "DPRK IT-Worker Placement Scheme", "description": "OAK OAK-G04 — attribution status: **confirmed** at the *scheme-and-named-facilitator* level — joint U.S. State / Treasury / FBI advisory dated May 16, 2022 (`[fbidprkitworker2022]`); OFAC SDN designations of Chinyong IT Cooperation Company and Kim Sang Man on May 23, 2023 (`[treasurydprkitworker2023]`); multiple DOJ indictments and convictions, including the Christina Marie Chapman \"laptop farm\" prosecution (guilty plea February 2024; sentenced 102 months / July 2025) (`[dojchapmanindictment2024]`) and the Jin Sung-Il / Pak Jin-Song et al. five-defendant indictment (Southern District of Florida, January 2025); March 2026 OFAC round designating six individuals and two entities for IT-worker fraud (`[ofac2026dprkitworker]`). Attribution that *specific crypto-firm exploits* are downstream of an OAK-G04 placement (Munchables March 2024; Solareum and other industry-reported cases) is **inferred-strong** from forensic providers (Chainalysis, TRM Labs, ZachXBT) where the on-chain signature, hire-then-exploit timeline, and identity-overlap evidence are jointly documented.", "external_references": [ { "source_name": "oak", "external_id": "OAK-G04", "url": "https://onchainattack.org/#/group/OAK-G04" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--50ffc35a-f390-56a1-b93c-4af2c94e2889", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "LockBit Ransomware-as-a-Service operation", "description": "OAK OAK-G05 — attribution status: **confirmed** at the *operator-and-named-affiliate* level — coordinated U.K. National Crime Agency / U.S. FBI / Europol \"Operation Cronos\" disruption announced February 20, 2024 (`[nca2024operationcronos]`); U.S. Treasury OFAC SDN designations of Russian nationals Artur Sungatov and Ivan Kondratyev with ten cryptocurrency addresses listed as SDN identifiers, February 20, 2024 (`[ofac2024lockbitaffiliates]`); U.S. Department of Justice 26-count indictment unsealed May 7, 2024 against Dmitry Yuryevich Khoroshev as the LockBit developer-and-administrator, accompanied by OFAC SDN designation of Khoroshev personally and a U.S. Department of State \\$10M reward (`[doj2024khoroshev]`, `[ofac2024khoroshev]`); coordinated U.K. FCDO and Australia DFAT designations the same day; subsequent OFAC action against the Russian web-hosting provider Aeza Group for hosting LockBit infrastructure (`[ofac2025aeza]`). Attribution that *specific ransom-payment flows* trace through specific downstream laundering infrastructure (Garantex / OAK-G03, Sinbad mixer, Bitzlato) is **inferred-strong** from industry forensic providers (Chainalysis, TRM Labs) and the U.K. NCA's \"Behind the Screens\" wallet-tracing publication.", "external_references": [ { "source_name": "oak", "external_id": "OAK-G05", "url": "https://onchainattack.org/#/group/OAK-G05" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--25519556-9d97-5dbe-9bd2-3ed7e815c7c6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Evil Corp", "description": "OAK OAK-G06 — attribution status: **confirmed** at the *operator-and-named-defendant* level — U.S. Treasury OFAC SDN designation of Evil Corp as an entity together with seventeen named individuals on December 5, 2019, pursuant to E.O. 13694 / E.O. 13757 (`[ofac2019evilcorp]`); same-day U.S. Department of Justice unsealed indictments in the Western District of Pennsylvania and the District of Nebraska charging Yakubets and Turashev with conspiracy, computer hacking, wire fraud, and bank fraud (`[doj2019yakubets]`); U.S. Department of State \\$5M reward for information leading to the arrest of Yakubets (the largest such reward for a cybercriminal at the time of issuance); coordinated trilateral sanctions architecture announced October 1, 2024 with U.S. Treasury OFAC, U.K. Foreign, Commonwealth and Development Office (FCDO) via the National Crime Agency, and Australia Department of Foreign Affairs and Trade (DFAT) jointly designating sixteen Evil Corp members and associates including Viktor Yakubets and Eduard Benderskiy as the FSB-link node (`[ofac2024evilcorp]`, `[nca2024evilcorp]`); same-day U.S. DOJ unsealed seven-count indictment of Aleksandr Ryzhenkov in the Northern District of Texas explicitly naming the BitPaymer-and-LockBit-affiliate dual-track activity (`[doj2024ryzhenkov]`); explicit Treasury and NCA findings that Yakubets has provided material assistance to the Russian Federal Security Service (FSB) — the FSB-link finding was the December 2019 designation's stated rationale and was reinforced in the October 2024 designation through the Benderskiy nexus. Attribution that *specific ransom-payment flows* trace through specific downstream laundering venues (Garantex / OAK-G03, mixers, non-KYC exchanges) is **inferred-strong** from industry forensic providers (Chainalysis, TRM Labs) and from the U.K. NCA's October 2024 \"Behind the Screens\" publication (`[chainalysisevilcorp2024]`, `[trmevilcorp2024]`).", "external_references": [ { "source_name": "oak", "external_id": "OAK-G06", "url": "https://onchainattack.org/#/group/OAK-G06" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--533fc757-0230-574b-99b5-4e0d54367824", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "APT43 / Kimsuky (DPRK espionage-and-self-funding cluster)", "description": "OAK OAK-G07 — attribution status: **confirmed** at the *cluster-and-state-attribution* level — U.S. Department of the Treasury OFAC SDN designation of Kimsuky on November 30, 2023 (`[ofac2023kimsuky]`, Treasury press release JY1938) carried out in coordination with Australia, Japan, and the Republic of Korea, attributing the cluster to the DPRK Reconnaissance General Bureau (RGB) and citing intelligence-gathering in support of the DPRK's strategic objectives following the November 1, 2023 reconnaissance-satellite launch; Republic of Korea sanctions designation of Kimsuky by the Ministry of Foreign Affairs / NIS, June 2, 2023 (`[mofakimsuky2023]`), the first time South Korea sanctioned a North Korean hacking group; joint cyber-security advisory of March 20, 2023 issued by the German Bundesamt für Verfassungsschutz (BfV) and the Republic of Korea National Intelligence Service (NIS) characterising Kimsuky's tooling and TTPs (`[bfvnis2023kimsuky]`); Mandiant APT43 report of March 28, 2023 attributing the cluster to the RGB at *moderate confidence* and documenting the cryptocurrency-funded operational model in technical detail (`[mandiantapt432023]`); external Group ID G0094 with sustained multi-vendor corroboration (CrowdStrike, Microsoft, Proofpoint, Google TAG, Recorded Future, Kaspersky). Attribution that *specific cryptocurrency-theft incidents* are downstream of an OAK-G07 placement (rather than an OAK-G01 placement) is **inferred-strong** in most cases — the cluster boundary between G01 (BlueNoroff / APT38 financial-theft sub-cluster) and G07 (APT43 / Kimsuky espionage-and-self-funding sub-cluster) is operationally meaningful but not always cleanly resolvable per-incident from public reporting.", "external_references": [ { "source_name": "oak", "external_id": "OAK-G07", "url": "https://onchainattack.org/#/group/OAK-G07" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--3adb2eec-bad1-5bb3-ba32-1d86e8069b69", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "BlueNoroff (DPRK financial-institution and crypto-firm intrusion sub-cluster)", "description": "OAK OAK-G08 — attribution status: **confirmed** at the *cluster-and-state-attribution* level — U.S. Department of the Treasury OFAC SDN designation of BlueNoroff on September 13, 2019 under Executive Orders 13694 and 13757 (Treasury press release SM-774, designating Lazarus Group, BlueNoroff, and Andariel as three separate sub-cluster entries belonging to the DPRK Reconnaissance General Bureau) (`[ofac2019dprkclusters]`); external Group ID G0082 (BlueNoroff) and G0079 / G0138 mappings for the APT38 / TraderTraitor naming overlap; CISA / FBI / Treasury joint cybersecurity advisory AA22-108A of April 2022 documenting the *TraderTraitor* sub-set of cluster activity — partially but not entirely co-extensive with BlueNoroff (`[cisa2022tradertraitor]`); long-running multi-vendor industry-forensic record across Kaspersky GReAT (BlueNoroff naming origin, 2017 onward), Mandiant (APT38 naming, 2018 onward), Jamf Threat Labs (RustBucket macOS family, 2023 onward), SentinelOne (ObjCShellz / RustBucket follow-on, 2023), Volexity, and Microsoft Threat Intelligence (Sapphire Sleet naming, 2023 onward). Attribution that *specific cryptocurrency-theft incidents* are downstream of an OAK-G08 placement (rather than an OAK-G01 placement) is **inferred-strong** in most cases — the BlueNoroff / TraderTraitor sub-cluster boundary inside the broader Lazarus / RGB whole is operationally meaningful but not always cleanly resolvable per-incident from public reporting; some incidents (DMM Bitcoin, May 2024) are attributed to TraderTraitor in primary FBI / DC3 / NPA documents while concurrent industry write-ups discuss BlueNoroff overlap.", "external_references": [ { "source_name": "oak", "external_id": "OAK-G08", "url": "https://onchainattack.org/#/group/OAK-G08" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--0184acd8-671f-54aa-8ae7-7c61c7bf4dc8", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Andariel (DPRK ransomware-and-ICS sub-cluster within the Lazarus / RGB ecosystem)", "description": "OAK OAK-G09 — attribution status: **confirmed** at the *cluster-and-state-attribution* level — U.S. Department of the Treasury OFAC SDN designation of Andariel under Executive Orders 13694 and 13722 on September 13, 2019 (`[ofac2019dprkcyber]`, Treasury press release SM-774), in coordinated action that designated Lazarus, BlueNoroff, and Andariel as three separate but related DPRK state-sponsored sub-clusters subordinate to the Reconnaissance General Bureau; CISA / FBI / U.S. Treasury joint cybersecurity advisory AA22-187A of July 6, 2022, \"North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector,\" with explicit Andariel attribution and the canonical public characterisation of the Maui-ransomware-against-healthcare operational pattern (`[cisa2022aa22187a]`); U.S. Department of Justice unsealed indictment of Rim Jong Hyok of July 25, 2024, charging the named Andariel operator with a multi-year campaign of healthcare-sector ransomware attacks and DIB-intrusion espionage, accompanied by a U.S. Department of State \\$10M reward (`[doj2024rimjonghyok]`); CISA / FBI / NSA / ROK NIS / NPA / DSA / U.K. NCSC joint cybersecurity advisory of July 25, 2024, \"North Korea state-sponsored cyber group conducts global espionage campaign to advance regime's military and nuclear programs\" (`[cisa2024andarieladvisory]`); ROK National Police Agency public attribution actions of 2023–2024; sustained multi-vendor industry-forensic record (Mandiant APT45 reporting, Microsoft Onyx Sleet reporting, Kaspersky Andariel reporting, SentinelOne, Symantec / Broadcom Stonefly reporting). Attribution that *specific cryptocurrency ransom-payment flows* trace to G09 versus other DPRK ransomware-touching activity is **inferred-strong** in most cases — the Maui-ransomware-attributed payment surface is small relative to the Lazarus crypto-theft surface, and per-victim public reporting of payment-trail forensics is sparse. Attribution that *specific Black Basta–attributed payments* trace to Andariel rather than to the Russian-speaking Black Basta core is **inferred-strong** at best and is flagged in Discussion below; OAK does not publish the Andariel × Black Basta overlap as confirmed at v0.1.", "external_references": [ { "source_name": "oak", "external_id": "OAK-G09", "url": "https://onchainattack.org/#/group/OAK-G09" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--02bfdd95-e888-5f32-95d8-90fbda1f2e39", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "ALPHV / BlackCat Ransomware-as-a-Service operation", "description": "OAK OAK-G10 — attribution status: **confirmed** at the *operator-cluster-and-named-affiliate* level — U.S. Federal Bureau of Investigation / Department of Justice disruption operation announced December 19, 2023, including FBI access to the ALPHV decryptor and a CISA / FBI joint advisory characterising the cluster's TTPs (`[fbi2023blackcatdisruption]`, `[cisa2023blackcatadvisory]`); DOJ indictments unsealed across 2024 against multiple Scattered Spider members for the September 2023 MGM Resorts and Caesars Entertainment campaigns and earlier Reddit-targeting activity (`[doj2024scatteredspider]`); HHS / U.S. Department of Health and Human Services public advisories on the February 21, 2024 Change Healthcare incident (`[hhs2024changehealthcare]`); sustained multi-vendor industry-forensic corroboration (Mandiant, Microsoft, Sophos, SentinelOne, Recorded Future, Chainalysis, TRM Labs, Symantec) characterising the Rust-based encryptor lineage, the Russian-language operator-forum substrate, the affiliate-cut economics, and the February-to-March 2024 self-exit-scam dynamic. ALPHV itself was not OFAC-designated as a cluster within its operating window; that distinction makes G10 a *confirmed-by-disruption-and-indictment* rather than *confirmed-by-OFAC-SDN-designation* case at v0.1, which is operationally important for the *asset-freeze counter-factual* discussed below. Attribution that *specific ransom-payment flows* trace to specific affiliate wallets within the ALPHV cluster is **inferred-strong** from industry forensic providers; the canonical instance is the \\~\\$22M Bitcoin payment from Change Healthcare that was traced on-chain by Chainalysis and TRM Labs to an affiliate wallet before the operator-side exit-scam diverted the funds out of affiliate control (`[chainalysis2024alphvexit]`, `[trm2024changehealthcare]`).", "external_references": [ { "source_name": "oak", "external_id": "OAK-G10", "url": "https://onchainattack.org/#/group/OAK-G10" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--5a3de7b5-cc0c-5c84-a4bd-b5a7b8252e40", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Black Basta Ransomware-as-a-Service operation", "description": "OAK OAK-G11 — attribution status: **confirmed** at the *cluster-and-tooling* level — joint CISA / FBI / HHS / MS-ISAC cyber-security advisory AA24-131A \"StopRansomware: Black Basta,\" May 10, 2024 (`[cisa2024aa24131ablackbasta]`), characterising the cluster's TTPs across the healthcare and other critical-infrastructure sectors and naming Black Basta as a closed RaaS operating brand with hundreds of named victims; sustained multi-vendor industry-forensic corroboration (Mandiant UNC4393 tracking, Microsoft Storm-1811 / Storm-0506 sub-cluster attribution, Recorded Future, SentinelOne, Sophos, Symantec) characterising the encryptor lineage, the Russian-language operator-forum substrate, the Conti-2022-organisational-continuity dispersal pattern, and the affiliate-cut economics; the February 2025 leaked Black Basta internal-chats archive (\"BlackBastaLeaks\"), which surfaced operator-and-affiliate Jabber/Matrix communications and externally validated the cluster-internal organisational structure inferred from prior industry-forensic tracking. The Conti-organisational-continuity claim is *inferred-strong* — overlap of operator personas, Bitcoin-funder-cluster reuse across the Conti-shutdown / Black Basta-launch window, and shared TTPs (QakBot loader chain, Cobalt Strike post-exploit tooling, Empire / BloodHound lateral-movement) are documented across Mandiant, CrowdStrike, and Recorded Future tracking but the cluster has not been individually OFAC-designated or DOJ-indicted at the principal-operator level as of v0.1. Attribution that *specific ransom-payment flows* trace to specific affiliate wallets within the Black Basta cluster is **inferred-strong** from industry forensic providers; the Elliptic 2024 retrospective traced approximately \\$107M in confirmed Bitcoin ransom payments to Black Basta-attributable wallet clusters across the cluster's first 18 months of operation (`[elliptic2024blackbasta]`), with downstream laundering routes sharing the broader Russian-language commercial-criminal off-ramp profile.", "external_references": [ { "source_name": "oak", "external_id": "OAK-G11", "url": "https://onchainattack.org/#/group/OAK-G11" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--a33c0569-65d6-56bb-9327-211ecf4389ea", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Scattered Spider / UNC3944 (English-speaking financially-motivated affiliate cluster)", "description": "OAK OAK-G12 — attribution status: **confirmed** at the *cluster-and-named-affiliate* level — U.S. Department of Justice indictments unsealed across 2024 against multiple Scattered Spider members, notably the November 13, 2024 indictment of five U.S.-and-U.K.-resident defendants (Elbadawy, Urban, Osiebo, Evans, Buchanan) for wire fraud, conspiracy, and aggravated identity theft tied to the MGM Resorts and Caesars Entertainment campaigns and earlier intrusions (`[doj2024scatteredspider]`); the July 2024 Spanish National Police arrest of Tyler Robert Buchanan in Palma de Mallorca pursuant to U.S. and U.K. extradition requests; U.K. National Crime Agency arrests of multiple U.K.-resident members through 2024-and-2025; sustained multi-vendor industry-forensic corroboration (Mandiant UNC3944, Microsoft Octo Tempest, Palo Alto Unit 42 Muddled Libra, Group-IB 0ktapus, Okta Scatter Swine, Trellix, CrowdStrike, Recorded Future) characterising the cluster's social-engineering-led intrusion style, the predominantly-English-speaking-and-Western-passport member composition, and the multi-RaaS-affiliate operating model. Attribution that *specific cryptocurrency-firm intrusions* are downstream of a Scattered Spider placement is **inferred-strong** for most cases — multiple 2022-to-2024 cryptocurrency-firm SIM-swap and social-engineering intrusions show TTPs consistent with the Scattered Spider operational profile per Mandiant, Microsoft, and Trellix tracking, but per-incident affiliate-attribution to the named DOJ defendants requires court-filing-level evidentiary specificity that is not always publicly available.", "external_references": [ { "source_name": "oak", "external_id": "OAK-G12", "url": "https://onchainattack.org/#/group/OAK-G12" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--b6280d45-80d0-516a-a4dd-4e75416464ca", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Iranian financially-motivated cyber operators (MuddyWater + Charming Kitten + Pioneer Kitten cluster set)", "description": "OAK OAK-G13 — attribution status: **confirmed** at the *cluster-set-and-state-attribution* level — multiple OFAC SDN designations against IRGC-affiliated cyber units and individuals across 2018-to-2024 (`[ofac2018samsam]`, `[ofac2020apt39]`, `[ofac2022irgcyber]`); CISA AA22-257A \"Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Ransomware Operations,\" September 14, 2022 (`[cisa2022aa22257a]`); CISA AA22-055A \"Iranian Government-Sponsored MuddyWater Actors Conducting Malicious Cyber Operations,\" February 24, 2022 (`[cisa2022aa22055a]`); CISA AA20-259A \"Iran-Based Threat Actor Exploits VPN Vulnerabilities,\" September 15, 2020 (`[cisa2020aa20259a]`); FBI Flash on Pioneer Kitten / Fox Kitten / Lemon Sandstorm activity, August 28, 2024 (`[fbi2024pioneerkittenflash]`); January 2022 U.S. Cyber Command attribution of MuddyWater to MOIS; sustained multi-vendor industry-forensic corroboration (Mandiant, Microsoft, CrowdStrike, ClearSky, Recorded Future, Kaspersky, Check Point, ESET) characterising the cluster set's TTPs and the IRGC-vs-MOIS sub-cluster boundary. Attribution that *specific cryptocurrency-theft or ransomware-payment incidents* are downstream of a specific Iranian sub-cluster placement is **inferred-strong** in many cases — the per-incident MuddyWater-vs-Charming-Kitten-vs-Pioneer-Kitten partition is operationally meaningful but not always cleanly resolvable from public reporting.", "external_references": [ { "source_name": "oak", "external_id": "OAK-G13", "url": "https://onchainattack.org/#/group/OAK-G13" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--804c8d72-b1bf-566a-9563-9fa07aae1c53", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Cl0p / Clop Ransomware-and-Data-Extortion operation", "description": "OAK OAK-G14 — attribution status: **confirmed** at the *cluster-and-named-affiliate* level — U.S. Department of the Treasury OFAC June 2023 designations of multiple Cl0p-affiliated Russian nationals (`[ofac2023clopaffiliates]`); CISA / FBI / NSA / U.S. Cyber Command joint cyber-security advisory AA23-158A \"CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability,\" June 7, 2023 (`[cisa2023aa23158aclop]`); CISA / FBI joint cyber-security advisory AA23-039A \"#StopRansomware: CLOP Ransomware,\" February 8, 2023 (`[cisa2023aa23039aclop]`); June 2021 Ukrainian Cyber Police arrests of multiple Cl0p-affiliated individuals in coordination with the U.S. and South Korean law enforcement (`[ukrcyberpolice2021clop]`); U.S. Department of State Rewards for Justice \\$10M reward for information on Cl0p leadership and affiliates (consistent with the broader RfJ ransomware-leadership reward architecture); sustained multi-vendor industry-forensic corroboration (Mandiant, Microsoft, CrowdStrike, Sophos, Recorded Future, Coveware, Chainalysis, TRM Labs, Sangfor) characterising the encryptor lineage, the TA505 / FIN11 operator-cohort substrate, the data-extortion-only pivot of mid-2023, and the mass-exploitation operational signature. Attribution that *specific ransom-payment flows or data-extortion-payment flows* trace to specific affiliate wallets within the Cl0p cluster is **inferred-strong** from industry forensic providers; per Coveware and Chainalysis aggregate tracking, Cl0p-attributable extortion proceeds across the cluster's operating window exceed \\$100M and place the cluster in the top-tier of ransomware-and-data-extortion volume per the 2023-and-2024 Chainalysis ransomware reports (`[chainalysis2025ransomware]`).", "external_references": [ { "source_name": "oak", "external_id": "OAK-G14", "url": "https://onchainattack.org/#/group/OAK-G14" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--1b552102-9688-5fb5-adc0-ea710eb9e8ea", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "RansomHub Ransomware-as-a-Service operation", "description": "OAK OAK-G15 — attribution status: **confirmed** at the *cluster-and-tooling* level — joint CISA / FBI / HHS / MS-ISAC cyber-security advisory AA24-242A \"StopRansomware: RansomHub Ransomware,\" August 29, 2024 (`[cisa2024aa24242aransomhub]`), characterising the cluster's TTPs across the healthcare and other critical-infrastructure sectors and naming RansomHub as the largest RaaS strain by victim-count in the immediate post-ALPHV-exit-scam window with more than 200 named victims through August 2024; sustained multi-vendor industry-forensic corroboration (Mandiant's UNC4393-adjacent and Notchy-affiliate tracking, Microsoft Threat Intelligence, Sophos, Symantec, Recorded Future, Coveware, Chainalysis, TRM Labs) characterising the Go-language encryptor lineage, the Russian-language operator-forum substrate, the affiliate-cut economics (\\~90 / 10 affiliate / operator split per industry-forensic tracking, more affiliate-favourable than the ALPHV \\~85 / 15 baseline and substantially more affiliate-favourable than the LockBit \\~80 / 20 baseline), and the post-ALPHV-affiliate-absorption pattern; Mandiant 2024 reporting describing RansomHub as \"the largest 2024 RaaS by post-ALPHV-exit-scam affiliate-absorption volume\" (`[mandiant2024ransomhub]`). RansomHub itself was not OFAC-designated as a cluster within its first 18 months of operation; that distinction makes G15 a *confirmed-by-CISA-advisory-and-industry-forensic-corroboration* rather than *confirmed-by-OFAC-SDN-designation* case at v0.1, structurally adjacent to OAK-G11 Black Basta on the attribution-strength axis. Attribution that *specific ransom-payment flows* trace to specific affiliate wallets within the RansomHub cluster is **inferred-strong** from industry forensic providers; the canonical instance is the cluster-continuity attestation linking Notchy and other ALPHV-displaced affiliates to RansomHub-cluster wallet activity in the months following the March 2024 ALPHV exit-scam (`[chainalysis2025ransomware]`, `[trm2024ransomhub]`).", "external_references": [ { "source_name": "oak", "external_id": "OAK-G15", "url": "https://onchainattack.org/#/group/OAK-G15" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--c49d1031-95b3-573d-8daa-a2bf2cd66c77", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Akira Ransomware-as-a-Service operation", "description": "OAK OAK-G16 — attribution status: **confirmed** at the *cluster-and-tooling* level — joint CISA / FBI / Europol EC3 / Netherlands NCSC-NL cyber-security advisory AA24-109A \"StopRansomware: Akira Ransomware,\" April 18, 2024 (`[cisa2024aa24109aakira]`), characterising the cluster's TTPs across the manufacturing, education, financial-services, and other sectors, naming Akira as a high-volume RaaS strain with approximately 250 victim organisations and approximately \\$42M in confirmed ransom-payment proceeds through January 2024, and identifying the Akira-affiliate cohort's exploitation-of-public-facing-vulnerabilities and Cisco-VPN-without-MFA initial-access vectors; sustained multi-vendor industry-forensic corroboration (Mandiant tracking, Microsoft Storm-1567, Sophos X-Ops, Recorded Future, Coveware, Chainalysis, TRM Labs) characterising the C++-and-Rust encryptor lineage, the Russian-language operator-forum substrate, the Conti-codebase-related lineage attestation, and the affiliate-cut economics; Sophos late-2023 reporting on the Megazord encryptor-variant as a Rust-based redevelopment of the Akira codebase (`[sophos2023akira]`). The Conti-codebase-related lineage claim is *inferred-strong* — overlap of operator personas, encryptor-architecture decisions, and TTP-fingerprint signal across the Conti-shutdown / Akira-launch window are documented across Mandiant, Microsoft, and Sophos tracking but the cluster has not been individually OFAC-designated or DOJ-indicted at the principal-operator level as of v0.1. Attribution that *specific ransom-payment flows* trace to specific affiliate wallets within the Akira cluster is **inferred-strong** from industry forensic providers; per CISA AA24-109A and Chainalysis aggregate tracking, Akira-attributable ransom-payment proceeds across the cluster's first 10 months of operation total approximately \\$42M, with downstream laundering routes sharing the broader Russian-language commercial-criminal off-ramp profile.", "external_references": [ { "source_name": "oak", "external_id": "OAK-G16", "url": "https://onchainattack.org/#/group/OAK-G16" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--6635387a-3ff2-5c07-8112-fbc9a4254690", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "BlackByte Ransomware-as-a-Service operation", "description": "OAK OAK-G17 — attribution status: **confirmed** at the *cluster-and-tooling* level — joint FBI / U.S. Secret Service cyber-security advisory CU-000167-MW (Feb 11 2022 FBI Flash) and the joint FBI / U.S. Secret Service Joint Cybersecurity Advisory TLP:WHITE on BlackByte Ransomware (the same February 2022 advisory cycle frequently referenced by industry-forensic write-ups as \"TA22-039A-equivalent\" though the canonical CISA advisory tracker uses the FBI Flash format rather than the AA-NNNNN tracker number) (`[fbi2022blackbyteflash]`), characterising the cluster's TTPs across U.S. critical-infrastructure entities including the February 2022 attack against the San Francisco 49ers professional sports franchise; sustained multi-vendor industry-forensic corroboration (Mandiant tracking, Microsoft Threat Intelligence, Sophos X-Ops, Trustwave SpiderLabs, Symantec Threat Hunter Team, Recorded Future, Coveware, Chainalysis, TRM Labs) characterising the multi-language encryptor lineage, the Russian-language operator-forum substrate, the Conti-splinter lineage attestation, and sustained 2022-and-2023 cross-platform encryptor-variant development including the Go-language variant; Trustwave SpiderLabs late-2021 reporting on the BlackByte encryptor's symmetric-key-reuse implementation flaw that allowed the publication of a free decryptor (`[trustwave2021blackbyte]`); subsequent BlackByte-encryptor redevelopment to address the cryptographic flaw and extend the cross-platform variant set. The Conti-splinter lineage claim is *inferred-strong* — overlap of operator personas, encryptor-architecture decisions, and TTP-fingerprint signal across the Conti-organisational substrate are documented across Mandiant, Microsoft, and Sophos tracking but the cluster has not been individually OFAC-designated or DOJ-indicted at the principal-operator level as of v0.1. Attribution that *specific ransom-payment flows* trace to specific affiliate wallets within the BlackByte cluster is **inferred-strong** from industry forensic providers.", "external_references": [ { "source_name": "oak", "external_id": "OAK-G17", "url": "https://onchainattack.org/#/group/OAK-G17" } ] }, { "type": "intrusion-set", "spec_version": "2.1", "id": "intrusion-set--fc2d4c9b-40e7-5631-affb-97bf77e6d21d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Karakurt extortion-only data-theft operation", "description": "OAK OAK-G18 — attribution status: **confirmed** at the *cluster-and-CISA-advisory* level — CISA / FBI / U.S. Department of the Treasury / FinCEN joint cyber-security advisory AA22-152A \"Karakurt Data Extortion Group,\" June 1, 2022 (`[cisaaa22152a]`), with a March 2023 update extending the Karakurt-cohort tracking through 2023; multi-vendor industry-forensic corroboration (Mandiant, Microsoft, CrowdStrike, Sophos, Recorded Future, Coveware, Chainalysis, TRM Labs) characterising the Conti-cohort-continuity attribution at the operator-cohort level and the data-extortion-only operating-model signature; Tetra Defense and Infinitum I.T. cross-vendor reporting on Karakurt-attributed intrusions and the recovery-and-negotiation behaviour profile. Attribution that *specific extortion-payment flows trace to specific Conti-successor affiliate wallets within the Karakurt cluster* is **inferred-strong** from industry-forensic providers; per Chainalysis and Mandiant cross-cohort analysis, Karakurt affiliate wallet clusters share funder addresses with documented Conti-era and Black Basta affiliate clusters, supporting the Conti-cohort-continuity attribution at the on-chain layer.", "external_references": [ { "source_name": "oak", "external_id": "OAK-G18", "url": "https://onchainattack.org/#/group/OAK-G18" } ] }, { "type": "x-oak-data-source", "spec_version": "2.1", "id": "x-oak-data-source--f3c39da7-0634-58ad-a556-6bdf6eb36956", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Token Deployment Events and Bytecode", "description": "Records the moment a new token contract is deployed: deployer address, deployment block, raw bytecode, constructor parameters, and (for Solana SPL Token-2022) the list of enabled extensions and their authorities. From a defender's perspective this is the earliest observable signal in a token's lifecycle, and it is the substrate on which OAK-T1 (Token Genesis) Techniques are detected.", "external_references": [ { "source_name": "oak", "external_id": "OAK-DS-01", "url": "https://onchainattack.org/#/datasource/OAK-DS-01" } ] }, { "type": "x-oak-data-source", "spec_version": "2.1", "id": "x-oak-data-source--afa7090f-041a-5bf1-8460-eb48ed4f4d77", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "DEX Pool Creation and Liquidity Events", "description": "Records the lifecycle of DEX liquidity pools: creation, liquidity provision, liquidity removal. The destination of LP tokens at provision time is the canonical \"who controls liquidity\" signal, and the size and timing of liquidity removal events is the canonical OAK-T5.001 (Hard LP Drain) signal.", "external_references": [ { "source_name": "oak", "external_id": "OAK-DS-02", "url": "https://onchainattack.org/#/datasource/OAK-DS-02" } ] }, { "type": "x-oak-data-source", "spec_version": "2.1", "id": "x-oak-data-source--63140fbf-45e9-5645-a015-e07da68ba4e5", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Token Approval Events", "description": "Records the granting of transfer authority from a token holder to a third-party spender or operator. T4.004 (Approve-Pattern Drainer) and T4.005 (setApprovalForAll NFT Drainer) both produce explicit `Approval` / `ApprovalForAll` events at the moment of authority grant — making these the highest-leverage detection-side telemetry for the on-chain authority artefact.", "external_references": [ { "source_name": "oak", "external_id": "OAK-DS-03", "url": "https://onchainattack.org/#/datasource/OAK-DS-03" } ] }, { "type": "x-oak-data-source", "spec_version": "2.1", "id": "x-oak-data-source--3858886c-02f1-5c82-b8c5-1e78830e672e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Permit / Permit2 Off-Chain Signatures", "description": "Records EIP-2612 `permit` and Uniswap Permit2 signed authorisations. Distinct from DS-03 (on-chain `Approval` events) because the authority artefact lives off-chain as a signed payload until consumed on-chain by the holder of the signature. The off-chain payload contains the full authority scope (spender, token, value, deadline, nonce) and is the canonical detection surface for OAK-T4.001 — but only at the wallet-UX layer, since the on-chain consumption event arrives after the authority has alre", "external_references": [ { "source_name": "oak", "external_id": "OAK-DS-04", "url": "https://onchainattack.org/#/datasource/OAK-DS-04" } ] }, { "type": "x-oak-data-source", "spec_version": "2.1", "id": "x-oak-data-source--e11ce8db-d70e-5ea8-bca6-4e9860b5be92", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Oracle Price Feeds and Oracle-Input Trades", "description": "Records oracle price updates and the input-venue trades that feed them. Critical for OAK-T9.001 detection because the canonical attack pattern moves the oracle's reported price through trades on its input venues; the oracle-side telemetry is the leading indicator of an in-progress oracle-manipulation event.", "external_references": [ { "source_name": "oak", "external_id": "OAK-DS-05", "url": "https://onchainattack.org/#/datasource/OAK-DS-05" } ] }, { "type": "x-oak-data-source", "spec_version": "2.1", "id": "x-oak-data-source--17d8413a-4d20-5c1c-a1d6-968b68fdb8f5", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Token Mint and Burn Events", "description": "Records changes to a token's total supply. Critical for OAK-T5.003 (Hidden-Mint Dilution) detection — both pre-event (presence of mint authority) and at-event (mint to deployer-clustered addresses).", "external_references": [ { "source_name": "oak", "external_id": "OAK-DS-06", "url": "https://onchainattack.org/#/datasource/OAK-DS-06" } ] }, { "type": "x-oak-data-source", "spec_version": "2.1", "id": "x-oak-data-source--83410f0c-3d3e-5807-ba5e-ee87af4a3447", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "DEX Trade and Swap Events", "description": "Records DEX trades — the on-chain artefact of every swap, sandwich, wash-trade, and oracle-input-venue manipulation. The most heavily-indexed Data Source in the on-chain space; near-zero access cost via standard indexers.", "external_references": [ { "source_name": "oak", "external_id": "OAK-DS-07", "url": "https://onchainattack.org/#/datasource/OAK-DS-07" } ] }, { "type": "x-oak-data-source", "spec_version": "2.1", "id": "x-oak-data-source--03ae9ba7-3d37-5555-9fc6-c9763cffdc52", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Bridge Validator Messages and VAAs", "description": "Records cross-chain authorisation messages: the signed payloads (often called VAAs — Validator Action Approvals — in Wormhole-style architectures, or generic threshold-signed messages in MPC-style bridges) that authorise asset movements across chains. Critical for OAK-T10 detection across all three Techniques.", "external_references": [ { "source_name": "oak", "external_id": "OAK-DS-08", "url": "https://onchainattack.org/#/datasource/OAK-DS-08" } ] }, { "type": "x-oak-data-source", "spec_version": "2.1", "id": "x-oak-data-source--dba14e9b-547b-5e8d-afc3-93d112893337", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Funder Graph (Derived)", "description": "Records the per-address graph of funding sources, computed from raw transfer events. For each address, the funder graph identifies the set of upstream addresses that have sent funds to it (directly or via N hops), allowing defenders to detect operator clusters that share funding ancestors. The most important *derived* Data Source in OAK because the underlying detection methodology for OAK-T3.001, T8.001, and the broader Group-attribution (`actors/`) axis depends on it.", "external_references": [ { "source_name": "oak", "external_id": "OAK-DS-09", "url": "https://onchainattack.org/#/datasource/OAK-DS-09" } ] }, { "type": "x-oak-data-source", "spec_version": "2.1", "id": "x-oak-data-source--35ae6f15-2676-56bf-9798-6ade8a05e805", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Cross-Chain Bridge and Swap Flows", "description": "Records cross-chain asset movements: deposits on the source chain, settlements on the destination chain, and (for cross-chain swap protocols) per-swap fee accrual to protocol operators. Critical for OAK-T7.003 (Cross-Chain Bridge Laundering) detection, including the protocol-economics signal (sudden fee accrual correlated with illicit-cluster inflow) introduced in the T7.003 page.", "external_references": [ { "source_name": "oak", "external_id": "OAK-DS-10", "url": "https://onchainattack.org/#/datasource/OAK-DS-10" } ] }, { "type": "x-oak-data-source", "spec_version": "2.1", "id": "x-oak-data-source--f1741bb2-760f-5c0b-b8f8-7db1418453ae", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Mempool and Pre-Block Order Flow", "description": "Records pending transactions and pre-block order flow — the \"what is about to be confirmed\" surface that sandwich-MEV operators (T5.004) operate on, and that some pre-event detection (T9.002 flash-loan setup; T9.001 oracle-input-trade staging) requires. Substantially less universally-accessible than on-chain Data Sources because much modern transaction flow is routed through private mempools specifically to defeat front-running.", "external_references": [ { "source_name": "oak", "external_id": "OAK-DS-11", "url": "https://onchainattack.org/#/datasource/OAK-DS-11" } ] }, { "type": "x-oak-data-source", "spec_version": "2.1", "id": "x-oak-data-source--ffb2eb6b-9321-59af-afe2-08d93fe4ef01", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "name": "Off-Chain CTI Feeds", "description": "Records off-chain telemetry that informs on-chain attack detection: phishing-campaign indicators, DNS / hosting compromise, social-engineering campaigns targeting validator-operator personnel, fake-job-offer LinkedIn campaigns, compromised-Discord-server announcements. Distinct from all on-chain Data Sources because the telemetry originates outside the blockchain layer entirely. Critical for the entry-vector detection of OAK-T4.002, T4.005, T10.001, and the broader OAK-G01 Lazarus Group operator", "external_references": [ { "source_name": "oak", "external_id": "OAK-DS-12", "url": "https://onchainattack.org/#/datasource/OAK-DS-12" } ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--74a11ed5-6387-5472-ba0f-585d35986a6a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--65aa1681-44d0-5121-8849-2b866abc876c", "target_ref": "attack-pattern--3113300f-d067-5bda-b93a-de6cb0044037" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--12d9dfe2-4dee-567b-be8a-32d8db8021ea", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--65aa1681-44d0-5121-8849-2b866abc876c", "target_ref": "attack-pattern--aa324a54-0e77-513e-bc77-dea4683702d2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--89a41937-66cc-58e2-9c3b-b52d92570ebe", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--65aa1681-44d0-5121-8849-2b866abc876c", "target_ref": "attack-pattern--e45221c4-74e9-52ab-8e20-96d05003d65a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d81c1eba-b5bc-57f2-8fc5-26225781f56b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--65aa1681-44d0-5121-8849-2b866abc876c", "target_ref": "attack-pattern--00534efe-a713-54c9-9ef3-5b12fd6d0c01" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--54818848-06d7-5323-9a9d-fafa787a18fa", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--65aa1681-44d0-5121-8849-2b866abc876c", "target_ref": "attack-pattern--39564b4f-4af2-5b1a-8405-eb8cf9d2f12b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--92a4e1c9-ea67-5ad3-9abe-6fca391e8c6d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--65aa1681-44d0-5121-8849-2b866abc876c", "target_ref": "attack-pattern--d9e4a005-06a9-5cee-9f7c-234e20790118" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7ed49c59-a1f8-5000-85e0-1e01892d1fba", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--65aa1681-44d0-5121-8849-2b866abc876c", "target_ref": "attack-pattern--5a491154-55c8-5abc-8449-0d48df41514b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e411c2c6-579c-5a37-a0b6-6a7ffa22fa33", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0e4b3b55-5f84-5074-9b3b-9404e99b67fd", "target_ref": "attack-pattern--3113300f-d067-5bda-b93a-de6cb0044037" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--34b81a1c-3114-5741-8ae6-27f0409c4d66", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0e4b3b55-5f84-5074-9b3b-9404e99b67fd", "target_ref": "attack-pattern--aa324a54-0e77-513e-bc77-dea4683702d2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--30ef5632-468f-5c48-9319-3e227f7a8f73", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0e4b3b55-5f84-5074-9b3b-9404e99b67fd", "target_ref": "attack-pattern--e45221c4-74e9-52ab-8e20-96d05003d65a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--08d37896-b80a-5bb3-912b-896e77404882", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0e4b3b55-5f84-5074-9b3b-9404e99b67fd", "target_ref": "attack-pattern--00534efe-a713-54c9-9ef3-5b12fd6d0c01" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--31662a5f-e85f-5e2d-aeaa-f492e0739002", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0e4b3b55-5f84-5074-9b3b-9404e99b67fd", "target_ref": "attack-pattern--d9e4a005-06a9-5cee-9f7c-234e20790118" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--da322009-ab8f-5582-b658-0b8df7eaa537", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0e4b3b55-5f84-5074-9b3b-9404e99b67fd", "target_ref": "attack-pattern--c23370e0-2f94-555e-8e18-e753a767bb51" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b31aa98a-9079-559d-968c-1aa46e7ddbdc", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0e4b3b55-5f84-5074-9b3b-9404e99b67fd", "target_ref": "attack-pattern--9b65ffc8-0be6-5809-b228-a85033f790ba" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0f0a64b5-1be0-52be-94e6-285198d5b624", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0e4b3b55-5f84-5074-9b3b-9404e99b67fd", "target_ref": "attack-pattern--fd40fed2-9093-5b5a-8ebd-5b288e3ae6c5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e27ac529-e573-5976-9d43-f9df46d281c3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0e4b3b55-5f84-5074-9b3b-9404e99b67fd", "target_ref": "attack-pattern--7a7e61f2-3d7c-5d61-90dc-9e198573731c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bb3e6214-f10f-50cf-bdb3-d922e94a92c3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--6b5af533-e806-54c4-8fe5-f990131e41d0", "target_ref": "attack-pattern--aa324a54-0e77-513e-bc77-dea4683702d2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9ed16541-e0a5-5add-b2f2-536c5bef9ea7", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--6b5af533-e806-54c4-8fe5-f990131e41d0", "target_ref": "attack-pattern--e45221c4-74e9-52ab-8e20-96d05003d65a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3e35914a-79f9-52a4-8fe0-d05d23ba1850", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--6b5af533-e806-54c4-8fe5-f990131e41d0", "target_ref": "attack-pattern--39564b4f-4af2-5b1a-8405-eb8cf9d2f12b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4b6d30f8-42e2-5a53-9255-9678407051f7", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--6b5af533-e806-54c4-8fe5-f990131e41d0", "target_ref": "attack-pattern--d9e4a005-06a9-5cee-9f7c-234e20790118" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7cf04c61-0bdc-5521-a8fd-e3a1606afe99", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--6b5af533-e806-54c4-8fe5-f990131e41d0", "target_ref": "attack-pattern--5a491154-55c8-5abc-8449-0d48df41514b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8ed35fc6-d1df-552e-8f6c-1c454fca67d0", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--6b5af533-e806-54c4-8fe5-f990131e41d0", "target_ref": "attack-pattern--9b65ffc8-0be6-5809-b228-a85033f790ba" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e33efd56-bcae-5edd-b3ef-9161fafdc07e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--6b5af533-e806-54c4-8fe5-f990131e41d0", "target_ref": "attack-pattern--0de49898-b977-5cf7-9608-eff3285c50c7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f2c0da6b-e7a2-5c9e-bb9c-6673e48279c9", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a82e10db-dcf6-5231-8299-6cedb873560e", "target_ref": "attack-pattern--a55b5859-fa73-5cab-a342-82b97187ea20" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--84070792-fc92-53a0-8882-0163b38f5b11", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a82e10db-dcf6-5231-8299-6cedb873560e", "target_ref": "attack-pattern--b027592f-baee-5d2a-9d15-925aa1b77941" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7197d9e1-28fb-504e-8fbc-2dd148d4a6df", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a82e10db-dcf6-5231-8299-6cedb873560e", "target_ref": "attack-pattern--ea13efc1-d0df-532c-8add-3d39dcd29713" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8ee1670b-3767-562d-85ca-09105c66e1ab", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a82e10db-dcf6-5231-8299-6cedb873560e", "target_ref": "attack-pattern--b8d62a9c-14cd-503a-af8d-a26b825dffcd" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3df0dbe2-8598-59f1-905e-3d114b21d1c0", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a82e10db-dcf6-5231-8299-6cedb873560e", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7f90857f-6fb8-58ba-8e88-5133c1bc1949", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a82e10db-dcf6-5231-8299-6cedb873560e", "target_ref": "attack-pattern--1d0e4f47-8c77-58a2-b885-f44145ed3bf4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--aa4c14e0-99a0-5366-a2a4-8dc56dd20ff9", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a82e10db-dcf6-5231-8299-6cedb873560e", "target_ref": "attack-pattern--3113300f-d067-5bda-b93a-de6cb0044037" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3a53d586-e332-5505-b089-06e3a63e9f8a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a82e10db-dcf6-5231-8299-6cedb873560e", "target_ref": "attack-pattern--39564b4f-4af2-5b1a-8405-eb8cf9d2f12b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ba35ee48-5b76-5d87-9386-3ad136303af2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--82833c64-290a-554c-bc31-c2af67f2cab2", "target_ref": "attack-pattern--aa324a54-0e77-513e-bc77-dea4683702d2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d3bb8697-b5e9-55f7-9b72-80c63f2d0be3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--82833c64-290a-554c-bc31-c2af67f2cab2", "target_ref": "attack-pattern--e45221c4-74e9-52ab-8e20-96d05003d65a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--29671266-ab3d-5e27-a073-f9c98753f583", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--82833c64-290a-554c-bc31-c2af67f2cab2", "target_ref": "attack-pattern--b6a77deb-14ae-59e3-b4b2-b73065972b6c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cb2053b0-498f-5ef0-9ef4-7ae8971f32db", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--82833c64-290a-554c-bc31-c2af67f2cab2", "target_ref": "attack-pattern--9b65ffc8-0be6-5809-b228-a85033f790ba" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ef7b0de7-18da-58e4-a6b8-4ae931eec2bd", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--82833c64-290a-554c-bc31-c2af67f2cab2", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cb308035-5c18-5ac1-ae59-8de690da4111", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--82833c64-290a-554c-bc31-c2af67f2cab2", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--122e9734-2edf-5642-9839-92ff126c214c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--82833c64-290a-554c-bc31-c2af67f2cab2", "target_ref": "attack-pattern--0de49898-b977-5cf7-9608-eff3285c50c7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d237e5f6-e742-56e7-9b62-9ebcccd94abd", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--6959c20e-2277-5961-9bda-ee8f1c8278dc", "target_ref": "attack-pattern--51de129b-35c6-52ab-baa1-4952b944dad8" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--717efce6-ba0b-5c2f-a729-f363cb750051", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--6959c20e-2277-5961-9bda-ee8f1c8278dc", "target_ref": "attack-pattern--e12a0e1d-8dac-5395-b37b-b0aa20814db2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cbe8099c-e6c0-5259-9d98-371ca5ca8080", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--6959c20e-2277-5961-9bda-ee8f1c8278dc", "target_ref": "attack-pattern--b28eb96d-c303-5027-bc7d-413c3659495a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c68c7dbf-e415-5615-963e-63ddb1b2336d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--34d3bf3c-54f7-5956-a7dd-c969cdace21f", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4e31074b-f53d-5f8f-a51e-80e728cdc0eb", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--34d3bf3c-54f7-5956-a7dd-c969cdace21f", "target_ref": "attack-pattern--e69d7f82-fe18-5677-abba-9dd6347bc5a2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2616d930-cad7-52ff-9a2f-4500aa28094f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--34d3bf3c-54f7-5956-a7dd-c969cdace21f", "target_ref": "attack-pattern--093e472c-281c-5e78-9228-486255d3058a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c97c9931-8fae-5ae6-a6a0-8f86a8390f3c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--34d3bf3c-54f7-5956-a7dd-c969cdace21f", "target_ref": "attack-pattern--a33bad38-8e4f-5cdd-a0a4-779143c81d8d" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--32523ac5-8063-5dfc-a2fc-36882323eced", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--34d3bf3c-54f7-5956-a7dd-c969cdace21f", "target_ref": "attack-pattern--a7ebcbb2-dafe-5364-9932-e3d7bee02596" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--930eece2-c60b-5058-a1ac-1668f7c8147b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--34d3bf3c-54f7-5956-a7dd-c969cdace21f", "target_ref": "attack-pattern--2addb763-67df-5522-8864-f3f0d400252a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8d388f10-8a7b-5b16-80b6-acc616cbed2b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--34d3bf3c-54f7-5956-a7dd-c969cdace21f", "target_ref": "attack-pattern--1d0e4f47-8c77-58a2-b885-f44145ed3bf4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f827896c-796c-5ffd-b821-eedfdee5dfa2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--34d3bf3c-54f7-5956-a7dd-c969cdace21f", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8999f12c-6ab6-5208-8138-a9cbb7b42b22", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--6f0b252d-02b3-56a4-9512-65438d2d5e9c", "target_ref": "attack-pattern--58002197-8183-530c-9eea-d2d8532a9008" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cf61cce2-6b8d-5a13-b569-bd88a6c63dd8", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--6f0b252d-02b3-56a4-9512-65438d2d5e9c", "target_ref": "attack-pattern--12a37f6f-1b04-52d2-9ad3-56bca9ba3350" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6e002cfe-1ffa-51f4-9235-14ccc450422d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--6f0b252d-02b3-56a4-9512-65438d2d5e9c", "target_ref": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d2f3cead-b7ad-5bf5-a0b4-fa14f40f5bb6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--6f0b252d-02b3-56a4-9512-65438d2d5e9c", "target_ref": "attack-pattern--75d94806-bc98-57dc-894c-8ba499eb5540" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0ee2a94e-81a7-5b4f-ba79-012771e8cf47", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--59d11b85-db9b-56b3-b911-a06869c26471", "target_ref": "attack-pattern--f5bce1e3-3637-56df-8db9-94e793306171" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--82e81798-7996-5c4d-bcfd-a67ea5ca0c50", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--59d11b85-db9b-56b3-b911-a06869c26471", "target_ref": "attack-pattern--f81933a4-bfe2-528f-94ef-399577e5a682" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c747adb9-b277-570d-8bca-c38941d35937", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--043ecb34-7344-5ca6-af88-d9a3b208abd7", "target_ref": "attack-pattern--fd40fed2-9093-5b5a-8ebd-5b288e3ae6c5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b868e794-1e52-552f-ab65-b0544803658f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--043ecb34-7344-5ca6-af88-d9a3b208abd7", "target_ref": "attack-pattern--f81933a4-bfe2-528f-94ef-399577e5a682" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3bb1e531-29e9-5102-bb06-3d13d16d277d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--fc65c84f-75b3-5fab-884f-4dd9bf5cf33f", "target_ref": "attack-pattern--5deeb2fb-1df3-5566-8229-2e83bd241a08" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d0a80ed1-d50c-50a4-858c-f6b5cb7ee813", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--fc65c84f-75b3-5fab-884f-4dd9bf5cf33f", "target_ref": "attack-pattern--647504b6-bc6d-5c30-b18d-82c99e51b62d" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d54c2514-6e35-5c7a-9e4d-6a406968d2ae", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--fc65c84f-75b3-5fab-884f-4dd9bf5cf33f", "target_ref": "attack-pattern--f5bce1e3-3637-56df-8db9-94e793306171" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--936eb5fd-7ff4-5424-84c8-f917f785e1ec", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--fc65c84f-75b3-5fab-884f-4dd9bf5cf33f", "target_ref": "attack-pattern--f81933a4-bfe2-528f-94ef-399577e5a682" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b7705e4d-d0eb-587c-969a-c35294533a90", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--fc65c84f-75b3-5fab-884f-4dd9bf5cf33f", "target_ref": "attack-pattern--cf39fa63-9044-5279-8ea5-4acb64d53904" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3693afda-d108-5c99-ab8f-81edf737a13a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--fc65c84f-75b3-5fab-884f-4dd9bf5cf33f", "target_ref": "attack-pattern--44a15cd3-db68-5127-b8dd-cb96e537e3b7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cdfea692-8bda-5fc3-a503-436613ba59ee", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--4985a1a6-d512-58c4-ac01-565e47a16316", "target_ref": "attack-pattern--44a15cd3-db68-5127-b8dd-cb96e537e3b7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--848fc443-13eb-52d0-9e4d-05a11be9ef68", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--4985a1a6-d512-58c4-ac01-565e47a16316", "target_ref": "attack-pattern--37433c31-ae6a-50f0-bfe3-22ac2f1747d9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--91967aa6-3798-51f7-b0dc-2f9f3fcd3a77", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d2facfb9-55b5-57f6-a4d4-f8133a8d943e", "target_ref": "attack-pattern--8a373cd0-d1fc-5d17-916d-993d5cd3e7c1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e8b9434b-e0d7-578d-9fa7-c3077fc81a3f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b33cf8ae-db6f-5385-8594-a8cb71ace431", "target_ref": "attack-pattern--4950a164-f5b6-579d-b44d-af445947d99e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f7d2e5dd-b67b-52bc-ac5a-3ed72e8f6d79", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ea92caa-6e87-5630-a816-3f5d3ae7ed34", "target_ref": "attack-pattern--cf39fa63-9044-5279-8ea5-4acb64d53904" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--386fde4c-0591-5a89-ae03-a4d7f710df09", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ea92caa-6e87-5630-a816-3f5d3ae7ed34", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6da028e2-57d1-588c-9498-2b7803fca1c8", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ea92caa-6e87-5630-a816-3f5d3ae7ed34", "target_ref": "attack-pattern--0de49898-b977-5cf7-9608-eff3285c50c7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--072127c9-a14a-5d2f-badd-1788bd82a369", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--3113300f-d067-5bda-b93a-de6cb0044037" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1b746c40-4607-5a44-9fb6-901d09efe8d0", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--aa324a54-0e77-513e-bc77-dea4683702d2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b5d06701-93d4-5c39-a3a7-f92fdfa6974d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--e45221c4-74e9-52ab-8e20-96d05003d65a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7a0871e8-65a8-5ac2-97a8-ccd13264a123", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--d9e4a005-06a9-5cee-9f7c-234e20790118" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b873fdb1-16f4-5b41-b58f-3d450a5e7d88", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--c23370e0-2f94-555e-8e18-e753a767bb51" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--74ad6aa3-f86d-5717-a0d2-0acdc8d6052d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--5a491154-55c8-5abc-8449-0d48df41514b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d67da2c8-ddad-58a0-8250-f6363ac85025", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--d275621f-df75-55ac-974a-4589472dde87" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5de354b5-800e-54ad-bb41-30937ac83680", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--f5bce1e3-3637-56df-8db9-94e793306171" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--12f899ec-12d7-5caa-8e48-2dc31453bf02", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--f81933a4-bfe2-528f-94ef-399577e5a682" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ff736be3-f836-5c14-80ad-638c4f9736a2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--b6a77deb-14ae-59e3-b4b2-b73065972b6c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1c026f9a-d66e-5cbc-9aa7-64232a69bf7a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--9b65ffc8-0be6-5809-b228-a85033f790ba" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--08aac28c-b60d-51fc-9df5-17bfe6af5a23", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--fd40fed2-9093-5b5a-8ebd-5b288e3ae6c5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b6bfd4a9-a0aa-5ba0-be9c-26b78efca450", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--cf39fa63-9044-5279-8ea5-4acb64d53904" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--08d0fc94-07f5-5cb1-9aae-a2dfbd6a35d6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--44a15cd3-db68-5127-b8dd-cb96e537e3b7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3ffb402e-415a-59c6-be15-d39f09432b7e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--37433c31-ae6a-50f0-bfe3-22ac2f1747d9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d905d382-9c16-510b-b3cf-736e26f7093b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--8a373cd0-d1fc-5d17-916d-993d5cd3e7c1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--837bcfa9-1163-5fad-bc42-8cb683da49a4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--dbcae7d1-60fb-5bbb-8aa5-ece44830e988", "target_ref": "attack-pattern--4950a164-f5b6-579d-b44d-af445947d99e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--66b01e0c-b8e2-5ef7-a35c-9a89db9f3c33", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--01f02050-cc06-593c-a921-e8ab898f429a", "target_ref": "attack-pattern--b6a77deb-14ae-59e3-b4b2-b73065972b6c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ed464a02-5e43-50a4-b4ff-e77d8676a7dc", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3e4307df-8595-57e2-a65d-b8aaaa23e81d", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--533a7b60-0f62-5b87-8959-e6046814cd8b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3e4307df-8595-57e2-a65d-b8aaaa23e81d", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8db4b314-5542-5334-b719-fab63375600e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3e4307df-8595-57e2-a65d-b8aaaa23e81d", "target_ref": "attack-pattern--0de49898-b977-5cf7-9608-eff3285c50c7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5f13290f-7426-59ed-ab78-275df5e12b3b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3e4307df-8595-57e2-a65d-b8aaaa23e81d", "target_ref": "attack-pattern--58002197-8183-530c-9eea-d2d8532a9008" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3e8663c6-5ef5-55fd-b93e-21a7b999ff4f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3e4307df-8595-57e2-a65d-b8aaaa23e81d", "target_ref": "attack-pattern--7ec6ff5b-83cd-5725-adda-2b5d3a846414" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b393ca5b-59ac-5547-9b78-44bcc1014469", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3e4307df-8595-57e2-a65d-b8aaaa23e81d", "target_ref": "attack-pattern--4dd355bc-2389-55c4-911c-1bac3744dbbc" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c103ab86-3cd2-5deb-adee-5193d129d868", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3e4307df-8595-57e2-a65d-b8aaaa23e81d", "target_ref": "attack-pattern--12a37f6f-1b04-52d2-9ad3-56bca9ba3350" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--228fde7f-f6ba-519c-ba3d-25172584868e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3e4307df-8595-57e2-a65d-b8aaaa23e81d", "target_ref": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--842fc75e-665d-5025-87f0-aa0b2ed51ff6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--3e4307df-8595-57e2-a65d-b8aaaa23e81d", "target_ref": "attack-pattern--75d94806-bc98-57dc-894c-8ba499eb5540" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--104a82d8-f086-5c05-9503-4efc60962a87", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--be9a2640-cc30-5674-b229-2d5f1bd94f8b", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cb5f1f3d-d878-5c5e-b902-36fe32a4e9fa", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--be9a2640-cc30-5674-b229-2d5f1bd94f8b", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5b17128a-d6e6-5af4-8858-82d8ec52c2f8", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--be9a2640-cc30-5674-b229-2d5f1bd94f8b", "target_ref": "attack-pattern--0de49898-b977-5cf7-9608-eff3285c50c7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4adec3c2-6716-5811-99ac-7ae1d10e620e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2a2b0ba1-d486-52c0-92c5-95e040a51134", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--85ea943d-57b9-55ef-bb0f-6002c115b117", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--2a2b0ba1-d486-52c0-92c5-95e040a51134", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7949edd8-57ce-51f1-b229-3086f0a0b113", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--37102889-cc74-5f7d-8d19-48568d94a335", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0c8dc2c7-e849-544f-b8f2-1081341e769d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--37102889-cc74-5f7d-8d19-48568d94a335", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9b5c6d52-0d11-5e5e-93f5-05bd53b9ff12", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--8382e168-bf14-5b22-ad8a-f6843ae9917d", "target_ref": "attack-pattern--aa324a54-0e77-513e-bc77-dea4683702d2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b7e5d4e1-16df-5c68-a166-8634e5e5a836", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--8382e168-bf14-5b22-ad8a-f6843ae9917d", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--80a15398-d8bb-5c3e-a48a-9b31d359d994", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--8382e168-bf14-5b22-ad8a-f6843ae9917d", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6e50d45a-e0cb-59c9-b34c-2e9c421b0ee6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--8382e168-bf14-5b22-ad8a-f6843ae9917d", "target_ref": "attack-pattern--0de49898-b977-5cf7-9608-eff3285c50c7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b7d743bb-90a7-5f1f-8ad7-04c48982e456", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--8382e168-bf14-5b22-ad8a-f6843ae9917d", "target_ref": "attack-pattern--9b65ffc8-0be6-5809-b228-a85033f790ba" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f384434d-df5d-54d8-b497-b50bdf4f5351", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1ff9392-2106-56ff-8788-2000d14f5b0a", "target_ref": "attack-pattern--d9e4a005-06a9-5cee-9f7c-234e20790118" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a8d8e65d-d19d-5a83-9352-a8b5826aea7f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1ff9392-2106-56ff-8788-2000d14f5b0a", "target_ref": "attack-pattern--c23370e0-2f94-555e-8e18-e753a767bb51" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1d5997c3-57c6-5cc5-a5f4-d337c615c9a6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1ff9392-2106-56ff-8788-2000d14f5b0a", "target_ref": "attack-pattern--5a491154-55c8-5abc-8449-0d48df41514b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--077b7b3f-8f10-5ce1-a9fb-7ef700ca0e0d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1ff9392-2106-56ff-8788-2000d14f5b0a", "target_ref": "attack-pattern--d275621f-df75-55ac-974a-4589472dde87" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--80cd838c-6a58-52bc-8b14-8a53a896f365", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--a1ff9392-2106-56ff-8788-2000d14f5b0a", "target_ref": "attack-pattern--3113300f-d067-5bda-b93a-de6cb0044037" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3dd93fe0-4456-59d7-a377-a35c36dac91a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0b9f4268-084a-5bb8-8b77-9eb905dc2028", "target_ref": "attack-pattern--c23370e0-2f94-555e-8e18-e753a767bb51" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--00dc8188-4c6d-50eb-a510-a862fe2553e2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0b9f4268-084a-5bb8-8b77-9eb905dc2028", "target_ref": "attack-pattern--d275621f-df75-55ac-974a-4589472dde87" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5ee19953-f2c6-5ed8-80c9-8195bc53af1c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e8f1a172-e586-55bf-ac18-f2e71868823f", "target_ref": "attack-pattern--3113300f-d067-5bda-b93a-de6cb0044037" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c1bc89db-054b-5ada-90b3-4f4e0abcdf33", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e8f1a172-e586-55bf-ac18-f2e71868823f", "target_ref": "attack-pattern--91a0a76b-eaf0-5e8a-b6b9-7f62268ce853" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--46f2c9c5-641d-5d65-8d3b-2ef0ad54c2d8", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e8f1a172-e586-55bf-ac18-f2e71868823f", "target_ref": "attack-pattern--aa324a54-0e77-513e-bc77-dea4683702d2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--dbb4de9d-6819-5fea-a8ce-026460dc8c38", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e8f1a172-e586-55bf-ac18-f2e71868823f", "target_ref": "attack-pattern--e45221c4-74e9-52ab-8e20-96d05003d65a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1a2e0e3f-6fa2-5c1f-ae89-27ba3139f6f0", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e8f1a172-e586-55bf-ac18-f2e71868823f", "target_ref": "attack-pattern--00534efe-a713-54c9-9ef3-5b12fd6d0c01" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2cf7fe01-d33e-5b1b-a936-2c8bda530f4d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e8f1a172-e586-55bf-ac18-f2e71868823f", "target_ref": "attack-pattern--a55b5859-fa73-5cab-a342-82b97187ea20" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5329f4b1-d1cc-59c9-9fc3-63ba29f750af", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e8f1a172-e586-55bf-ac18-f2e71868823f", "target_ref": "attack-pattern--2e0bf741-b432-58e7-8948-f5599bf0209e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--75f08573-203f-55f9-8e03-a5d0f25e24b3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e8f1a172-e586-55bf-ac18-f2e71868823f", "target_ref": "attack-pattern--a6cff4d8-210c-5f75-9fb5-0f3318e8f8c3" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--70e46ee6-963c-55f1-8621-bd7bddbbed72", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e8f1a172-e586-55bf-ac18-f2e71868823f", "target_ref": "attack-pattern--39564b4f-4af2-5b1a-8405-eb8cf9d2f12b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fd1da810-170a-5dd4-bced-a6550ec0b891", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e8f1a172-e586-55bf-ac18-f2e71868823f", "target_ref": "attack-pattern--d9e4a005-06a9-5cee-9f7c-234e20790118" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a50c2b4a-db1d-5bd4-a9f7-837ced92ab51", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e8f1a172-e586-55bf-ac18-f2e71868823f", "target_ref": "attack-pattern--c23370e0-2f94-555e-8e18-e753a767bb51" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--71059d73-98ea-5f1b-ba38-67af751b925f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e8f1a172-e586-55bf-ac18-f2e71868823f", "target_ref": "attack-pattern--5a491154-55c8-5abc-8449-0d48df41514b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a9282d85-6419-55b4-bb05-3a169664ba8b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e8f1a172-e586-55bf-ac18-f2e71868823f", "target_ref": "attack-pattern--d275621f-df75-55ac-974a-4589472dde87" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--170a5dfd-bcd8-520b-a465-5624932cbe56", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--44f6d12e-3515-5504-9aa4-41bb152664a1", "target_ref": "attack-pattern--ea13efc1-d0df-532c-8add-3d39dcd29713" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--57d66645-b4b2-584e-84e4-c506a01ce431", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--44f6d12e-3515-5504-9aa4-41bb152664a1", "target_ref": "attack-pattern--a33bad38-8e4f-5cdd-a0a4-779143c81d8d" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ed6fbb09-586c-5aac-b14c-1af089db9ba2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--44f6d12e-3515-5504-9aa4-41bb152664a1", "target_ref": "attack-pattern--888de015-81a7-52ec-9832-87baca164029" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--33933003-9829-5e23-a1b9-40d1f6f00436", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ea2c1b0f-ebc9-54e2-a68f-314c8380f1f9", "target_ref": "attack-pattern--e69d7f82-fe18-5677-abba-9dd6347bc5a2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--659bd7ca-83e8-51fe-8dc8-1a9a66ec1231", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ea2c1b0f-ebc9-54e2-a68f-314c8380f1f9", "target_ref": "attack-pattern--093e472c-281c-5e78-9228-486255d3058a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0d834086-3cfe-59a4-9e47-1da746cf7d30", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ea2c1b0f-ebc9-54e2-a68f-314c8380f1f9", "target_ref": "attack-pattern--a7ebcbb2-dafe-5364-9932-e3d7bee02596" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6f8aaa94-1c4a-5bd6-99f1-376a42a3b95c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--04901282-62d1-524a-9961-55cb58e18f73", "target_ref": "attack-pattern--99c728d0-3e0c-55a4-906f-55c349257e5d" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--30998000-8ce2-55fa-990a-e48f9224fd2d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--58f0baa5-432b-5765-9598-e2a051775f86", "target_ref": "attack-pattern--4dd355bc-2389-55c4-911c-1bac3744dbbc" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3f945dff-c869-56fa-a3f5-61c42c5109e4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ef85cd4e-91fe-5597-bf63-13f0b2627b36", "target_ref": "attack-pattern--58002197-8183-530c-9eea-d2d8532a9008" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f165021e-5de4-5625-947e-94398df0289a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ef85cd4e-91fe-5597-bf63-13f0b2627b36", "target_ref": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--79128177-8ca8-5dab-9536-90e27dd120ad", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ef85cd4e-91fe-5597-bf63-13f0b2627b36", "target_ref": "attack-pattern--75d94806-bc98-57dc-894c-8ba499eb5540" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f5e9168f-fc31-5b7e-a4b6-a14b5aa8f273", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ef3a9258-2595-51be-841c-aa3bbfb353de", "target_ref": "attack-pattern--58002197-8183-530c-9eea-d2d8532a9008" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8da0c39e-9eb3-5b9c-9671-2900f6eb4f7d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ef3a9258-2595-51be-841c-aa3bbfb353de", "target_ref": "attack-pattern--12a37f6f-1b04-52d2-9ad3-56bca9ba3350" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--192a9c31-874f-557b-ade2-7a1779fed568", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ef3a9258-2595-51be-841c-aa3bbfb353de", "target_ref": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2d081f9e-307d-5f54-b363-9949b056d842", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--3113300f-d067-5bda-b93a-de6cb0044037" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ba49280d-7c53-53d3-a102-6bd4a1d3417c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--91a0a76b-eaf0-5e8a-b6b9-7f62268ce853" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e94d41ee-1a6d-5213-8a24-f323ee8c6da6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--aa324a54-0e77-513e-bc77-dea4683702d2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1eb72ce6-ddc2-5969-b6d7-852df9ea5591", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--e45221c4-74e9-52ab-8e20-96d05003d65a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bffe5623-535e-56d4-8c1b-d564c259b907", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--00534efe-a713-54c9-9ef3-5b12fd6d0c01" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--724d4e0a-a6a4-5a7f-a7c9-97aee0434b3d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--d9e4a005-06a9-5cee-9f7c-234e20790118" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--54af862d-cb6e-5ff4-9731-21af1eb040d2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--c23370e0-2f94-555e-8e18-e753a767bb51" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--483de585-7896-5f6f-9996-f56b86e0d9a6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--5a491154-55c8-5abc-8449-0d48df41514b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bd14b37b-0a7d-5879-98c5-45052a641a0c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--d275621f-df75-55ac-974a-4589472dde87" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f56678b8-6e90-5a95-9b28-7d9f3a0a4616", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--f5bce1e3-3637-56df-8db9-94e793306171" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--893c9de4-93fd-5ce4-a171-8db80acb0d85", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--f81933a4-bfe2-528f-94ef-399577e5a682" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--36c77ddc-df40-55b1-97f1-33fe171bd2af", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--b6a77deb-14ae-59e3-b4b2-b73065972b6c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2817fb38-d0ef-5848-b63b-bf893e181c9f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--9b65ffc8-0be6-5809-b228-a85033f790ba" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4288fa4c-b9be-513c-8478-facf34855bf2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--fd40fed2-9093-5b5a-8ebd-5b288e3ae6c5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8fdc37bf-c4cf-5d9d-8bfc-bb92f878c7fe", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--cf39fa63-9044-5279-8ea5-4acb64d53904" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--018d8c3a-5ca9-5b92-925f-589fbaa62001", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--44a15cd3-db68-5127-b8dd-cb96e537e3b7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6a91d527-44c5-5fbb-b7d6-55f64236d20f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--37433c31-ae6a-50f0-bfe3-22ac2f1747d9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5ed929ee-89dd-5ad3-af3e-446097588b36", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--8a373cd0-d1fc-5d17-916d-993d5cd3e7c1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--71f75786-f9a6-50e3-a651-3cb2bc111fa2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--5ada4075-2650-59b9-ba11-0f7c0ebad320", "target_ref": "attack-pattern--4950a164-f5b6-579d-b44d-af445947d99e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1eb5cf9c-4edd-51ff-985a-c5e873f46c6a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b91ae2ee-bab0-592d-a5e0-91bab1b0ca18", "target_ref": "attack-pattern--f5bce1e3-3637-56df-8db9-94e793306171" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8942cbce-74da-5001-9c34-d2d0be8ee7fb", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b91ae2ee-bab0-592d-a5e0-91bab1b0ca18", "target_ref": "attack-pattern--f81933a4-bfe2-528f-94ef-399577e5a682" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d8e9bdaa-ada9-5971-9f59-91775a39dfb2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b91ae2ee-bab0-592d-a5e0-91bab1b0ca18", "target_ref": "attack-pattern--b6a77deb-14ae-59e3-b4b2-b73065972b6c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b288646e-e1ba-5c67-9b04-2b54f360e687", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b91ae2ee-bab0-592d-a5e0-91bab1b0ca18", "target_ref": "attack-pattern--9b65ffc8-0be6-5809-b228-a85033f790ba" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6020a320-9bb7-5fd4-ad23-cc5e4d989a9e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b91ae2ee-bab0-592d-a5e0-91bab1b0ca18", "target_ref": "attack-pattern--fd40fed2-9093-5b5a-8ebd-5b288e3ae6c5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ab0f9491-4d76-5762-8f6b-60bed455351e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b91ae2ee-bab0-592d-a5e0-91bab1b0ca18", "target_ref": "attack-pattern--cf39fa63-9044-5279-8ea5-4acb64d53904" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--82db9b61-ea65-5588-9807-601d88cd8901", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b91ae2ee-bab0-592d-a5e0-91bab1b0ca18", "target_ref": "attack-pattern--44a15cd3-db68-5127-b8dd-cb96e537e3b7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f36fffd8-bb12-5c6d-a4fe-0aa3053e571d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b91ae2ee-bab0-592d-a5e0-91bab1b0ca18", "target_ref": "attack-pattern--37433c31-ae6a-50f0-bfe3-22ac2f1747d9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9fc68f22-cb3c-5c08-881d-6b7648af0bf4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b91ae2ee-bab0-592d-a5e0-91bab1b0ca18", "target_ref": "attack-pattern--8a373cd0-d1fc-5d17-916d-993d5cd3e7c1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cc743421-c833-5129-9550-9a23e52a29b3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b91ae2ee-bab0-592d-a5e0-91bab1b0ca18", "target_ref": "attack-pattern--4950a164-f5b6-579d-b44d-af445947d99e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5581ddb9-91ac-5a36-937d-09e96d4cccb3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b91ae2ee-bab0-592d-a5e0-91bab1b0ca18", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7394a10f-726e-51ed-b8f2-6fa2c5a2c3b0", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b91ae2ee-bab0-592d-a5e0-91bab1b0ca18", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--724d4f73-8919-5ef7-b07e-0fbea3801b4e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--b91ae2ee-bab0-592d-a5e0-91bab1b0ca18", "target_ref": "attack-pattern--0de49898-b977-5cf7-9608-eff3285c50c7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0836ae32-29be-5c07-8fca-78721ab021ac", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f66db0d5-a086-59e4-b95c-2946dc1ae340", "target_ref": "attack-pattern--f5bce1e3-3637-56df-8db9-94e793306171" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bc1a5ceb-36db-55b7-8d74-fddf256b028b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f66db0d5-a086-59e4-b95c-2946dc1ae340", "target_ref": "attack-pattern--f81933a4-bfe2-528f-94ef-399577e5a682" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d5e9f8b0-ecdd-5a0b-9b1c-4eeb40a468fe", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f66db0d5-a086-59e4-b95c-2946dc1ae340", "target_ref": "attack-pattern--b6a77deb-14ae-59e3-b4b2-b73065972b6c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cf62cbda-1413-59bb-9c82-8aacc288991a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f66db0d5-a086-59e4-b95c-2946dc1ae340", "target_ref": "attack-pattern--9b65ffc8-0be6-5809-b228-a85033f790ba" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d4463dc3-b269-580a-a311-78cf76803b49", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f66db0d5-a086-59e4-b95c-2946dc1ae340", "target_ref": "attack-pattern--fd40fed2-9093-5b5a-8ebd-5b288e3ae6c5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--89806103-4aa0-5316-aa0e-e6c2705f5ae1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f66db0d5-a086-59e4-b95c-2946dc1ae340", "target_ref": "attack-pattern--cf39fa63-9044-5279-8ea5-4acb64d53904" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--380f3840-0b3e-5a9a-830c-6772a252971a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f66db0d5-a086-59e4-b95c-2946dc1ae340", "target_ref": "attack-pattern--44a15cd3-db68-5127-b8dd-cb96e537e3b7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d2f2addb-935e-5e9d-88bd-84d43e45e832", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f66db0d5-a086-59e4-b95c-2946dc1ae340", "target_ref": "attack-pattern--37433c31-ae6a-50f0-bfe3-22ac2f1747d9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--30a2c3fc-a4e2-5dea-a53a-0a15aa7d2cc3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f66db0d5-a086-59e4-b95c-2946dc1ae340", "target_ref": "attack-pattern--8a373cd0-d1fc-5d17-916d-993d5cd3e7c1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6604e49a-9afd-584b-b735-58b462337db0", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f66db0d5-a086-59e4-b95c-2946dc1ae340", "target_ref": "attack-pattern--4950a164-f5b6-579d-b44d-af445947d99e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5e7beb63-5798-5a94-b832-2a3b16c09b33", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--f66db0d5-a086-59e4-b95c-2946dc1ae340", "target_ref": "attack-pattern--0de49898-b977-5cf7-9608-eff3285c50c7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--98660299-eef6-5eae-889b-56af04a23cc2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ebec25cb-37ca-5aa8-9b99-b8289275131d", "target_ref": "attack-pattern--f5bce1e3-3637-56df-8db9-94e793306171" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b5d34841-9c89-5f04-acb7-663a50faf274", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ebec25cb-37ca-5aa8-9b99-b8289275131d", "target_ref": "attack-pattern--f81933a4-bfe2-528f-94ef-399577e5a682" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3c10d6bc-97fb-5869-acb0-a502eda3d037", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ebec25cb-37ca-5aa8-9b99-b8289275131d", "target_ref": "attack-pattern--b6a77deb-14ae-59e3-b4b2-b73065972b6c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--40b9a0b0-891c-5964-93e9-eed7ea904293", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ebec25cb-37ca-5aa8-9b99-b8289275131d", "target_ref": "attack-pattern--9b65ffc8-0be6-5809-b228-a85033f790ba" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3298fdc9-a7f8-5d9e-a642-c3a563325271", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ebec25cb-37ca-5aa8-9b99-b8289275131d", "target_ref": "attack-pattern--fd40fed2-9093-5b5a-8ebd-5b288e3ae6c5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ab1d882c-5b86-5131-976e-a6e587093154", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ebec25cb-37ca-5aa8-9b99-b8289275131d", "target_ref": "attack-pattern--cf39fa63-9044-5279-8ea5-4acb64d53904" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--304577e7-c049-5f66-b3b9-f59b81ef0a1a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ebec25cb-37ca-5aa8-9b99-b8289275131d", "target_ref": "attack-pattern--44a15cd3-db68-5127-b8dd-cb96e537e3b7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--33321ac3-c7ca-55e6-ad8a-d80a2658166d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ebec25cb-37ca-5aa8-9b99-b8289275131d", "target_ref": "attack-pattern--37433c31-ae6a-50f0-bfe3-22ac2f1747d9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--74a83c4a-954e-59a3-bf4a-694309a36f1e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ebec25cb-37ca-5aa8-9b99-b8289275131d", "target_ref": "attack-pattern--8a373cd0-d1fc-5d17-916d-993d5cd3e7c1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a1018c56-2bdf-5610-9518-531667cce43a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ebec25cb-37ca-5aa8-9b99-b8289275131d", "target_ref": "attack-pattern--4950a164-f5b6-579d-b44d-af445947d99e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2a7698df-6286-5bca-8475-7bfec3741682", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ebec25cb-37ca-5aa8-9b99-b8289275131d", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e5e999ad-bec2-5a72-914d-91970cb46424", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ebec25cb-37ca-5aa8-9b99-b8289275131d", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9827ecdc-219e-584c-a628-85784b0b7e4e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ebec25cb-37ca-5aa8-9b99-b8289275131d", "target_ref": "attack-pattern--0de49898-b977-5cf7-9608-eff3285c50c7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f353a359-4bdf-5a94-bddb-f985d208bb40", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--9fbccd98-5d69-565c-ae1e-512ed8496492", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--77afdf89-3ffe-567d-a5ad-ff86dfc90221", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--9fbccd98-5d69-565c-ae1e-512ed8496492", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7e920ff2-72ec-5ec7-b79f-d9b9342e504b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--9fbccd98-5d69-565c-ae1e-512ed8496492", "target_ref": "attack-pattern--0de49898-b977-5cf7-9608-eff3285c50c7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4708e597-8300-5910-8eaa-be39a134360b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c21ebe1c-c2c2-574c-b4e8-9a56c424c27c", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fada6043-7a7c-58e9-9f01-166ba41e17db", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c21ebe1c-c2c2-574c-b4e8-9a56c424c27c", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7916e042-0153-5178-947c-9c62b0953e24", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c21ebe1c-c2c2-574c-b4e8-9a56c424c27c", "target_ref": "attack-pattern--0de49898-b977-5cf7-9608-eff3285c50c7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e51af97e-bab3-5f58-b684-682868272155", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c21ebe1c-c2c2-574c-b4e8-9a56c424c27c", "target_ref": "attack-pattern--cf39fa63-9044-5279-8ea5-4acb64d53904" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4484aed2-6dc5-5e94-b227-2005213e50f0", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d21d281b-32da-54da-aa63-dc2279c7ff5a", "target_ref": "attack-pattern--5deeb2fb-1df3-5566-8229-2e83bd241a08" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4f265a64-eda3-54b6-855e-d14f875c884d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d21d281b-32da-54da-aa63-dc2279c7ff5a", "target_ref": "attack-pattern--647504b6-bc6d-5c30-b18d-82c99e51b62d" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d3c91199-4ff5-5d65-b1be-4c5eba1a925f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d21d281b-32da-54da-aa63-dc2279c7ff5a", "target_ref": "attack-pattern--cccae07c-951c-54bd-bfa4-af87de266370" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--86891ace-3055-53d0-8701-53761f7f87fb", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d21d281b-32da-54da-aa63-dc2279c7ff5a", "target_ref": "attack-pattern--f5bce1e3-3637-56df-8db9-94e793306171" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--46b59c0a-53dd-53da-acd7-6966b49c9f01", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d21d281b-32da-54da-aa63-dc2279c7ff5a", "target_ref": "attack-pattern--f81933a4-bfe2-528f-94ef-399577e5a682" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a32610e9-e76c-58fc-b185-b8d242a83607", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d21d281b-32da-54da-aa63-dc2279c7ff5a", "target_ref": "attack-pattern--9b65ffc8-0be6-5809-b228-a85033f790ba" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7a018354-5260-596d-bfde-bfbd1a4efea6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d21d281b-32da-54da-aa63-dc2279c7ff5a", "target_ref": "attack-pattern--fd40fed2-9093-5b5a-8ebd-5b288e3ae6c5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--acd40aaf-ead2-5b82-83b1-d0795e3d05fd", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d21d281b-32da-54da-aa63-dc2279c7ff5a", "target_ref": "attack-pattern--cf39fa63-9044-5279-8ea5-4acb64d53904" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--818e8b08-0ec9-55d3-949f-b2cd421aff39", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d21d281b-32da-54da-aa63-dc2279c7ff5a", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--aff667f3-24f7-51fd-a017-7a8426679a2b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d21d281b-32da-54da-aa63-dc2279c7ff5a", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0cdcca73-4935-578d-806a-8f35fc09d71b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--d21d281b-32da-54da-aa63-dc2279c7ff5a", "target_ref": "attack-pattern--0de49898-b977-5cf7-9608-eff3285c50c7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--871520fb-e548-569c-b502-5a5405e75d3a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "target_ref": "attack-pattern--f5bce1e3-3637-56df-8db9-94e793306171" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--064c7036-6546-5165-93e2-4e016d3dbc13", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "target_ref": "attack-pattern--f81933a4-bfe2-528f-94ef-399577e5a682" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e234e9a5-ce3a-5502-bdee-5d5f510f86e1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "target_ref": "attack-pattern--b6a77deb-14ae-59e3-b4b2-b73065972b6c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f300b651-0f68-5c86-b982-960846bebcd3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "target_ref": "attack-pattern--9b65ffc8-0be6-5809-b228-a85033f790ba" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--20fbef16-d24e-5526-aa41-df713562271d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "target_ref": "attack-pattern--fd40fed2-9093-5b5a-8ebd-5b288e3ae6c5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e6a4a9a4-ca0c-5dcd-81f7-7c1555a04612", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "target_ref": "attack-pattern--cf39fa63-9044-5279-8ea5-4acb64d53904" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9ffbdb11-c1fe-5ec1-9f20-d180cc7afa10", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "target_ref": "attack-pattern--44a15cd3-db68-5127-b8dd-cb96e537e3b7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--df936b73-16d3-5210-8e20-699ff35a66fc", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "target_ref": "attack-pattern--37433c31-ae6a-50f0-bfe3-22ac2f1747d9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7fdee349-3d41-5063-94a4-a758587c5ef4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "target_ref": "attack-pattern--8a373cd0-d1fc-5d17-916d-993d5cd3e7c1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--745b1fea-42f0-52cc-b98b-3451cb38e37d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "target_ref": "attack-pattern--4950a164-f5b6-579d-b44d-af445947d99e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4b3167cb-b026-5890-8042-cbecf77e8974", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--79456455-7842-5315-b137-0576a9dcf1a7", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2465b92f-1e32-594c-89c2-c8323e0f1424", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "target_ref": "attack-pattern--0de49898-b977-5cf7-9608-eff3285c50c7" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5d833f89-218a-5d59-a8d2-1de5fde3fe8e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e70a2dab-8316-5489-8161-6cbfc3eb69e2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--c392e9e5-92b6-5d9c-90f7-9a483f648389", "target_ref": "attack-pattern--1d0e4f47-8c77-58a2-b885-f44145ed3bf4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--edcd1fe7-6e3b-5c09-b7c0-65e724766897", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--1bab4ab0-e72b-5c94-aec8-d24c8d844d30", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--50f134d1-a753-5832-a69c-fcf5644d4baa", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--1bab4ab0-e72b-5c94-aec8-d24c8d844d30", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2f992dec-1c34-539b-b54d-d7d1887223fe", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--1bab4ab0-e72b-5c94-aec8-d24c8d844d30", "target_ref": "attack-pattern--aa324a54-0e77-513e-bc77-dea4683702d2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--dbc72958-5703-53bc-b862-29edbfca0f40", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--1bab4ab0-e72b-5c94-aec8-d24c8d844d30", "target_ref": "attack-pattern--58002197-8183-530c-9eea-d2d8532a9008" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ef61d899-958e-5e58-8b6e-a15ccc79dde2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--1bab4ab0-e72b-5c94-aec8-d24c8d844d30", "target_ref": "attack-pattern--7ec6ff5b-83cd-5725-adda-2b5d3a846414" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0e73a422-01d6-5fa5-8a9c-12662b39fe32", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--1bab4ab0-e72b-5c94-aec8-d24c8d844d30", "target_ref": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--19bdcc86-893a-545d-903f-2862981a5f43", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "mitigates", "source_ref": "course-of-action--1bab4ab0-e72b-5c94-aec8-d24c8d844d30", "target_ref": "attack-pattern--75d94806-bc98-57dc-894c-8ba499eb5540" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7809adcc-751b-593e-aef8-dcc87c3238c1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--cd4a2105-1119-5bd7-a680-670d4d1d64ca", "target_ref": "attack-pattern--58002197-8183-530c-9eea-d2d8532a9008" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--623d01d3-107e-5241-a29e-a7e2e1ea1216", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--cd4a2105-1119-5bd7-a680-670d4d1d64ca", "target_ref": "attack-pattern--7ec6ff5b-83cd-5725-adda-2b5d3a846414" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2df9d80e-13bc-525e-b72b-e80c49a35e55", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--cd4a2105-1119-5bd7-a680-670d4d1d64ca", "target_ref": "attack-pattern--12a37f6f-1b04-52d2-9ad3-56bca9ba3350" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--80480416-83cd-552f-bcb3-5ba5214dab80", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--cd4a2105-1119-5bd7-a680-670d4d1d64ca", "target_ref": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9b398879-a71b-5cd1-ae38-89fd25139825", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--cd4a2105-1119-5bd7-a680-670d4d1d64ca", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8a50a9b0-b528-5a65-a6ed-b2d55121cef4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--cd4a2105-1119-5bd7-a680-670d4d1d64ca", "target_ref": "attack-pattern--093e472c-281c-5e78-9228-486255d3058a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--da7af854-622e-53c7-a749-997caf30d23c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--cd4a2105-1119-5bd7-a680-670d4d1d64ca", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7d624df5-e705-593f-93d4-d71bb4373ce9", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--cd4a2105-1119-5bd7-a680-670d4d1d64ca", "target_ref": "attack-pattern--1d0e4f47-8c77-58a2-b885-f44145ed3bf4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--30d28ffc-d188-5118-a61c-fb6e1260fee4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--9f9bbd23-75c8-5685-9224-6d053ccba386", "target_ref": "tool--cd4a2105-1119-5bd7-a680-670d4d1d64ca" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--20003d9f-4e5f-5a39-a5d0-38eecbd5312a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--5ad45975-dab7-53e9-8619-66c8eb0cfc63", "target_ref": "attack-pattern--58002197-8183-530c-9eea-d2d8532a9008" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--98e9b366-8574-546a-ac6d-74c580d9fdd4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--5ad45975-dab7-53e9-8619-66c8eb0cfc63", "target_ref": "attack-pattern--7ec6ff5b-83cd-5725-adda-2b5d3a846414" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0bb1937d-d49f-534e-8833-a0e0bb0c2725", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--5ad45975-dab7-53e9-8619-66c8eb0cfc63", "target_ref": "attack-pattern--12a37f6f-1b04-52d2-9ad3-56bca9ba3350" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8a3537d9-688f-5bcd-99f9-0f2c15c34d3e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--5ad45975-dab7-53e9-8619-66c8eb0cfc63", "target_ref": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--497054df-0c6c-5ae5-9c88-ce3c578ef7b3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--5ad45975-dab7-53e9-8619-66c8eb0cfc63", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a76efd30-2dbe-514c-b2a0-b851cfdd538f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--5ad45975-dab7-53e9-8619-66c8eb0cfc63", "target_ref": "attack-pattern--093e472c-281c-5e78-9228-486255d3058a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7c877ad1-3152-5d2e-ae78-bad3b067e37b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--5ad45975-dab7-53e9-8619-66c8eb0cfc63", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--50f2aa25-78be-5ef5-88b8-56264b58ed46", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--5ad45975-dab7-53e9-8619-66c8eb0cfc63", "target_ref": "attack-pattern--1d0e4f47-8c77-58a2-b885-f44145ed3bf4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e7ce04cf-bb5f-56c8-8e77-c8ac0284304d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--9f9bbd23-75c8-5685-9224-6d053ccba386", "target_ref": "tool--5ad45975-dab7-53e9-8619-66c8eb0cfc63" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--eadb7f0e-7d83-56b4-a2a1-4db200d08d6a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--bfde2831-5467-5e6f-a6d1-e4122d97842f", "target_ref": "attack-pattern--58002197-8183-530c-9eea-d2d8532a9008" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4d105d45-f636-5e6f-a0cc-e7d29abdb18b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--bfde2831-5467-5e6f-a6d1-e4122d97842f", "target_ref": "attack-pattern--7ec6ff5b-83cd-5725-adda-2b5d3a846414" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4d4df45c-cf4e-571f-bda2-a8f04251fb68", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--bfde2831-5467-5e6f-a6d1-e4122d97842f", "target_ref": "attack-pattern--12a37f6f-1b04-52d2-9ad3-56bca9ba3350" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--23abea63-80d1-546a-9579-f4351faf5f38", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--bfde2831-5467-5e6f-a6d1-e4122d97842f", "target_ref": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e411be07-cbb5-5f77-963d-69f5153ccb26", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--bfde2831-5467-5e6f-a6d1-e4122d97842f", "target_ref": "attack-pattern--75d94806-bc98-57dc-894c-8ba499eb5540" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ee13b6c0-eaec-5d32-80a9-aee4ffa0c954", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--bfde2831-5467-5e6f-a6d1-e4122d97842f", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b93a3763-4c3d-5c11-8a3a-20b3b69a1663", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--bfde2831-5467-5e6f-a6d1-e4122d97842f", "target_ref": "attack-pattern--093e472c-281c-5e78-9228-486255d3058a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2652dca0-da69-5917-91e9-3df463b79740", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--bfde2831-5467-5e6f-a6d1-e4122d97842f", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--dd594aca-ab26-59b5-9fa9-432178093c8e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--9f9bbd23-75c8-5685-9224-6d053ccba386", "target_ref": "tool--bfde2831-5467-5e6f-a6d1-e4122d97842f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--59acca65-0f8f-5c43-930a-6cfde4656fdc", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--176e9349-f531-5570-93a1-c4a8a41d3fa2", "target_ref": "attack-pattern--58002197-8183-530c-9eea-d2d8532a9008" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--427ccf10-7788-5fc6-9bff-ae721879499e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--176e9349-f531-5570-93a1-c4a8a41d3fa2", "target_ref": "attack-pattern--12a37f6f-1b04-52d2-9ad3-56bca9ba3350" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--460a5f83-72bb-5517-9b21-23fbe7382fad", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--176e9349-f531-5570-93a1-c4a8a41d3fa2", "target_ref": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--69734402-7d9c-57e2-ae16-3d7ef70c1ae4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--176e9349-f531-5570-93a1-c4a8a41d3fa2", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--40457b0d-8c51-585b-bf59-3f0f07ecfac9", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--176e9349-f531-5570-93a1-c4a8a41d3fa2", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3c96e4f4-b70a-5e3c-bd4f-4fc16f049af5", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--9f9bbd23-75c8-5685-9224-6d053ccba386", "target_ref": "tool--176e9349-f531-5570-93a1-c4a8a41d3fa2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d5cfef12-ecbd-5eb7-a3bc-bbb4e5a974ec", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f0ed502b-402f-582b-a752-d72b34f83045", "target_ref": "attack-pattern--58002197-8183-530c-9eea-d2d8532a9008" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e8cb351e-d552-5f23-a256-90b54936f317", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f0ed502b-402f-582b-a752-d72b34f83045", "target_ref": "attack-pattern--12a37f6f-1b04-52d2-9ad3-56bca9ba3350" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0644a18b-1c62-5e22-ad6d-b367ef11f982", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f0ed502b-402f-582b-a752-d72b34f83045", "target_ref": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1e84ee7e-ad83-54a6-8f5f-36ad65925083", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f0ed502b-402f-582b-a752-d72b34f83045", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a7d68d12-2cdb-5767-98a2-e00d978997bc", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f0ed502b-402f-582b-a752-d72b34f83045", "target_ref": "attack-pattern--093e472c-281c-5e78-9228-486255d3058a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d0239f7d-db33-5f05-8244-0d8f25f11dd1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f0ed502b-402f-582b-a752-d72b34f83045", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8263b713-fced-5203-bf43-f7ec3215955e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--9f9bbd23-75c8-5685-9224-6d053ccba386", "target_ref": "tool--f0ed502b-402f-582b-a752-d72b34f83045" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ecb3f1da-78c8-5f39-94fb-fff3f89bada3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f62e5cdf-a9b6-5937-8013-f22b7360d132", "target_ref": "attack-pattern--58002197-8183-530c-9eea-d2d8532a9008" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--18dc9d62-006c-57fa-8f06-1555ef9ef000", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f62e5cdf-a9b6-5937-8013-f22b7360d132", "target_ref": "attack-pattern--12a37f6f-1b04-52d2-9ad3-56bca9ba3350" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e0130982-e9fc-54d7-85d9-05a9f26d5fba", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f62e5cdf-a9b6-5937-8013-f22b7360d132", "target_ref": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6adc56b0-e6e0-532f-9a20-317cbf1289c2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f62e5cdf-a9b6-5937-8013-f22b7360d132", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f44b4863-8ccd-5f97-a638-a2316961055f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f62e5cdf-a9b6-5937-8013-f22b7360d132", "target_ref": "attack-pattern--093e472c-281c-5e78-9228-486255d3058a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bb903f8d-71f5-5933-a444-6f5ba162f7b5", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f62e5cdf-a9b6-5937-8013-f22b7360d132", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d7a898c0-aa51-534a-9e99-82348288e081", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f62e5cdf-a9b6-5937-8013-f22b7360d132", "target_ref": "attack-pattern--1d0e4f47-8c77-58a2-b885-f44145ed3bf4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a0918a85-a0cf-514c-91a2-5e3c109665af", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--9f9bbd23-75c8-5685-9224-6d053ccba386", "target_ref": "tool--f62e5cdf-a9b6-5937-8013-f22b7360d132" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--14279772-eecb-5fa4-a6b3-83f0c2580c33", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--e62b06af-edeb-58b0-9b4b-90c1c8e7f228", "target_ref": "attack-pattern--58002197-8183-530c-9eea-d2d8532a9008" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--42af72d1-53c5-5baa-a76b-4a50b4baf16a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--e62b06af-edeb-58b0-9b4b-90c1c8e7f228", "target_ref": "attack-pattern--12a37f6f-1b04-52d2-9ad3-56bca9ba3350" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--97ed87aa-a47b-5d28-85bc-7097f5909e45", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--e62b06af-edeb-58b0-9b4b-90c1c8e7f228", "target_ref": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--11424074-9d3f-51ee-a3c2-8f98498a7d7f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--e62b06af-edeb-58b0-9b4b-90c1c8e7f228", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--950449c1-a415-5ff1-9ad4-b64b9479a9c2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--e62b06af-edeb-58b0-9b4b-90c1c8e7f228", "target_ref": "attack-pattern--093e472c-281c-5e78-9228-486255d3058a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--24984443-a568-5120-82ec-95644ad5fd09", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--e62b06af-edeb-58b0-9b4b-90c1c8e7f228", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--46bc374e-ad67-5460-b8ff-5b4eab18e94f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--9f9bbd23-75c8-5685-9224-6d053ccba386", "target_ref": "tool--e62b06af-edeb-58b0-9b4b-90c1c8e7f228" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--40b54857-3d0a-57fe-adf5-4356246b080f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--a55da009-7480-5a50-8a91-347e90ba7b22", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b6787b04-d05f-5b43-b534-7d5e55898c78", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--a55da009-7480-5a50-8a91-347e90ba7b22", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9161fe24-97c3-56fe-9014-556e7c50aaf4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--59707bbb-48c5-5afb-8aaf-6233fb654e93", "target_ref": "malware--a55da009-7480-5a50-8a91-347e90ba7b22" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b6f8f007-f0e0-5e6f-911f-39d2934417ab", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--ca7b9c46-bcf0-5e1a-9c03-2021303539c3", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--37bf9efa-7062-5503-af7f-c820c197ba49", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--ca7b9c46-bcf0-5e1a-9c03-2021303539c3", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d1a062d6-6ad4-55ad-9ebc-286b8a649c12", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--59707bbb-48c5-5afb-8aaf-6233fb654e93", "target_ref": "malware--ca7b9c46-bcf0-5e1a-9c03-2021303539c3" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1cf00d8a-fe04-5ea9-a8b9-34935fbbb831", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--c9e659a2-639a-5077-8263-533686709bf6", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d3cba919-1578-50c5-9699-bf4a41e159a7", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--c9e659a2-639a-5077-8263-533686709bf6", "target_ref": "attack-pattern--cf39fa63-9044-5279-8ea5-4acb64d53904" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--31b9cb80-aeb6-5e45-893f-fcf3073db951", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--59707bbb-48c5-5afb-8aaf-6233fb654e93", "target_ref": "malware--c9e659a2-639a-5077-8263-533686709bf6" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3ee40fdc-baf3-5a63-b779-168692c0cc16", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--5d7a6f91-5b20-5011-9891-34fd5cdaca79", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a6a8827b-944d-5aad-8276-86e5c3cc677a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--59707bbb-48c5-5afb-8aaf-6233fb654e93", "target_ref": "malware--5d7a6f91-5b20-5011-9891-34fd5cdaca79" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--92c75e4d-c8a0-589a-b1c8-2b55f11bc463", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--b9301c01-f47a-515e-a5d7-238549fc8f43", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b85e0f98-3471-5743-ab4e-886c9225a081", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--533fc757-0230-574b-99b5-4e0d54367824", "target_ref": "malware--b9301c01-f47a-515e-a5d7-238549fc8f43" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e57cf7a4-e583-5a52-9c11-b4cf4043b741", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--d31a01a0-a0eb-5609-a13c-4c16a6996946", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2f3de90c-cfb0-507e-bc6d-786a52f711d4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--d31a01a0-a0eb-5609-a13c-4c16a6996946", "target_ref": "attack-pattern--12a37f6f-1b04-52d2-9ad3-56bca9ba3350" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0e426144-5fd2-5f11-8cbb-18098cd33341", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--d31a01a0-a0eb-5609-a13c-4c16a6996946", "target_ref": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--34eb7f98-198a-5bc0-a005-996df9c8b65c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--9255da7a-0f5e-5915-bc28-6465bc7db74d", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6a08379f-94a3-5bee-8b92-a5f3c59ddded", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--9255da7a-0f5e-5915-bc28-6465bc7db74d", "target_ref": "attack-pattern--12a37f6f-1b04-52d2-9ad3-56bca9ba3350" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d90c6c94-b3f4-5582-9f6c-71f069a3f4e5", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--9255da7a-0f5e-5915-bc28-6465bc7db74d", "target_ref": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--78f0a594-771f-51f1-8265-2cac165bb19a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--a55bbadd-c3e6-52ca-9aee-b91532c61a9a", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--090e5309-fd84-5df5-be44-e0b105fa03d7", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--a55bbadd-c3e6-52ca-9aee-b91532c61a9a", "target_ref": "attack-pattern--12a37f6f-1b04-52d2-9ad3-56bca9ba3350" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--dd275538-1a43-517f-9f49-b67fe26aab31", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--a55bbadd-c3e6-52ca-9aee-b91532c61a9a", "target_ref": "attack-pattern--92ca3ca4-e512-53c5-be45-1f8b05cc913b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bcd67e39-8044-544c-b21f-56b5dbc5fbdf", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--7ff1da9c-a18d-5686-889d-9b654b898cbb", "target_ref": "attack-pattern--052caee2-c494-51c7-87d3-0b5ae531eeb2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2120fcdb-6b51-5829-9cbf-50acd4a4deb1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--88f19f07-d87d-5350-ae41-ce479cbfc7ee", "target_ref": "attack-pattern--51de129b-35c6-52ab-baa1-4952b944dad8" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3e427450-446f-55b4-8eef-7c0718755906", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--ded60c66-92eb-5c74-a21c-326e63e6cff0", "target_ref": "attack-pattern--b027592f-baee-5d2a-9d15-925aa1b77941" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0abd9e16-f262-5e4c-b934-fff185722ed1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--ded60c66-92eb-5c74-a21c-326e63e6cff0", "target_ref": "attack-pattern--a55b5859-fa73-5cab-a342-82b97187ea20" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--10636af1-446e-55e5-99b3-c7c648122688", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--ded60c66-92eb-5c74-a21c-326e63e6cff0", "target_ref": "attack-pattern--e12a0e1d-8dac-5395-b37b-b0aa20814db2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c9f544cd-b33b-56a6-b21c-23c124e83aee", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--19d87156-8f94-5a72-b336-889f9d28e34e", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b9f01678-14df-52fd-9a5a-5445591c6099", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--19d87156-8f94-5a72-b336-889f9d28e34e", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4abfb9f4-503d-5ba1-9d17-a4901e7e86d6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--59707bbb-48c5-5afb-8aaf-6233fb654e93", "target_ref": "malware--19d87156-8f94-5a72-b336-889f9d28e34e" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--855e2203-f01c-5f20-b4d3-d6e70a1029c1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--a8c40011-d841-509c-b02b-424191105390", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--51f76767-094a-5932-855c-dd48511e7e80", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--a8c40011-d841-509c-b02b-424191105390", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--afbd4fd8-c47f-509e-9afa-35c5dd7a187c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--3adb2eec-bad1-5bb3-ba32-1d86e8069b69", "target_ref": "malware--a8c40011-d841-509c-b02b-424191105390" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--18d278df-2c8a-531b-b6f0-a49baeedd9d7", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--59707bbb-48c5-5afb-8aaf-6233fb654e93", "target_ref": "malware--a8c40011-d841-509c-b02b-424191105390" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8ac720d3-c26e-5d3e-bf67-df84e3d71d07", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--b7215b7c-47a0-5f14-aaff-f22040ea76fb", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--663120ab-eaac-5cf0-9806-b847b0a002a4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--b7215b7c-47a0-5f14-aaff-f22040ea76fb", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2b090e88-c2e8-5226-a2e9-5a09f03b1d0b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--59707bbb-48c5-5afb-8aaf-6233fb654e93", "target_ref": "malware--b7215b7c-47a0-5f14-aaff-f22040ea76fb" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6e7832c6-ad84-52db-b289-d5edf327a4f6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--3adb2eec-bad1-5bb3-ba32-1d86e8069b69", "target_ref": "malware--b7215b7c-47a0-5f14-aaff-f22040ea76fb" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--91dc5dc5-b85c-5831-bed4-8b522c0530ac", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--71df2d91-411a-5d72-a9fb-c8715c02aa17", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--84c3d492-5b2a-5841-b42e-4259942698d3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--71df2d91-411a-5d72-a9fb-c8715c02aa17", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--396e3144-5b5b-5f2d-b48c-0535ea9ef6b7", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--59707bbb-48c5-5afb-8aaf-6233fb654e93", "target_ref": "malware--71df2d91-411a-5d72-a9fb-c8715c02aa17" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8d3d7899-3665-5821-bbfe-e7dda5105a99", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--3adb2eec-bad1-5bb3-ba32-1d86e8069b69", "target_ref": "malware--71df2d91-411a-5d72-a9fb-c8715c02aa17" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3c775270-e75c-50f0-97a5-d8ad04baddd1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--13bed137-d65c-53c2-bf4f-048aadb26ca6", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a6ebee4e-8c29-51a5-a220-979f6514298e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--13bed137-d65c-53c2-bf4f-048aadb26ca6", "target_ref": "attack-pattern--e69d7f82-fe18-5677-abba-9dd6347bc5a2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f5d2f00c-cd27-5bfb-80b3-09af3228c18c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--13bed137-d65c-53c2-bf4f-048aadb26ca6", "target_ref": "attack-pattern--093e472c-281c-5e78-9228-486255d3058a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c6305f5f-3b67-52ca-a7e7-765c9b47638e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--50ffc35a-f390-56a1-b93c-4af2c94e2889", "target_ref": "malware--13bed137-d65c-53c2-bf4f-048aadb26ca6" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3955a58b-1118-565c-b535-7ce938d639b3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--25519556-9d97-5dbe-9bd2-3ed7e815c7c6", "target_ref": "malware--13bed137-d65c-53c2-bf4f-048aadb26ca6" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3b0d530a-d351-51c0-b624-566dd4178f24", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--66d281d4-5e2f-5707-afe5-568e6b167a82", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8ab6fc6b-53de-5f7b-bd99-8ba7f8d91460", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--66d281d4-5e2f-5707-afe5-568e6b167a82", "target_ref": "attack-pattern--e69d7f82-fe18-5677-abba-9dd6347bc5a2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fbf1b60d-1aff-59c3-b186-7073c7d71392", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--66d281d4-5e2f-5707-afe5-568e6b167a82", "target_ref": "attack-pattern--093e472c-281c-5e78-9228-486255d3058a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c79474e0-66f7-54e1-9112-8675031e6749", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--02bfdd95-e888-5f32-95d8-90fbda1f2e39", "target_ref": "malware--66d281d4-5e2f-5707-afe5-568e6b167a82" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5fca0645-4954-5264-994b-ca473caa3447", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--b99afedd-61bf-5be2-a839-e93147ea2e38", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0a28a642-5551-5a10-899e-d6e478f06eef", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--b99afedd-61bf-5be2-a839-e93147ea2e38", "target_ref": "attack-pattern--e69d7f82-fe18-5677-abba-9dd6347bc5a2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--22b84df0-7e7d-5742-9fa6-c3efef2180fb", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--b99afedd-61bf-5be2-a839-e93147ea2e38", "target_ref": "attack-pattern--1d0e4f47-8c77-58a2-b885-f44145ed3bf4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7d00ed30-7433-5188-b925-6a5e2077c6dd", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--0184acd8-671f-54aa-8ae7-7c61c7bf4dc8", "target_ref": "malware--b99afedd-61bf-5be2-a839-e93147ea2e38" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cdc5cb4a-139a-5d29-a70f-5a4092e22cc9", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--59707bbb-48c5-5afb-8aaf-6233fb654e93", "target_ref": "malware--b99afedd-61bf-5be2-a839-e93147ea2e38" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ae389596-e63d-57ce-b464-8b6692ef7e7b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--2e94d85c-173f-5591-a8bf-deacf922e499", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bfff7fe2-f22b-5988-b542-eca824942011", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--2e94d85c-173f-5591-a8bf-deacf922e499", "target_ref": "attack-pattern--e69d7f82-fe18-5677-abba-9dd6347bc5a2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1d4da5a7-a55f-5979-9c45-9d6b1761d2ac", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--2e94d85c-173f-5591-a8bf-deacf922e499", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5ae15e19-dfe3-5494-a930-2e20caad854b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--25519556-9d97-5dbe-9bd2-3ed7e815c7c6", "target_ref": "malware--2e94d85c-173f-5591-a8bf-deacf922e499" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fd850248-a842-5393-8758-82916ca79685", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--50ffc35a-f390-56a1-b93c-4af2c94e2889", "target_ref": "malware--2e94d85c-173f-5591-a8bf-deacf922e499" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--62eb61f3-8f35-5062-8fc0-a0bed3aa27c5", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--01cc12b6-a3e9-50b2-984d-7cb990052ace", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--caf1b032-5e54-5b61-a6e9-593d894cf3a1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--01cc12b6-a3e9-50b2-984d-7cb990052ace", "target_ref": "attack-pattern--e69d7f82-fe18-5677-abba-9dd6347bc5a2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--19f9a90b-06a6-52af-ad76-50c9d6d51208", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--01cc12b6-a3e9-50b2-984d-7cb990052ace", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--167fd7f6-e2d0-589d-b0c9-c558b4161837", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--5a3de7b5-cc0c-5c84-a4bd-b5a7b8252e40", "target_ref": "malware--01cc12b6-a3e9-50b2-984d-7cb990052ace" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--434b36d5-7e1f-5eed-ab43-8ca2a92b0ae1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--6f6ba66d-784c-5c94-a458-e7d8e6c7fa2a", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--830f9a16-ead7-52b9-ab00-c45b837cebfe", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--6f6ba66d-784c-5c94-a458-e7d8e6c7fa2a", "target_ref": "attack-pattern--e69d7f82-fe18-5677-abba-9dd6347bc5a2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b8aab5ac-9f4a-5510-9fed-1c97da40c25f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--6f6ba66d-784c-5c94-a458-e7d8e6c7fa2a", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--068b3cbc-fe51-5041-b877-ad58d4fbae0f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--936e8372-3daa-54da-a89a-4f68f1b71a1f", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--53462639-2614-589a-99ed-cb6d87dcc46d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--936e8372-3daa-54da-a89a-4f68f1b71a1f", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d8126f6c-2e2f-5a46-bf15-3ad5aa0b1ccb", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--59707bbb-48c5-5afb-8aaf-6233fb654e93", "target_ref": "malware--936e8372-3daa-54da-a89a-4f68f1b71a1f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--25b0957a-1e86-5215-ae05-a7e27079ca8a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--3adb2eec-bad1-5bb3-ba32-1d86e8069b69", "target_ref": "malware--936e8372-3daa-54da-a89a-4f68f1b71a1f" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--fe745842-7805-5596-96f8-eee619cf4009", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--60e49e2e-1db3-599d-a4e8-1c4d9e72107b", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c3ff6413-2804-5f79-95dd-c788d50e349d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--60e49e2e-1db3-599d-a4e8-1c4d9e72107b", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3c853891-d440-5fd5-a6ac-001d98fc2ce2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--59707bbb-48c5-5afb-8aaf-6233fb654e93", "target_ref": "malware--60e49e2e-1db3-599d-a4e8-1c4d9e72107b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c67e18bf-9a3d-5013-8147-3c4e169e32be", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--3adb2eec-bad1-5bb3-ba32-1d86e8069b69", "target_ref": "malware--60e49e2e-1db3-599d-a4e8-1c4d9e72107b" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5281bb41-b69f-517c-b47f-84adbe1a934b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--e92e8137-b390-5c7a-b1a5-f2491b4059c4", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1244a2a1-f01f-5377-af40-7f28e46c505a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--e92e8137-b390-5c7a-b1a5-f2491b4059c4", "target_ref": "attack-pattern--e69d7f82-fe18-5677-abba-9dd6347bc5a2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--116b95e9-a995-5190-aa1e-829c5a043c03", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--e92e8137-b390-5c7a-b1a5-f2491b4059c4", "target_ref": "attack-pattern--1d0e4f47-8c77-58a2-b885-f44145ed3bf4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ee4729bf-dfaf-55b3-870b-a960b859e5d2", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--0184acd8-671f-54aa-8ae7-7c61c7bf4dc8", "target_ref": "malware--e92e8137-b390-5c7a-b1a5-f2491b4059c4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1a44234e-9b33-52a0-8e14-74dd803e7c33", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--51690d05-7fe1-5041-9cd4-4ddc600d0ff1", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f46d4272-fcb6-5f55-9a32-54c9bfd48d39", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--51690d05-7fe1-5041-9cd4-4ddc600d0ff1", "target_ref": "attack-pattern--e69d7f82-fe18-5677-abba-9dd6347bc5a2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--40c6233f-4542-5d5f-a6d4-e4b55c689c9d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--51690d05-7fe1-5041-9cd4-4ddc600d0ff1", "target_ref": "attack-pattern--1d0e4f47-8c77-58a2-b885-f44145ed3bf4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b404b914-41d9-51b1-9760-f5eab803914d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--533fc757-0230-574b-99b5-4e0d54367824", "target_ref": "malware--51690d05-7fe1-5041-9cd4-4ddc600d0ff1" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b092064d-b4b4-548f-8e02-facb4c9b045b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--90dd3e78-eaae-59ab-ad4f-2ab48eb520a0", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--569d1809-e859-5630-b043-87b8d647e893", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--90dd3e78-eaae-59ab-ad4f-2ab48eb520a0", "target_ref": "attack-pattern--e69d7f82-fe18-5677-abba-9dd6347bc5a2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f721ee74-27a2-5eba-b0d2-b4ee70359d3c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--90dd3e78-eaae-59ab-ad4f-2ab48eb520a0", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b9bd9856-9b8f-5ba4-95f1-590520f315e0", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--c49d1031-95b3-573d-8daa-a2bf2cd66c77", "target_ref": "malware--90dd3e78-eaae-59ab-ad4f-2ab48eb520a0" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c6c1bdf5-25e7-5fe2-b401-b6a41b30a2ff", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--583c2311-1a94-56ff-ac8f-67ac88d6cbcc", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--832a7813-ac9c-5b4b-bd89-86a0dcbbd2be", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--583c2311-1a94-56ff-ac8f-67ac88d6cbcc", "target_ref": "attack-pattern--e69d7f82-fe18-5677-abba-9dd6347bc5a2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4ddc2d00-9cc1-5c8f-839d-9b70b53ca0d3", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--583c2311-1a94-56ff-ac8f-67ac88d6cbcc", "target_ref": "attack-pattern--093e472c-281c-5e78-9228-486255d3058a" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--836712d2-890a-500d-8c6f-96533794a49b", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--583c2311-1a94-56ff-ac8f-67ac88d6cbcc", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--395c5622-5f4f-5514-b404-96364e0cc07d", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--1b552102-9688-5fb5-adc0-ea710eb9e8ea", "target_ref": "malware--583c2311-1a94-56ff-ac8f-67ac88d6cbcc" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--dd669c79-fc1a-5d1f-8730-a9e5ba835167", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--1a29e7c0-ecea-5f4c-bd2f-28956dda3417", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--44e40e5c-7771-5880-a54e-1014690e4c2a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--1a29e7c0-ecea-5f4c-bd2f-28956dda3417", "target_ref": "attack-pattern--e69d7f82-fe18-5677-abba-9dd6347bc5a2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3c9f36c4-26c6-585b-bf57-abdbbd18ca10", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--1a29e7c0-ecea-5f4c-bd2f-28956dda3417", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bf581447-28c4-5c24-8c10-4244fba642e1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--6635387a-3ff2-5c07-8112-fbc9a4254690", "target_ref": "malware--1a29e7c0-ecea-5f4c-bd2f-28956dda3417" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--44cb674c-82e4-5143-b77f-b4b722fcd6c9", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f16b05e5-f10e-5b54-88bb-65e6f08b5cd2", "target_ref": "attack-pattern--ddd118a2-e2a6-5f75-93db-10e9f14dcdf9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3d0f75c7-2793-5038-8822-439733f4faca", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f16b05e5-f10e-5b54-88bb-65e6f08b5cd2", "target_ref": "attack-pattern--e69d7f82-fe18-5677-abba-9dd6347bc5a2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--86e73817-5977-553f-9a32-f1a4afcbac12", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f16b05e5-f10e-5b54-88bb-65e6f08b5cd2", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6e498e8c-c07f-5920-a7c9-1a8442d31d06", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--f16b05e5-f10e-5b54-88bb-65e6f08b5cd2", "target_ref": "attack-pattern--1d0e4f47-8c77-58a2-b885-f44145ed3bf4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--dee53393-c678-5a68-8b8a-177eabdb3020", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--fc2d4c9b-40e7-5631-affb-97bf77e6d21d", "target_ref": "tool--f16b05e5-f10e-5b54-88bb-65e6f08b5cd2" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5843ba71-103c-5b77-bec8-4114c2ccb37a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--a2e9134d-5c15-5c22-b6f2-44bfba03b872", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e9380926-b271-5552-aacd-75cfede70492", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "tool--a2e9134d-5c15-5c22-b6f2-44bfba03b872", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--abc9f003-038e-5573-a100-e2547fc26746", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--50ffc35a-f390-56a1-b93c-4af2c94e2889", "target_ref": "tool--a2e9134d-5c15-5c22-b6f2-44bfba03b872" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--96143191-b080-516b-914d-d5e2285b7175", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--0184acd8-671f-54aa-8ae7-7c61c7bf4dc8", "target_ref": "tool--a2e9134d-5c15-5c22-b6f2-44bfba03b872" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--285f5348-9497-5c12-b6ce-cacc3ea2483e", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--02bfdd95-e888-5f32-95d8-90fbda1f2e39", "target_ref": "tool--a2e9134d-5c15-5c22-b6f2-44bfba03b872" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--68482a96-9f15-55a8-8a66-83c2fb3afd38", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--5a3de7b5-cc0c-5c84-a4bd-b5a7b8252e40", "target_ref": "tool--a2e9134d-5c15-5c22-b6f2-44bfba03b872" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2bffaac0-0f01-5949-88f9-665690ecf1f1", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--804c8d72-b1bf-566a-9563-9fa07aae1c53", "target_ref": "tool--a2e9134d-5c15-5c22-b6f2-44bfba03b872" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--186e593d-9a1c-5a4f-8f13-1f67eb164a78", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--1b552102-9688-5fb5-adc0-ea710eb9e8ea", "target_ref": "tool--a2e9134d-5c15-5c22-b6f2-44bfba03b872" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ebeb9412-e27a-5a02-861c-845f35d94c40", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--c49d1031-95b3-573d-8daa-a2bf2cd66c77", "target_ref": "tool--a2e9134d-5c15-5c22-b6f2-44bfba03b872" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--aa537466-52f9-531c-83d7-93ff51916f28", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--6635387a-3ff2-5c07-8112-fbc9a4254690", "target_ref": "tool--a2e9134d-5c15-5c22-b6f2-44bfba03b872" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bc321c9f-be38-570a-8a6a-f576e6364c39", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--fc2d4c9b-40e7-5631-affb-97bf77e6d21d", "target_ref": "tool--a2e9134d-5c15-5c22-b6f2-44bfba03b872" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3ee968f5-860c-598b-b064-59adb4b9359c", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--25519556-9d97-5dbe-9bd2-3ed7e815c7c6", "target_ref": "tool--a2e9134d-5c15-5c22-b6f2-44bfba03b872" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cbd56587-a339-5c25-b812-99e2d4ef3658", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--ebc08a60-abd0-5dea-a30c-27f7ec340051", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5cf35251-e7fe-5d6c-9f27-c1507d005350", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--ebc08a60-abd0-5dea-a30c-27f7ec340051", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c69b3868-52df-5370-96e8-3564c61f36ff", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--ebc08a60-abd0-5dea-a30c-27f7ec340051", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7959aad2-c421-5ef9-b3df-431b700385ed", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--50ffc35a-f390-56a1-b93c-4af2c94e2889", "target_ref": "malware--ebc08a60-abd0-5dea-a30c-27f7ec340051" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c3fa1a58-cc75-5d96-86ff-72404f157e1f", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--02bfdd95-e888-5f32-95d8-90fbda1f2e39", "target_ref": "malware--ebc08a60-abd0-5dea-a30c-27f7ec340051" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--78b87af5-c13d-5577-8e2e-4cbdbb604412", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--5a3de7b5-cc0c-5c84-a4bd-b5a7b8252e40", "target_ref": "malware--ebc08a60-abd0-5dea-a30c-27f7ec340051" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1b7c84b9-bd8e-5ed4-8ef3-53be8caab8c4", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--804c8d72-b1bf-566a-9563-9fa07aae1c53", "target_ref": "malware--ebc08a60-abd0-5dea-a30c-27f7ec340051" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--42f75d8c-b8f9-5bc5-ae89-4c9a0bc18256", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--c49d1031-95b3-573d-8daa-a2bf2cd66c77", "target_ref": "malware--ebc08a60-abd0-5dea-a30c-27f7ec340051" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a19f1358-9b86-5714-bbe1-5f3b75da4f95", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--6635387a-3ff2-5c07-8112-fbc9a4254690", "target_ref": "malware--ebc08a60-abd0-5dea-a30c-27f7ec340051" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7b9dec16-456c-5ad7-a08a-2cacd56dde36", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--fc2d4c9b-40e7-5631-affb-97bf77e6d21d", "target_ref": "malware--ebc08a60-abd0-5dea-a30c-27f7ec340051" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9a662b5f-bff8-5f72-8c77-296679e41174", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--107e102f-d531-58ef-9f01-aa602de42211", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--59df1b92-43da-53ad-8f37-b6a6105521c9", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--107e102f-d531-58ef-9f01-aa602de42211", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--aecc5b3b-ad83-5007-a876-0ca0642ede20", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--107e102f-d531-58ef-9f01-aa602de42211", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--75c254fe-594d-5d66-8b12-8d70679ff3fb", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--50ffc35a-f390-56a1-b93c-4af2c94e2889", "target_ref": "malware--107e102f-d531-58ef-9f01-aa602de42211" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a0365595-4aec-5f8f-a349-1caf493bcafe", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--02bfdd95-e888-5f32-95d8-90fbda1f2e39", "target_ref": "malware--107e102f-d531-58ef-9f01-aa602de42211" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4f1d8901-f8ef-5464-9755-37131e8d9814", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--5a3de7b5-cc0c-5c84-a4bd-b5a7b8252e40", "target_ref": "malware--107e102f-d531-58ef-9f01-aa602de42211" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--cd7dfb10-6a87-57cf-8947-289603e4813a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--c49d1031-95b3-573d-8daa-a2bf2cd66c77", "target_ref": "malware--107e102f-d531-58ef-9f01-aa602de42211" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e5ee0caa-900b-5980-a246-b2633b6fd388", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--ceea4ce9-71aa-52df-899b-27715d98c7d9", "target_ref": "attack-pattern--2a21b0c6-c06c-5130-9114-0d760dcb5b2c" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0f7638b9-1e61-5356-bf42-29b94b025dc6", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--ceea4ce9-71aa-52df-899b-27715d98c7d9", "target_ref": "attack-pattern--9552d7a9-3083-569f-a641-d880fc8a27d5" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c3cef476-baa7-5e11-a1fc-25f2176097b9", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "malware--ceea4ce9-71aa-52df-899b-27715d98c7d9", "target_ref": "attack-pattern--bf6ef44d-fa93-5733-862a-26c1ac15a4b4" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1cf9793c-4bb1-5730-a9a8-2e989c671cc8", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--50ffc35a-f390-56a1-b93c-4af2c94e2889", "target_ref": "malware--ceea4ce9-71aa-52df-899b-27715d98c7d9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ae25bf55-aa9f-555c-96de-67522aa25f9a", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--02bfdd95-e888-5f32-95d8-90fbda1f2e39", "target_ref": "malware--ceea4ce9-71aa-52df-899b-27715d98c7d9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--88da1997-b9bc-54d9-b5dc-d61205dc82fa", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--5a3de7b5-cc0c-5c84-a4bd-b5a7b8252e40", "target_ref": "malware--ceea4ce9-71aa-52df-899b-27715d98c7d9" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f5795cc8-986a-51d6-ac9d-8d323b710eba", "created": "2026-05-04T12:46:13.000Z", "modified": "2026-05-04T12:46:13.000Z", "relationship_type": "uses", "source_ref": "intrusion-set--804c8d72-b1bf-566a-9563-9fa07aae1c53", "target_ref": "malware--ceea4ce9-71aa-52df-899b-27715d98c7d9" } ] }