D3FEND™ - A knowledge graph of cybersecurity countermeasures

In macOS, an alias is a small file that represents another object in a local, remote, or removable[1] file system and provides a dynamic link to it; the target object may be moved or renamed, and the alias will still link to it (unless the original file is recreated; such an alias is ambiguous and how it is resolved depends on the version of macOS).

has super-classes: Slow Symbolic Link^c

Analysis of Alternatives^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AnalysisOfAlternatives

has super-classes: D3FEND Catalog Thing^c; analyzes^op some Portfolio Assessment^c; author^op some Agent^c

Analytic Latency^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AnalyticLatency

has super-classes: Latency^c
has members: non-real-time-analyticⁿⁱ, real-time-analyticⁿⁱ

AppCert DLLs^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.009

has super-classes: Event Triggered Execution^c; invokes^op some Create Process^c; loads^op some Shared Library File^c; modifies^op some System Configuration Database Record^c
is also defined as: named individual

AppInit DLLs^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.010

has super-classes: Event Triggered Execution^c; invokes^op some Create Process^c; loads^op some Shared Library File^c; modifies^op some System Configuration Database Record^c
is also defined as: named individual

AppleScript Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1059.002

has super-classes: Command and Scripting Interpreter Execution^c

Appliance^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Appliance

has super-classes: Product^c

Application^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Application

has super-classes: Software^c; may-contain^op some Application Configuration^c; uses^op some Resource^c
has sub-classes: Client Application^c, Password Manager^c, Service Application^c, User Application^c
is also defined as: named individual

Application Access Token^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1550.001

has super-classes: Use Alternate Authentication Material^c; may-produce^op some Network Traffic^c; uses^op some Access Token^c
is also defined as: named individual

Application Configuration^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationConfiguration

has super-classes: Configuration Bearing Entity^c
has sub-classes: Application Configuration Database Record^c, Application Process Configuration^c, Application Rule^c, Process Environment Variable^c
is also defined as: named individual

Application Configuration Database^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationConfigurationDatabase

has super-classes: Database^c; contains^op some Application Configuration Database Record^c
has sub-classes: Shim Database^c
is also defined as: named individual

Application Configuration Database Record^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationConfigurationDatabaseRecord

has super-classes: Application Configuration^c; Record^c
is also defined as: named individual

Application Configuration File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationConfigurationFile

has super-classes: Configuration File^c; contains^op some Application Configuration^c
has sub-classes: Compiler Configuration File^c
is also defined as: named individual

Application Configuration Hardening^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationConfigurationHardening

has super-classes: Application Hardening^c; hardens^op some Application Configuration^c
is also defined as: named individual

Application Hardening^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationHardening

has super-classes: Defensive Technique^c; enables^op some Harden^c
has sub-classes: Application Configuration Hardening^c, Dead Code Elimination^c, Exception Handler Pointer Validation^c, Pointer Authentication^c, Process Segment Execution Prevention^c, Segment Address Offset Randomization^c, Stack Frame Canary Validation^c
has members: Application Configuration Hardeningⁿⁱ, Dead Code Eliminationⁿⁱ, Exception Handler Pointer Validationⁿⁱ, Pointer Authenticationⁿⁱ, Process Segment Execution Preventionⁿⁱ, Segment Address Offset Randomizationⁿⁱ, Stack Frame Canary Validationⁿⁱ
is also defined as: named individual

Application Inventory Sensor^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationInventorySensor

has super-classes: Endpoint Sensor^c; monitors^op some Application^c

Application Layer Firewall^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationLayerFirewall

is defined by: http://dbpedia.org/resource/Application_firewall

An application firewall is a form of firewall that controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls that do not meet the configured policy of the firewall. The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It is able to control applications or services specifically, unlike a stateful network firewall, which is - without additional software - unable to control network traffic regarding a specific application. There are two primary categories of application firewalls, network-based application firewalls and host-based application firewalls.

has super-classes: Firewall^c
has sub-classes: Web Application Firewall^c

Application Layer Protocol^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1071

has super-classes: Command and Control Technique^c; may-transfer^op some Certificate File^c; produces^op some Outbound Internet Network Traffic^c
has sub-classes: DNS^c, File Transfer Protocols^c, Mail Protocols^c, Web Protocols^c
is also defined as: named individual

Application Process^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationProcess

has super-classes: User Process^c; runs^op some Application^c
has sub-classes: Container Process^c, Script Application Process^c
is also defined as: named individual

Application Process Configuration^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationProcessConfiguration

The current configuration of an application process, stored in memory. It may have been sourced from other types of application configurations, e.g. Application Configuration Files or Application Configuration Database Records.

has super-classes: Application Configuration^c

Application Rule^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationRule

A configuration of an application which is used to apply logical or data processing functions to data processed by the application.

has super-classes: Application Configuration^c
has sub-classes: Email Rule^c

Application Shim^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationShim

An application shim adapts an application program to run on a version of a platform for which they were not originally created. Most commonly "Application Shimming" refers to use of The Windows Application Compatibility Toolkit (ACT) provides backward compatibility by simulating the behavior of older version of Windows.

has super-classes: Shim^c

Application Shimming^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.011

has super-classes: Event Triggered Execution^c; creates^op some Shim^c; modifies^op some Shim Database^c
is also defined as: named individual

Application Window Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1010

has super-classes: Discovery Technique^c

Archive Collected Data^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1560

has super-classes: Collection Technique^c; creates^op some Archive File^c
has sub-classes: Archive via Custom Method^c, Archive via Library^c, Archive via Utility^c
is also defined as: named individual

Archive File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ArchiveFile

has super-classes: File^c
has sub-classes: Custom Archive File^c
is also defined as: named individual

Archive via Custom Method^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1560.003

has super-classes: Archive Collected Data^c; creates^op some Custom Archive File^c
is also defined as: named individual

Archive via Library^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1560.002

has super-classes: Archive Collected Data^c; creates^op some Archive File^c
is also defined as: named individual

Archive via Utility^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1560.001

has super-classes: Archive Collected Data^c; creates^op some Archive File^c
is also defined as: named individual

Article^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Article

has super-classes: Document^c
has sub-classes: Academic Article^c, News Article^c

Artifact^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Artifact

A man-made object taken as a whole.

has super-classes: D3FEND Thing^c
has sub-classes: Digital Artifact^c, Physical Artifact^c
is in range of: d3fend-tactical-verb-property^op

Artifact Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ArtifactServer

A digital artifact server provides access services to digital artifacts in a repository. It provides an associated set of data management, search and access methods allowing application-independent access to the content.

has super-classes: Web Server^c
has sub-classes: Data Artifact Server^c, Software Artifact Server^c

Assessment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Assessment

is defined by: http://wordnet-rdf.princeton.edu/id/05741528-n

The classification of someone or something with respect to its worth.

has super-classes: D3FEND Catalog Thing^c; author^op some Agent^c; expectation rating^dp only { "below" , "exceeded" , "met" }
has sub-classes: Capability Assessment^c, Feature Assessment^c, Portfolio Assessment^c

Asymmetric Cryptography^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1573.002

has super-classes: Encrypted Channel^c; creates^op some Outbound Internet Encrypted Traffic^c; may-transfer^op some Certificate File^c
is also defined as: named individual

Asymmetric Key^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AsymmetricKey

Asymmetric keys are public and private keys, paired such that asymmetric (public-key) cryptography algorithms can be implemented using them. Public-key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys: public keys that may be disseminated widely paired with private keys which are known only to the owner. There are two functions that can be achieved: using a public key to authenticate that a message originated with a holder of the paired private key; or encrypting a message with a public key to ensure that only the holder of the paired private key can decrypt it.

has super-classes: Cryptographic Key^c
has sub-classes: Private Key^c, Public Key^c

Asynchronous Procedure Call^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.004

has super-classes: Process Injection^c; may-invoke^op some Create Process^c
is also defined as: named individual

At (Linux) Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1053.001

has super-classes: Scheduled Task/Job Execution^c

At (Windows) Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1053.002

has super-classes: Scheduled Task/Job Execution^c

ATTACK Mitigation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ATTACKMitigation

has super-classes: ATTACK Thing^c; semantic relation^op some Defensive Technique^c; d3fend-comment^dp some string
has members: Account Use Policiesⁿⁱ, Active Directory Configurationⁿⁱ, Antivirus/Antimalwareⁿⁱ, Application Developer Guidanceⁿⁱ, Application Isolation and Sandboxingⁿⁱ, Auditⁿⁱ, Behavior Prevention on Endpointⁿⁱ, Boot Integrityⁿⁱ, Code Signingⁿⁱ, Credential Access Protectionⁿⁱ, Data Backupⁿⁱ, Disable or Remove Feature or Programⁿⁱ, Do Not Mitigateⁿⁱ, Encrypt Sensitive Informationⁿⁱ, Environment Variable Permissionsⁿⁱ, Execution Preventionⁿⁱ, Exploit Protectionⁿⁱ, Filter Network Trafficⁿⁱ, Limit Access to Resource Over Networkⁿⁱ, Limit Hardware Installationⁿⁱ, Limit Software Installationⁿⁱ, Multi-factor Authenticationⁿⁱ, Network Intrusion Preventionⁿⁱ, Network Segmentationⁿⁱ, Operating System Configurationⁿⁱ, Password Policiesⁿⁱ, Pre-compromiseⁿⁱ, Privileged Account Managementⁿⁱ, Privileged Process Integrityⁿⁱ, Remote Data Storageⁿⁱ, Restrict File and Directory Permissionsⁿⁱ, Restrict Library Loadingⁿⁱ, Restrict Registry Permissionⁿⁱ, Restrict Web-Based Contentⁿⁱ, SSL/TLS Inspectionⁿⁱ, Software Configurationⁿⁱ, Threat Intelligence Programⁿⁱ, Update Softwareⁿⁱ, User Account Controlⁿⁱ, User Account Managementⁿⁱ, User Trainingⁿⁱ, Vulnerability Scanningⁿⁱ

ATTACK Thing^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ATTACKThing

ATTACK things are concepts defined in the ATT&CK Framework.

has sub-classes: ATTACK Mitigation^c, Offensive Tactic^c, Offensive Technique^c

Audio Capture^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1123

has super-classes: Collection Technique^c; accesses^op some Audio Input Device^c
is also defined as: named individual

Audio Input Device^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AudioInputDevice

has super-classes: Input Device^c
is also defined as: named individual

Authenticate User^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AuthenticateUser

has super-classes: System Call^c

Authentication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Authentication

has super-classes: User Action^c; authenticates^op some User^c; may-create^op some Intranet Network Traffic^c; originates-from^op some Physical Location^c
has sub-classes: Web Authentication^c
has members: Authenticationⁿⁱ
is also defined as: named individual

Authentication Cache Invalidation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AuthenticationCacheInvalidation

has super-classes: Credential Eviction^c; deletes^op some Credential^c
is also defined as: named individual

Authentication Event Thresholding^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AuthenticationEventThresholding

has super-classes: User Behavior Analysis^c; analyzes^op some Authentication^c
is also defined as: named individual

Authentication Log^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AuthenticationLog

has super-classes: Log^c; records^op some Authentication^c
is also defined as: named individual

Authentication Package^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.002

has super-classes: Boot or Logon Autostart Execution^c; modifies^op some System Configuration Database Record^c
is also defined as: named individual

Authentication Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AuthenticationServer

is defined by: http://dbpedia.org/resource/Authentication_server

An authentication server provides a network service that applications use to authenticate the credentials, usually account names and passwords, of their users. When a client submits a valid set of credentials, it receives a cryptographic ticket that it can subsequently use to access various services. Major authentication algorithms include passwords, Kerberos, and public key encryption.

has super-classes: Server^c

Authentication Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AuthenticationService

has super-classes: Service Application^c
has sub-classes: Local Authentication Service^c, Remote Authentication Service^c
is also defined as: named individual

Authorization^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Authorization

has super-classes: User Action^c; authorizes^op some Network Resource Access^c
has sub-classes: Cloud Service Authorization^c
is also defined as: named individual

Authorization Event Thresholding^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AuthorizationEventThresholding

has super-classes: User Behavior Analysis^c; analyzes^op some Authorization^c
is also defined as: named individual

Authorization Log^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AuthorizationLog

has super-classes: Log^c; records^op some Network Resource Access^c
is also defined as: named individual

Authorization Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AuthorizationService

is defined by: https://www.sciencedirect.com/referencework/9780122272400/encyclopedia-of-information-systems

An authorization service ensures that the user is authorized to have access to a particular resource. Authorization can be done through role-based access control (RBAC) or list-based access control (LBAC).

has super-classes: Service Application^c
has sub-classes: Local Authorization Service^c, Remote Authorization Service^c

Automated Collection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1119

has super-classes: Collection Technique^c; accesses^op some File^c
is also defined as: named individual

Automated Exfiltration^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1020

has super-classes: Exfiltration Technique^c; produces^op some Internet Network Traffic^c
is also defined as: named individual

Barcode Scanner Input Device^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BarcodeScannerInputDevice

is defined by: http://dbpedia.org/resource/Barcode_reader

A barcode reader (or barcode scanner) is an optical scanner that can read printed barcodes, decode the data contained in the barcode and send the data to a computer. Like a flatbed scanner, it consists of a light source, a lens and a light sensor translating for optical impulses into electrical signals. Additionally, nearly all barcode readers contain decoder circuitry that can analyze the barcode's image data provided by the sensor and sending the barcode's content to the scanner's output port.

has super-classes: Image Scanner Input Device^c

Bash History^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1552.003

has super-classes: Unsecured Credentials^c; accesses^op some Command History Log File^c
is also defined as: named individual

Bidirectional Communication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1102.002

has super-classes: Web Service^c

Binary Large Object^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BinaryLargeObject

is defined by: http://dbpedia.org/resource/Binary_large_object

has super-classes: Digital Artifact^c
has sub-classes: JavaScript Blob^c

Binary Padding^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1027.001

has super-classes: Obfuscated Files or Information^c; modifies^op some Executable Binary^c
is also defined as: named individual

Binary Segment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BinarySegment

A binary segment is a partition of binary information within a larger binary object, which arranges a set of binary objects for its purpose. For example, code, data, heap, and stack segments are segments of the binary information used by a process. Code and data segments are also found in object files.

has super-classes: Digital Artifact^c
has sub-classes: Image Segment^c, Process Segment^c

Biometric Authentication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BiometricAuthentication

has super-classes: Credential Hardening^c; authenticates^op some User Account^c
is also defined as: named individual

BITS Jobs^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1197

has super-classes: Defense Evasion Technique^c; Persistence Technique^c; may-produce^op some Intranet IPC Network Traffic^c; may-produce^op some Intranet Web Network Traffic^c; may-produce^op some Outbound Internet Web Traffic^c
is also defined as: named individual

Blob^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Blob

is defined by: http://dbpedia.org/resource/Binary_large_object

A binary large object (BLOB) is a collection of binary data stored as a single entity. Blobs are typically images, audio or other multimedia objects, though sometimes binary executable code is stored as a blob. They can exist as persistent values inside some databases, or exist at runtime as program variables in some languages. The term is used in NoSQL databases, especially in key-value store databases such as Redis. The term is also used by languages that allow runtime manipulation of Blobs, like JavaScript. (en)

has super-classes: Digital Artifact^c

Block Device^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BlockDevice

has super-classes: Digital Artifact^c; contains^op some Boot Sector^c; contains^op some Partition^c; contains^op some Partition Table^c; may-contain^op some Volume^c
is also defined as: named individual

Book Reference^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BookReference

has super-classes: Technique Reference^c

Boot Loader^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BootLoader

has super-classes: Digital Artifact^c
has sub-classes: First-stage Boot Loader^c, Second-stage Boot Loader^c
is also defined as: named individual

Boot or Logon Autostart Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547

has super-classes: Persistence Technique^c; Privilege Escalation Technique^c
has sub-classes: Authentication Package^c, Kernel Modules and Extensions^c, LSASS Driver^c, Login Items^c, Plist Modification^c, Port Monitors^c, Re-opened Applications^c, Registry Run Keys / Startup Folder^c, Security Support Provider^c, Shortcut Modification^c, Time Providers^c, Winlogon Helper DLL^c

Boot or Logon Initialization Scripts^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1037

has super-classes: Persistence Technique^c; Privilege Escalation Technique^c
has sub-classes: Logon Script (Mac)^c, Logon Script (Windows)^c, Network Logon Script^c, Rc.common^c, Startup Items^c

Boot Record^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BootRecord

A d3f:Record which is an essential component of the early boot (system initialization) process.

has super-classes: Record^c
has sub-classes: Boot Sector^c, Volume Boot Record^c

Boot Sector^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BootSector

has super-classes: Boot Record^c
is also defined as: named individual

Bootkit^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1542.003

has super-classes: Pre-OS Boot^c; may-modify^op some Boot Loader^c; may-modify^op some Boot Sector^c; may-modify^op some Volume Boot Record^c
is also defined as: named individual

Bootloader Authentication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BootloaderAuthentication

has super-classes: Platform Hardening^c; authenticates^op some Boot Loader^c
is also defined as: named individual

Broadcast Domain Isolation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BroadcastDomainIsolation

has super-classes: Network Isolation^c; filters^op some Local Area Network Traffic^c
is also defined as: named individual

Browser^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Browser

has super-classes: User Application^c; may-contain^op some Browser Extension^c
is also defined as: named individual

Browser Bookmark Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1217

has super-classes: Discovery Technique^c

Browser Extension^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BrowserExtension

has super-classes: User Application^c; extends^op some Browser^c
is also defined as: named individual

Browser Extensions^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1176

has super-classes: Persistence Technique^c; modifies^op some Browser Extension^c
is also defined as: named individual

Brute Force^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1110

has super-classes: Credential Access Technique^c
has sub-classes: Credential Stuffing^c, Password Cracking^c, Password Guessing^c, Password Spraying^c

Build Tool^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BuildTool

A tool that automates the process of creating a software build and the associated processes including: compiling computer source code into binary code, packaging binary code, and running automated tests.

has super-classes: Developer Application^c
has sub-classes: Compiler^c, Software Packaging Tool^c

Business Communication Platform Client^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BusinessCommunicationPlatformClient

is defined by: http://dbpedia.org/resource/Business_communication

Client software to enable the process of sharing information between employees within and outside a company. Business communication encompasses topics such as marketing, brand management, customer relations, consumer behavior, advertising, public relations, corporate communication, community engagement, reputation management, interpersonal communication, employee engagement, and event management. It is closely related to the fields of professional communication and technical communication.

has super-classes: Collaborative Software^c

Bypass User Access Control^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1548.002

has super-classes: Abuse Elevation Control Mechanism^c; executes^op some Executable File^c; invokes^op some Create Process^c; may-modify^op some System Configuration Database Record^c
is also defined as: named individual

Byte Sequence Emulation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ByteSequenceEmulation

has super-classes: Network Traffic Analysis^c
is also defined as: named individual

CA Certificate File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CACertificateFile

A file containing a digital certificate issued by a certificate authority (CA). Certificate authorities store, issue, and sign digital certificates used as part of the public key infrastructure.

has super-classes: Certificate File^c

Cached Domain Credentials^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003.005

has super-classes: OS Credential Dumping^c; accesses^op some Encrypted Credential^c; may-modify^op some Log^c
is also defined as: named individual

Call Stack^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CallStack

has super-classes: Digital Artifact^c; contains^op some Stack Frame^c
is also defined as: named individual

Capability^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Capability

is defined by: http://dbpedia.org/resource/Capability_(systems_engineering)

has super-classes: D3FEND Thing^c; assessed-by^op some Capability Assessment^c; has-feature^op some Capability Feature^c

Capability Assessment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CapabilityAssessment

has super-classes: Assessment^c; assesses^op some Capability^c; has-evidence^op some Admin Feature Assessment^c; has-evidence^op some Defensive Technique Assessment^c; has-implementation^op some Capability Implementation^c

Capability Feature^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CapabilityFeature

A distinguishing characteristic of a capability (e.g., performance, portability, or functionality).

has super-classes: D3FEND Catalog Thing^c
has sub-classes: Administrative Feature^c, Defensive Technique^c
is in range of: features^op

Capability Feature Claim^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CapabilityFeatureClaim

has super-classes: Statement^c; assessed-by^op some Defensive Technique Assessment^c; author^op some Agent^c; implemented-by^op some Capability Implementation^c; comments^dp some string; date created^dp some date time; date modified^dp some date time
has sub-classes: Admin Feature Claim^c, Defensive Technique Claim^c
is in domain of: comments^dp, features^op

Capability Implementation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CapabilityImplementation

has super-classes: D3FEND Catalog Thing^c; features^op some Administrative Feature^c; latency^op some D3FEND Catalog Thing^c; operating-system^dp some string; version^dp some string
has sub-classes: Product^c, Service^c
is in domain of: implements^op, operating-system^dp, version^dp
is in range of: implemented-by^op

Certificate^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Certificate

has super-classes: Digital Artifact^c; contains^op some Identifier^c; contains^op some Public Key^c
is also defined as: named individual

Certificate Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CertificateAnalysis

has super-classes: Network Traffic Analysis^c; analyzes^op some Certificate File^c
has sub-classes: Active Certificate Analysis^c, Passive Certificate Analysis^c
has members: Active Certificate Analysisⁿⁱ, Certificate Analysisⁿⁱ, Passive Certificate Analysisⁿⁱ
is also defined as: named individual

Certificate File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CertificateFile

has super-classes: File^c; contains^op some Certificate^c
has sub-classes: CA Certificate File^c
is also defined as: named individual

Certificate Pinning^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CertificatePinning

has super-classes: Credential Hardening^c; authenticates^op some Public Key^c
is also defined as: named individual

Certificate Trust Store^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CertificateTrustStore

has super-classes: Trust Store^c; contains^op some Certificate^c
is also defined as: named individual

Certificate-based Authentication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Certificate-basedAuthentication

has super-classes: Credential Hardening^c
is also defined as: named individual

Change Default File Association^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.001

has super-classes: Event Triggered Execution^c; modifies^op some System Configuration Database Record^c
is also defined as: named individual

Chatroom Client^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ChatroomClient

is defined by: http://dbpedia.org/resource/Chat_room

Client software used to describe conduct any form of synchronous conferencing, occasionally even asynchronous conferencing. The term can thus mean any technology ranging from real-time online chat and online interaction with strangers (e.g., online forums) to fully immersive graphical social environments.

has super-classes: Collaborative Software^c

Child Process^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ChildProcess

is defined by: http://dbpedia.org/resource/Child_process

A child process in computing is a process created by another process (the parent process). This technique pertains to multitasking operating systems, and is sometimes called a subprocess or traditionally a subtask. There are two major procedures for creating a child process: the fork system call (preferred in Unix-like systems and the POSIX standard) and the spawn (preferred in the modern (NT) kernel of Microsoft Windows, as well as in some historical operating systems).

has super-classes: Process^c

Clear Command History^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1070.003

has super-classes: Indicator Removal on Host^c; modifies^op some Command History Log^c
is also defined as: named individual

Clear Linux or Mac System Logs^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1070.002

has super-classes: Indicator Removal on Host^c; modifies^op some Operating System Log File^c
is also defined as: named individual

Clear Windows Event Logs^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1070.001

has super-classes: Indicator Removal on Host^c; modifies^op some Event Log^c
is also defined as: named individual

Client Application^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ClientApplication

has super-classes: Application^c
is also defined as: named individual

Client Computer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ClientComputer

is defined by: http://dbpedia.org/resource/Client_(computing)

A client computer is a host that accesses a service made available by a server. The server is often (but not always) on another computer system, in which case the client accesses the service by way of a network.

has super-classes: Host^c
has sub-classes: Embedded Computer^c, Personal Computer^c, Shared Computer^c

Client-server Payload Profiling^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Client-serverPayloadProfiling

has super-classes: Network Traffic Analysis^c; analyzes^op some Network Traffic^c
is also defined as: named individual

Clipboard^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Clipboard

has super-classes: Digital Artifact^c
is also defined as: named individual

Clipboard Data^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1115

has super-classes: Collection Technique^c; reads^op some Clipboard^c
is also defined as: named individual

Cloud Account^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1087.004

has super-classes: Create Account^c; creates^op some Cloud User Account^c
is also defined as: named individual

Cloud Accounts^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1078.004

has super-classes: Valid Accounts^c; uses^op some Cloud User Account^c
is also defined as: named individual

Cloud Configuration^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CloudConfiguration

has super-classes: Configuration Bearing Entity^c
has sub-classes: Cloud Instance Metadata^c
is also defined as: named individual

Cloud Instance Metadata^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CloudInstanceMetadata

has super-classes: Cloud Configuration^c
is also defined as: named individual

Cloud Instance Metadata API^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1552.005

has super-classes: Unsecured Credentials^c; accesses^op some Cloud Instance Metadata^c
is also defined as: named individual

Cloud Service Authentication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CloudServiceAuthentication

A request-response comprising a user credential presentation to a system and a verification response where the verifying party is a cloud service.

has super-classes: Web Authentication^c

Cloud Service Authorization^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CloudServiceAuthorization

Cloud authorization is the function of specifying access rights to cloud resources.

has super-classes: Authorization^c

Cloud Service Dashboard^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1538

has super-classes: Discovery Technique^c; accesses^op some Cloud Configuration^c
is also defined as: named individual

Cloud Service Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1526

has super-classes: Discovery Technique^c; reads^op some Cloud Configuration^c
is also defined as: named individual

Cloud Service Sensor^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CloudServiceSensor

has super-classes: Sensor^c; monitors^op some Cloud Service Authentication^c; monitors^op some Cloud Service Authorization^c

Cloud Storage^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CloudStorage

has super-classes: Storage^c
is also defined as: named individual

Cloud Storage Object Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1619

has super-classes: Discovery Technique^c; accesses^op some Cloud Storage^c
is also defined as: named individual

Cloud User Account^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CloudUserAccount

has super-classes: User Account^c
is also defined as: named individual

CMSTP^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.003

has super-classes: Signed Binary Proxy Execution^c; invokes^op some Create Process^c; may-produce^op some Network Traffic^c
is also defined as: named individual

Code Analyzer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CodeAnalyzer

Code analyzers automatically analyze the composition or behavior of computer programs regarding a property such as correctness, robustness, security, and safety. Program analysis can be performed without executing the program (static program analysis), during runtime (dynamic program analysis) or in a combination of both.

has super-classes: Developer Application^c
has sub-classes: Dynamic Analysis Tool^c, Static Analysis Tool^c

Code Repositories^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1213.003

has super-classes: Data from Information Repositories^c; reads^op some Code Repository^c
is also defined as: named individual

Code Repository^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CodeRepository

has super-classes: Database^c; contains^op some Source Code^c
is also defined as: named individual

Code Signing^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1553.002

has super-classes: Subvert Trust Controls^c; enables^op some Defense Evasion^c
is also defined as: named individual

Collaborative Software^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CollaborativeSoftware

is defined by: http://dbpedia.org/resource/Collaborative_software

Collaborative software or groupware is application software designed to help people working on a common task to attain their goals. One of the earliest definitions of groupware is "intentional group processes plus software to support them". Collaborative software is a broad concept that overlaps considerably with computer-supported cooperative work (CSCW). According to Carstensen and Schmidt (1999) groupware is part of CSCW. The authors claim that CSCW, and thereby groupware, addresses "how collaborative activities and their coordination can be supported by means of computer systems."

has super-classes: User Application^c
has sub-classes: Business Communication Platform Client^c, Chatroom Client^c, Instant Messaging Client^c

Collection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Collection

has super-classes: Offensive Tactic^c; display-order^dp value 2
is also defined as: named individual

Collection Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CollectionTechnique

has super-classes: Offensive Technique^c; enables^op some Collection^c
has sub-classes: Archive Collected Data^c, Audio Capture^c, Automated Collection^c, Clipboard Data^c, Data Staged^c, Data from Cloud Storage Object^c, Data from Information Repositories^c, Data from Local System^c, Data from Network Shared Drive^c, Data from Removable Media^c, Email Collection^c, Input Capture^c, Man in the Browser^c, Man-in-the-Middle^c, Screen Capture^c, Video Capture^c
is also defined as: named individual

Command^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Command

has super-classes: Digital Artifact^c; Digital Event^c
has sub-classes: Database Query^c, Remote Command^c
is also defined as: named individual

Command And Control^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CommandAndControl

has super-classes: Offensive Tactic^c
is also defined as: named individual

Command and Control Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CommandAndControlTechnique

has super-classes: Offensive Technique^c; enables^op some Command And Control^c
has sub-classes: Application Layer Protocol^c, Communication Through Removable Media^c, Data Encoding^c, Data Obfuscation^c, Dynamic Resolution^c, Encrypted Channel^c, Fallback Channels^c, Ingress Tool Transfer^c, Multi-Stage Channels^c, Non-Application Layer Protocol^c, Non-Standard Port^c, Protocol Tunneling^c, Proxy^c, Remote Access Software^c, Traffic Signaling^c, Web Service^c
is also defined as: named individual

Command and Scripting Interpreter Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1059

has super-classes: Execution Technique^c; executes^op some Executable Script^c
has sub-classes: AppleScript Execution^c, JavaScript/JScript^c, Network Device CLI^c, PowerShell Execution^c, Python Execution^c, Unix Shell Execution^c, VBScript Execution^c, Windows Command Shell Execution^c
is also defined as: named individual

Command History Log^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CommandHistoryLog

has super-classes: Event Log^c
is also defined as: named individual

Command History Log File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CommandHistoryLogFile

has super-classes: Log File^c; contains^op some Command History Log^c
is also defined as: named individual

Command Line Interface^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CommandLineInterface

is defined by: http://dbpedia.org/resource/Command-line_interface

A command-line interface or command language interpreter (CLI), also known as command-line user interface, console user interface, and character user interface (CUI), is a means of interacting with a computer program where the user (or client) issues commands to the program in the form of successive lines of text (command lines). Command-line interfaces to computer operating systems are less widely used by casual computer users, who favor graphical user interfaces. Programs with command-line interfaces are generally easier to automate via scripting.

has super-classes: User Interface^c

Communication Through Removable Media^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1092

has super-classes: Command and Control Technique^c; modifies^op some Removable Media Device^c
is also defined as: named individual

Compile After Delivery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1027.004

has super-classes: Obfuscated Files or Information^c; creates^op some Executable File^c
is also defined as: named individual

Compiled HTML File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.001

has super-classes: Signed Binary Proxy Execution^c; invokes^op some Create File^c; invokes^op some Create Process^c
is also defined as: named individual

Compiler^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Compiler

has super-classes: Build Tool^c; reads^op some Compiler Configuration File^c
is also defined as: named individual

Compiler Configuration File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CompilerConfigurationFile

has super-classes: Application Configuration File^c
is also defined as: named individual

Component Firmware^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1542.002

has super-classes: Pre-OS Boot^c; modifies^op some Firmware^c
is also defined as: named individual

Component Object Model Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1559.001

has super-classes: Inter-Process Communication Execution^c

Component Object Model Hijacking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.015

has super-classes: Event Triggered Execution^c; loads^op some Executable Binary^c; modifies^op some System Configuration Database^c
is also defined as: named individual

Composite Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CompositeTechnique

A commonly applied series of techniques which induce a greater effect than each individual technique. The techniques are applied in a strict sequence.

has super-classes: D3FEND Thing^c

Compromise Client Software Binary^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1554

has super-classes: Persistence Technique^c; modifies^op some Client Application^c
is also defined as: named individual

Compromise Hardware Supply Chain^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1195.003

has super-classes: Supply Chain Compromise^c; modifies^op some Hardware Device^c
is also defined as: named individual

Compromise Software Dependencies and Development Tools^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1195.001

has super-classes: Supply Chain Compromise^c; modifies^op some Software^c
is also defined as: named individual

Compromise Software Supply Chain^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1195.002

has super-classes: Supply Chain Compromise^c; modifies^op some Software^c
is also defined as: named individual

Computing Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ComputingServer

is defined by: https://www.encyclopedia.com/computing/dictionaries-thesauruses-pictures-and-press-releases/compute-server

A compute server is a system specifically designed to undertake large amounts of computation, usually but not necessarily in a client/server environment.

has super-classes: Server^c

Conference Paper^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ConferencePaper

has super-classes: Academic Article^c

Configuration Bearing Entity^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ConfigurationBearingEntity

has super-classes: Resource^c
has sub-classes: Application Configuration^c, Cloud Configuration^c, Operating System Configuration^c
is also defined as: named individual

Configuration File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ConfigurationFile

is defined by: http://dbpedia.org/resource/Configuration_file

A file containing Information used to configure the parameters and initial settings for some computer programs. They are used for user applications, server processes and operating system settings.

has super-classes: File^c
has sub-classes: Application Configuration File^c, Operating System Configuration File^c, Property List File^c, User Init Configuration File^c

Confluence^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1213.001

has super-classes: Data from Information Repositories^c; accesses^op some Web File Resource^c
is also defined as: named individual

Connect Socket^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ConnectSocket

The connect socket system call connects the socket to a target address.

has super-classes: System Call^c

Connected Honeynet^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ConnectedHoneynet

has super-classes: Decoy Environment^c; spoofs^op some Local Area Network^c
is also defined as: named individual

Connection Attempt Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ConnectionAttemptAnalysis

has super-classes: Network Traffic Analysis^c; analyzes^op some Intranet Network Traffic^c
is also defined as: named individual

Container Build Tool^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ContainerBuildTool

A software build tool that creates a container (e.g., Docker container) for deployment.

has super-classes: Software Packaging Tool^c

Container Image^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ContainerImage

has super-classes: File^c
is also defined as: named individual

Container Orchestration Software^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ContainerOrchestrationSoftware

has super-classes: Service Application^c
is also defined as: named individual

Container Process^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ContainerProcess

A running instance of a d3f:ContainerImage

has super-classes: Application Process^c

Container Runtime^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ContainerRuntime

has super-classes: Service Application^c; runs^op some Container Image^c
is also defined as: named individual

contribution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Contribution

has super-classes: D3FEND Thing^c; has contributor^op some Agent^c; date created^dp some date time

Control Panel Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.002

has super-classes: Signed Binary Proxy Execution^c; invokes^op some Create Process^c; may-modify^op some System Configuration Database Record^c
is also defined as: named individual

Copy Token^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CopyToken

has super-classes: System Call^c
has members: Copy Tokenⁿⁱ
is also defined as: named individual

COR_PROFILER^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.012

has super-classes: Hijack Execution Flow^c; adds^op some Shared Library File^c; modifies^op some System Configuration Database Record^c
is also defined as: named individual

Create Account^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1136

has super-classes: Persistence Technique^c; Privilege Escalation Technique^c; creates^op some User Account^c
has sub-classes: Cloud Account^c, Domain Account^c, Local Account^c
is also defined as: named individual

Create File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CreateFile

has super-classes: System Call^c; creates^op some File^c
is also defined as: named individual

Create or Modify System Process^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1543

has super-classes: Persistence Technique^c; Privilege Escalation Technique^c
has sub-classes: Launch Agent^c, Launch Daemon^c, Systemd Service^c, Windows Service^c

Create Process^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CreateProcess

has super-classes: System Call^c
has members: Linux Execⁿⁱ
is also defined as: named individual

Create Process with Token^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1134.002

has super-classes: Access Token Manipulation^c; copies^op some Access Token^c; may-modify^op some Event Log^c
is also defined as: named individual

Create Socket^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CreateSocket

A create socket system call creates an endpoint for communication and returns a file descriptor that refers to that endpoint.

has super-classes: System Call^c

Create Thread^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CreateThread

has super-classes: System Call^c
is also defined as: named individual

Credential^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Credential

has super-classes: Digital Artifact^c; authenticates^op some User Account^c
has sub-classes: Access Token^c, Encrypted Credential^c, Password^c, Session Cookie^c
is also defined as: named individual

Credential Access^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CredentialAccess

has super-classes: Offensive Tactic^c
is also defined as: named individual

Credential Access Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CredentialAccessTechnique

has super-classes: Offensive Technique^c; accesses^op some Credential^c; enables^op some Credential Access^c
has sub-classes: Brute Force^c, Credentials from Password Stores^c, Exploitation for Credential Access^c, Forced Authentication^c, Input Capture^c, Man-in-the-Middle^c, Modify Authentication Process^c, Network Sniffing^c, OS Credential Dumping^c, Steal Application Access Token^c, Steal Web Session Cookie^c, Steal or Forge Kerberos Tickets^c, Two-Factor Authentication Interception^c, Unsecured Credentials^c
is also defined as: named individual

Credential API Hooking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1056.004

has super-classes: Input Capture^c; may-modify^op some Process Code Segment^c
is also defined as: named individual

Credential Compromise Scope Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CredentialCompromiseScopeAnalysis

has super-classes: User Behavior Analysis^c; analyzes^op some Credential^c
is also defined as: named individual

Credential Eviction^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CredentialEviction

has super-classes: Defensive Technique^c; enables^op some Evict^c
has sub-classes: Account Locking^c, Authentication Cache Invalidation^c
has members: Account Lockingⁿⁱ, Authentication Cache Invalidationⁿⁱ
is also defined as: named individual

Credential Hardening^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CredentialHardening

has super-classes: Defensive Technique^c; enables^op some Harden^c
has sub-classes: Biometric Authentication^c, Certificate Pinning^c, Certificate-based Authentication^c, Credential Transmission Scoping^c, Domain Trust Policy^c, Multi-factor Authentication^c, One-time Password^c, Strong Password Policy^c, User Account Permissions^c
has members: Biometric Authenticationⁿⁱ, Certificate Pinningⁿⁱ, Certificate-based Authenticationⁿⁱ, Credential Transmission Scopingⁿⁱ, Domain Trust Policyⁿⁱ, Multi-factor Authenticationⁿⁱ, One-time Passwordⁿⁱ, Strong Password Policyⁿⁱ, User Account Permissionsⁿⁱ
is also defined as: named individual

Credential Management System^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CredentialManagementSystem

has super-classes: Service Application^c
is also defined as: named individual

Credential Stuffing^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1110.004

has super-classes: Brute Force^c; may-create^op some Intranet Administrative Network Traffic^c; modifies^op some Authentication Log^c; produces^op some Authentication^c
is also defined as: named individual

Credential Transmission Scoping^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CredentialTransmissionScoping

has super-classes: Credential Hardening^c; restricts^op some Credential^c
is also defined as: named individual

Credentials from Password Stores^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1555

has super-classes: Credential Access Technique^c; accesses^op some Password Store^c
has sub-classes: Credentials from Web Browsers^c, Keychain^c, Securityd Memory^c
is also defined as: named individual

Credentials from Web Browsers^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1555.003

has super-classes: Credentials from Password Stores^c; may-access^op some In-memory Password Store^c
is also defined as: named individual

Credentials in Files^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1552.001

has super-classes: Unsecured Credentials^c; accesses^op some File^c
is also defined as: named individual

Credentials in Registry^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1552.002

has super-classes: Unsecured Credentials^c; accesses^op some System Configuration Database^c
is also defined as: named individual

Cron Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1053.003

has super-classes: Scheduled Task/Job Execution^c

Cryptographic Key^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CryptographicKey

is defined by: http://dbpedia.org/resource/Public-key_cryptography

In cryptography, a key is a piece of information (a parameter) that determines the functional output of a cryptographic algorithm. For encryption algorithms, a key specifies the transformation of plaintext into ciphertext, and vice versa for decryption algorithms. Keys also specify transformations in other cryptographic algorithms, such as digital signature schemes and message authentication codes.

has super-classes: Digital Artifact^c
has sub-classes: Asymmetric Key^c, Symmetric Key^c

Custom Archive File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CustomArchiveFile

has super-classes: Archive File^c
is also defined as: named individual

D3FEND Catalog Thing^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#D3FENDCatalogThing

has super-classes: D3FEND Thing^c
has sub-classes: Agent^c, Analysis of Alternatives^c, Assessment^c, Capability Feature^c, Capability Implementation^c, Information Content Entity^c, Proposition^c

D3FEND Thing^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#D3FENDThing

D3FEND things are concepts defined in the core D3FEND Framework.

has sub-classes: Artifact^c, Capability^c, Composite Technique^c, D3FEND Catalog Thing^c, D3FEND Use Case Thing^c, Defensive Tactic^c, Defensive Technique^c, Digital Event^c, Digital Object^c, Latency^c, Monitoring^c, Physical Object^c, Reference^c, Reference Type^c, Sensor^c, Technique^c, Technique Reference^c, contribution^c, procedure^c, step^c

D3FEND Use Case^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#D3FENDUseCase

has super-classes: D3FEND Use Case Thing^c; has prerequisite^op some Use Case Prerequisite^c; has procedure^op some Use Case Procedure^c; has audience^op some Target Audience^c; has goal^op some Use Case Goal^c
is disjoint with: Target Audience^c, Use Case Goal^c, Use Case Prerequisite^c, Use Case Procedure^c, Use Case Step^c

D3FEND Use Case Thing^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#D3FENDUseCaseThing

has super-classes: D3FEND Thing^c
has sub-classes: D3FEND Use Case^c, Target Audience^c, Use Case Goal^c, Use Case Prerequisite^c, Use Case Procedure^c, Use Case Step^c

Data Artifact Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DataArtifactServer

A data artifact server provides access services to content in a content repository. The content repository or content store is a database of digital content with an associated set of data management, search and access methods allowing application-independent access to the content, rather like a digital library, but with the ability to store and modify content in addition to searching and retrieving. The content repository acts as the storage engine for a larger application such as a content management system or a document management system, which adds a user interface on top of the repository's application programming interface.

has super-classes: Artifact Server^c

Data Destruction^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1485

has super-classes: Impact Technique^c

Data Encoding^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1132

has super-classes: Command and Control Technique^c; produces^op some Outbound Internet Network Traffic^c
has sub-classes: Non-Standard Encoding^c, Standard Encoding^c
is also defined as: named individual

Data Encrypted for Impact^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1486

has super-classes: Impact Technique^c

Data from Cloud Storage Object^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1530

has super-classes: Collection Technique^c

Data from Information Repositories^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1213

has super-classes: Collection Technique^c; Discovery Technique^c; accesses^op some Resource^c
has sub-classes: Code Repositories^c, Confluence^c, Sharepoint^c
is also defined as: named individual

Data from Local System^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1005

has super-classes: Collection Technique^c; accesses^op some Local Resource^c
is also defined as: named individual

Data from Network Shared Drive^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1039

has super-classes: Collection Technique^c; accesses^op some Network File Share Resource^c
is also defined as: named individual

Data from Removable Media^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1025

has super-classes: Collection Technique^c; accesses^op some Removable Media Device^c
is also defined as: named individual

Data Manipulation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1565

has super-classes: Impact Technique^c
has sub-classes: Runtime Data Manipulation^c, Stored Data Manipulation^c, Transmitted Data Manipulation^c

Data Obfuscation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1001

has super-classes: Command and Control Technique^c; produces^op some Outbound Internet Network Traffic^c
has sub-classes: Junk Data^c, Protocol Impersonation^c, Steganography^c
is also defined as: named individual

Data Staged^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1074

has super-classes: Collection Technique^c; reads^op some Resource^c
has sub-classes: Local Data Staging^c, Remote Data Staging^c
is also defined as: named individual

Data Transfer Size Limits^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1030

has super-classes: Exfiltration Technique^c; produces^op some Internet Network Traffic^c
is also defined as: named individual

Database^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Database

has super-classes: Digital Artifact^c
has sub-classes: Application Configuration Database^c, Code Repository^c, Password Database^c, System Configuration Database^c
is also defined as: named individual

Database Query^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DatabaseQuery

has super-classes: Command^c
has sub-classes: Remote Database Query^c
is also defined as: named individual

Database Query String Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DatabaseQueryStringAnalysis

has super-classes: Process Analysis^c; analyzes^op some Database Query^c
is also defined as: named individual

Database Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DatabaseServer

has super-classes: Server^c; contains^op some Database^c
is also defined as: named individual

DCSync^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003.006

has super-classes: OS Credential Dumping^c; may-modify^op some Event Log^c; produces^op some Intranet Administrative Network Traffic^c
is also defined as: named individual

Dead Code Elimination^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DeadCodeElimination

has super-classes: Application Hardening^c
is also defined as: named individual

Dead Drop Resolver^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1102.001

has super-classes: Web Service^c

Deceive^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Deceive

has super-classes: Defensive Tactic^c
is also defined as: named individual

Decoy Artifact^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyArtifact

has super-classes: Digital Artifact^c; may-contain^op some Digital Artifact^c
is also defined as: named individual

Decoy Environment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyEnvironment

has super-classes: Defensive Technique^c; enables^op some Deceive^c; manages^op some Decoy Artifact^c
has sub-classes: Connected Honeynet^c, Integrated Honeynet^c, Standalone Honeynet^c
has members: Connected Honeynetⁿⁱ, Integrated Honeynetⁿⁱ, Standalone Honeynetⁿⁱ
is also defined as: named individual

Decoy File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyFile

has super-classes: Decoy Object^c; spoofs^op some File^c
is also defined as: named individual

Decoy Network Resource^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyNetworkResource

has super-classes: Decoy Object^c; spoofs^op some Network Resource^c
is also defined as: named individual

Decoy Object^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyObject

has super-classes: Defensive Technique^c; enables^op some Deceive^c
has sub-classes: Decoy File^c, Decoy Network Resource^c, Decoy Persona^c, Decoy Public Release^c, Decoy Session Token^c, Decoy User Credential^c
has members: Decoy Fileⁿⁱ, Decoy Network Resourceⁿⁱ, Decoy Personaⁿⁱ, Decoy Public Releaseⁿⁱ, Decoy Session Tokenⁿⁱ, Decoy User Credentialⁿⁱ
is also defined as: named individual

Decoy Persona^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyPersona

has super-classes: Decoy Object^c; spoofs^op some User^c
is also defined as: named individual

Decoy Public Release^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyPublicRelease

has super-classes: Decoy Object^c
is also defined as: named individual

Decoy Session Token^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoySessionToken

has super-classes: Decoy Object^c; spoofs^op some Access Token^c
is also defined as: named individual

Decoy User Credential^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyUserCredential

has super-classes: Decoy Object^c; spoofs^op some Credential^c
is also defined as: named individual

Defacement^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1491

has super-classes: Impact Technique^c
has sub-classes: External Defacement^c, Internal Defacement^c

Default Accounts^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1078.001

has super-classes: Valid Accounts^c; uses^op some Default User Account^c
is also defined as: named individual

Default User Account^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DefaultUserAccount

has super-classes: User Account^c
is also defined as: named individual

Defense Evasion^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DefenseEvasion

has super-classes: Offensive Tactic^c
is also defined as: named individual

Defense Evasion Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DefenseEvasionTechnique

has super-classes: Offensive Technique^c; enables^op some Defense Evasion^c
has sub-classes: Abuse Elevation Control Mechanism^c, Access Token Manipulation^c, BITS Jobs^c, Deobfuscate/Decode Files or Information^c, Direct Volume Access^c, Execution Guardrails^c, Exploitation for Defense Evasion^c, File and Directory Permissions Modification^c, Group Policy Modification^c, Hide Artifacts^c, Hijack Execution Flow^c, Impair Defenses^c, Indicator Removal on Host^c, Indirect Command Execution^c, Masquerading^c, Modify Authentication Process^c, Modify Registry^c, Obfuscated Files or Information^c, Pre-OS Boot^c, Process Injection^c, Reflective Code Loading^c, Rogue Domain Controller^c, Rootkit^c, Signed Binary Proxy Execution^c, Signed Script Proxy Execution^c, Subvert Trust Controls^c, Template Injection^c, Traffic Signaling^c, Trusted Developer Utilities Proxy Execution^c, Unused/Unsupported Cloud Regions^c, Use Alternate Authentication Material^c, Valid Accounts^c, Virtualization/Sandbox Evasion^c, XSL Script Processing^c
is also defined as: named individual

Defensive Tactic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DefensiveTactic

has super-classes: D3FEND Thing^c; enabled-by^op some Defensive Technique^c; display-order^dp some integer
has sub-classes: Deceive^c, Detect^c, Evict^c, Harden^c, Isolate^c, Scan^c
has members: Deceiveⁿⁱ, Detectⁿⁱ, Evictⁿⁱ, Hardenⁿⁱ, Isolateⁿⁱ, Scanⁿⁱ
is also defined as: named individual

Defensive Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DefensiveTechnique

has super-classes: Capability Feature^c; D3FEND Thing^c; Defensive Technique^c; Technique^c; enables^op some Defensive Tactic^c; kb-reference^op some Technique Reference^c; d3fend-id^dp some string; date^dp some date time; display-order^dp some integer
has sub-classes: Application Hardening^c, Credential Eviction^c, Credential Hardening^c, Decoy Environment^c, Decoy Object^c, Defensive Technique^c, Execution Isolation^c, File Analysis^c, Identifier Analysis^c, Message Analysis^c, Message Hardening^c, Network Isolation^c, Network Traffic Analysis^c, Platform Hardening^c, Platform Monitoring^c, Process Analysis^c, Process Eviction^c, User Behavior Analysis^c
is in domain of: d3fend-tactical-verb-property^op, may-be-tactically-associated-with^op
has members: Application Hardeningⁿⁱ, Credential Evictionⁿⁱ, Credential Hardeningⁿⁱ, Decoy Environmentⁿⁱ, Decoy Objectⁿⁱ, Execution Isolationⁿⁱ, File Analysisⁿⁱ, Identifier Analysisⁿⁱ, Message Analysisⁿⁱ, Message Hardeningⁿⁱ, Network Isolationⁿⁱ, Platform Hardeningⁿⁱ, Platform Monitoringⁿⁱ, Process Analysisⁿⁱ, Process Evictionⁿⁱ, User Behavior Analysisⁿⁱ
is also defined as: named individual

Defensive Technique Assessment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DefensiveTechniqueAssessment

Assessing how well a capability implementation's capability feature functions as a countermeasure.

has super-classes: Feature Assessment^c; assesses^op some Defensive Technique Claim^c; counters^op some Offensive Technique^c; confidence^dp some integer; rating^dp only { "0" , "1" , "2" , "3" }; stage^dp only { "Deceive" , "Detect" , "Evict" , "Harden" , "Isolate" }; rating^dp exactly 1; stage^dp exactly 1
is in range of: assesses^op

Defensive Technique Claim^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DefensiveTechniqueClaim

has super-classes: Capability Feature Claim^c; cites^op some Information Content Entity^c; claims^op some Defensive Technique^c
is in domain of: assesses^op

Deobfuscate/Decode Files or Information^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1140

has super-classes: Defense Evasion Technique^c; invokes^op some Create Process^c; may-add^op some Executable File^c; may-modify^op some Event Log^c
is also defined as: named individual

Desktop Computer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DesktopComputer

is defined by: http://dbpedia.org/resource/Desktop_computer

A desktop computer is a personal computer designed for regular use at a single location on or near a desk or table due to its size and power requirements. The most common configuration has a case that houses the power supply, motherboard (a printed circuit board with a microprocessor as the central processing unit (CPU), memory, bus, and other electronic components, disk storage (usually one or more hard disk drives, solid state drives, optical disc drives, and in early models a floppy disk drive); a keyboard and mouse for input; and a computer monitor, speakers, and, often, a printer for output. The case may be oriented horizontally or vertically and placed either underneath, beside, or on top of a desk.

has super-classes: Personal Computer^c

Detect^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Detect

has super-classes: Defensive Tactic^c
is also defined as: named individual

Developer Application^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DeveloperApplication

An application used to develop computer software including applications used for software construction, analysis, testing, packaging, or management.

has super-classes: User Application^c
has sub-classes: Build Tool^c, Code Analyzer^c, Test Execution Tool^c, Version Control Tool^c

Dial Up Modem^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DialUpModem

is defined by: http://dbpedia.org/resource/Modem#Dial-up

A dial-up modem transmits computer data over an ordinary switched telephone line that has not been designed for data use. This contrasts with leased line modems, which also operate over lines provided by a telephone company, but ones which are intended for data use and do not impose the same signaling constraints. The modulated data must fit the frequency constraints of a normal voice audio signal, and the modem must be able to perform the actions needed to connect a call through a telephone exchange, namely: picking up the line, dialing, understanding signals sent back by phone company equipment (dial tone, ringing, busy signal,) and on the far end of the call, the second modem in the connection must be able to recognize the incoming ring signal and answer the line.

has super-classes: Modem^c

Digital Artifact^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DigitalArtifact

has super-classes: Artifact^c; Digital Object^c
has sub-classes: Access Control Configuration^c, Binary Large Object^c, Binary Segment^c, Blob^c, Block Device^c, Boot Loader^c, Call Stack^c, Certificate^c, Clipboard^c, Command^c, Credential^c, Cryptographic Key^c, DNS Lookup^c, Database^c, Decoy Artifact^c, Digital System^c, Directory^c, Display Server^c, Domain Registration^c, Enclave^c, File Section^c, File System^c, File System Link^c, Hardware Device^c, Hardware Driver^c, Identifier^c, Interprocess Communication^c, Kernel Process Table^c, Log^c, Metadata^c, Network^c, Network Flow^c, Network Node^c, Network Traffic^c, Operating System^c, Partition^c, Partition Table^c, Physical Location^c, Platform^c, Pointer^c, Process^c, Process Image^c, Process Tree^c, Record^c, Resource^c, Session^c, Software^c, Stack Component^c, Storage^c, System Call^c, Task Schedule^c, Trust Store^c, User^c, User Account^c, User Action^c, User Behavior^c, User Interface^c, User to User Message^c, Volume^c
is in domain of: d3fend-artifact-data-property^dp
is in range of: hides^op
is also defined as: named individual

Digital Event^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DigitalEvent

has super-classes: D3FEND Thing^c
has sub-classes: Command^c, DNS Lookup^c, Resource Access^c, System Call^c, User Action^c

Digital Object^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DigitalObject

A digital object is the top-level class for an information bearing object that exists in a digital environment. The digital object may be virtual or physical.

has super-classes: D3FEND Thing^c
has sub-classes: Digital Artifact^c

Digital System^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DigitalSystem

A digital system is a group of interacting or interrelated digital artifacts that act according to a set of rules to form a unified whole. A digital system, surrounded and influenced by its environment, is described by its boundaries, structure and purpose and expressed in its functioning. Systems are the subjects of study of systems theory.

has super-classes: Digital Artifact^c
has sub-classes: Legacy System^c

Direct Network Flood^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1498.001

has super-classes: Network Denial of Service^c; creates^op some Inbound Internet Network Traffic^c
is also defined as: named individual

Direct Volume Access^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1006

has super-classes: Defense Evasion Technique^c; accesses^op some Volume^c
is also defined as: named individual

Directory^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Directory

has super-classes: Digital Artifact^c; may-contain^op some File^c
has sub-classes: Startup Directory^c, System Startup Directory^c
is also defined as: named individual

Directory Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DirectoryService

has super-classes: Network Service^c
is also defined as: named individual

Disable or Modify System Firewall^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1562.004

has super-classes: Impair Defenses^c; modifies^op some System Firewall Configuration^c
is also defined as: named individual

Disable or Modify Tools^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1562.001

has super-classes: Impair Defenses^c; disables^op some Operating System Process^c
is also defined as: named individual

Disable Windows Event Logging^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1562.002

has super-classes: Impair Defenses^c; may-modify^op some Application Configuration^c; may-modify^op some Operating System Configuration Component^c
is also defined as: named individual

Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Discovery

has super-classes: Offensive Tactic^c
is also defined as: named individual

Discovery Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DiscoveryTechnique

has super-classes: Offensive Technique^c; enables^op some Discovery^c
has sub-classes: Account Discovery^c, Application Window Discovery^c, Browser Bookmark Discovery^c, Cloud Service Dashboard^c, Cloud Service Discovery^c, Cloud Storage Object Discovery^c, Data from Information Repositories^c, Domain Trust Discovery^c, File and Directory Discovery^c, Group Policy Discovery^c, Network Service Scanning^c, Network Share Discovery^c, Network Sniffing^c, Password Policy Discovery^c, Peripheral Device Discovery^c, Permission Groups Discovery^c, Process Discovery^c, Query Registry^c, Remote System Discovery^c, Software Discovery^c, System Information Discovery^c, System Location Discovery^c, System Network Configuration Discovery^c, System Network Connections Discovery^c, System Owner/User Discovery^c, System Service Discovery^c, System Time Discovery^c
is also defined as: named individual

Disk Content Wipe^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1561.001

has super-classes: Disk Wipe^c; may-modify^op some Boot Sector^c; may-modify^op some Partition^c; may-modify^op some Partition Table^c; may-modify^op some Volume^c; modifies^op some Block Device^c
is also defined as: named individual

Disk Encryption^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DiskEncryption

has super-classes: Platform Hardening^c; encrypts^op some Storage^c
is also defined as: named individual

Disk Structure Wipe^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1561.002

has super-classes: Disk Wipe^c; may-modify^op some Boot Sector^c; may-modify^op some Partition Table^c
is also defined as: named individual

Disk Wipe^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1561

has super-classes: Impact Technique^c
has sub-classes: Disk Content Wipe^c, Disk Structure Wipe^c

Display Adapter^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DisplayAdapter

has super-classes: Output Device^c
is also defined as: named individual

Display Device Driver^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DisplayDeviceDriver

has super-classes: Hardware Driver^c; drives^op some Display Adapter^c
is also defined as: named individual

Display Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DisplayServer

has super-classes: Digital Artifact^c
is also defined as: named individual

Distributed Component Object Model^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1021.003

has super-classes: Remote Services^c

DLL Search Order Hijacking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.001

has super-classes: Hijack Execution Flow^c; may-create^op some Shared Library File^c
is also defined as: named individual

DLL Side-Loading^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.002

has super-classes: Hijack Execution Flow^c; may-create^op some Shared Library File^c; may-modify^op some Shared Library File^c
is also defined as: named individual

DNS^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1071.004

has super-classes: Application Layer Protocol^c; produces^op some Outbound Internet DNS Lookup Traffic^c
is also defined as: named individual

DNS Allowlisting^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DNSAllowlisting

has super-classes: Network Isolation^c; blocks^op some Outbound Internet DNS Lookup Traffic^c
is also defined as: named individual

DNS Calculation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1568.003

has super-classes: Dynamic Resolution^c

DNS Denylisting^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DNSDenylisting

has super-classes: Network Isolation^c; blocks^op some DNS Network Traffic^c
has sub-classes: Forward Resolution Domain Denylisting^c, Forward Resolution IP Denylisting^c, Reverse Resolution Domain Denylisting^c, Reverse Resolution IP Denylisting^c
has members: Forward Resolution Domain Denylistingⁿⁱ, Forward Resolution IP Denylistingⁿⁱ, Reverse Resolution Domain Denylistingⁿⁱ, Reverse Resolution IP Denylistingⁿⁱ
is also defined as: named individual

DNS Lookup^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DNSLookup

has super-classes: Digital Artifact^c; Digital Event^c
has sub-classes: Internet DNS Lookup^c, Intranet DNS Lookup^c
is also defined as: named individual

DNS Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DNSNetworkTraffic

has super-classes: Network Traffic^c
has sub-classes: Outbound Internet DNS Lookup Traffic^c
is also defined as: named individual

DNS Record^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DNSRecord

A Domain Name System (DNS) record is a record of information returned to clients seeking to find computers, services, and other resources connected to the Internet or a private network. Record information is stored on a domain name server so it can respond to DNS queries from clients.There are a variety of record types, depending on the client's information needs. Common types include Start of Authority, IP addresses, SMTP mail exchangers, name servers, reverse DNS lookup pointers, etc.

has super-classes: Record^c

DNS Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DNSServer

is defined by: http://dbpedia.org/resource/Name_server

A Domain Name System (DNS) name server is a kind of name server. Domain names are one of the two principal namespaces of the Internet. The most important function of DNS servers is the translation (resolution) of human-memorable domain names and hostnames into the corresponding numeric Internet Protocol (IP) addresses, the second principal name space of the Internet which is used to identify and locate computer systems and resources on the Internet. (en). More generally, a name server is a computer application that implements a network service for providing responses to queries against a directory service. It translates an often humanly meaningful, text-based identifier to a system-internal, often numeric identification or addressing component. This service is performed by the server in response to a service protocol request.

has super-classes: Server^c

DNS Traffic Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DNSTrafficAnalysis

has super-classes: Network Traffic Analysis^c; analyzes^op some Outbound Internet DNS Lookup Traffic^c; may-contain^op some DNS Lookup^c
is also defined as: named individual

Document^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Document

A document is a written, drawn, presented or recorded representation of thoughts.

has super-classes: Information Content Entity^c
has sub-classes: Article^c, Patent^c, Policy^c, Specification^c, User Manual^c

Document File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DocumentFile

has super-classes: File^c; may-contain^op some Executable Script^c
has sub-classes: Email^c, Email Attachment^c, HTML File^c, Office Application File^c
has members: Adobe PDF File 1.3ⁿⁱ, Microsoft Word DOC Fileⁿⁱ, Microsoft Word DOCB Fileⁿⁱ, Microsoft Word DOCM Fileⁿⁱ, Microsoft Word DOCX Fileⁿⁱ, Microsoft Word DOT Fileⁿⁱ, Microsoft Word DOTM Fileⁿⁱ, Microsoft Word DOTX Fileⁿⁱ, Microsoft Word WBK Fileⁿⁱ
is also defined as: named individual

Domain Account^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1087.002

has super-classes: Create Account^c; creates^op some Domain User Account^c
is also defined as: named individual

Domain Account Monitoring^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DomainAccountMonitoring

has super-classes: User Behavior Analysis^c; monitors^op some Domain User Account^c
is also defined as: named individual

Domain Accounts^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1078.002

has super-classes: Valid Accounts^c; uses^op some Domain User Account^c
is also defined as: named individual

Domain Controller Authentication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1556.001

has super-classes: Modify Authentication Process^c

Domain Fronting^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1090.004

has super-classes: Proxy^c; produces^op some Outbound Internet Encrypted Web Traffic^c
is also defined as: named individual

Domain Generation Algorithms^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1568.002

has super-classes: Dynamic Resolution^c

Domain Name^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DomainName

has super-classes: Identifier^c
has members: ASCII Domain Nameⁿⁱ, FQDN Domain Nameⁿⁱ, Hostnameⁿⁱ, Internationalized Domain Nameⁿⁱ
is also defined as: named individual

Domain Registration^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DomainRegistration

has super-classes: Digital Artifact^c; may-contain^op some Domain Name^c
has members: WHOIS Compatible Domain Registrationⁿⁱ
is also defined as: named individual

Domain Trust Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1482

has super-classes: Discovery Technique^c

Domain Trust Policy^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DomainTrustPolicy

has super-classes: Credential Hardening^c; restricts^op some Directory Service^c; restricts^op some Domain Account^c
is also defined as: named individual

Domain User Account^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DomainUserAccount

has super-classes: User Account^c
has sub-classes: Global User Account^c
is also defined as: named individual

Double File Extension^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1036.007

has super-classes: Masquerading^c; modifies^op some File System Metadata^c
is also defined as: named individual

Downgrade Attack^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1562.010

has super-classes: Impair Defenses^c; accesses^op some Legacy System^c
is also defined as: named individual

Drive-by Compromise^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1189

has super-classes: Initial Access Technique^c; modifies^op some Process Segment^c; produces^op some Outbound Internet Network Traffic^c; produces^op some URL^c
is also defined as: named individual

Driver Load Integrity Checking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DriverLoadIntegrityChecking

has super-classes: Platform Hardening^c; authenticates^op some Hardware Driver^c
is also defined as: named individual

Dylib Hijacking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.004

has super-classes: Hijack Execution Flow^c; may-create^op some Shared Library File^c; may-modify^op some Shared Library File^c
is also defined as: named individual

Dynamic Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DynamicAnalysis

has super-classes: File Analysis^c; analyzes^op some Document File^c; analyzes^op some Executable File^c
is also defined as: named individual

Dynamic Analysis Tool^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DynamicAnalysisTool

is defined by: http://dbpedia.org/resource/Dynamic_program_analysis

Dynamic program analysis is the analysis of computer software that is performed by executing programs on a real or virtual processor.

has super-classes: Code Analyzer^c

Dynamic Data Exchange Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1559.002

has super-classes: Inter-Process Communication Execution^c

Dynamic Resolution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1568

has super-classes: Command and Control Technique^c; produces^op some Outbound Internet DNS Lookup Traffic^c
has sub-classes: DNS Calculation^c, Domain Generation Algorithms^c, Fast Flux DNS^c
is also defined as: named individual

Dynamic-link Library Injection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.001

has super-classes: Process Injection^c; adds^op some Shared Library File^c; invokes^op some System Call^c; loads^op some Shared Library File^c
is also defined as: named individual

Elevated Execution with Prompt^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1548.004

has super-classes: Abuse Elevation Control Mechanism^c; creates^op some System Configuration Database^c; invokes^op some System Call^c
is also defined as: named individual

Email^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Email

has super-classes: Document File^c; may-contain^op some File^c; may-contain^op some URL^c
has members: MSG Email Fileⁿⁱ
is also defined as: named individual

Email Attachment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#EmailAttachment

has super-classes: Document File^c; attached-to^op some Email^c
is also defined as: named individual

Email Collection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1114

has super-classes: Collection Technique^c; accesses^op some Resource^c
has sub-classes: Email Forwarding Rule^c, Local Email Collection^c, Remote Email Collection^c
is also defined as: named individual

Email Forwarding Rule^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1114.003

has super-classes: Email Collection^c; modifies^op some Application Configuration^c
is also defined as: named individual

Email Hiding Rules^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.008

has super-classes: Hide Artifacts^c; may-create^op some Email Rule^c; may-modify^op some Email Rule^c; modifies^op some Application Configuration^c
is also defined as: named individual

Email Rule^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#EmailRule

has super-classes: Application Rule^c
is also defined as: named individual

Embedded Computer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#EmbeddedComputer

is defined by: http://dbpedia.org/resource/Embedded_system

An embedded computer is a computer system -- a combination of a computer processor, computer memory, and input/output peripheral devices-that has a dedicated function within a larger mechanical or electrical system. It is embedded as part of a complete device often including electrical or electronic hardware and mechanical parts. Because an embedded system typically controls physical operations of the machine that it is embedded within, it often has real-time computing constraints. Embedded systems control many devices in common use today. Ninety-eight percent of all microprocessors manufactured are used in embedded systems.

has super-classes: Client Computer^c

Emond^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.014

has super-classes: Event Triggered Execution^c; may-create^op some Property List File^c; may-modify^op some Property List File^c; modifies^op some Configuration Bearing Entity^c
is also defined as: named individual

Emulated File Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#EmulatedFileAnalysis

has super-classes: File Analysis^c; analyzes^op some Document File^c; analyzes^op some Executable File^c
is also defined as: named individual

Enclave^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Enclave

has super-classes: Digital Artifact^c; may-contain^op some Local Area Network^c
is also defined as: named individual

Encrypted Channel^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1573

has super-classes: Command and Control Technique^c; produces^op some Outbound Internet Encrypted Traffic^c
has sub-classes: Asymmetric Cryptography^c, Symmetric Cryptography^c
is also defined as: named individual

Encrypted Credential^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#EncryptedCredential

has super-classes: Credential^c
has sub-classes: Encrypted Password^c
is also defined as: named individual

Encrypted Password^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#EncryptedPassword

has super-classes: Encrypted Credential^c; Password^c

Encrypted Tunnels^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#EncryptedTunnels

has super-classes: Network Isolation^c; isolates^op some Intranet Network^c
is also defined as: named individual

Endpoint Denial of Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1499

has super-classes: Impact Technique^c

Endpoint Health Beacon^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#EndpointHealthBeacon

has super-classes: Operating System Monitoring^c
is also defined as: named individual

Endpoint Sensor^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#EndpointSensor

has super-classes: Sensor^c
has sub-classes: Application Inventory Sensor^c, File System Sensor^c, Firmware Sensor^c, Host Configuration Sensor^c, Kernel API Sensor^c
is also defined as: named individual

Environmental Keying^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1480.001

has super-classes: Execution Guardrails^c

Event Log^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#EventLog

has super-classes: Log^c
has sub-classes: Command History Log^c
is also defined as: named individual

Event Triggered Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546

has super-classes: Persistence Technique^c; Privilege Escalation Technique^c
has sub-classes: .bash_profile and .bashrc^c, Accessibility Features^c, AppCert DLLs^c, AppInit DLLs^c, Application Shimming^c, Change Default File Association^c, Component Object Model Hijacking^c, Emond^c, Image File Execution Options Injection^c, LC_LOAD_DYLIB Addition^c, Netsh Helper DLL^c, PowerShell Profile^c, Screensaver^c, Trap^c, Windows Management Instrumentation Event Subscription^c

Evict^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Evict

has super-classes: Defensive Tactic^c
is also defined as: named individual

Eviction Latency^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#EvictionLatency

has super-classes: Latency^c
has members: non-real-time-evictionⁿⁱ, real-time-evictionⁿⁱ

Exception Handler^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExceptionHandler

An exception handler is a code segment that processes an exception.

has super-classes: Subroutine^c

Exception Handler Pointer Validation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExceptionHandlerPointerValidation

has super-classes: Application Hardening^c; validates^op some Pointer^c
is also defined as: named individual

Exchange Email Delegate Permissions^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1098.002

has super-classes: Account Manipulation^c; modifies^op some Domain User Account^c
is also defined as: named individual

Executable Allowlisting^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExecutableAllowlisting

has super-classes: Execution Isolation^c; blocks^op some Executable File^c
is also defined as: named individual

Executable Binary^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExecutableBinary

has super-classes: Executable File^c; contains^op some Image Code Segment^c; contains^op some Image Data Segment^c; may-interpret^op some Executable Script^c
has members: Linux ELF File 32bitⁿⁱ, Linux ELF File 64bitⁿⁱ, PE32 Executable Fileⁿⁱ, PE32+ Executable Fileⁿⁱ
is also defined as: named individual

Executable Denylisting^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExecutableDenylisting

has super-classes: Execution Isolation^c; blocks^op some Executable File^c
is also defined as: named individual

Executable File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExecutableFile

has super-classes: File^c
has sub-classes: Executable Binary^c, Executable Script^c
is also defined as: named individual

Executable Installer File Permissions Weakness^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.005

has super-classes: Hijack Execution Flow^c; modifies^op some Service Application^c
is also defined as: named individual

Executable Script^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExecutableScript

has super-classes: Executable File^c
has sub-classes: Init Script^c, System Init Script^c, User Init Script^c, User Startup Script File^c, Web Script File^c
has members: Bash Script Fileⁿⁱ, Javascript Fileⁿⁱ, Lua Script Fileⁿⁱ, Powershell Script Fileⁿⁱ, Python Script Fileⁿⁱ, Ruby Script Fileⁿⁱ, Windows Batch Fileⁿⁱ
is also defined as: named individual

Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Execution

has super-classes: Offensive Tactic^c
is also defined as: named individual

Execution Guardrails^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1480

has super-classes: Defense Evasion Technique^c
has sub-classes: Environmental Keying^c

Execution Isolation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExecutionIsolation

has super-classes: Defensive Technique^c; enables^op some Isolate^c
has sub-classes: Executable Allowlisting^c, Executable Denylisting^c, Hardware-based Process Isolation^c, IO Port Restriction^c, Kernel-based Process Isolation^c
has members: Executable Denylistingⁿⁱ, Hardware-based Process Isolationⁿⁱ, IO Port Restrictionⁿⁱ, Kernel-based Process Isolationⁿⁱ
is also defined as: named individual

Execution Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExecutionTechnique

has super-classes: Offensive Technique^c; enables^op some Execution^c
has sub-classes: Command and Scripting Interpreter Execution^c, Exploitation for Client Execution^c, Inter-Process Communication Execution^c, Native API Execution^c, Scheduled Task/Job Execution^c, Shared Modules Execution^c, Signed Binary Proxy Execution^c, Signed Script Proxy Execution^c, Software Deployment Tools Execution^c, System Services^c, User Execution^c, Windows Management Instrumentation Execution^c
is also defined as: named individual

Exfiltration^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Exfiltration

has super-classes: Offensive Tactic^c
is also defined as: named individual

Exfiltration Over Alternative Protocol^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1048

has super-classes: Exfiltration Technique^c; produces^op some Internet Network Traffic^c
has sub-classes: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol^c, Exfiltration Over Symmetric Encrypted Non-C2 Protocol^c, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol^c
is also defined as: named individual

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1048.002

has super-classes: Exfiltration Over Alternative Protocol^c; may-transfer^op some Certificate File^c; produces^op some Outbound Internet Encrypted Traffic^c
is also defined as: named individual

Exfiltration Over C2 Channel^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1041

has super-classes: Exfiltration Technique^c; may-transfer^op some Certificate File^c; produces^op some Internet Network Traffic^c
is also defined as: named individual

Exfiltration Over Other Network Medium^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1011

has super-classes: Exfiltration Technique^c; produces^op some Internet Network Traffic^c
is also defined as: named individual

Exfiltration Over Physical Medium^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1052

has super-classes: Exfiltration Technique^c
has sub-classes: Exfiltration over USB^c

Exfiltration Over Symmetric Encrypted Non-C2 Protocol^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1048.001

has super-classes: Exfiltration Over Alternative Protocol^c; produces^op some Outbound Internet Encrypted Traffic^c
is also defined as: named individual

Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1048.003

has super-classes: Exfiltration Over Alternative Protocol^c; produces^op some Outbound Internet Network Traffic^c
is also defined as: named individual

Exfiltration over USB^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1052.001

has super-classes: Exfiltration Over Physical Medium^c; modifies^op some Removable Media Device^c
is also defined as: named individual

Exfiltration Over Web Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1567

has super-classes: Exfiltration Technique^c; produces^op some Outbound Internet Web Traffic^c
has sub-classes: Exfiltration to Cloud Storage^c, Exfiltration to Code Repository^c
is also defined as: named individual

Exfiltration Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExfiltrationTechnique

has super-classes: Offensive Technique^c; enables^op some Exfiltration^c
has sub-classes: Automated Exfiltration^c, Data Transfer Size Limits^c, Exfiltration Over Alternative Protocol^c, Exfiltration Over C2 Channel^c, Exfiltration Over Other Network Medium^c, Exfiltration Over Physical Medium^c, Exfiltration Over Web Service^c, Scheduled Transfer^c
is also defined as: named individual

Exfiltration to Cloud Storage^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1567.002

has super-classes: Exfiltration Over Web Service^c; produces^op some Outbound Internet Encrypted Web Traffic^c
is also defined as: named individual

Exfiltration to Code Repository^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1567.001

has super-classes: Exfiltration Over Web Service^c; may-produce^op some Outbound Internet Encrypted Remote Terminal Traffic^c; may-produce^op some Outbound Internet Encrypted Web Traffic^c
is also defined as: named individual

Exploit Public-Facing Application^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1190

has super-classes: Initial Access Technique^c; injects^op some Database Query^c; modifies^op some Process Segment^c; produces^op some Inbound Internet Network Traffic^c
is also defined as: named individual

Exploitation for Client Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1203

has super-classes: Execution Technique^c; modifies^op some Process Code Segment^c; modifies^op some Stack Frame^c
is also defined as: named individual

Exploitation for Credential Access^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1212

has super-classes: Credential Access Technique^c; may-access^op some Authentication Service^c; may-access^op some Credential Management System^c; may-modify^op some Process Code Segment^c; may-modify^op some Stack Frame^c
is also defined as: named individual

Exploitation for Defense Evasion^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1211

has super-classes: Defense Evasion Technique^c; may-modify^op some Process Code Segment^c; may-modify^op some Stack Frame^c
is also defined as: named individual

Exploitation for Privilege Escalation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1068

has super-classes: Privilege Escalation Technique^c; enables^op some Privilege Escalation^c; may-modify^op some Stack Frame^c; modifies^op some Process Code Segment^c
is also defined as: named individual

Exploitation of Remote Services^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1210

has super-classes: Lateral Movement Technique^c; may-modify^op some Process Code Segment^c; may-modify^op some Process Segment^c; may-modify^op some Stack Frame^c; produces^op some Intranet Network Traffic^c
is also defined as: named individual

External Defacement^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1491.002

has super-classes: Defacement^c; modifies^op some Network Resource^c
is also defined as: named individual

External Knowledge Base^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExternalKnowledgeBase

has super-classes: Information Content Entity^c; Technique Reference^c
has members: Reference - CAR-2013-01-002: Autorun Differences -ⁿⁱ, Reference - CAR-2013-01-003: SMB Events Monitoring -ⁿⁱ, Reference - CAR-2013-02-003: Processes Spawning cmd.exe -ⁿⁱ, Reference - CAR-2013-02-008: Simultaneous Logins on a Host - MITREⁿⁱ, Reference - CAR-2013-02-012: User Logged in to Multiple Hosts - MITREⁿⁱ, Reference - CAR-2013-03-001: Reg.exe called from Command Shell - MITREⁿⁱ, Reference - CAR-2013-04-002: Quick execution of a series of suspicious commands - MITREⁿⁱ, Reference - CAR-2013-05-002: Suspicious Run Locations -ⁿⁱ, Reference - CAR-2013-05-003: SMB Write Request -ⁿⁱ, Reference - CAR-2013-05-004: Execution with AT -ⁿⁱ, Reference - CAR-2013-05-005: SMB Copy and Execution -ⁿⁱ, Reference - CAR-2013-07-001: Suspicious Arguments -ⁿⁱ, Reference - CAR-2013-07-002: RDP Connection Detection - MITREⁿⁱ, Reference - CAR-2013-07-005: Command Line Usage of Archiving Software -ⁿⁱ, Reference - CAR-2013-08-001: Execution with schtasks -ⁿⁱ, Reference - CAR-2013-09-003: SMB Session Setups - MITREⁿⁱ, Reference - CAR-2013-09-005: Service Outlier Executables -ⁿⁱ, Reference - CAR-2013-10-001: User Login Activity Monitoring - MITREⁿⁱ, Reference - CAR-2013-10-002: DLL Injection via Load Library - MITREⁿⁱ, Reference - CAR-2014-02-001: Service Binary Modifications - MITREⁿⁱ, Reference - CAR-2014-03-001: SMB Write Request - NamedPipes - MITREⁿⁱ, Reference - CAR-2014-03-005: Remotely Launched Executables via Services - MITREⁿⁱ, Reference - CAR-2014-03-006: RunDLL32.exe monitoring - MITREⁿⁱ, Reference - CAR-2014-04-003: Powershell Execution - MITREⁿⁱ, Reference - CAR-2014-05-001: RPC Activity - MITREⁿⁱ, Reference - CAR-2014-05-002: Services launching Cmd -ⁿⁱ, Reference - CAR-2014-07-001: Service Search Path Interception - MITREⁿⁱ, Reference - CAR-2014-11-002: Outlier Parents of Cmd - MITREⁿⁱ, Reference - CAR-2014-11-003: Debuggers for Accessibility Applications -ⁿⁱ, Reference - CAR-2014-11-003: Debuggers for Accessibility Applications - MITREⁿⁱ, Reference - CAR-2014-11-005: Remote Registry - MITREⁿⁱ, Reference - CAR-2014-11-006: Windows Remote Management (WinRM) - MITREⁿⁱ, Reference - CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC - MITREⁿⁱ, Reference - CAR-2014-11-008: Command Launched from WinLogon - MITREⁿⁱ, Reference - CAR-2014-12-001: Remotely Launched Executables via WMI - MITREⁿⁱ, Reference - CAR-2015-04-001: Remotely Scheduled Tasks via AT - MITREⁿⁱ, Reference - CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks - MITREⁿⁱ, Reference - CAR-2015-07-001: All Logins Since Last Boot - MITREⁿⁱ, Reference - CAR-2016-03-001: Host Discovery Commands - MITREⁿⁱ, Reference - CAR-2016-03-002: Create Remote Process via WMIC - MITREⁿⁱ, Reference - CAR-2016-04-002: User Activity from Clearing Event Logs - MITREⁿⁱ, Reference - CAR-2016-04-003: User Activity from Stopping Windows Defensive Services - MITREⁿⁱ, Reference - CAR-2016-04-004: Successful Local Account Loginⁿⁱ, Reference - CAR-2016-04-005: Remote Desktop Logon - MITREⁿⁱ, Reference - CAR-2019-04-001: UAC Bypass - MITREⁿⁱ, Reference - CAR-2019-04-002: Generic Regsvr32 - MITREⁿⁱ, Reference - CAR-2019-04-003: Squiblydoo - MITREⁿⁱ, Reference - CAR-2019-04-004: Credential Dumping via Mimikatz - MITREⁿⁱ, Reference - CAR-2019-07-001: Access Permission Modification - MITREⁿⁱ, Reference - CAR-2019-07-002: Lsass Process Dump via Procdump - MITREⁿⁱ, Reference - CAR-2019-08-001: Credential Dumping via Windows Task Manager - MITREⁿⁱ, Reference - CAR-2019-08-002: Active Directory Dumping via NTDSUtil - MITREⁿⁱ, Reference - CAR-2020-04-001: Shadow Copy Deletion - MITREⁿⁱ, Reference - CAR-2020-05-001: MiniDump of LSASS - MITREⁿⁱ, Reference - CAR-2020-05-003: Rare LolBAS Command Lines - MITREⁿⁱ, Reference - CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities - MITREⁿⁱ, Reference - CAR-2020-09-001: Scheduled Task - FileAccess - MITREⁿⁱ, Reference - CAR-2020-09-002: Component Object Model Hijacking - MITREⁿⁱ, Reference - CAR-2020-09-003: Indicator Blocking - Driver Unloaded - MITREⁿⁱ, Reference - CAR-2020-09-004: Credentials in Files & Registry - MITREⁿⁱ, Reference - CAR-2020-09-005: AppInit DLLs - MITREⁿⁱ, Reference - CAR-2020-11-001: Boot or Logon Initialization Scripts - MITREⁿⁱ, Reference - CAR-2020-11-002: Local Network Sniffing - MITREⁿⁱ, Reference - CAR-2020-11-003: DLL Injection with Mavinject - MITREⁿⁱ, Reference - CAR-2020-11-004: Processes Started From Irregular Parent - MITREⁿⁱ, Reference - CAR-2020-11-005: Clear Powershell Console Command History - MITREⁿⁱ, Reference - CAR-2020-11-006: Local Permission Group Discovery - MITREⁿⁱ, Reference - CAR-2020-11-007: Network Share Connection Removal - MITREⁿⁱ, Reference - CAR-2020-11-008: MSBuild and msxsl - MITREⁿⁱ, Reference - CAR-2020-11-009: Compiled HTML Access - MITREⁿⁱ, Reference - CAR-2020-11-010: CMSTP - MITREⁿⁱ, Reference - CAR-2020-11-011: Registry Edit from Screensaverⁿⁱ, Reference - CAR-2021-01-002: Unusually Long Command Line Strings - MITREⁿⁱ, Reference - CAR-2021-01-003: Clearing Windows Logs with Wevtutil - MITREⁿⁱ, Reference - CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe - MITREⁿⁱ, Reference - CAR-2021-01-006: Unusual Child Process spawned using DDE exploit - MITREⁿⁱ, Reference - CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt - MITREⁿⁱ, Reference - CAR-2021-01-008: Disable UAC - MITREⁿⁱ, Reference - CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe - MITREⁿⁱ, Reference - CAR-2021-02-001: Webshell-Indicative Process Tree - MITREⁿⁱ, Reference - CAR-2021-02-002: Get System Elevation - MITREⁿⁱ, Reference - CAR-2021-04-001: Common Windows Process Masquerading - MITREⁿⁱ, Reference - CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store - MITREⁿⁱ, Reference - CAR-2021-05-002: Batch File Write to System32 - MITREⁿⁱ, Reference - CAR-2021-05-003: BCDEdit Failure Recovery Modification - MITREⁿⁱ, Reference - CAR-2021-05-004: BITS Job Persistence - MITREⁿⁱ, Reference - CAR-2021-05-005: BITSAdmin Download File - MITREⁿⁱ, Reference - CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments - MITREⁿⁱ, Reference - CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments - MITREⁿⁱ, Reference - CAR-2021-05-008: Certutil exe certificate extraction - MITREⁿⁱ, Reference - CAR-2021-05-009: CertUtil With Decode Argument - MITREⁿⁱ, Reference - CAR-2021-05-010: Create local admin accounts using net exe - MITREⁿⁱ, Reference - CAR-2021-05-011: Create Remote Thread into LSASS - MITREⁿⁱ

External Proxy^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1090.002

has super-classes: Proxy^c; produces^op some Outbound Internet Network Traffic^c
is also defined as: named individual

External Remote Services^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1133

has super-classes: Initial Access Technique^c; Persistence Technique^c; produces^op some Authentication^c; produces^op some Authorization^c; produces^op some Network Session^c
is also defined as: named individual

Extra Window Memory Injection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.011

has super-classes: Process Injection^c

Fallback Channels^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1008

has super-classes: Command and Control Technique^c; produces^op some Outbound Internet Network Traffic^c
is also defined as: named individual

Fast Flux DNS^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1568.001

has super-classes: Dynamic Resolution^c

Fast Symbolic Link^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FastSymbolicLink

is defined by: http://dbpedia.org/resource/Symbolic_link#Storage_of_symbolic_links

Fast symbolic links, allow storage of the target path within the data structures used for storing file information on disk (e.g., within the inodes). This space normally stores a list of disk block addresses allocated to a file. Thus, symlinks with short target paths are accessed quickly. Systems with fast symlinks often fall back to using the original method if the target path exceeds the available inode space.

has super-classes: Symbolic Link^c; Unix Link^c
is disjoint with: Slow Symbolic Link^c

Feature Assessment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FeatureAssessment

has super-classes: Assessment^c
has sub-classes: Admin Feature Assessment^c, Defensive Technique Assessment^c

File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#File

has super-classes: Resource^c; contains^op some File Section^c; may-contain^op some File^c; may-contain^op some URL^c
has sub-classes: Archive File^c, Certificate File^c, Configuration File^c, Container Image^c, Document File^c, Executable File^c, Log File^c, NTFS Link^c, Object File^c, Operating System File^c, Password File^c, Shortcut File^c, Symbolic Link^c
is also defined as: named individual

File Access Pattern Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileAccessPatternAnalysis

has super-classes: Process Analysis^c; analyzes^op some Local Resource Access^c; analyzes^op some Read File^c
is also defined as: named individual

File Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileAnalysis

has super-classes: Defensive Technique^c; analyzes^op some File^c; enables^op some Detect^c
has sub-classes: Dynamic Analysis^c, Emulated File Analysis^c, File Content Rules^c, File Hashing^c
has members: Dynamic Analysisⁿⁱ, Emulated File Analysisⁿⁱ, File Content Rulesⁿⁱ, File Hashingⁿⁱ
is also defined as: named individual

File and Directory Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1083

has super-classes: Discovery Technique^c

File and Directory Permissions Modification^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1222

has super-classes: Defense Evasion Technique^c; modifies^op some Access Control Configuration^c
has sub-classes: Linux and Mac File and Directory Permissions Modification^c, Windows File and Directory Permissions Modification^c
is also defined as: named individual

File Carving^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileCarving

has super-classes: Network Traffic Analysis^c; analyzes^op some File Transfer Network Traffic^c
is also defined as: named individual

File Content Rules^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileContentRules

has super-classes: File Analysis^c
is also defined as: named individual

File Creation Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileCreationAnalysis

has super-classes: System Call Analysis^c; analyzes^op some Create File^c
is also defined as: named individual

File Deletion^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1070.004

has super-classes: Indicator Removal on Host^c; deletes^op some File^c; may-modify^op some File^c
is also defined as: named individual

File Encryption^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileEncryption

has super-classes: Platform Hardening^c; encrypts^op some File^c
is also defined as: named individual

File Hashing^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileHashing

has super-classes: File Analysis^c
is also defined as: named individual

File Section^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileSection

has super-classes: Digital Artifact^c
has sub-classes: Image Segment^c, Resource Fork^c
is also defined as: named individual

File Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileServer

is defined by: http://dbpedia.org/resource/File_server

The term server highlights the role of the machine in the traditional client-server scheme, where the clients are the workstations using the storage. A file server does not normally perform computational tasks or run programs on behalf of its client workstations. File servers are commonly found in schools and offices, where users use a local area network to connect their client computers.

has super-classes: Server^c

File Share Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileShareService

A file sharing service (or file share service) provides the ability to share data across a network.

has super-classes: Network Service^c

File System^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileSystem

has super-classes: Digital Artifact^c; contains^op some Directory^c; contains^op some File^c; contains^op some File System Link^c; contains^op some File System Metadata^c
is also defined as: named individual

File System Link^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileSystemLink

has super-classes: Digital Artifact^c
has sub-classes: Hard Link^c, NTFS Link^c, Symbolic Link^c, Unix Link^c
is also defined as: named individual

File System Metadata^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileSystemMetadata

has super-classes: Metadata^c
is also defined as: named individual

File System Sensor^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileSystemSensor

has super-classes: Endpoint Sensor^c; monitors^op some File^c

File Transfer Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileTransferNetworkTraffic

has super-classes: Network Traffic^c
has sub-classes: Internet File Transfer Traffic^c, Intranet File Transfer Traffic^c, Outbound Internet File Transfer Traffic^c
is also defined as: named individual

File Transfer Protocols^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1071.002

has super-classes: Application Layer Protocol^c; produces^op some Outbound Internet File Transfer Traffic^c
is also defined as: named individual

Finger Print Scanner Input Device^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FingerPrintScannerInputDevice

is defined by: http://dbpedia.org/resource/Fingerprint#Fingerprint_sensors

A fingerprint sensor is an electronic device used to capture a digital image of the fingerprint pattern. The captured image is called a live scan. This live scan is digitally processed to create a biometric template (a collection of extracted features) which is stored and used for matching. Many technologies have been used including optical, capacitive, RF, thermal, piezoresistive, ultrasonic, piezoelectric, and MEMS.

has super-classes: Image Scanner Input Device^c

Firewall^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Firewall

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and untrusted external network, such as the Internet. Firewalls are often categorized as either network firewalls or host-based firewalls. Network firewalls filter traffic between two or more networks and run on network hardware. Host-based firewalls run on host computers and control network traffic in and out of those machines. This definition refers to network firewalls.

has super-classes: Network Node^c
has sub-classes: Application Layer Firewall^c

Firmware^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Firmware

has super-classes: Software^c
has sub-classes: Microcode^c, Peripheral Firmware^c, System Firmware^c
is also defined as: named individual

Firmware Behavior Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FirmwareBehaviorAnalysis

has super-classes: Platform Monitoring^c; analyzes^op some Firmware^c
is also defined as: named individual

Firmware Corruption^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1495

has super-classes: Impact Technique^c

Firmware Embedded Monitoring Code^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FirmwareEmbeddedMonitoringCode

has super-classes: Platform Monitoring^c; analyzes^op some Firmware^c
is also defined as: named individual

Firmware Sensor^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FirmwareSensor

has super-classes: Endpoint Sensor^c; monitors^op some Firmware^c

Firmware Verification^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FirmwareVerification

has super-classes: Platform Monitoring^c; verifies^op some Firmware^c
has sub-classes: Peripheral Firmware Verification^c, System Firmware Verification^c
has members: Peripheral Firmware Verificationⁿⁱ, System Firmware Verificationⁿⁱ
is also defined as: named individual

First-stage Boot Loader^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#First-stageBootLoader

The very first routine run in order to load the operating system.

has super-classes: Boot Loader^c

Forced Authentication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1187

has super-classes: Credential Access Technique^c; may-modify^op some Windows Shortcut File^c; modifies^op some Authentication Log^c; produces^op some Authentication^c
is also defined as: named individual

Forward Proxy Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ForwardProxyServer

is defined by: http://dbpedia.org/resource/Open_proxy

An forward (or open) proxy is a proxy server that is accessible by any Internet user. Generally, a proxy server only allows users within a network group (i.e. a closed proxy) to store and forward Internet services such as DNS or web pages to reduce and control the bandwidth used by the group. With an open proxy, however, any user on the Internet is able to use this forwarding service.

has super-classes: Proxy Server^c

Forward Resolution Domain Denylisting^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ForwardResolutionDomainDenylisting

has super-classes: DNS Denylisting^c; blocks^op some Outbound Internet DNS Lookup Traffic^c
has sub-classes: Hierarchical Domain Denylisting^c, Homoglyph Denylisting^c
has members: Hierarchical Domain Denylistingⁿⁱ, Homoglyph Denylistingⁿⁱ
is also defined as: named individual

Forward Resolution IP Denylisting^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ForwardResolutionIPDenylisting

has super-classes: DNS Denylisting^c; blocks^op some Inbound Internet DNS Response Traffic^c
is also defined as: named individual

Gatekeeper Bypass^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1553.001

has super-classes: Subvert Trust Controls^c; modifies^op some File System Metadata^c
is also defined as: named individual

Get System Time^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#GetSystemTime

has super-classes: System Call^c
is also defined as: named individual

Global User Account^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#GlobalUserAccount

has super-classes: Domain User Account^c
is also defined as: named individual

Golden Ticket^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1558.001

has super-classes: Steal or Forge Kerberos Tickets^c; forges^op some Kerberos Ticket Granting Ticket^c
is also defined as: named individual

Graphical User Interface^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#GraphicalUserInterface

has super-classes: User Interface^c
is also defined as: named individual

Graphics Card Firmware^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#GraphicsCardFirmware

Firmware that is installed on computer graphics card.

has super-classes: Peripheral Firmware^c

Group Policy^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#GroupPolicy

has super-classes: Access Control Configuration^c
is also defined as: named individual

Group Policy Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1615

has super-classes: Discovery Technique^c; reads^op some Group Policy^c
is also defined as: named individual

Group Policy Modification^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1484

has super-classes: Defense Evasion Technique^c; Privilege Escalation Technique^c; modifies^op some Group Policy^c
is also defined as: named individual

Group Policy Preferences^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1552.006

has super-classes: Unsecured Credentials^c; accesses^op some Group Policy^c
is also defined as: named individual

GUI Input Capture^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1056.002

has super-classes: Input Capture^c; accesses^op some Graphical User Interface^c
is also defined as: named individual

Guidance^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Guidance

has super-classes: Policy^c

Guideline Reference^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#GuidelineReference

has super-classes: Policy Reference^c
has members: Reference - Audit User Account Managementⁿⁱ, Reference - Digital Identity Guidelines 800-63-3ⁿⁱ, Reference - Platform Firmware Resiliency Guidelines - NISTⁿⁱ, Reference - Red Hat Enterprise Linux 8 Security Technical Implementation Guideⁿⁱ, Reference - Securing Web Transactionsⁿⁱ, Reference - Windows 10 STIGⁿⁱ

Hard Disk Firmware^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HardDiskFirmware

Firmware that is installed on a hard disk device.

has super-classes: Peripheral Firmware^c

Hard Link^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HardLink

is defined by: http://dbpedia.org/resource/Hard_link

In computing, a hard link is a directory entry that associates a name with a file on a file system. All directory-based file systems must have at least one hard link giving the original name for each file. The term "hard link" is usually only used in file systems that allow more than one hard link for the same file. Multiple hard links -- that is, multiple directory entries to the same file -- are supported by POSIX-compliant and partially POSIX-compliant operating systems, such as Linux, Android, macOS, and also Windows NT4 and later Windows NT operating systems.

has super-classes: File System Link^c
has sub-classes: NTFS Hard Link^c, Unix Hard Link^c

Harden^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Harden

has super-classes: Defensive Tactic^c
is also defined as: named individual

Hardware Additions^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1200

has super-classes: Initial Access Technique^c; connects^op some Hardware Device^c
is also defined as: named individual

Hardware Device^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HardwareDevice

has super-classes: Digital Artifact^c; Physical Artifact^c
has sub-classes: Input Device^c, Output Device^c, Removable Media Device^c, Security Token^c
is also defined as: named individual

Hardware Driver^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HardwareDriver

has super-classes: Digital Artifact^c; drives^op some Hardware Device^c
has sub-classes: Display Device Driver^c
is also defined as: named individual

Hardware-based Process Isolation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Hardware-basedProcessIsolation

has super-classes: Execution Isolation^c; isolates^op some Process^c
is also defined as: named individual

Heap Segment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HeapSegment

The heap segment (or free store) is a large pool of memory from which dynamic memory requests of a process are allocated and satisfied.

has super-classes: Process Segment^c

Hidden File System^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.005

has super-classes: Hide Artifacts^c; may-modify^op some System Configuration Database^c; modifies^op some Storage^c
is also defined as: named individual

Hidden Files and Directories^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.001

has super-classes: Hide Artifacts^c; modifies^op some File System Metadata^c
is also defined as: named individual

Hidden Users^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.002

has super-classes: Hide Artifacts^c; modifies^op some User Init Configuration File^c
is also defined as: named individual

Hidden Window^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.003

has super-classes: Hide Artifacts^c; may-modify^op some Property List File^c; may-modify^op some System Configuration Database^c
is also defined as: named individual

Hide Artifacts^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564

has super-classes: Defense Evasion Technique^c
has sub-classes: Email Hiding Rules^c, Hidden File System^c, Hidden Files and Directories^c, Hidden Users^c, Hidden Window^c, NTFS File Attributes^c, Resource Forking^c, Run Virtual Instance^c, VBA Stomping^c

Hierarchical Domain Denylisting^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HierarchicalDomainDenylisting

has super-classes: Forward Resolution Domain Denylisting^c
is also defined as: named individual

Hijack Execution Flow^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574

has super-classes: Defense Evasion Technique^c; Persistence Technique^c; Privilege Escalation Technique^c
has sub-classes: COR_PROFILER^c, DLL Search Order Hijacking^c, DLL Side-Loading^c, Dylib Hijacking^c, Executable Installer File Permissions Weakness^c, LD_PRELOAD^c, Path Interception by PATH Environment Variable^c, Path Interception by Search Order Hijacking^c, Path Interception by Unquoted Path^c, Services File Permissions Weakness^c, Services Registry Permissions Weakness^c

Homoglyph Denylisting^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HomoglyphDenylisting

has super-classes: Forward Resolution Domain Denylisting^c
is also defined as: named individual

Homoglyph Detection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HomoglyphDetection

has super-classes: Identifier Analysis^c; analyzes^op some Email^c; analyzes^op some URL^c
is also defined as: named individual

Host^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Host

has super-classes: Network Node^c; contains^op some Application^c; contains^op some Operating System^c; runs^op some Operating System^c
has sub-classes: Client Computer^c, Server^c
is also defined as: named individual

Host Configuration Sensor^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HostConfigurationSensor

has super-classes: Endpoint Sensor^c; monitors^op some Application Configuration^c; monitors^op some Operating System Configuration^c

Host-based Firewall^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Host-basedFirewall

has super-classes: System Software^c
is also defined as: named individual

Hostname^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Hostname

has super-classes: Identifier^c
is also defined as: named individual

HTML File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HTMLFile

A document file encoded in HTML.The HyperText Markup Language, or HTML is the standard markup language for documents designed to be displayed in a web browser. It can be assisted by technologies such as Cascading Style Sheets (CSS) and scripting languages such as JavaScript. Web browsers receive HTML documents from a web server or from local storage and render the documents into multimedia web pages. HTML describes the structure of a web page semantically and originally included cues for the appearance of the document.

has super-classes: Document File^c

HTML Smuggling^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1027.006

has super-classes: Obfuscated Files or Information^c; creates^op some JavaScript Blob^c; hides^op some Digital Artifact^c
is also defined as: named individual

Human Input Device Firmware^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HumanInputDeviceFirmware

Firmware that is installed on an HCI device such as a mouse or keyboard.

has super-classes: Peripheral Firmware^c

Identifier^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Identifier

has super-classes: Digital Artifact^c
has sub-classes: Domain Name^c, Hostname^c, IP Address^c, URL^c
is in domain of: addresses^op
is in range of: addressed-by^op
is also defined as: named individual

Identifier Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IdentifierAnalysis

has super-classes: Defensive Technique^c; enables^op some Detect^c
has sub-classes: Homoglyph Detection^c, URL Analysis^c
has members: Homoglyph Detectionⁿⁱ, URL Analysisⁿⁱ
is also defined as: named individual

IIS Components^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1505.004

has super-classes: Server Software Component^c; adds^op some Software^c
is also defined as: named individual

Image Code Segment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ImageCodeSegment

has super-classes: Image Segment^c; contains^op some Subroutine^c
has members: AMD64 Code Segmentⁿⁱ, ARM32 Code Segmentⁿⁱ, X86 Code Segmentⁿⁱ
is also defined as: named individual

Image Data Segment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ImageDataSegment

has super-classes: Image Segment^c
is also defined as: named individual

Image File Execution Options Injection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.012

has super-classes: Event Triggered Execution^c; modifies^op some System Configuration Database^c
is also defined as: named individual

Image Scanner Input Device^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ImageScannerInputDevice

is defined by: http://dbpedia.org/resource/Image_scanner

An image scanner -- often abbreviated to just scanner, is a device that optically scans images, printed text, handwriting or an object and converts it to a digital image. Commonly used in offices are variations of the desktop flatbed scanner where the document is placed on a glass window for scanning. Hand-held scanners, where the device is moved by hand, have evolved from text scanning "wands" to 3D scanners used for industrial design, reverse engineering, test and measurement, orthotics, gaming and other applications. Mechanically driven scanners that move the document are typically used for large-format documents, where a flatbed design would be impractical.

has super-classes: Video Input Device^c
has sub-classes: Barcode Scanner Input Device^c, Finger Print Scanner Input Device^c

Image Segment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ImageSegment

Image segments are distinct partitions of an object file. Both data and code segments are examples of image segments.

has super-classes: Binary Segment^c; File Section^c
has sub-classes: Image Code Segment^c, Image Data Segment^c

Impact^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Impact

has super-classes: Offensive Tactic^c
is also defined as: named individual

Impact Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ImpactTechnique

has super-classes: Offensive Technique^c; enables^op some Impact^c
has sub-classes: Account Access Removal^c, Data Destruction^c, Data Encrypted for Impact^c, Data Manipulation^c, Defacement^c, Disk Wipe^c, Endpoint Denial of Service^c, Firmware Corruption^c, Inhibit System Recovery^c, Network Denial of Service^c, Resource Hijacking^c, Service Stop^c, System Shutdown/Reboot^c
is also defined as: named individual

Impair Command History Logging^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1562.003

has super-classes: Impair Defenses^c; may-modify^op some User Init Script^c; may-modify^op some Windows Registry Key^c; modifies^op some Process Environment Variable^c
is also defined as: named individual

Impair Defenses^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1562

has super-classes: Defense Evasion Technique^c
has sub-classes: Disable Windows Event Logging^c, Disable or Modify System Firewall^c, Disable or Modify Tools^c, Downgrade Attack^c, Impair Command History Logging^c, Indicator Blocking^c, Safe Mode Boot^c

Impersonate User^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ImpersonateUser

has super-classes: System Call^c
has members: Impersonate Userⁿⁱ
is also defined as: named individual

Implant Container Image^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1525

has super-classes: Persistence Technique^c; adds^op some Container Image^c
is also defined as: named individual

In-memory Password Store^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#In-memoryPasswordStore

has super-classes: Password Store^c
is also defined as: named individual

Inbound Internet DNS Response Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InboundInternetDNSResponseTraffic

has super-classes: Inbound Internet Network Traffic^c
is also defined as: named individual

Inbound Internet Mail Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InboundInternetMailTraffic

has super-classes: Inbound Internet Network Traffic^c; Inbound Network Traffic^c; Mail Network Traffic^c
is also defined as: named individual

Inbound Internet Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InboundInternetNetworkTraffic

has super-classes: Inbound Network Traffic^c; Internet Network Traffic^c; produces^op some Network Traffic^c
has sub-classes: Inbound Internet DNS Response Traffic^c, Inbound Internet Mail Traffic^c
is also defined as: named individual

Inbound Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InboundNetworkTraffic

has super-classes: Network Traffic^c
has sub-classes: Inbound Internet Mail Traffic^c, Inbound Internet Network Traffic^c
is also defined as: named individual

Inbound Session Volume Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InboundSessionVolumeAnalysis

has super-classes: Network Traffic Analysis^c; analyzes^op some Inbound Internet Network Traffic^c
is also defined as: named individual

Inbound Traffic Filtering^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InboundTrafficFiltering

has super-classes: Network Traffic Filtering^c; filters^op some Inbound Network Traffic^c
is also defined as: named individual

Indicator Blocking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1562.006

has super-classes: Impair Defenses^c

Indicator Removal from Tools^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1027.005

has super-classes: Obfuscated Files or Information^c

Indicator Removal on Host^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1070

has super-classes: Defense Evasion Technique^c
has sub-classes: Clear Command History^c, Clear Linux or Mac System Logs^c, Clear Windows Event Logs^c, File Deletion^c, Network Share Connection Removal^c, Timestomp^c

Indirect Branch Call Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IndirectBranchCallAnalysis

has super-classes: Process Analysis^c
is also defined as: named individual

Indirect Command Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1202

has super-classes: Defense Evasion Technique^c

Information Content Entity^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InformationContentEntity

is defined by: https://d3fend.mitre.org/ontologies/d3fend.owl

has super-classes: D3FEND Catalog Thing^c; archived-at^dp some any u r i
has sub-classes: Document^c, External Knowledge Base^c, License^c, Source Code^c
is in range of: cites^op

Ingress Tool Transfer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1105

has super-classes: Command and Control Technique^c; produces^op some Outbound Internet Network Traffic^c
is also defined as: named individual

Inhibit System Recovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1490

has super-classes: Impact Technique^c

Init Script^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InitScript

An init script (or initialization script) is an executable script that initializes the an application, a process, or a service's state. Examples include scripts run at boot by Unix or Windows, or those run to initialize a shell.

has super-classes: Executable Script^c
has sub-classes: Network Init Script File Resource^c, User Init Script^c

Initial Access^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InitialAccess

has super-classes: Offensive Tactic^c
is also defined as: named individual

Initial Access Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InitialAccessTechnique

has super-classes: Offensive Technique^c; enables^op some Initial Access^c
has sub-classes: Drive-by Compromise^c, Exploit Public-Facing Application^c, External Remote Services^c, Hardware Additions^c, Phishing^c, Replication Through Removable Media^c, Supply Chain Compromise^c, Trusted Relationship^c, Valid Accounts^c
is also defined as: named individual

Input Capture^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1056

has super-classes: Collection Technique^c; Credential Access Technique^c
has sub-classes: Credential API Hooking^c, GUI Input Capture^c, Keylogging^c, Web Portal Capture^c

Input Device^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InputDevice

has super-classes: Hardware Device^c; Local Resource^c
has sub-classes: Audio Input Device^c, Keyboard Input Device^c, Mouse Input Device^c, Video Input Device^c
is also defined as: named individual

Input Device Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InputDeviceAnalysis

has super-classes: Operating System Monitoring^c; analyzes^op some Input Device^c
is also defined as: named individual

Install Root Certificate^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1553.004

has super-classes: Subvert Trust Controls^c; modifies^op some Certificate Trust Store^c
is also defined as: named individual

InstallUtil Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.004

has super-classes: Signed Binary Proxy Execution^c

Instant Messaging Client^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InstantMessagingClient

is defined by: https://dbpedia.org/wiki/Instant_messaging

Client software used to engage in Instant Messaging, a type of online chat that offers real-time text transmission over the Internet. A LAN messenger operates in a similar way over a local area network. Short messages are typically transmitted between two parties, when each user chooses to complete a thought and select "send". Some IM applications can use push technology to provide real-time text, which transmits messages character by character, as they are composed. More advanced instant messaging can add file transfer, clickable hyperlinks, Voice over IP, or video chat.

has super-classes: Collaborative Software^c

Integrated Honeynet^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntegratedHoneynet

has super-classes: Decoy Environment^c; spoofs^op some Intranet Network^c
is also defined as: named individual

Integration Test Execution Tool^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntegrationTestExecutionTool

An integration test execution tool automatically performs integration testing. Integration testing (sometimes called integration and testing, abbreviated I&T) is the phase in software testing in which individual software modules are combined and tested as a group.

has super-classes: Test Execution Tool^c

Inter-Process Communication Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1559

has super-classes: Execution Technique^c; injects^op some Interprocess Communication^c
has sub-classes: Component Object Model Execution^c, Dynamic Data Exchange Execution^c
is also defined as: named individual

Internal Defacement^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1491.001

has super-classes: Defacement^c; modifies^op some Resource^c
is also defined as: named individual

Internal Proxy^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1090.001

has super-classes: Proxy^c; produces^op some Intranet Network Traffic^c
is also defined as: named individual

Internal Spearphishing^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1534

has super-classes: Lateral Movement Technique^c; produces^op some Email^c
is also defined as: named individual

Internet Article^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InternetArticle

has super-classes: News Article^c
is also defined as: named individual

Internet Article Reference^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InternetArticleReference

has super-classes: Technique Reference^c
has members: Reference - Configure User Access Control and Permissionsⁿⁱ, Reference - Decoy Personas for Safeguarding Online Identity Using Deception -ⁿⁱ, Reference - Detection of Malicious IDNHomoglyph Domainsⁿⁱ, Reference - FWTK - Firewall Toolkit -ⁿⁱ, Reference - How ASLR protects Linux systems from buffer overflow attacks - Network Worldⁿⁱ, Reference - How to change registry values or permissions from a command line or a scriptⁿⁱ, Reference - How trust relationships work for resource forests in Azure Active Directory Domain Servicesⁿⁱ, Reference - Overview of the seccomp sandboxⁿⁱ, Reference - Pointer Authentication Project Zeroⁿⁱ, Reference - Security Technologies: Stack Smashing Protection (StackGuard) - Red Hatⁿⁱ, Reference - What is NX/XD feature?ⁿⁱ, Reference - http://www.biometric-solutions.com/keystroke-dynamics.html - biometric-solutions.comⁿⁱ

Internet DNS Lookup^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InternetDNSLookup

An internet Domain Name System (DNS) lookup is a DNS lookup made from a host on a network that is resolved after querying a DNS name server hosted on a different network.

has super-classes: DNS Lookup^c

Internet File Transfer Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InternetFileTransferTraffic

Internet file transfer network traffic is network traffic related to file transfers between network nodes that crosses a boundary between networks. This includes only network traffic conforming to standard file transfer protocols, not custom transfer protocols.

has super-classes: File Transfer Network Traffic^c; Internet Network Traffic^c

Internet Network^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InternetNetwork

is defined by: http://dbpedia.org/resource/Internetworking

A network of multiple, connected networks. Internetworking is the practice of connecting a computer network with other networks through the use of gateways that provide a common method of routing information packets between the networks. The resulting system of interconnected networks are called an internetwork, or simply an internet. Internetworking is a combination of the words inter ("between") and networking; not internet-working or international-network.

has super-classes: Network^c

Internet Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InternetNetworkTraffic

has super-classes: Network Traffic^c
has sub-classes: Inbound Internet Network Traffic^c, Internet File Transfer Traffic^c, Outbound Internet Network Traffic^c
is also defined as: named individual

Interprocess Communication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InterprocessCommunication

has super-classes: Digital Artifact^c
has sub-classes: Pipe^c
is also defined as: named individual

Intranet Administrative Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntranetAdministrativeNetworkTraffic

has super-classes: Administrative Network Traffic^c; Intranet Network Traffic^c
is also defined as: named individual

Intranet DNS Lookup^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntranetDNSLookup

An Intranet Domain Name System (DNS) lookup is a DNS lookup made from a host on a network that is resolved after querying a DNS name server hosted on a that same network.

has super-classes: DNS Lookup^c

Intranet File Transfer Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntranetFileTransferTraffic

has super-classes: File Transfer Network Traffic^c; Intranet Network Traffic^c
is also defined as: named individual

Intranet IPC Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntranetIPCNetworkTraffic

has super-classes: IPC Network Traffic^c; Intranet Network Traffic^c; may-contain^op some File^c
is also defined as: named individual

Intranet Multicast Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntranetMulticastNetworkTraffic

has super-classes: Intranet Network Traffic^c
is also defined as: named individual

Intranet Network^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntranetNetwork

has super-classes: Network^c
is also defined as: named individual

Intranet Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntranetNetworkTraffic

has super-classes: Network Traffic^c
has sub-classes: Intranet Administrative Network Traffic^c, Intranet File Transfer Traffic^c, Intranet IPC Network Traffic^c, Intranet Multicast Network Traffic^c, Intranet RPC Network Traffic^c, Intranet Web Network Traffic^c, Local Area Network Traffic^c
is also defined as: named individual

Intranet RPC Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntranetRPCNetworkTraffic

Intranet RPC network traffic is network traffic that does not cross a given network's boundaries and uses a standard remote procedure call (e.g., RFC 1050) protocol.

has super-classes: Intranet Network Traffic^c; RPC Network Traffic^c

Intranet Web Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntranetWebNetworkTraffic

has super-classes: Intranet Network Traffic^c; Web Network Traffic^c; may-contain^op some File^c
is also defined as: named individual

Intrusion Detection System^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntrusionDetectionSystem

is defined by: http://dbpedia.org/resource/Intrusion_detection_system

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

has super-classes: Network Node^c
has sub-classes: Intrusion Prevention System^c

Intrusion Prevention System^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntrusionPreventionSystem

is defined by: http://dbpedia.org/resource/Intrusion_detection_system#Intrusion_prevention

Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, report it and attempt to block or stop it. Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent or block intrusions that are detected. IPS can take such actions as sending an alarm, dropping detected malicious packets, resetting a connection or blocking traffic from the offending IP address. An IPS also can correct cyclic redundancy check (CRC) errors, defragment packet streams, mitigate TCP sequencing issues, and clean up unwanted transport and network layer options.

has super-classes: Intrusion Detection System^c

Invalid Code Signature^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1036.001

has super-classes: Masquerading^c; creates^op some Executable Binary^c
is also defined as: named individual

IO Port Restriction^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IOPortRestriction

has super-classes: Execution Isolation^c; filters^op some Hardware Device^c; filters^op some Input Device^c; filters^op some Removable Media Device^c
is also defined as: named individual

IP Address^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IPAddress

is defined by: http://dbpedia.org/resource/IP_address

An Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.An IP address serves two main functions: host or network interface identification and location addressing. Internet Protocol version 4 (IPv4) defines an IP address as a 32-bit number. However, because of the growth of the Internet and the depletion of available IPv4 addresses, a new version of IP (IPv6), using 128 bits for the IP address, was standardized in 1998. IPv6 deployment has been ongoing since the mid-2000s.

has super-classes: Identifier^c

IP Phone^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IPPhone

is defined by: http://dbpedia.org/resource/VoIP_phone

A VoIP phone or IP phone uses voice over IP technologies for placing and transmitting telephone calls over an IP network, such as the Internet, instead of the traditional public switched telephone network (PSTN). Digital IP-based telephone service uses control protocols such as the Session Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP) or various other proprietary protocols.

has super-classes: Personal Computer^c

IPC Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IPCNetworkTraffic

IPC network traffic is network traffic related to inter-process communication (IPC) between network nodes..This includes only network traffic conforming to a standard IPC protocol; not custom protocols.

has super-classes: Network Traffic^c
has sub-classes: Intranet IPC Network Traffic^c

IPC Traffic Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IPCTrafficAnalysis

has super-classes: Network Traffic Analysis^c; analyzes^op some Intranet IPC Network Traffic^c
is also defined as: named individual

Isolate^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Isolate

has super-classes: Defensive Tactic^c
is also defined as: named individual

JavaScript Blob^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#JavaScriptBlob

has super-classes: Binary Large Object^c
is also defined as: named individual

JavaScript/JScript^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1059.007

has super-classes: Command and Scripting Interpreter Execution^c

Job Function Access Pattern Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#JobFunctionAccessPatternAnalysis

has super-classes: User Behavior Analysis^c; analyzes^op some Authorization^c
is also defined as: named individual

Journal Article^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#JournalArticle

has super-classes: Academic Article^c

Junk Data^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1001.001

has super-classes: Data Obfuscation^c

Kerberoasting^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1558.003

has super-classes: Steal or Forge Kerberos Tickets^c; may-produce^op some RPC Network Traffic^c
is also defined as: named individual

Kerberos TIcket^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#KerberosTicket

has super-classes: Access Token^c
has sub-classes: Kerberos Ticket Granting Service Ticket^c, Kerberos Ticket Granting Ticket^c
is also defined as: named individual

Kerberos Ticket Granting Service Ticket^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#KerberosTicketGrantingServiceTicket

A Kerberos ticket-granting service (TGS) ticket is given in response to requesting a Kerberos TGS request.

has super-classes: Kerberos TIcket^c

Kerberos Ticket Granting Ticket^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#KerberosTicketGrantingTicket

has super-classes: Kerberos TIcket^c; Ticket Granting Ticket^c
is also defined as: named individual

Kernel^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Kernel

has super-classes: System Software^c; contains^op some Kernel Process Table^c; loads^op some Application^c; manages^op some Operating System Process^c; manages^op some User Process^c; may-contain^op some Hardware Driver^c; may-contain^op some Kernel Module^c
is also defined as: named individual

Kernel API Sensor^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#KernelAPISensor

has super-classes: Endpoint Sensor^c; monitors^op some System Call^c

Kernel Module^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#KernelModule

has super-classes: Object File^c
is also defined as: named individual

Kernel Modules and Extensions^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.006

has super-classes: Boot or Logon Autostart Execution^c; modifies^op some Kernel Module^c
is also defined as: named individual

Kernel Process Table^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#KernelProcessTable

has super-classes: Digital Artifact^c
is also defined as: named individual

Kernel-based Process Isolation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Kernel-basedProcessIsolation

has super-classes: Execution Isolation^c
has sub-classes: Mandatory Access Control^c, System Call Filtering^c
has members: Mandatory Access Controlⁿⁱ, System Call Filteringⁿⁱ
is also defined as: named individual

Keyboard Input Device^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#KeyboardInputDevice

has super-classes: Input Device^c
is also defined as: named individual

Keychain^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1555.001

has super-classes: Credentials from Password Stores^c; accesses^op some MacOS Keychain^c
is also defined as: named individual

Keylogging^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1056.001

has super-classes: Input Capture^c; accesses^op some Keyboard Input Device^c
is also defined as: named individual

Kiosk Computer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#KioskComputer

is defined by: http://dbpedia.org/resource/Interactive_kiosk

An interactive kiosk is a computer terminal featuring specialized hardware and software that provides access to information and applications for communication, commerce, entertainment, or education. Early interactive kiosks sometimes resembled telephone booths, but have been embraced by retail, food service and hospitality to improve customer service and streamline operations. Interactive kiosks are typically placed in high foot traffic settings such as shops, hotel lobbies or airports.

has super-classes: Shared Computer^c

Laptop Computer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LaptopComputer

is defined by: http://dbpedia.org/resource/Laptop

A laptop computer (also laptop), is a small, portable personal computer (PC) with a "clamshell" form factor, typically having a thin LCD or LED computer screen mounted on the inside of the upper lid of the clamshell and an alphanumeric keyboard on the inside of the lower lid. The clamshell is opened up to use the computer. Laptops are folded shut for transportation, and thus are suitable for mobile use. Its name comes from lap, as it was deemed to be placed on a person's lap when being used. Although originally there was a distinction between laptops and notebooks (the former being bigger and heavier than the latter), as of 2014, there is often no longer any difference. Today, laptops are commonly used in a variety of settings, such as at work, in education, for playing games, web browsing

has super-classes: Personal Computer^c

Latency^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Latency

has super-classes: D3FEND Thing^c
has sub-classes: Analytic Latency^c, Eviction Latency^c

Lateral Movement^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LateralMovement

has super-classes: Offensive Tactic^c
is also defined as: named individual

Lateral Movement Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LateralMovementTechnique

has super-classes: Offensive Technique^c; enables^op some Lateral Movement^c
has sub-classes: Exploitation of Remote Services^c, Internal Spearphishing^c, Lateral Tool Transfer^c, Remote Service Session Hijacking^c, Remote Services^c, Replication Through Removable Media^c, Software Deployment Tools Execution^c, Taint Shared Content^c, Use Alternate Authentication Material^c
is also defined as: named individual

Lateral Tool Transfer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1570

has super-classes: Lateral Movement Technique^c; produces^op some Intranet File Transfer Traffic^c
is also defined as: named individual

Launch Agent^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1543.001

has super-classes: Create or Modify System Process^c; creates^op some Property List File^c
is also defined as: named individual

Launch Daemon^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1543.004

has super-classes: Create or Modify System Process^c; modifies^op some Property List File^c
is also defined as: named individual

Launchctl^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1569.001

has super-classes: System Services^c

Launchd^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1053.004

has super-classes: Scheduled Task/Job Execution^c; creates^op some Property List File^c
is also defined as: named individual

LC_LOAD_DYLIB Addition^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.006

has super-classes: Event Triggered Execution^c; modifies^op some Executable Binary^c
is also defined as: named individual

LD_PRELOAD^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.006

has super-classes: Hijack Execution Flow^c; modifies^op some Operating System Configuration File^c
is also defined as: named individual

Legacy System^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LegacySystem

has super-classes: Digital System^c
is also defined as: named individual

License^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#License

has super-classes: Information Content Entity^c
has sub-classes: Open Source License^c, Proprietary License^c

Linux and Mac File and Directory Permissions Modification^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1222.002

has super-classes: File and Directory Permissions Modification^c

LLMNR/NBT-NS Poisoning and SMB Relay^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1557.001

has super-classes: Man-in-the-Middle^c; produces^op some Intranet Multicast Network Traffic^c
is also defined as: named individual

Local Account^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1087.001

has super-classes: Create Account^c; creates^op some Local User Account^c
is also defined as: named individual

Local Account Monitoring^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LocalAccountMonitoring

has super-classes: User Behavior Analysis^c; analyzes^op some Local User Account^c
is also defined as: named individual

Local Accounts^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1078.003

has super-classes: Valid Accounts^c; uses^op some Local User Account^c
is also defined as: named individual

Local Area Network^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LocalAreaNetwork

has super-classes: Network^c; may-contain^op some Host^c
is also defined as: named individual

Local Area Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LocalAreaNetworkTraffic

has super-classes: Intranet Network Traffic^c
is also defined as: named individual

Local Authentication Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LocalAuthenticationService

A local authentication service running on a host can authenticate a user logged into just that local host computer.

has super-classes: Authentication Service^c; System Service Software^c

Local Authorization Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LocalAuthorizationService

A local authorization service running on a host can authorize a user logged into just that local host computer.

has super-classes: Authorization Service^c; System Service Software^c

Local Data Staging^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1074.001

has super-classes: Data Staged^c; modifies^op some Local Resource^c
is also defined as: named individual

Local Email Collection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1114.001

has super-classes: Email Collection^c; reads^op some Email^c
is also defined as: named individual

Local File Permissions^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LocalFilePermissions

has super-classes: Platform Hardening^c; restricts^op some Directory^c; restricts^op some File^c
is also defined as: named individual

Local Resource^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LocalResource

has super-classes: Resource^c
has sub-classes: Input Device^c, Startup Directory^c, System Configuration Init Resource^c, User Logon Init Resource^c
is also defined as: named individual

Local Resource Access^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LocalResourceAccess

has super-classes: Resource Access^c; accesses^op some Local Resource^c
is also defined as: named individual

Local User Account^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LocalUserAccount

has super-classes: User Account^c
is also defined as: named individual

Log^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Log

has super-classes: Digital Artifact^c
has sub-classes: Authentication Log^c, Authorization Log^c, Event Log^c, Packet Log^c
is also defined as: named individual

Log File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LogFile

has super-classes: File^c; contains^op some Log^c
has sub-classes: Command History Log File^c, Operating System Log File^c
is also defined as: named individual

Login Items^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.015

has super-classes: Boot or Logon Autostart Execution^c; modifies^op some User Logon Init Resource^c
is also defined as: named individual

Login Session^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LoginSession

has super-classes: Session^c
has sub-classes: Remote Session^c
is also defined as: named individual

Logon Script (Mac)^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1037.002

has super-classes: Boot or Logon Initialization Scripts^c; modifies^op some User Init Script^c
is also defined as: named individual

Logon Script (Windows)^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1037.001

has super-classes: Boot or Logon Initialization Scripts^c; modifies^op some User Init Script^c
is also defined as: named individual

Logon User^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LogonUser

has super-classes: System Call^c

LSA Secrets^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003.004

has super-classes: OS Credential Dumping^c; may-access^op some Process^c; may-access^op some System Password Database^c
is also defined as: named individual

LSASS Driver^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.008

has super-classes: Boot or Logon Autostart Execution^c; may-create^op some Shared Library File^c; modifies^op some System Service Software^c
is also defined as: named individual

LSASS Memory^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003.001

has super-classes: OS Credential Dumping^c; accesses^op some Authentication Service^c; accesses^op some Process^c
is also defined as: named individual

MacOS Keychain^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MacOSKeychain

has super-classes: Password Store^c
is also defined as: named individual

Mail Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MailNetworkTraffic

has super-classes: Network Traffic^c; contains^op some Email^c
has sub-classes: Inbound Internet Mail Traffic^c
is also defined as: named individual

Mail Protocols^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1071.003

has super-classes: Application Layer Protocol^c; produces^op some Outbound Internet Mail Traffic^c
is also defined as: named individual

Mail Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MailServer

has super-classes: Server^c
is also defined as: named individual

Mail Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MailService

A mail service provides the ability to send and receive mail across a computer network. The mail service runs on message transfer agents (i.e., mail servers) and is accessed by users through an email client.

has super-classes: Network Service^c

Make and Impersonate Token^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1134.003

has super-classes: Access Token Manipulation^c; copies^op some Access Token^c; creates^op some Login Session^c; may-modify^op some Event Log^c
is also defined as: named individual

Malicious File Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1204.002

has super-classes: User Execution^c; executes^op some Executable File^c
is also defined as: named individual

Malicious Link Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1204.001

has super-classes: User Execution^c; accesses^op some URL^c; produces^op some Outbound Internet Web Traffic^c
is also defined as: named individual

Man in the Browser^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1185

has super-classes: Collection Technique^c; produces^op some Web Network Traffic^c
is also defined as: named individual

Man-in-the-Middle^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1557

has super-classes: Collection Technique^c; Credential Access Technique^c; produces^op some Network Traffic^c
has sub-classes: LLMNR/NBT-NS Poisoning and SMB Relay^c
is also defined as: named individual

Mandatory Access Control^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MandatoryAccessControl

has super-classes: Kernel-based Process Isolation^c; isolates^op some Process^c
is also defined as: named individual

Masquerade Task or Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1036.004

has super-classes: Masquerading^c; modifies^op some Task Schedule^c
is also defined as: named individual

Masquerading^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1036

has super-classes: Defense Evasion Technique^c
has sub-classes: Double File Extension^c, Invalid Code Signature^c, Masquerade Task or Service^c, Match Legitimate Name or Location^c, Rename System Utilities^c, Right-to-Left Override^c, Space after Filename^c

Match Legitimate Name or Location^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1036.005

has super-classes: Masquerading^c; invokes^op some Move File^c; may-create^op some File^c
is also defined as: named individual

Mavinject^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.013

has super-classes: Signed Binary Proxy Execution^c; invokes^op some Create Thread^c; modifies^op some Process Segment^c
is also defined as: named individual

Media Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MediaServer

is defined by: http://dbpedia.org/resource/Media_server

A media server is a computer appliance or an application software that stores digital media (video, audio or images) and makes it available over a network. Media servers range from servers that provide video on demand to smaller personal computers or NAS (Network Attached Storage) for the home.

has super-classes: Server^c

Memory Boundary Tracking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MemoryBoundaryTracking

has super-classes: Operating System Monitoring^c; analyzes^op some Process Code Segment^c
is also defined as: named individual

Message Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MessageAnalysis

has super-classes: Defensive Technique^c; enables^op some Detect^c
has sub-classes: Sender MTA Reputation Analysis^c, Sender Reputation Analysis^c
has members: Sender MTA Reputation Analysisⁿⁱ, Sender Reputation Analysisⁿⁱ
is also defined as: named individual

Message Authentication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MessageAuthentication

has super-classes: Message Hardening^c; authenticates^op some User to User Message^c
is also defined as: named individual

Message Encryption^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MessageEncryption

has super-classes: Message Hardening^c; encrypts^op some User to User Message^c
is also defined as: named individual

Message Hardening^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MessageHardening

has super-classes: Defensive Technique^c; enables^op some Harden^c
has sub-classes: Message Authentication^c, Message Encryption^c, Transfer Agent Authentication^c
has members: Message Authenticationⁿⁱ, Message Encryptionⁿⁱ, Transfer Agent Authenticationⁿⁱ
is also defined as: named individual

Message Transfer Agent^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MessageTransferAgent

has super-classes: Service Application^c
is also defined as: named individual

Metadata^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Metadata

is defined by: http://dbpedia.org/resource/Metadata

Metadata is "data [information] that provides information about other data". Three distinct types of metadata exist: structural metadata, descriptive metadata, and administrative metadata. Structural metadata is data about the containers of data. For instance a "book" contains data, and data about the book is metadata about that container of data. Descriptive metadata uses individual instances of application data or the data content.

has super-classes: Digital Artifact^c
has sub-classes: File System Metadata^c

Microcode^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Microcode

is defined by: http://dbpedia.org/resource/Microcode

Microcode is a computer hardware technique that interposes a layer of organization between the CPU hardware and the programmer-visible instruction set architecture of the computer. As such, the microcode is a layer of hardware-level instructions that implement higher-level machine code instructions or internal state machine sequencing in many digital processing elements.

has super-classes: Firmware^c

MMC^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.014

has super-classes: Signed Binary Proxy Execution^c; executes^op some Command^c; may-add^op some Software^c; may-modify^op some System Configuration Database^c
is also defined as: named individual

Mobile Phone^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MobilePhone

is defined by: http://dbpedia.org/resource/Mobile_phone

A mobile phone, cellular phone, cell phone, cellphone or hand phone, sometimes shortened to simply mobile, cell or just phone, is a portable telephone that can make and receive calls over a radio frequency link while the user is moving within a telephone service area. The radio frequency link establishes a connection to the switching systems of a mobile phone operator, which provides access to the public switched telephone network (PSTN). Modern mobile telephone services use a cellular network architecture and, therefore, mobile telephones are called cellular telephones or cell phones in North America. In addition to telephony, digital mobile phones (2G) support a variety of other services, such as text messaging, MMS, email, Internet access, short-range wireless communications (infrared,

has super-classes: Personal Computer^c

Modem^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Modem

is defined by: http://dbpedia.org/resource/Modem

A modem -- a portmanteau of "modulator-demodulator" -- is a hardware device that converts data into a format suitable for a transmission medium so that it can be transmitted from one computer to another (historically along telephone wires). A modem modulates one or more carrier wave signals to encode digital information for transmission and demodulates signals to decode the transmitted information. The goal is to produce a signal that can be transmitted easily and decoded reliably to reproduce the original digital data. Modems can be used with almost any means of transmitting analog signals from light-emitting diodes to radio. A common type of modem is one that turns the digital data of a computer into modulated electrical signal for transmission over telephone lines and demodulated by another modem at the receiver side to recover the digital data.

has super-classes: Network Node^c
has sub-classes: Dial Up Modem^c, Optical Modem^c, Radio Modem^c

Modify Authentication Process^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1556

has super-classes: Credential Access Technique^c; Defense Evasion Technique^c; modifies^op some Authentication Service^c
has sub-classes: Domain Controller Authentication^c, Network Device Authentication^c, Password Filter DLL^c, Pluggable Authentication Modules^c
is also defined as: named individual

Modify Registry^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1112

has super-classes: Defense Evasion Technique^c; modifies^op some Windows Registry^c
is also defined as: named individual

Monitoring^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Monitoring

is defined by: http://wordnet-rdf.princeton.edu/id/00881724-n

the act of observing something (and sometimes keeping a record of it)

has super-classes: D3FEND Thing^c

Mouse Input Device^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MouseInputDevice

is defined by: http://dbpedia.org/resource/Computer_mouse

A computer mouse (plural mice or mouses) is a hand-held pointing device that detects two-dimensional motion relative to a surface. This motion is typically translated into the motion of a pointer on a display, which allows a smooth control of the graphical user interface of a computer. In addition to moving a cursor, computer mice have one or more buttons to allow operations such as selection of a menu item on a display. Mice often also feature other elements, such as touch surfaces and scroll wheels, which enable additional control and dimensional input.

has super-classes: Input Device^c

Move File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MoveFile

has super-classes: System Call^c; modifies^op some File System Metadata^c
is also defined as: named individual

MSBuild^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1127.001

has super-classes: Trusted Developer Utilities Proxy Execution^c; modifies^op some Compiler Configuration File^c; runs^op some Compiler^c
is also defined as: named individual

Mshta Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.005

has super-classes: Signed Binary Proxy Execution^c

Msiexec Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.007

has super-classes: Signed Binary Proxy Execution^c

Multi-factor Authentication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Multi-factorAuthentication

has super-classes: Credential Hardening^c; authenticates^op some User Account^c
is also defined as: named individual

Multi-hop Proxy^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1090.003

has super-classes: Proxy^c; produces^op some Outbound Internet Network Traffic^c
is also defined as: named individual

Multi-Stage Channels^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1104

has super-classes: Command and Control Technique^c; produces^op some Outbound Internet Network Traffic^c
is also defined as: named individual

Native API Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1106

has super-classes: Execution Technique^c; invokes^op some System Call^c
is also defined as: named individual

Netsh Helper DLL^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.007

has super-classes: Event Triggered Execution^c; modifies^op some System Configuration Database Record^c; produces^op some Process^c
is also defined as: named individual

Network^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Network

A network is a group of computers that use a set of common communication protocols over digital interconnections for the purpose of sharing resources located on or provided by the network nodes. The interconnections between nodes are formed from a broad spectrum of telecommunication network technologies, based on physically wired, optical, and wireless radio-frequency methods that may be arranged in a variety of network topologies.

has super-classes: Digital Artifact^c
has sub-classes: Internet Network^c, Intranet Network^c, Local Area Network^c, Wide Area Network^c

Network Card Firmware^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkCardFirmware

Firmware that is installed on a network card (network interface controller).

has super-classes: Peripheral Firmware^c

Network Denial of Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1498

has super-classes: Impact Technique^c
has sub-classes: Direct Network Flood^c, Reflection Amplification^c, Service Exhaustion Flood^c

Network Device Authentication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1556.004

has super-classes: Modify Authentication Process^c

Network Device CLI^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1059.008

has super-classes: Command and Scripting Interpreter Execution^c

Network Directory Resource^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkDirectoryResource

has super-classes: Network File Share Resource^c; contains^op some Directory^c
is also defined as: named individual

Network File Resource^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkFileResource

has super-classes: Network File Share Resource^c; contains^op some File^c
has sub-classes: Network Init Script File Resource^c, Web File Resource^c
is also defined as: named individual

Network File Share Resource^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkFileShareResource

has super-classes: Network Resource^c
has sub-classes: Network Directory Resource^c, Network File Resource^c
is also defined as: named individual

Network Flow^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkFlow

has super-classes: Digital Artifact^c; summarizes^op some Network Traffic^c
is also defined as: named individual

Network Flow Sensor^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkFlowSensor

has super-classes: Network Sensor^c; monitors^op some Network Flow^c

Network Init Script File Resource^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkInitScriptFileResource

has super-classes: Init Script^c; Network File Resource^c
is also defined as: named individual

Network Isolation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkIsolation

has super-classes: Defensive Technique^c; enables^op some Isolate^c
has sub-classes: Broadcast Domain Isolation^c, DNS Allowlisting^c, DNS Denylisting^c, Encrypted Tunnels^c, Network Traffic Filtering^c
has members: Broadcast Domain Isolationⁿⁱ, DNS Allowlistingⁿⁱ, DNS Denylistingⁿⁱ, Encrypted Tunnelsⁿⁱ, Network Traffic Filteringⁿⁱ
is also defined as: named individual

Network Logon Script^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1037.003

has super-classes: Boot or Logon Initialization Scripts^c; modifies^op some Network Init Script File Resource^c
is also defined as: named individual

Network Node^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkNode

has super-classes: Digital Artifact^c; runs^op some Operating System^c
has sub-classes: Firewall^c, Host^c, Intrusion Detection System^c, Modem^c, Proxy Server^c, Router^c, Switch^c, Wireless Access Point^c
is also defined as: named individual

Network Packet^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkPackets

has super-classes: Network Traffic^c
is also defined as: named individual

Network Printer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkPrinter

is defined by: http://dbpedia.org/resource/Printer_(computing)

In computing, a network printer is a device that can be accessed over a network which makes a persistent representation of graphics or text, usually on paper. While most output is human-readable, bar code printers are an example of an expanded use for printers. The different types of printers include 3D printer, inkjet printer, laser printer, thermal printer, etc. Note that not all printers are networked and the digital information to be printed must be passed either by removable media or as directly connecting the printer to a computer (e.g., by USB.)

has super-classes: Shared Computer^c

Network Protocol Analyzer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkProtocolAnalyzer

has super-classes: Network Sensor^c; monitors^op some Network Traffic^c

Network Resource^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkResource

has super-classes: Remote Resource^c
has sub-classes: Network File Share Resource^c, Network Service^c, Server^c
is in range of: accesses^op
is also defined as: named individual

Network Resource Access^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkResourceAccess

has super-classes: Resource Access^c; accesses^op some Network Resource^c; accesses^op some Resource^c
has sub-classes: Web Resource Access^c
is also defined as: named individual

Network Sensor^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkSensor

has super-classes: Sensor^c
has sub-classes: Network Flow Sensor^c, Network Protocol Analyzer^c

Network Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkService

is defined by: http://dbpedia.org/resource/Network_service

In computer networking, a network service is an application running at the network application layer and above, that provides data storage, manipulation, presentation, communication or other capability which is often implemented using a client-server or peer-to-peer architecture based on application layer network protocols. Clients and servers will often have a user interface, and sometimes other hardware associated with it.

has super-classes: Network Resource^c
has sub-classes: Directory Service^c, File Share Service^c, Mail Service^c

Network Service Scanning^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1046

has super-classes: Discovery Technique^c

Network Session^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkSession

has super-classes: Network Traffic^c; contains^op some Network Packet^c
has sub-classes: Remote Command^c, Remote Terminal Session^c
is also defined as: named individual

Network Share Connection Removal^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1070.005

has super-classes: Indicator Removal on Host^c; unmounts^op some Network File Share Resource^c
is also defined as: named individual

Network Share Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1135

has super-classes: Discovery Technique^c

Network Sniffing^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1040

has super-classes: Credential Access Technique^c; Discovery Technique^c; may-produce^op some DNS Lookup^c
is also defined as: named individual

Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkTraffic

has super-classes: Digital Artifact^c; may-contain^op some Domain Name^c; originates-from^op some Physical Location^c
has sub-classes: Administrative Network Traffic^c, DNS Network Traffic^c, File Transfer Network Traffic^c, IPC Network Traffic^c, Inbound Network Traffic^c, Internet Network Traffic^c, Intranet Network Traffic^c, Mail Network Traffic^c, Network Packet^c, Network Session^c, Outbound Network Traffic^c, RPC Network Traffic^c, Web Network Traffic^c
is also defined as: named individual

Network Traffic Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkTrafficAnalysis

has super-classes: Defensive Technique^c; enables^op some Detect^c
has sub-classes: Administrative Network Activity Analysis^c, Byte Sequence Emulation^c, Certificate Analysis^c, Client-server Payload Profiling^c, Connection Attempt Analysis^c, DNS Traffic Analysis^c, File Carving^c, IPC Traffic Analysis^c, Inbound Session Volume Analysis^c, Network Traffic Community Deviation^c, Per Host Download-Upload Ratio Analysis^c, Protocol Metadata Anomaly Detection^c, RPC Traffic Analysis^c, Relay Pattern Analysis^c, Remote Terminal Session Detection^c
has members: Administrative Network Activity Analysisⁿⁱ, Byte Sequence Emulationⁿⁱ, Certificate Analysisⁿⁱ, Client-server Payload Profilingⁿⁱ, Connection Attempt Analysisⁿⁱ, DNS Traffic Analysisⁿⁱ, File Carvingⁿⁱ, IPC Traffic Analysisⁿⁱ, Inbound Session Volume Analysisⁿⁱ, Network Traffic Analysisⁿⁱ, Network Traffic Community Deviationⁿⁱ, Per Host Download-Upload Ratio Analysisⁿⁱ, Protocol Metadata Anomaly Detectionⁿⁱ, RPC Traffic Analysisⁿⁱ, Relay Pattern Analysisⁿⁱ, Remote Terminal Session Detectionⁿⁱ
is also defined as: named individual

Network Traffic Community Deviation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkTrafficCommunityDeviation

has super-classes: Network Traffic Analysis^c; analyzes^op some Network Traffic^c
is also defined as: named individual

Network Traffic Filtering^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkTrafficFiltering

has super-classes: Network Isolation^c; filters^op some Network Traffic^c
has sub-classes: Inbound Traffic Filtering^c, Outbound Traffic Filtering^c
has members: Inbound Traffic Filteringⁿⁱ, Outbound Traffic Filteringⁿⁱ
is also defined as: named individual

News Article^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NewsArticle

has super-classes: Article^c
has sub-classes: Internet Article^c

Non-Application Layer Protocol^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1095

has super-classes: Command and Control Technique^c; produces^op some Outbound Internet Network Traffic^c
is also defined as: named individual

Non-Standard Encoding^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1132.002

has super-classes: Data Encoding^c

Non-Standard Port^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1571

has super-classes: Command and Control Technique^c; produces^op some Outbound Internet Network Traffic^c
is also defined as: named individual

NTDS^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003.003

has super-classes: OS Credential Dumping^c; accesses^op some Encrypted Credential^c
is also defined as: named individual

NTFS File Attributes^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.004

has super-classes: Hide Artifacts^c; modifies^op some File System Metadata^c
is also defined as: named individual

NTFS Hard Link^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NTFSHardLink

is defined by: http://dbpedia.org/resource/NTFS_links

An NTFS hard link points to another file, and files share the same MFT entry (inode), in the same filesystem.

has super-classes: Hard Link^c; NTFS Link^c

NTFS Junction Point^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NTFSJunctionPoint

is defined by: http://dbpedia.org/resource/NTFS_links

NTFS junction points are are similar to NTFS symlinks but are defined only for directories. Only accepts local absolute paths.

has super-classes: NTFS Link^c; Symbolic Link^c

NTFS Link^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NTFSLink

The NTFS filesystem defines various ways to link files, i.e. to make a file point to another file or its contents. The object being pointed to is called the target. There are three classes of NTFS links: (a) Hard links, which have files share the same MFT entry (inode), in the same filesystem; (b) Symbolic links, which record the path of another file that the links contents should show and can accept relative paths; and (c) Junction points, which are similar to symlinks but defined only for directories and only accepts local absolute paths

has super-classes: File^c; File System Link^c
has sub-classes: NTFS Hard Link^c, NTFS Junction Point^c, NTFS Symbolic Link^c

NTFS Symbolic Link^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NTFSSymbolicLink

is defined by: http://dbpedia.org/resource/NTFS_links

An NTFS symbolic link records the path of another file that the links contents should show. Can accept relative paths. SMB networking (UNC path) and directory support added in NTFS 3.1.

has super-classes: NTFS Link^c; Symbolic Link^c

Obfuscated Files or Information^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1027

has super-classes: Defense Evasion Technique^c
has sub-classes: Binary Padding^c, Compile After Delivery^c, HTML Smuggling^c, Indicator Removal from Tools^c, Software Packing^c, Steganography^c

Object File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ObjectFile

has super-classes: File^c
has sub-classes: Kernel Module^c, Shared Library File^c
is also defined as: named individual

Odbcconf Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.008

has super-classes: Signed Binary Proxy Execution^c

Offensive Tactic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OffensiveTactic

is defined by: https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf

Per ATT&CK, these are defined as Tactical Goals, not Tactics per se. Many children also fit definition of tactics. Some are neither tactics or tactical goals really (e.g., Execution, which is a useful grouping, but an action, not really a tactic or technique.

has super-classes: ATTACK Thing^c; enabled-by^op some Offensive Technique^c; display-order^dp some integer
has sub-classes: Collection^c, Command And Control^c, Credential Access^c, Defense Evasion^c, Discovery^c, Execution^c, Exfiltration^c, Impact^c, Initial Access^c, Lateral Movement^c, Persistence^c, Privilege Escalation^c
has members: Collectionⁿⁱ, Command And Controlⁿⁱ, Credential Accessⁿⁱ, Defense Evasionⁿⁱ, Discoveryⁿⁱ, Executionⁿⁱ, Exfiltrationⁿⁱ, Impactⁿⁱ, Initial Accessⁿⁱ, Lateral Movementⁿⁱ, Persistenceⁿⁱ, Privilege Escalationⁿⁱ

Offensive Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OffensiveTechnique

is defined by: https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf

has super-classes: ATTACK Thing^c; Technique^c; enables^op some Offensive Tactic^c; display-order^dp some integer
has sub-classes: Collection Technique^c, Command and Control Technique^c, Credential Access Technique^c, Defense Evasion Technique^c, Discovery Technique^c, Execution Technique^c, Exfiltration Technique^c, Impact Technique^c, Initial Access Technique^c, Lateral Movement Technique^c, Persistence Technique^c, Privilege Escalation Technique^c
is in domain of: attack-id, attack-kb-annotation
is in range of: may-be-tactically-associated-with^op

Office Application^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OfficeApplication

has super-classes: User Application^c
is also defined as: named individual

Office Application File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OfficeApplicationFile

has super-classes: Document File^c
is also defined as: named individual

Office Application Startup^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1137

has super-classes: Persistence Technique^c
has sub-classes: Add-ins^c, Office Template Macros^c, Office Test^c, Outlook Forms^c, Outlook Home Page^c, Outlook Rules^c

Office Template Macros^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1137.001

has super-classes: Office Application Startup^c; may-add^op some Executable Script^c; may-modify^op some Executable Script^c; may-modify^op some System Configuration Database Record^c
is also defined as: named individual

Office Test^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1137.002

has super-classes: Office Application Startup^c; modifies^op some System Configuration Database Record^c
is also defined as: named individual

One-time Password^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#One-timePassword

has super-classes: Credential Hardening^c; authenticates^op some User Account^c; use-limits^op some Password^c
is also defined as: named individual

One-Way Communication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1102.003

has super-classes: Web Service^c

Open File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OpenFile

is defined by: http://dbpedia.org/resource/Open_(system_call)

For most file systems, a program initializes access to a file in a file system using the open system call. This allocates resources associated to the file (the file descriptor), and returns a handle that the process will use to refer to that file. In some cases the open is performed by the first access. During the open, the filesystem may allocate memory for buffers, or it may wait until the first operation. Various other errors which may occur during the open include directory update failures, un-permitted multiple connections, media failures, communication link failures and device failures.

has super-classes: System Call^c

Open Source License^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OpenSourceLicense

has super-classes: License^c

Open-source Developer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Open-sourceDeveloper

has super-classes: Product Developer^c

Operating System^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OperatingSystem

has super-classes: Digital Artifact^c; contains^op some Kernel^c; contains^op some System Service Software^c; may-contain^op some Operating System Configuration Component^c
is also defined as: named individual

Operating System Configuration^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OperatingSystemConfiguration

Information used to configure the services, parameters, and initial settings for an operating system.

has super-classes: Configuration Bearing Entity^c
has sub-classes: Operating System Configuration Component^c

Operating System Configuration Component^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OperatingSystemConfigurationComponent

has super-classes: Operating System Configuration^c
has sub-classes: System Configuration Database Record^c, System Firewall Configuration^c, System Init Configuration^c
is also defined as: named individual

Operating System Configuration File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OperatingSystemConfigurationFile

has super-classes: Configuration File^c; Operating System File^c
is also defined as: named individual

Operating System Executable File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OperatingSystemExecutableFile

has super-classes: Operating System File^c
is also defined as: named individual

Operating System File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OperatingSystemFile

has super-classes: File^c
has sub-classes: Operating System Configuration File^c, Operating System Executable File^c, Operating System Log File^c, Operating System Shared Library File^c
is also defined as: named individual

Operating System Log File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OperatingSystemLogFile

has super-classes: Log File^c; Operating System File^c
is also defined as: named individual

Operating System Monitoring^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OperatingSystemMonitoring

has super-classes: Platform Monitoring^c
has sub-classes: Endpoint Health Beacon^c, Input Device Analysis^c, Memory Boundary Tracking^c, Scheduled Job Analysis^c, System Daemon Monitoring^c, System File Analysis^c, System Init Config Analysis^c, User Session Init Config Analysis^c
has members: Endpoint Health Beaconⁿⁱ, Input Device Analysisⁿⁱ, Memory Boundary Trackingⁿⁱ, Scheduled Job Analysisⁿⁱ, System Daemon Monitoringⁿⁱ, System File Analysisⁿⁱ, System Init Config Analysisⁿⁱ, User Session Init Config Analysisⁿⁱ
is also defined as: named individual

Operating System Packaging Tool^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OperatingSystemPackagingTool

A software packaging tool oriented on building a software package for a particular operating system (e.g. rpmbuild.)

has super-classes: Software Packaging Tool^c

Operating System Process^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OperatingSystemProcess

has super-classes: Process^c
has sub-classes: System Init Process^c, Task Scheduler Process^c
is also defined as: named individual

Operating System Shared Library File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OperatingSystemSharedLibraryFile

has super-classes: Operating System File^c; Shared Library File^c
is also defined as: named individual

Operations Center Computer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OperationsCenterComputer

is defined by: http://dbpedia.org/resource/Mainframe_computer

Mainframe computers or mainframes (colloquially referred to as "big iron") are computers used primarily by large organizations for critical applications; bulk data processing, such as census, industry and consumer statistics, and enterprise resource planning; and transaction processing. They are larger and have more processing power than some other classes of computers: minicomputers, servers, workstations, and personal computers.

has super-classes: Shared Computer^c

Optical Modem^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OpticalModem

is defined by: http://dbpedia.org/resource/Modem#Optical_modem

A modem that connects to a fiber optic network is known as an optical network terminal (ONT) or optical network unit (ONU). These are commonly used in fiber to the home installations, installed inside or outside a house to convert the optical medium to a copper Ethernet interface, after which a router or gateway is often installed to perform authentication, routing, NAT, and other typical consumer internet functions, in addition to "triple play" features such as telephony and television service.

has super-classes: Modem^c

Orchestration Controller^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OrchestrationController

has super-classes: Orchestration Server^c; contains^op some Container Orchestration Software^c
is also defined as: named individual

Orchestration Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OrchestrationServer

A d3f:Server which is involved with the orchestration of workloads or the execution of orchestrated workloads.

has super-classes: Server^c
has sub-classes: Orchestration Controller^c, Orchestration Worker^c

Orchestration Worker^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OrchestrationWorker

A d3f:Server which receives commands from a d3f:OrchestrationController to execute workloads.

has super-classes: Orchestration Server^c

Organization^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Organization

has super-classes: Agent^c
has sub-classes: Provider^c

OS Credential Dumping^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003

has super-classes: Credential Access Technique^c; accesses^op some Credential^c
has sub-classes: /etc/passwd and /etc/shadow^c, Cached Domain Credentials^c, DCSync^c, LSA Secrets^c, LSASS Memory^c, NTDS^c, Proc Filesystem^c, Security Account Manager^c
is also defined as: named individual

Outbound Internet DNS Lookup Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutboundInternetDNSLookupTraffic

has super-classes: DNS Network Traffic^c; Outbound Internet Network Traffic^c; Outbound Network Traffic^c; may-contain^op some DNS Lookup^c
is also defined as: named individual

Outbound Internet Encrypted Remote Terminal Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutboundInternetEncryptedRemoteTerminalTraffic

has super-classes: Outbound Internet Encrypted Traffic^c
is also defined as: named individual

Outbound Internet Encrypted Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutboundInternetEncryptedTraffic

has super-classes: Outbound Internet Network Traffic^c
has sub-classes: Outbound Internet Encrypted Remote Terminal Traffic^c, Outbound Internet Encrypted Web Traffic^c
is also defined as: named individual

Outbound Internet Encrypted Web Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutboundInternetEncryptedWebTraffic

has super-classes: Outbound Internet Encrypted Traffic^c; Outbound Internet Web Traffic^c
is also defined as: named individual

Outbound Internet File Transfer Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutboundInternetFileTransferTraffic

has super-classes: File Transfer Network Traffic^c; Outbound Internet Network Traffic^c; Outbound Network Traffic^c; contains^op some File^c
is also defined as: named individual

Outbound Internet Mail Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutboundInternetMailTraffic

has super-classes: Outbound Internet Network Traffic^c
is also defined as: named individual

Outbound Internet Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutboundInternetNetworkTraffic

has super-classes: Internet Network Traffic^c; Outbound Network Traffic^c
has sub-classes: Outbound Internet DNS Lookup Traffic^c, Outbound Internet Encrypted Traffic^c, Outbound Internet File Transfer Traffic^c, Outbound Internet Mail Traffic^c, Outbound Internet RPC Traffic^c, Outbound Internet Web Traffic^c
is also defined as: named individual

Outbound Internet RPC Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutboundInternetRPCTraffic

Outbound internet RPC traffic is RPC traffic that is: (a) on an outgoing connection initiated from a host within a network to a host outside the network, and (b) using a standard RPC protocol.

has super-classes: Outbound Internet Network Traffic^c; Outbound Network Traffic^c; RPC Network Traffic^c

Outbound Internet Web Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutboundInternetWebTraffic

has super-classes: Outbound Internet Network Traffic^c; Web Network Traffic^c; may-contain^op some URL^c
has sub-classes: Outbound Internet Encrypted Web Traffic^c
is also defined as: named individual

Outbound Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutboundNetworkTraffic

has super-classes: Network Traffic^c
has sub-classes: Outbound Internet DNS Lookup Traffic^c, Outbound Internet File Transfer Traffic^c, Outbound Internet Network Traffic^c, Outbound Internet RPC Traffic^c
is also defined as: named individual

Outbound Traffic Filtering^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutboundTrafficFiltering

has super-classes: Network Traffic Filtering^c; filters^op some Outbound Network Traffic^c
is also defined as: named individual

Outlook Forms^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1137.003

has super-classes: Office Application Startup^c; adds^op some Office Application File^c
is also defined as: named individual

Outlook Home Page^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1137.004

has super-classes: Office Application Startup^c; modifies^op some Application Configuration Database^c
is also defined as: named individual

Outlook Rules^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1137.005

has super-classes: Office Application Startup^c; modifies^op some Application Configuration Database^c
is also defined as: named individual

Output Device^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutputDevice

is defined by: http://dbpedia.org/resource/Output_device

An output device is any piece of computer hardware equipment which converts information into human-readable form. It can be text, graphics, tactile, audio, and video. Some of the output devices are Visual Display Units (VDU) i.e. a Monitor, Printer, Graphic Output devices, Plotters, Speakers etc. A new type of Output device is been developed these days, known as Speech synthesizer, a mechanism attached to the computer which produces verbal output sounding almost like human speeches.

has super-classes: Hardware Device^c
has sub-classes: Display Adapter^c

Packet Log^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PacketLog

has super-classes: Log^c; records^op some Network Session^c
is also defined as: named individual

Parent PID Spoofing^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1134.004

has super-classes: Access Token Manipulation^c; invokes^op some Create Process^c
is also defined as: named individual

Parent Process^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ParentProcess

is defined by: http://dbpedia.org/resource/Parent_process

In computing, a parent process is a process that has created one or more child processes.

has super-classes: Process^c

Partition^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Partition

has super-classes: Digital Artifact^c
is also defined as: named individual

Partition Table^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PartitionTable

has super-classes: Digital Artifact^c; addresses^op some Partition^c
is also defined as: named individual

Pass The Hash^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1550.002

has super-classes: Use Alternate Authentication Material^c; creates^op some Authentication^c
is also defined as: named individual

Pass The Ticket^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1550.003

has super-classes: Use Alternate Authentication Material^c; creates^op some Authentication^c
is also defined as: named individual

Passive Certificate Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PassiveCertificateAnalysis

has super-classes: Certificate Analysis^c
has members: Passive Certificate Analysisⁿⁱ
is also defined as: named individual

Password^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Password

has super-classes: Credential^c
has sub-classes: Encrypted Password^c
is also defined as: named individual

Password Cracking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1110.002

has super-classes: Brute Force^c; accesses^op some Password^c
is also defined as: named individual

Password Database^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PasswordDatabase

A password database is a database that holds passwords for user accounts and is usually encrypted (i.e.., the passwords are hashed). Password databases are found supporting system services (such as SAM) or part of user applications such as password managers.

has super-classes: Database^c
has sub-classes: Password File^c, Password Store^c, System Password Database^c

Password File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PasswordFile

has super-classes: File^c; Password Database^c
is also defined as: named individual

Password Filter DLL^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1556.002

has super-classes: Modify Authentication Process^c; creates^op some Shared Library File^c; modifies^op some System Configuration Database Record^c
is also defined as: named individual

Password Guessing^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1110.001

has super-classes: Brute Force^c; accesses^op some Password^c; modifies^op some Authentication Log^c; produces^op some Authentication^c
is also defined as: named individual

Password Manager^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PasswordManager

is defined by: http://dbpedia.org/resource/Password_manager

A password manager is a software application or hardware that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password: a single, ideally very strong password which grants the user access to their entire password database. Some password managers store passwords on the user's computer (called offline password managers), whereas others store data in the provider's cloud (often called online password managers). However offline password managers also offer data storage in the user's own cloud accounts rather than the provider's cloud. While the core functionality of a password manager is to securely store large collections of passwords, many provide additional features such as form filling and password generation.

has super-classes: Application^c

Password Policy Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1201

has super-classes: Discovery Technique^c

Password Spraying^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1110.003

has super-classes: Brute Force^c; accesses^op some Password^c; may-create^op some Intranet Administrative Network Traffic^c; modifies^op some Authentication Log^c; produces^op some Authentication^c
is also defined as: named individual

Password Store^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PasswordStore

has super-classes: Password Database^c
has sub-classes: In-memory Password Store^c, MacOS Keychain^c
is also defined as: named individual

Patent^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Patent

has super-classes: Document^c
is also defined as: named individual

Patent Reference^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PatentReference

has super-classes: Technique Reference^c
has members: Reference - Privacy and security systems and methods of useⁿⁱ, Reference - Account monitoring - Forescout Technologiesⁿⁱ, Reference - Active firewall system and methodology - McAfee LLCⁿⁱ, Reference - Anomaly Detection Using Adaptive Behavioral Profiles - Securonix Incⁿⁱ, Reference - Anti-tamper system with self-adjusting guards - ARXAN TECHNOLOGIES Incⁿⁱ, Reference - Approaches for securing an internet endpoint using fine-grained operating system virtualization - Bromium, Inc.ⁿⁱ, Reference - Architecture of transparent network security for application containers - Neuvector Incⁿⁱ, Reference - Automatically generating network resource groups and assigning customized decoy policies thereto - Illusive Networks Ltdⁿⁱ, Reference - Automatically generating rules for connection security - Microsoftⁿⁱ, Reference - Biometric Challenge-Response Authentication - Accentureⁿⁱ, Reference - Broadcast isolation and level 3 network switch - Hewlett Packard Enterprise Development LPⁿⁱ, Reference - Computational modeling and classification of data streams - Crowdstrike Incⁿⁱ, Reference - Computer Worm Defense System and Method - FireEye Incⁿⁱ, Reference - Computer motherboard having peripheral security functionsⁿⁱ, Reference - Computer-implemented methods and systems for identifying visually similar text character strings - Greathorn Incⁿⁱ, Reference - Computing apparatus with automatic integrity reference generation and maintenance - Tripwire, Inc.ⁿⁱ, Reference - Content extractor and analysis system - Bit 9 Inc, Carbon Black Incⁿⁱ, Reference - Deception-Based Responses to Security Attacks - Crowdstrike Incⁿⁱ, Reference - Decoy Network-Based Service for Deceiving Attackers - Amazon Technologiesⁿⁱ, Reference - Decoy and deceptive data object technology - Cymmetria Incⁿⁱ, Reference - Decoy and deceptive data object technology - Cymmetria, Inc.ⁿⁱ, Reference - Detecting network reconnaissance by tracking intranet dark-net communications - VECTRA NETWORKS Incⁿⁱ, Reference - Detecting script-based malware - Crowdstrike Incⁿⁱ, Reference - Deterministic method for detecting and blocking of exploits on interpreted code - K2 Cyber Security Incⁿⁱ, Reference - Distributed meta-information query in a network - Bit 9 Incⁿⁱ, Reference - Domain age registration alert - Inc Rapid7 Inc RAPID7 Incⁿⁱ, Reference - Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network - Palo Alto Networks Incⁿⁱ, Reference - Embedding contexts for on-line threats into response policy zones - Verisign Incⁿⁱ, Reference - End-to-end certificate pinningⁿⁱ, Reference - File-modifying malware detection - Crowdstrike Incⁿⁱ, Reference - Firewall for interent access - Secure Computing LLCⁿⁱ, Reference - Firewall for processing a connectionless network packet - National Security Agencyⁿⁱ, Reference - Firewall for processing connection-oriented and connectionless datagrams over a connection-oriented network - National Security Agencyⁿⁱ, Reference - Firewalls that filter based upon protocol commands - Intel Corpⁿⁱ, Reference - Firmware Embedded Monitoring Code Red Balloonⁿⁱ, Reference - Firmware Verification Eclypsiumⁿⁱ, Reference - Firmware Verification Trapezoidⁿⁱ, Reference - Framework for notifying a directory service of authentication events processed outside the directory service - Oracle International Corpⁿⁱ, Reference - Guards for application in software tamperproofing - Purdue Research Foundationⁿⁱ, Reference - Hardware-assisted system and method for detecting and analyzing system calls made to an operting system kernel - Endgame Incⁿⁱ, Reference - Heuristic botnet detection - Palo Alto Networks Incⁿⁱ, Reference - Host intrusion prevention system using software and user behavior analysis - Sophos Ltdⁿⁱ, Reference - Identification and extraction of key forensics indicators of compromise using subject-specific filesystem viewsⁿⁱ, Reference - Identification of visual international domain name collisions - Verisign Incⁿⁱ, Reference - Identifying a denial-of-service attack in a cloud-based proxy service - Cloudfare Inc.ⁿⁱ, Reference - Inferential exploit attempt detection - Crowdstrike Incⁿⁱ, Reference - Instant process termination tool to recover control of an information handling system - Dell Products LPⁿⁱ, Reference - Integrity assurance through early loading in the boot phase - Crowdstrike Incⁿⁱ, Reference - Intrusion detection using a heartbeat - Sophos Ltdⁿⁱ, Reference - Isolation of applications within a virtual machine - Bromium, Inc.ⁿⁱ, Reference - Malicious relay detection on networks - VECTRA NETWORKS Incⁿⁱ, Reference - Malware analysis system - Palo Alto Networks Incⁿⁱ, Reference - Malware detection in event loops - Crowdstrike Incⁿⁱ, Reference - Malware detection using local computational models - Crowdstrike Incⁿⁱ, Reference - Method and Apparatus for Detecting Malicious Websites - Endgame Incⁿⁱ, Reference - Method and Apparatus for Network Fraud Detection and Remediation Through Analytics - Idaptive LLCⁿⁱ, Reference - Method and apparatus for increasing the speed at which computer viruses are detected - McAfee LLCⁿⁱ, Reference - Method and apparatus for utilizing a token for resource access - Rsa Security Inc.ⁿⁱ, Reference - Method and system for UDP flood attack detection - Riorey LLCⁿⁱ, Reference - Method and system for controlling communication portsⁿⁱ, Reference - Method and system for detecting algorithm-generated domains - VECTRA NETWORKS Incⁿⁱ, Reference - Method and system for detecting external control of compromised hosts - VECTRA NETWORKS Incⁿⁱ, Reference - Method and system for detecting malicious payloads - Vectra Networks Incⁿⁱ, Reference - Method and system for detecting restricted content associated with retrieved content - Sophos Ltdⁿⁱ, Reference - Method and system for detecting suspicious administrative activity - Vectra Networks Incⁿⁱ, Reference - Method and system for detecting threats using metadata vectors - VECTRA NETWORKS Incⁿⁱ, Reference - Method and system for detecting threats using passive cluster mapping - Vectra Networks Incⁿⁱ, Reference - Method and system for providing software updates to local machinesⁿⁱ, Reference - Method for controlling computer network security - Checkpoint Software Technologies Ltdⁿⁱ, Reference - Method for file encryptionⁿⁱ, Reference - Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system - Symantec Corporationⁿⁱ, Reference - Mock attack cybersecurity training system and methods - WOMBAT SECURITY TECHNOLOGIES Incⁿⁱ, Reference - Modeling user access to computer resources - Daedalus Group LLC (formerly IBM)ⁿⁱ, Reference - Modification of a Server to Mimic a Deception Mechanism - Acalvio Technologies Incⁿⁱ, Reference - Network firewall with proxy - Secure Computing LLCⁿⁱ, Reference - Open source intelligence deceptions - Illusive Networks Ltdⁿⁱ, Reference - Post sandbox methods and systems for detecting and blocking zero-day exploits via api call validation - K2 Cyber Security Incⁿⁱ, Reference - Preventing execution of task scheduled malware - McAfee LLCⁿⁱ, Reference - Private virtual local area network isolation - Cisco Technology Incⁿⁱ, Reference - Protected computing environment - Microsoft Technology Licensing LLCⁿⁱ, Reference - Protecting against distributed denial of service attacks - Cisco Technology Inc.ⁿⁱ, Reference - Protecting against distributed network flood attacks - Juniper Networks Inc.ⁿⁱ, Reference - RPC call interception - Crowdstrike Incⁿⁱ, Reference - Secure caching of server credentials - Dell Products LPⁿⁱ, Reference - Security System with Methodology for Interprocess Communication Control - Check Point Software Tech Incⁿⁱ, Reference - Sinkholing bad network domains by registering the bad network domains on the internet - Palo Alto Networks Incⁿⁱ, Reference - Supply chain cyber-deception - Cymmetria, Inc.ⁿⁱ, Reference - Synchronizing a honey network configuration to reflect a target network environment - Palo Alto Networks Incⁿⁱ, Reference - System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis - Silver Tail Systemsⁿⁱ, Reference - System and Method for Network Security Including Detection of Attacks Through Partner Websites - EMC IP Holding Co LLCⁿⁱ, Reference - System and Method for Process Hollowing Detection - Carbon Black Incⁿⁱ, Reference - System and a method for identifying the presence of malware and ransomware using mini-traps set at network endpoints - Fidelis Cybersecurity Solutions Incⁿⁱ, Reference - System and method for detecting homoglyph attacks with a siamese convolutional neural network - Endgame Incⁿⁱ, Reference - System and method for detecting malware injected into memory of a computing device - Endgame Incⁿⁱ, Reference - System and method for identifying the presence of malware using mini-traps set at network endpoints - Fidelis Cybersecurity Solutions Incⁿⁱ, Reference - System and method for internet security - Cylance Incⁿⁱ, Reference - System and method for providing an actively invalidated client-side network resource cache - IMVUⁿⁱ, Reference - System and method for validating in-memory integrity of executable files to identify malicious activity - Endgame Incⁿⁱ, Reference - System and method thereof for identifying and responding to security incidents based on preemptive forensics - Palo Alto Networks Incⁿⁱ, Reference - System and methods thereof for causality identification and attributions determination of processes in a network - Palo Alto Networks IncCyber Secdo Ltdⁿⁱ, Reference - System and methods thereof for detection of persistent threats in a computerized environment background - Palo Alto Networks IncCyber Secdo Ltdⁿⁱ, Reference - System and methods thereof for identification of suspicious system processes - Palo Alto Networks Incⁿⁱ, Reference - System and methods thereof for logical identification of malicious threats across a plurality of end-point devices (epd) communicatively connected by a network - Palo Alto Networks IncCyber Secdo Ltdⁿⁱ, Reference - System and methods thereof for preventing ransomware from encrypting data elements stored in a memory of a computer-based system - Palo Alto Networks Incⁿⁱ, Reference - System for detecting threats using scenario-based tracking of internal and external network traffic - VECTRA NETWORKS Incⁿⁱ, Reference - System for implementing threat detection using daily network traffic community outliers - VECTRA NETWORKS Incⁿⁱ, Reference - System for implementing threat detection using threat and risk assessment of asset-actor interactions - VECTRA NETWORKS Incⁿⁱ, Reference - System, method, and computer program product for detecting and assessing security risks in a network - Exabeam Incⁿⁱ, Reference - Systems and methods for detecting and/or handling targeted attacks in the email channel - Graphus Incⁿⁱ, Reference - Systems and methods for detecting credential theft - Symantec Corpⁿⁱ, Reference - Tamper proof mutating software - ARXAN TECHNOLOGIES Incⁿⁱ, Reference - Techniques for impeding and detecting network threats - Verisign Incⁿⁱ, Reference - Threat detection for return oriented programming - Crowdstrike Incⁿⁱ, Reference - Threat detection through the accumulated detection of threat characteristics - Sophos Ltdⁿⁱ, Reference - Trusted Communications With Child Processes - Microsoft Technology Licensing LLCⁿⁱ, Reference - USB filter for hub malicious code prevention systemⁿⁱ, Reference - Use of an application controller to monitor and control software file and application environments - Sophos Ltdⁿⁱ, Reference - Virtualized process isolation - Advanced Micro Devices Incⁿⁱ

Path Interception by PATH Environment Variable^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.007

has super-classes: Hijack Execution Flow^c; creates^op some Executable File^c
is also defined as: named individual

Path Interception by Search Order Hijacking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.008

has super-classes: Hijack Execution Flow^c; creates^op some Executable File^c
is also defined as: named individual

Path Interception by Unquoted Path^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.009

has super-classes: Hijack Execution Flow^c; creates^op some Executable File^c
is also defined as: named individual

Per Host Download-Upload Ratio Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PerHostDownload-UploadRatioAnalysis

has super-classes: Network Traffic Analysis^c; analyzes^op some Network Traffic^c
is also defined as: named individual

Peripheral Device Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1120

has super-classes: Discovery Technique^c

Peripheral Firmware^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PeripheralFirmware

has super-classes: Firmware^c
has sub-classes: Graphics Card Firmware^c, Hard Disk Firmware^c, Human Input Device Firmware^c, Network Card Firmware^c, Peripheral Hub Firmware^c
is also defined as: named individual

Peripheral Firmware Verification^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PeripheralFirmwareVerification

has super-classes: Firmware Verification^c; verifies^op some Peripheral Firmware^c
is also defined as: named individual

Peripheral Hub Firmware^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PeripheralHubFirmware

Firmware that is installed on peripheral hub device such as a USB or Firewire hub.

has super-classes: Peripheral Firmware^c

Permission Groups Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1069

has super-classes: Discovery Technique^c

Persistence^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Persistence

has super-classes: Offensive Tactic^c
is also defined as: named individual

Persistence Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PersistenceTechnique

has super-classes: Offensive Technique^c; enables^op some Persistence^c
has sub-classes: Account Manipulation^c, BITS Jobs^c, Boot or Logon Autostart Execution^c, Boot or Logon Initialization Scripts^c, Browser Extensions^c, Compromise Client Software Binary^c, Create Account^c, Create or Modify System Process^c, Event Triggered Execution^c, External Remote Services^c, Hijack Execution Flow^c, Implant Container Image^c, Office Application Startup^c, Pre-OS Boot^c, Scheduled Task/Job Execution^c, Server Software Component^c, Traffic Signaling^c, Valid Accounts^c
is also defined as: named individual

Person^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Person

has super-classes: Agent^c; name^dp some string

Personal Computer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PersonalComputer

is defined by: http://dbpedia.org/resource/Personal_computer

A personal computer (PC) is a multi-purpose computer whose size, capabilities, and price make it feasible for individual use. Personal computers are intended to be operated directly by an end user, rather than by a computer expert or technician. Unlike large, costly minicomputers and mainframes, time-sharing by many people at the same time is not used with personal computers. PCs have in practice become powerful enough that they may be shared by multiple users at any given time, though this is not common practice nor the primary purpose of a PC.

has super-classes: Client Computer^c
has sub-classes: Desktop Computer^c, IP Phone^c, Laptop Computer^c, Mobile Phone^c, Tablet Computer^c

Phishing^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1566

has super-classes: Initial Access Technique^c
has sub-classes: Spearphishing Attachment^c, Spearphishing Link^c, Spearphishing Via Service^c

Physical Artifact^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PhysicalArtifact

has super-classes: Artifact^c; Physical Object^c
has sub-classes: Hardware Device^c

Physical Location^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PhysicalLocation

has super-classes: Digital Artifact^c
is also defined as: named individual

Physical Object^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PhysicalObject

has super-classes: D3FEND Thing^c; has-location^op some Physical Location^c
has sub-classes: Physical Artifact^c

Pipe^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Pipe

is defined by: http://www.linfo.org/pipe.html

In Unix-like computer operating systems, a pipeline is a mechanism for inter-process communication using message passing. In the strictest sense, a pipe is a single segment of a pipeline, allowing one process to pass information forward to another. Network pipes allow processes on different hosts to interact.

has super-classes: Interprocess Communication^c

Platform^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Platform

has super-classes: Digital Artifact^c; contains^op some Firmware^c; contains^op some Hardware Device^c; contains^op some Operating System^c
is also defined as: named individual

Platform Hardening^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PlatformHardening

has super-classes: Defensive Technique^c; enables^op some Harden^c
has sub-classes: Bootloader Authentication^c, Disk Encryption^c, Driver Load Integrity Checking^c, File Encryption^c, Local File Permissions^c, RF Shielding^c, Software Update^c, System Configuration Permissions^c, TPM Boot Integrity^c
has members: Bootloader Authenticationⁿⁱ, Disk Encryptionⁿⁱ, Driver Load Integrity Checkingⁿⁱ, Executable Allowlistingⁿⁱ, File Encryptionⁿⁱ, Local File Permissionsⁿⁱ, RF Shieldingⁿⁱ, Software Updateⁿⁱ, System Configuration Permissionsⁿⁱ, TPM Boot Integrityⁿⁱ
is also defined as: named individual

Platform Monitoring^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PlatformMonitoring

has super-classes: Defensive Technique^c; enables^op some Detect^c
has sub-classes: Firmware Behavior Analysis^c, Firmware Embedded Monitoring Code^c, Firmware Verification^c, Operating System Monitoring^c
has members: Firmware Behavior Analysisⁿⁱ, Firmware Embedded Monitoring Codeⁿⁱ, Firmware Verificationⁿⁱ, Operating System Monitoringⁿⁱ
is also defined as: named individual

Plist Modification^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.011

has super-classes: Boot or Logon Autostart Execution^c; modifies^op some Application Configuration File^c
is also defined as: named individual

Pluggable Authentication Modules^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1556.003

has super-classes: Modify Authentication Process^c; may-modify^op some Operating System Configuration File^c; may-modify^op some Operating System Shared Library File^c
is also defined as: named individual

Pointer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Pointer

has super-classes: Digital Artifact^c
has sub-classes: Saved Instruction Pointer^c
is also defined as: named individual

Pointer Authentication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PointerAuthentication

has super-classes: Application Hardening^c; authenticates^op some Pointer^c
is also defined as: named individual

Policy^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Policy

has super-classes: Document^c
has sub-classes: Guidance^c

Policy Reference^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PolicyReference

has super-classes: Technique Reference^c
has sub-classes: Guideline Reference^c

Port Knocking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1205.001

has super-classes: Traffic Signaling^c; produces^op some Network Traffic^c
is also defined as: named individual

Port Monitors^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.010

has super-classes: Boot or Logon Autostart Execution^c; modifies^op some System Configuration Database Record^c
is also defined as: named individual

Portable Executable Injection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.002

has super-classes: Process Injection^c; may-add^op some Object File^c
is also defined as: named individual

Portfolio Assessment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PortfolioAssessment

has super-classes: Assessment^c; has-evidence^op some Capability Assessment^c

POSIX Symbolic Link^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#POSIXSymbolicLink

is defined by: http://dbpedia.org/resource/Symbolic_link

A POSIX-compliant symbolic link. These are often fast symbolic links, but need not be.

has super-classes: Symbolic Link^c; Unix Link^c

PowerShell Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1059.001

has super-classes: Command and Scripting Interpreter Execution^c

PowerShell Profile^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.013

has super-classes: Event Triggered Execution^c; modifies^op some PowerShell Profile Script^c
is also defined as: named individual

PowerShell Profile Script^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PowerShellProfileScript

has super-classes: User Init Script^c
is also defined as: named individual

Pre-OS Boot^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1542

has super-classes: Defense Evasion Technique^c; Persistence Technique^c
has sub-classes: Bootkit^c, Component Firmware^c, System Firmware^c

Print Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PrintServer

is defined by: http://dbpedia.org/resource/Print_server

A print server, or printer server, is a device that connects printers to client computers over a network. It accepts print jobs from the computers and sends the jobs to the appropriate printers, queuing the jobs locally to accommodate the fact that work may arrive more quickly than the printer can actually handle.

has super-classes: Server^c

Private Key^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PrivateKey

has super-classes: Asymmetric Key^c
is also defined as: named individual

Private Keys^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1552.004

has super-classes: Unsecured Credentials^c; accesses^op some Private Key^c
is also defined as: named individual

Privilege Escalation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PrivilegeEscalation

has super-classes: Offensive Tactic^c
is also defined as: named individual

Privilege Escalation Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PrivilegeEscalationTechnique

has super-classes: Offensive Technique^c; enables^op some Privilege Escalation^c
has sub-classes: Abuse Elevation Control Mechanism^c, Access Token Manipulation^c, Boot or Logon Autostart Execution^c, Boot or Logon Initialization Scripts^c, Create Account^c, Create or Modify System Process^c, Event Triggered Execution^c, Exploitation for Privilege Escalation^c, Group Policy Modification^c, Hijack Execution Flow^c, Process Injection^c, Scheduled Task/Job Execution^c, Valid Accounts^c
is also defined as: named individual

Privileged User Account^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PrivilegedUserAccount

is defined by: https://www.ssh.com/iam/user/privileged-account

A privileged account is a user account that has more privileges than ordinary users. Privileged accounts might, for example, be able to install or remove software, upgrade the operating system, or modify system or application configurations. They might also have access to files that are not normally accessible to standard users. Typical examples are root and administrator accounts. But there also service accounts, system accounts, etc. Privileged accounts are especially powerful, and should be monitored especially closely.

has super-classes: User Account^c

Proc Filesystem^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003.007

has super-classes: OS Credential Dumping^c; accesses^op some Operating System File^c; accesses^op some Process Image^c
is also defined as: named individual

Proc Memory^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.009

has super-classes: Process Injection^c; accesses^op some Operating System File^c; may-modify^op some Operating System File^c
is also defined as: named individual

procedure^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Procedure

has super-classes: D3FEND Thing^c; implements^op some Technique^c; start^op some step^c
has sub-classes: Use Case Procedure^c
has members: Procedure 1 - T1134.001 Access Token Manipulationⁿⁱ

Process^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Process

has super-classes: Digital Artifact^c; contains^op some Process Image^c; process-image-path^op some Executable Binary^c; process-user^op some User Account^c; process-command-line-arguments^dp some string; process-environmental-variables^dp some string; process-identifier^dp some integer; process-security-context^dp some string
has sub-classes: Child Process^c, Operating System Process^c, Parent Process^c, User Process^c
is in domain of: process-security-context^dp
has members: BSD Processⁿⁱ, Linux Processⁿⁱ, Windows Processⁿⁱ, iOS Processⁿⁱ, macOS Processⁿⁱ
is also defined as: named individual

Process Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessAnalysis

has super-classes: Defensive Technique^c; enables^op some Detect^c
has sub-classes: Database Query String Analysis^c, File Access Pattern Analysis^c, Indirect Branch Call Analysis^c, Process Code Segment Verification^c, Process Self-Modification Detection^c, Process Spawn Analysis^c, Script Execution Analysis^c, Shadow Stack Comparisons^c, System Call Analysis^c
has members: Database Query String Analysisⁿⁱ, File Access Pattern Analysisⁿⁱ, Indirect Branch Call Analysisⁿⁱ, Process Code Segment Verificationⁿⁱ, Process Self-Modification Detectionⁿⁱ, Process Spawn Analysisⁿⁱ, Script Execution Analysisⁿⁱ, Shadow Stack Comparisonsⁿⁱ, System Call Analysisⁿⁱ
is also defined as: named individual

Process Code Segment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessCodeSegment

has super-classes: Process Segment^c; contains^op some Subroutine^c
has members: AMD64 Code Segmentⁿⁱ, ARM32 Code Segmentⁿⁱ, X86 Code Segmentⁿⁱ
is also defined as: named individual

Process Code Segment Verification^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessCodeSegmentVerification

has super-classes: Process Analysis^c; verifies^op some Process Code Segment^c
is also defined as: named individual

Process Data Segment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessDataSegment

A process data segment, is a portion of the program's virtual address space that contains executable instructions and corresponds to the loaded image data segment.

has super-classes: Process Segment^c

Process Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1057

has super-classes: Discovery Technique^c

Process Doppelgänging^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.013

has super-classes: Process Injection^c; invokes^op some Create Process^c
is also defined as: named individual

Process Environment Variable^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessEnvironmentVariable

has super-classes: Application Configuration^c
is also defined as: named individual

Process Eviction^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessEviction

has super-classes: Defensive Technique^c; enables^op some Evict^c
has sub-classes: Process Termination^c
has members: Process Terminationⁿⁱ
is also defined as: named individual

Process Hollowing^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.012

has super-classes: Process Injection^c; modifies^op some Process Code Segment^c
is also defined as: named individual

Process Image^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessImage

has super-classes: Digital Artifact^c; contains^op some Process Segment^c
is also defined as: named individual

Process Injection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055

has super-classes: Defense Evasion Technique^c; Privilege Escalation Technique^c
has sub-classes: Asynchronous Procedure Call^c, Dynamic-link Library Injection^c, Extra Window Memory Injection^c, Portable Executable Injection^c, Proc Memory^c, Process Doppelgänging^c, Process Hollowing^c, Ptrace System Calls^c, Thread Execution Hijacking^c, Thread Local Storage^c, VDSO Hijacking^c

Process Lineage Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessLineageAnalysis

has super-classes: Process Spawn Analysis^c; analyzes^op some Process^c; analyzes^op some Process Tree^c
is also defined as: named individual

Process Segment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessSegment

has super-classes: Binary Segment^c
has sub-classes: Heap Segment^c, Process Code Segment^c, Process Data Segment^c, Stack Segment^c
is also defined as: named individual

Process Segment Execution Prevention^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessSegmentExecutionPrevention

has super-classes: Application Hardening^c; neutralizes^op some Process Segment^c
is also defined as: named individual

Process Self-Modification Detection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessSelf-ModificationDetection

has super-classes: Process Analysis^c; analyzes^op some Process^c
is also defined as: named individual

Process Spawn Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessSpawnAnalysis

has super-classes: Process Analysis^c; analyzes^op some Create Process^c; analyzes^op some Process^c
has sub-classes: Process Lineage Analysis^c
has members: Process Lineage Analysisⁿⁱ
is also defined as: named individual

Process Termination^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessTermination

has super-classes: Process Eviction^c; terminates^op some Process^c
is also defined as: named individual

Process Tree^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessTree

has super-classes: Digital Artifact^c; contains^op some Process^c
is also defined as: named individual

Product^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Product

has super-classes: Capability Implementation^c
has sub-classes: Appliance^c, Software Product^c

Product Developer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProductDeveloper

has super-classes: Provider^c; produces^op some Product^c
has sub-classes: Open-source Developer^c

Property List File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PropertyListFile

has super-classes: Configuration File^c
is also defined as: named individual

Proposition^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Proposition

is defined by: http://semanticscience.org/resource/SIO_000256

has super-classes: D3FEND Catalog Thing^c
has sub-classes: Statement^c

Proprietary License^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProprietaryLicense

has super-classes: License^c

Protocol Impersonation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1001.003

has super-classes: Data Obfuscation^c

Protocol Metadata Anomaly Detection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProtocolMetadataAnomalyDetection

has super-classes: Network Traffic Analysis^c; analyzes^op some Network Traffic^c
is also defined as: named individual

Protocol Tunneling^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1572

has super-classes: Command and Control Technique^c; produces^op some Outbound Internet Network Traffic^c
is also defined as: named individual

Provider^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Provider

has super-classes: Organization^c; produces^op some Capability Implementation^c
has sub-classes: Product Developer^c, Service Provider^c, Vendor^c

Proxy^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1090

has super-classes: Command and Control Technique^c
has sub-classes: Domain Fronting^c, External Proxy^c, Internal Proxy^c, Multi-hop Proxy^c

Proxy Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProxyServer

is defined by: http://dbpedia.org/resource/Proxy_server

In computer networking, a proxy server is a server application or appliance that acts as an intermediary for requests from clients seeking resources from servers that provide those resources. A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server.

has super-classes: Network Node^c; Server^c
has sub-classes: Forward Proxy Server^c, Reverse Proxy Server^c

Ptrace System Calls^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.008

has super-classes: Process Injection^c; invokes^op some System Call^c
is also defined as: named individual

Public Key^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PublicKey

has super-classes: Asymmetric Key^c
is also defined as: named individual

PubPrn Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1216.001

has super-classes: Signed Script Proxy Execution^c

Python Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1059.006

has super-classes: Command and Scripting Interpreter Execution^c

Query Registry^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1012

has super-classes: Discovery Technique^c

Radio Modem^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RadioModem

is defined by: http://dbpedia.org/resource/Modem#Radio

A radio modem provides the means to send digital data wirelessly. Radio modems are used to communicate by direct broadcast satellite, WiFi, WiMax, mobile phones, GPS, Bluetooth and NFC. Modern telecommunications and data networks also make extensive use of radio modems where long distance data links are required. Such systems are an important part of the PSTN, and are also in common use for high-speed computer network links to outlying areas where fiber optic is not economical.

has super-classes: Modem^c

Rc.common^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1037.004

has super-classes: Boot or Logon Initialization Scripts^c; modifies^op some System Init Script^c
is also defined as: named individual

RDP Hijacking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1563.002

has super-classes: Remote Service Session Hijacking^c; accesses^op some RDP Session^c
is also defined as: named individual

RDP Session^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RDPSession

has super-classes: Remote Session^c
is also defined as: named individual

Re-opened Applications^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.007

has super-classes: Boot or Logon Autostart Execution^c; modifies^op some Application Configuration File^c
is also defined as: named individual

Read File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ReadFile

has super-classes: System Call^c
is also defined as: named individual

Record^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Record

is defined by: http://dbpedia.org/resource/Record_(computer_science)

In computer science, a record (also called struct or compound data) is a basic data structure. A record is a collection of fields, possibly of different data types, typically in fixed number and sequence . The fields of a record may also be called members, particularly in object-oriented programming. Fields may also be called elements, though these risk confusion with the elements of a collection. A tuple may or may not be considered a record, and vice versa, depending on conventions and the specific programming language.

has super-classes: Digital Artifact^c
has sub-classes: Application Configuration Database Record^c, Boot Record^c, DNS Record^c, System Configuration Database Record^c, System Utilization Record^c

Reference^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference

has super-classes: D3FEND Thing^c
is in domain of: d3fend-kb-reference-annotation, kb-abstract, kb-author, kb-mitre-analysis, kb-reference-of^op, kb-reference-title^dp

Reference Type^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ReferenceType

has super-classes: D3FEND Thing^c
has members: Bookⁿⁱ, Internet Articleⁿⁱ, Marketing Materialⁿⁱ, Patentⁿⁱ, Source Codeⁿⁱ, User Manualⁿⁱ

Reflection Amplification^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1498.002

has super-classes: Network Denial of Service^c; produces^op some Inbound Internet Network Traffic^c
is also defined as: named individual

Reflective Code Loading^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1620

has super-classes: Defense Evasion Technique^c; modifies^op some Process Segment^c
is also defined as: named individual

Registry Run Keys / Startup Folder^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.001

has super-classes: Boot or Logon Autostart Execution^c; may-modify^op some System Configuration Init Database Record^c; may-modify^op some User Startup Script File^c
is also defined as: named individual

Regsvcs/Regasm Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.009

has super-classes: Signed Binary Proxy Execution^c

Regsvr32 Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.010

has super-classes: Signed Binary Proxy Execution^c

Relay Pattern Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RelayPatternAnalysis

has super-classes: Network Traffic Analysis^c; analyzes^op some Outbound Internet Network Traffic^c
is also defined as: named individual

Remote Access Software^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1219

has super-classes: Command and Control Technique^c; produces^op some Outbound Internet Network Traffic^c
is also defined as: named individual

Remote Authentication Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemoteAuthenticationService

A remote authentication service provides for the authentication of a user across a network (i.e., remotely).

has super-classes: Authentication Service^c

Remote Authorization Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemoteAuthorizationService

A remote authorization service provides for the authorization of a user across a network (i.e., remotely).

has super-classes: Authorization Service^c

Remote Command^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemoteCommand

A remote command is a command sent from one computer to another to be executed on the remote computer. One example of this, is through a command-line interface (CLI) like using Invoke-Command from PowerShell or a command sent through an ssh session. This class generalizes to all means of sending a command through an established protocol to control capabilities on a remote computer.

has super-classes: Command^c; Network Session^c
has sub-classes: Remote Database Query^c, Remote Procedure Call^c

Remote Data Staging^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1074.002

has super-classes: Data Staged^c; modifies^op some Network Resource^c
is also defined as: named individual

Remote Database Query^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemoteDatabaseQuery

A remote query session enabling a user to make an SQL, SPARQL, or similar query over the network from one host to another.

has super-classes: Database Query^c; Remote Command^c

Remote Desktop Protocol^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1021.001

has super-classes: Remote Services^c; creates^op some RDP Session^c; produces^op some Administrative Network Traffic^c
is also defined as: named individual

Remote Email Collection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1114.002

has super-classes: Email Collection^c; accesses^op some Mail Server^c
is also defined as: named individual

Remote Procedure Call^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemoteProcedureCall

is defined by: http://dbpedia.org/resource/Remote_procedure_call

In distributed computing a remote procedure call (RPC) is when a computer program causes a procedure (subroutine) to execute in another address space (commonly on another computer on a shared network), which is coded as if it were a normal (local) procedure call, without the programmer explicitly coding the details for the remote interaction. That is, the programmer writes essentially the same code whether the subroutine is local to the executing program, or remote. This is a form of client-server interaction (caller is client, executor is server), typically implemented via a request-response message-passing system. The object-oriented programming analog is remote method invocation (RMI). The RPC model implies a level of location transparency.

has super-classes: Remote Command^c

Remote Resource^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemoteResource

In computing, a remote resource is a computer resource made available from one host to other hosts on a computer network. It is a device or piece of information on a computer that can be remotely accessed from another computer, typically via a local area network or an enterprise intranet.

has super-classes: Resource^c
has sub-classes: Network Resource^c

Remote Service Session Hijacking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1563

has super-classes: Lateral Movement Technique^c; accesses^op some Remote Session^c; produces^op some Administrative Network Traffic^c
has sub-classes: RDP Hijacking^c, SSH Hijacking^c
is also defined as: named individual

Remote Services^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1021

has super-classes: Lateral Movement Technique^c; produces^op some Intranet Network Traffic^c
has sub-classes: Distributed Component Object Model^c, Remote Desktop Protocol^c, SMB/Windows Admin Shares^c, SSH^c, VNC^c, Windows Remote Management^c
is also defined as: named individual

Remote Session^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemoteSession

has super-classes: Login Session^c
has sub-classes: RDP Session^c, SSH Session^c
is also defined as: named individual

Remote System Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1018

has super-classes: Discovery Technique^c

Remote Terminal Session^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemoteTerminalSession

A remote terminal session is a session that provides a user access from one host to another host via a terminal.

has super-classes: Network Session^c

Remote Terminal Session Detection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemoteTerminalSessionDetection

has super-classes: Network Traffic Analysis^c; analyzes^op some Network Traffic^c
is also defined as: named individual

Removable Media Device^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemovableMediaDevice

has super-classes: Hardware Device^c
is also defined as: named individual

Rename System Utilities^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1036.003

has super-classes: Masquerading^c; may-create^op some Executable File^c; may-modify^op some Operating System Executable File^c
is also defined as: named individual

Replication Through Removable Media^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1091

has super-classes: Initial Access Technique^c; Lateral Movement Technique^c; executes^op some Removable Media Device^c
is also defined as: named individual

Resource^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Resource

has super-classes: Digital Artifact^c
has sub-classes: Configuration Bearing Entity^c, File^c, Local Resource^c, Remote Resource^c
is in domain of: addressed-by^op
is in range of: addresses^op
is also defined as: named individual

Resource Access^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ResourceAccess

has super-classes: Digital Event^c; User Action^c
has sub-classes: Local Resource Access^c, Network Resource Access^c
is also defined as: named individual

Resource Access Pattern Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ResourceAccessPatternAnalysis

has super-classes: User Behavior Analysis^c; analyzes^op some Authentication^c; analyzes^op some Authorization^c
is also defined as: named individual

Resource Fork^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ResourceFork

has super-classes: File Section^c
is also defined as: named individual

Resource Forking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.009

has super-classes: Hide Artifacts^c; may-create^op some Resource Fork^c; may-modify^op some Resource Fork^c
is also defined as: named individual

Resource Hijacking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1496

has super-classes: Impact Technique^c

Reverse Proxy Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ReverseProxyServer

is defined by: http://dbpedia.org/resource/Reverse_proxy

In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the proxy server itself. Unlike a forward proxy, which is an intermediary for its associated clients to contact any server, a reverse proxy is an intermediary for its associated servers to be contacted by any client. In other words, a proxy acts on behalf of the client(s), while a reverse proxy acts on behalf of the server(s); a reverse proxy is usually an internal-facing proxy used as a 'front-end' to control and protect access to a server on a private network.

has super-classes: Proxy Server^c

Reverse Resolution Domain Denylisting^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ReverseResolutionDomainDenylisting

has super-classes: DNS Denylisting^c; blocks^op some Inbound Internet DNS Response Traffic^c
is also defined as: named individual

Reverse Resolution IP Denylisting^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ReverseResolutionIPDenylisting

has super-classes: DNS Denylisting^c; blocks^op some Outbound Internet DNS Lookup Traffic^c
is also defined as: named individual

RF Shielding^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RFShielding

has super-classes: Platform Hardening^c
is also defined as: named individual

Right-to-Left Override^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1036.002

has super-classes: Masquerading^c; modifies^op some File System Metadata^c
is also defined as: named individual

Rogue Domain Controller^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1207

has super-classes: Defense Evasion Technique^c; modifies^op some System Configuration Database^c; produces^op some Intranet Administrative Network Traffic^c
is also defined as: named individual

Rootkit^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1014

has super-classes: Defense Evasion Technique^c; may-modify^op some Boot Sector^c; may-modify^op some Firmware^c; may-modify^op some Kernel^c; may-modify^op some Kernel Module^c; may-modify^op some Shared Library File^c
is also defined as: named individual

Router^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Router

is defined by: http://dbpedia.org/resource/Router_(computing)

A router is a networking device that forwards data packets between computer networks. Routers perform the traffic directing functions on the Internet. Data sent through the internet, such as a web page or email, is in the form of data packets. A packet is typically forwarded from one router to another router through the networks that constitute an internetwork (e.g. the Internet) until it reaches its destination node.

has super-classes: Network Node^c
has sub-classes: Wireless Router^c

RPC Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RPCNetworkTraffic

has super-classes: Network Traffic^c
has sub-classes: Intranet RPC Network Traffic^c, Outbound Internet RPC Traffic^c
is also defined as: named individual

RPC Traffic Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RPCTrafficAnalysis

has super-classes: Network Traffic Analysis^c; analyzes^op some RPC Network Traffic^c
is also defined as: named individual

Run Virtual Instance^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.006

has super-classes: Hide Artifacts^c; creates^op some File^c; executes^op some Virtualization Software^c; may-add^op some Virtualization Software^c; may-create^op some Directory^c
is also defined as: named individual

Rundll32 Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.011

has super-classes: Signed Binary Proxy Execution^c; invokes^op some Create Process^c; loads^op some Shared Library File^c
is also defined as: named individual

Runtime Data Manipulation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1565.003

has super-classes: Data Manipulation^c; may-modify^op some Executable File^c
is also defined as: named individual

Safe Mode Boot^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1562.009

has super-classes: Impair Defenses^c; disables^op some Endpoint Sensor^c; disables^op some System Configuration Init Database Record^c; may-modify^op some Endpoint Health Beacon^c
is also defined as: named individual

Saved Instruction Pointer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SavedInstructionPointer

A saved instruction pointer points to the instruction that generated an exception (trap or fault).

has super-classes: Pointer^c; Stack Component^c

Scan^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Scan

has super-classes: Defensive Tactic^c
is also defined as: named individual

Scheduled Job Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ScheduledJobAnalysis

has super-classes: Operating System Monitoring^c; analyzes^op some Task Schedule^c
is also defined as: named individual

Scheduled Task/Job Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1053

has super-classes: Execution Technique^c; Persistence Technique^c; Privilege Escalation Technique^c; invokes^op some Create Process^c; modifies^op some Task Schedule^c
has sub-classes: At (Linux) Execution^c, At (Windows) Execution^c, Cron Execution^c, Launchd^c, Schtasks Execution^c
is also defined as: named individual

Scheduled Transfer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1029

has super-classes: Exfiltration Technique^c; produces^op some Internet Network Traffic^c
is also defined as: named individual

Schtasks Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1053.005

Renamed from ATT&CK to be consistent with at, launchd, cron siblings; name as is looks like parent. Not sure why parent is not just Scheduled Task [Execution[.

has super-classes: Scheduled Task/Job Execution^c

Screen Capture^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1113

has super-classes: Collection Technique^c; accesses^op some Display Server^c
is also defined as: named individual

Screensaver^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.002

has super-classes: Event Triggered Execution^c; creates^op some Executable File^c; modifies^op some System Configuration Database Record^c
is also defined as: named individual

Script Application Process^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ScriptApplicationProcess

has super-classes: Application Process^c; interprets^op some Executable Script^c
is also defined as: named individual

Script Execution Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ScriptExecutionAnalysis

has super-classes: Process Analysis^c; analyzes^op some Script Application Process^c
is also defined as: named individual

Second-stage Boot Loader^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Second-stageBootLoader

An optional, often feature rich, second stage set of routines run in order to load the operating system.

has super-classes: Boot Loader^c

Security Account Manager^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003.002

has super-classes: OS Credential Dumping^c; may-access^op some Authentication Service^c; may-access^op some Process^c; may-access^op some System Password Database^c
is also defined as: named individual

Security Software Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1518.001

has super-classes: Software Discovery^c; may-access^op some File System Metadata^c; may-access^op some Kernel Process Table^c; may-access^op some System Configuration Database Record^c; may-access^op some System Firewall Configuration^c
is also defined as: named individual

Security Support Provider^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.005

has super-classes: Boot or Logon Autostart Execution^c; modifies^op some System Configuration Database Record^c
is also defined as: named individual

Security Token^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SecurityToken

has super-classes: Hardware Device^c; contains^op some Access Token^c
is also defined as: named individual

Securityd Memory^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1555.002

has super-classes: Credentials from Password Stores^c; accesses^op some In-memory Password Store^c
is also defined as: named individual

Segment Address Offset Randomization^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SegmentAddressOffsetRandomization

has super-classes: Application Hardening^c; obfuscates^op some Process Segment^c
is also defined as: named individual

Sender MTA Reputation Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SenderMTAReputationAnalysis

has super-classes: Message Analysis^c; analyzes^op some Email^c
is also defined as: named individual

Sender Reputation Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SenderReputationAnalysis

has super-classes: Message Analysis^c; analyzes^op some Email^c
is also defined as: named individual

Sensor^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Sensor

has super-classes: D3FEND Thing^c
has sub-classes: Cloud Service Sensor^c, Endpoint Sensor^c, Network Sensor^c

Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Server

is defined by: http://dbpedia.org/resource/Server_(computing)

In computing, a server is a piece of computer hardware or software (computer program) that provides functionality for other programs or devices, called "clients". This architecture is called the client-server model. Servers can provide various functionalities, often called "services", such as sharing data or resources among multiple clients, or performing computation for a client. A single server can serve multiple clients, and a single client can use multiple servers. A client process may run on the same device or may connect over a network to a server on a different device. Typical servers are database servers, file servers, mail servers, print servers, web servers, game servers, and application servers.

has super-classes: Host^c; Network Resource^c
has sub-classes: Authentication Server^c, Computing Server^c, DNS Server^c, Database Server^c, File Server^c, Mail Server^c, Media Server^c, Orchestration Server^c, Print Server^c, Proxy Server^c, VPN Server^c, Web Server^c

Server Software Component^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1505

has super-classes: Persistence Technique^c
has sub-classes: IIS Components^c, SQL Stored Procedures^c, Transport Agent^c, Web Shell^c

Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Service

has super-classes: Capability Implementation^c
has sub-classes: Software Service^c

Service Application^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ServiceApplication

has super-classes: Application^c
has sub-classes: Authentication Service^c, Authorization Service^c, Container Orchestration Software^c, Container Runtime^c, Credential Management System^c, Message Transfer Agent^c, Software Deployment Tool^c, Virtualization Software^c, Web Server Application^c
is also defined as: named individual

Service Binary Verification^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ServiceBinaryVerification

has super-classes: System File Analysis^c; verifies^op some Service Application^c
is also defined as: named individual

Service Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1569.002

has super-classes: System Services^c

Service Exhaustion Flood^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1499.002

has super-classes: Network Denial of Service^c; produces^op some Inbound Internet Network Traffic^c
is also defined as: named individual

Service Provider^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ServiceProvider

has super-classes: Provider^c; provides^op some Service^c

Service Stop^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1489

has super-classes: Impact Technique^c

Services File Permissions Weakness^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.010

has super-classes: Hijack Execution Flow^c; modifies^op some Service Application^c
is also defined as: named individual

Services Registry Permissions Weakness^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.011

has super-classes: Hijack Execution Flow^c; modifies^op some System Configuration Init Database Record^c
is also defined as: named individual

Session^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Session

is defined by: http://dbpedia.org/resource/Session_(computer_science)

In computer science, in particular networking, a session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user (see Login session). A session is set up or established at a certain point in time, and then torn down at some later point. An established communication session may involve more than one message in each direction. A session is typically, but not always, stateful, meaning that at least one of the communicating parts needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses.

has super-classes: Digital Artifact^c
has sub-classes: Login Session^c

Session Cookie^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SessionCookie

has super-classes: Credential^c
is also defined as: named individual

Session Duration Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SessionDurationAnalysis

has super-classes: User Behavior Analysis^c; analyzes^op some Authentication^c; analyzes^op some Authorization^c
is also defined as: named individual

Setuid and Setgid^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1548.001

has super-classes: Abuse Elevation Control Mechanism^c; modifies^op some Access Control Configuration^c
is also defined as: named individual

Shadow Stack Comparisons^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ShadowStackComparisons

has super-classes: Process Analysis^c; analyzes^op some Stack Frame^c
is also defined as: named individual

Shared Computer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SharedComputer

A computer whose resources are intended to be shared widely.

has super-classes: Client Computer^c
has sub-classes: Kiosk Computer^c, Network Printer^c, Operations Center Computer^c, Thin Client Computer^c

Shared Library File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SharedLibraryFile

has super-classes: Object File^c
has sub-classes: Operating System Shared Library File^c
is also defined as: named individual

Shared Modules Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1129

has super-classes: Execution Technique^c

Sharepoint^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1213.002

has super-classes: Data from Information Repositories^c; accesses^op some Web File Resource^c
is also defined as: named individual

Shim^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Shim

has super-classes: Software^c
has sub-classes: Application Shim^c
is also defined as: named individual

Shim Database^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ShimDatabase

has super-classes: Application Configuration Database^c
is also defined as: named individual

Shortcut File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ShortcutFile

A shortcut file, or shortcut, is a handle that allows the user to find a file or resource located in a different directory or folder from the place where the shortcut is located. Shortcuts, which are supported by the graphical file browsers of some operating systems, may resemble symbolic links but differ in a number of important ways. One difference is what type of software is able to follow them: - Symbolic links are automatically resolved by the file system. Any software program, upon accessing a symbolic link, will see the target instead, whether the program is aware of symbolic links or not. - Shortcuts are treated like ordinary files by the file system and by software programs that are not aware of them. Only software programs that understand shortcuts (such as the Windows shell and file browsers) treat them as references to other files. Another difference are the capabilities of the mechanism: - Microsoft Windows shortcuts normally refer to a destination by an absolute path (starting from the root directory), whereas POSIX symbolic links can refer to destinations via either an absolute or a relative path. The latter is useful if both the location and destination of the symbolic link share a common path prefix[clarification needed], but that prefix is not yet known when the symbolic link is created (e.g., in an archive file that can be unpacked anywhere). - Microsoft Windows application shortcuts contain additional metadata that can be associated with the destination, whereas POSIX symbolic links are just strings that will be interpreted as absolute or relative pathnames. - Unlike symbolic links, Windows shortcuts maintain their references to their targets even when the target is moved or renamed. Windows domain clients may subscribe to a Windows service called Distributed Link Tracking to track the changes in files and folders to which they are interested. The service maintains the integrity of shortcuts, even when files and folders are moved across the network.[14] Additionally, in Windows 9x and later, Windows shell tries to find the target of a broken shortcut before proposing to delete it.

has super-classes: File^c
has sub-classes: Windows Shortcut File^c

Shortcut Modification^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.009

has super-classes: Boot or Logon Autostart Execution^c; may-modify^op some Symbolic Link^c; may-modify^op some User Startup Script File^c
is also defined as: named individual

SID-History Injection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1134.005

has super-classes: Access Token Manipulation^c; modifies^op some Access Control Configuration^c
is also defined as: named individual

Signed Binary Proxy Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218

has super-classes: Defense Evasion Technique^c; Execution Technique^c
has sub-classes: CMSTP^c, Compiled HTML File^c, Control Panel Execution^c, InstallUtil Execution^c, MMC^c, Mavinject^c, Mshta Execution^c, Msiexec Execution^c, Odbcconf Execution^c, Regsvcs/Regasm Execution^c, Regsvr32 Execution^c, Rundll32 Execution^c

Signed Script Proxy Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1216

has super-classes: Defense Evasion Technique^c; Execution Technique^c
has sub-classes: PubPrn Execution^c

Silver Ticket^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1558.002

has super-classes: Steal or Forge Kerberos Tickets^c

SIP and Trust Provider Hijacking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1553.003

has super-classes: Subvert Trust Controls^c; modifies^op some System Configuration Database Record^c
is also defined as: named individual

Slow Symbolic Link^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SlowSymbolicLink

A slow symbolic link is any symbolic link on a Unix filesystem that is not a fast symbolic link; slow symlink is thus retroactively termed from fast symlink. Slow symbolic links stored the symbolic link information as data in regular files.

has super-classes: Symbolic Link^c; Unix Link^c
has sub-classes: Alias^c
is disjoint with: Fast Symbolic Link^c

SMB/Windows Admin Shares^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1021.002

has super-classes: Remote Services^c

Software^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Software

has super-classes: Digital Artifact^c; contains^op some Executable File^c
has sub-classes: Application^c, Firmware^c, Shim^c, Software Patch^c, Subroutine^c, System Service Software^c, System Software^c, Utility Software^c
is also defined as: named individual

Software Artifact Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SoftwareArtifactServer

A software artifact server provides access to the software artifacts in a software repository. A software repository, or "repo" for short, is a storage location for software packages. Often a table of contents is stored, as well as metadata. Repositories group packages. Sometimes the grouping is for a programming language, such as CPAN for the Perl programming language, sometimes for an entire operating system, sometimes the license of the contents is the criteria. At client side, a package manager helps installing from and updating the repositories.

has super-classes: Artifact Server^c

Software Deployment Tool^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SoftwareDeploymentTool

has super-classes: Service Application^c
is also defined as: named individual

Software Deployment Tools Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1072

has super-classes: Execution Technique^c; Lateral Movement Technique^c; adds^op some File^c; executes^op some Software Deployment Tool^c; installs^op some Software^c
is also defined as: named individual

Software Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1518

has super-classes: Discovery Technique^c
has sub-classes: Security Software Discovery^c

Software Packaging Tool^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SoftwarePackagingTool

A tool that automates the process of packaging either or both binary code and source code for use on one or more target platforms.

has super-classes: Build Tool^c
has sub-classes: Container Build Tool^c, Operating System Packaging Tool^c

Software Packing^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1027.002

has super-classes: Obfuscated Files or Information^c; obfuscates^op some Executable File^c
is also defined as: named individual

Software Patch^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SoftwarePatch

is defined by: http://dbpedia.org/resource/Patch_(computing)

A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bugfixes or bug fixes, and improving the usability or performance. Although meant to fix problems, poorly designed patches can sometimes introduce new problems (see software regressions). In some special cases updates may knowingly break the functionality, for instance, by removing components for which the update provider is no longer licensed or disabling a device.

has super-classes: Software^c

Software Product^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SoftwareProduct

has super-classes: Product^c

Software Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SoftwareService

has super-classes: Service^c

Software Update^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SoftwareUpdate

has super-classes: Platform Hardening^c; updates^op some Software^c
is also defined as: named individual

Source Code^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SourceCode

has super-classes: Information Content Entity^c
is also defined as: named individual

Source Code Analyzer Tool^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SourceCodeAnalyzerTool

A source code analyzer tool is a static analysis tool that operates specifically on source code, but not object code.

has super-classes: Static Analysis Tool^c

Source Code Reference^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SourceCodeReference

has super-classes: Technique Reference^c
has members: Reference - Muninⁿⁱ

Space after Filename^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1036.006

has super-classes: Masquerading^c; creates^op some File^c
is also defined as: named individual

Spearphishing Attachment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1566.001

has super-classes: Phishing^c; produces^op some Email^c; produces^op some Inbound Internet Mail Traffic^c
is also defined as: named individual

Spearphishing Link^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1566.002

has super-classes: Phishing^c; produces^op some Email^c; produces^op some Inbound Internet Mail Traffic^c; produces^op some URL^c
is also defined as: named individual

Spearphishing Via Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1566.003

has super-classes: Phishing^c; produces^op some File^c; produces^op some URL^c
is also defined as: named individual

Specification^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Specification

has super-classes: Document^c

Specification Reference^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SpecificationReference

has super-classes: Technique Reference^c
has members: LUKS1 On-Disk Format SpecificationVersion 1.2.3ⁿⁱ, Reference - DNS Whitelist (DNSWL) Email Authentication Method Extensionⁿⁱ, Reference - Pointer Authentication on ARMv8.3ⁿⁱ, Reference - RFC 2289 - A One-Time Password Systemⁿⁱ, Reference - RFC 6376: DomainKeys Identified Mail (DKIM) Signatures - IETFⁿⁱ, Reference - RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email - IETFⁿⁱ, Reference - RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC) - IETFⁿⁱ, Reference - Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1ⁿⁱ, Reference - Security Architecture for the Internet Protocolⁿⁱ, Reference - TPM 2.0 Library Specification - Trusted Computing Group, Incorporatedⁿⁱ, Reference - Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilitiesⁿⁱ, Reference - UEFI Platform Initialization (PI) Specificationⁿⁱ, TCG Trusted Attestation Protocol Use Cases for TPM Families 1.2 and 2.0 and DICEⁿⁱ, Trusted Attestation Protocol Use Casesⁿⁱ, Web Authentication: An API for accessing Public Key Credentials Level 2ⁿⁱ

SQL Stored Procedures^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1505.001

has super-classes: Server Software Component^c; creates^op some Stored Procedure^c; invokes^op some Create Process^c
is also defined as: named individual

SSH^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1021.004

has super-classes: Remote Services^c; creates^op some SSH Session^c; produces^op some Administrative Network Traffic^c
is also defined as: named individual

SSH Authorized Keys^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1098.004

has super-classes: Account Manipulation^c

SSH Hijacking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1563.001

has super-classes: Remote Service Session Hijacking^c; accesses^op some SSH Session^c
is also defined as: named individual

SSH Session^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SSHSession

has super-classes: Remote Session^c
is also defined as: named individual

Stack Component^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StackComponent

A stack component is any component of a call stack used for stack-based memory allocation in a running process. Examples include saved instruction pointers, stack frames, and stack frame canaries.

has super-classes: Digital Artifact^c
has sub-classes: Saved Instruction Pointer^c, Stack Frame^c, Stack Frame Canary^c

Stack Frame^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StackFrame

has super-classes: Stack Component^c; may-contain^op some Pointer^c; may-contain^op some Stack Frame Canary^c
is also defined as: named individual

Stack Frame Canary^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StackFrameCanary

has super-classes: Stack Component^c
is also defined as: named individual

Stack Frame Canary Validation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StackFrameCanaryValidation

has super-classes: Application Hardening^c; validates^op some Stack Frame^c
has members: GNU GCC StackGuardⁿⁱ, Microsoft VCCLCompilerTool BufferSecurityCheckⁿⁱ
is also defined as: named individual

Stack Segment^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StackSegment

has super-classes: Process Segment^c; contains^op some Stack Frame^c
is also defined as: named individual

Standalone Honeynet^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StandaloneHoneynet

has super-classes: Decoy Environment^c; spoofs^op some Intranet Network^c
is also defined as: named individual

Standard Encoding^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1132.001

has super-classes: Data Encoding^c

Startup Directory^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StartupDirectory

A startup directory is a directory containing executable files or links to executable files which are run when a user logs in or when a system component or service is started.

has super-classes: Directory^c; Local Resource^c

Startup Items^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1037.005

has super-classes: Boot or Logon Initialization Scripts^c; modifies^op some System Startup Directory^c
is also defined as: named individual

Statement^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Statement

is defined by: http://semanticscience.org/resource/SIO_001183

A statement is a proposition that is either (a) a meaningful declarative sentence that is either true or false, or (b) that which a true or false declarative sentence asserts.

has super-classes: Proposition^c
has sub-classes: Capability Feature Claim^c

Static Analysis Tool^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StaticAnalysisTool

is defined by: http://dbpedia.org/resource/Static_program_analysis

A static [program] analysis tool performs an automated analysis of computer software without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing. In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code.

has super-classes: Code Analyzer^c
has sub-classes: Source Code Analyzer Tool^c

Steal Application Access Token^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1528

has super-classes: Credential Access Technique^c; accesses^op some Access Token^c
is also defined as: named individual

Steal or Forge Kerberos Tickets^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1558

has super-classes: Credential Access Technique^c; may-access^op some Kerberos TIcket^c; may-create^op some Kerberos TIcket^c
has sub-classes: Golden Ticket^c, Kerberoasting^c, Silver Ticket^c
is also defined as: named individual

Steal Web Session Cookie^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1539

has super-classes: Credential Access Technique^c; accesses^op some Session Cookie^c
is also defined as: named individual

Steganography^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1001.002

has super-classes: Data Obfuscation^c

Steganography^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1027.003

has super-classes: Obfuscated Files or Information^c

step^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Step

has super-classes: D3FEND Thing^c; end^op some step^c; fork^op some step^c; may-be-associated-with^op some Artifact^c; next^op some step^c
has sub-classes: Use Case Step^c
has members: Step 1 - Copy Tokenⁿⁱ, Step 2 - Impersonate Userⁿⁱ

Storage^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Storage

has super-classes: Digital Artifact^c; may-contain^op some File System^c
has sub-classes: Cloud Storage^c
is also defined as: named individual

Stored Data Manipulation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1565.001

has super-classes: Data Manipulation^c; modifies^op some File^c
is also defined as: named individual

Stored Procedure^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StoredProcedure

has super-classes: Subroutine^c
is also defined as: named individual

Strong Password Policy^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StrongPasswordPolicy

has super-classes: Credential Hardening^c; strengthens^op some Password^c; strengthens^op some User Account^c
is also defined as: named individual

Subroutine^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Subroutine

has super-classes: Software^c
has sub-classes: Exception Handler^c, Stored Procedure^c
is also defined as: named individual

Subvert Trust Controls^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1553

has super-classes: Defense Evasion Technique^c
has sub-classes: Code Signing^c, Gatekeeper Bypass^c, Install Root Certificate^c, SIP and Trust Provider Hijacking^c

Sudo and Sudo Caching^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1548.003

has super-classes: Abuse Elevation Control Mechanism^c; may-modify^op some Event Log^c; modifies^op some Operating System Configuration File^c
is also defined as: named individual

Supply Chain Compromise^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1195

has super-classes: Initial Access Technique^c; modifies^op some Digital Artifact^c
has sub-classes: Compromise Hardware Supply Chain^c, Compromise Software Dependencies and Development Tools^c, Compromise Software Supply Chain^c
is also defined as: named individual

Switch^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Switch

is defined by: http://dbpedia.org/resource/Network_switch

A network switch (also called switching hub, bridging hub, and by the IEEE MAC bridge) is networking hardware that connects devices on a computer network by using packet switching to receive and forward data to the destination device. A network switch is a multiport network bridge that uses MAC addresses to forward data at the data link layer (layer 2) of the OSI model. Some switches can also forward data at the network layer (layer 3) by additionally incorporating routing functionality. Such switches are commonly known as layer-3 switches or multilayer switches.

has super-classes: Network Node^c

Symbolic Link^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SymbolicLink

has super-classes: File^c; File System Link^c; addresses^op some File^c
has sub-classes: Fast Symbolic Link^c, NTFS Junction Point^c, NTFS Symbolic Link^c, POSIX Symbolic Link^c, Slow Symbolic Link^c
is also defined as: named individual

Symmetric Cryptography^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1573.001

has super-classes: Encrypted Channel^c; creates^op some Outbound Internet Encrypted Traffic^c
is also defined as: named individual

Symmetric Key^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SymmetricKey

A symmetric key is a single key used for both encryption and decryption and used with a symmetric-key algorithm. Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. This requirement that both parties have access to the secret key is one of the main drawbacks of symmetric key encryption, in comparison to public-key encrytption (also known as asymmetric key encryption).

has super-classes: Cryptographic Key^c

System Call^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemCall

has super-classes: Digital Artifact^c; Digital Event^c; executes^op some Subroutine^c
has sub-classes: Authenticate User^c, Connect Socket^c, Copy Token^c, Create File^c, Create Process^c, Create Socket^c, Create Thread^c, Get System Time^c, Impersonate User^c, Logon User^c, Move File^c, Open File^c, Read File^c, Terminate Process^c, Trace Process^c, Write File^c
is also defined as: named individual

System Call Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemCallAnalysis

has super-classes: Process Analysis^c; analyzes^op some System Call^c
has sub-classes: File Creation Analysis^c
has members: File Creation Analysisⁿⁱ
is also defined as: named individual

System Call Filtering^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemCallFiltering

has super-classes: Kernel-based Process Isolation^c; filters^op some System Call^c
is also defined as: named individual

System Checks^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1497.001

has super-classes: Virtualization/Sandbox Evasion^c

System Configuration Database^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemConfigurationDatabase

has super-classes: Database^c; contains^op some System Configuration Database Record^c
has sub-classes: Windows Registry^c
is also defined as: named individual

System Configuration Database Record^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemConfigurationDatabaseRecord

has super-classes: Operating System Configuration Component^c; Record^c
has sub-classes: System Configuration Init Database Record^c, Windows Registry Key^c
is also defined as: named individual

System Configuration Init Database Record^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemConfigurationInitDatabaseRecord

has super-classes: System Configuration Database Record^c; System Configuration Init Resource^c; System Init Configuration^c
is also defined as: named individual

System Configuration Init Resource^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemConfigurationInitResource

A system configuration initialization resource has information for initializing (booting) a system.

has super-classes: Local Resource^c
has sub-classes: System Configuration Init Database Record^c, System Init Script^c, System Startup Directory^c

System Configuration Permissions^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemConfigurationPermissions

has super-classes: Platform Hardening^c; restricts^op value Operating System Configuration
is also defined as: named individual

System Daemon Monitoring^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemDaemonMonitoring

has super-classes: Operating System Monitoring^c; monitors^op some Operating System Process^c
is also defined as: named individual

System File Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemFileAnalysis

has super-classes: Operating System Monitoring^c; analyzes^op some Operating System File^c
has sub-classes: Service Binary Verification^c
has members: Service Binary Verificationⁿⁱ
is also defined as: named individual

System Firewall Configuration^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemFirewallConfiguration

has super-classes: Operating System Configuration Component^c; configures^op some Host-based Firewall^c
is also defined as: named individual

System Firmware^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemFirmware

has super-classes: Firmware^c
is also defined as: named individual

System Firmware^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1542.001

has super-classes: Pre-OS Boot^c; modifies^op some System Firmware^c
is also defined as: named individual

System Firmware Verification^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemFirmwareVerification

has super-classes: Firmware Verification^c; verifies^op some System Firmware^c
is also defined as: named individual

System Information Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1082

has super-classes: Discovery Technique^c

System Init Config Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemInitConfigAnalysis

has super-classes: Operating System Monitoring^c; analyzes^op some System Init Configuration^c
is also defined as: named individual

System Init Configuration^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemInitConfiguration

has super-classes: Operating System Configuration Component^c
has sub-classes: System Configuration Init Database Record^c, System Init Script^c, System Startup Directory^c
is also defined as: named individual

System Init Process^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemInitProcess

A system initialization process is a process that executes to initialize (boot) an operating system.

has super-classes: Operating System Process^c

System Init Script^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemInitScript

has super-classes: Executable Script^c; System Configuration Init Resource^c; System Init Configuration^c
is also defined as: named individual

System Language Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1614.001

has super-classes: System Location Discovery^c; queries^op some System Configuration Database^c
is also defined as: named individual

System Location Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1614

has super-classes: Discovery Technique^c; accesses^op some Configuration Bearing Entity^c
has sub-classes: System Language Discovery^c
is also defined as: named individual

System Network Configuration Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1016

has super-classes: Discovery Technique^c

System Network Connections Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1049

has super-classes: Discovery Technique^c

System Owner/User Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1033

has super-classes: Discovery Technique^c

System Password Database^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemPasswordDatabase

has super-classes: Password Database^c
is also defined as: named individual

System Service Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1007

has super-classes: Discovery Technique^c

System Service Software^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemServiceSoftware

has super-classes: Software^c; contains^op some Operating System File^c
has sub-classes: Local Authentication Service^c, Local Authorization Service^c, Task Scheduler Software^c
is also defined as: named individual

System Services^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1569

This technique has been deprecated.

has super-classes: Execution Technique^c
has sub-classes: Launchctl^c, Service Execution^c

System Shutdown/Reboot^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1529

has super-classes: Impact Technique^c

System Software^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemSoftware

Computer software which enables operating system or platform functionality.

has super-classes: Software^c
has sub-classes: Host-based Firewall^c, Kernel^c

System Startup Directory^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemStartupDirectory

has super-classes: Directory^c; System Configuration Init Resource^c; System Init Configuration^c
is also defined as: named individual

System Time Application^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemTimeApplication

has super-classes: Utility Software^c
is also defined as: named individual

System Time Discovery^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1124

has super-classes: Discovery Technique^c

System Utilization Record^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemUtilizationRecord

A system utilization record is a record for the tracking of resource utilization e.g. CPU, Disk, Network, Memory Bandwidth, GPU, or other resources for a given time period.

has super-classes: Record^c

Systemd Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1543.002

has super-classes: Create or Modify System Process^c; may-create^op some Operating System Configuration File^c; may-modify^op some Operating System Configuration File^c
is also defined as: named individual

Tablet Computer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TabletComputer

is defined by: http://dbpedia.org/resource/Tablet_computer

A tablet computer, commonly shortened to tablet, is a mobile device, typically with a mobile operating system and touchscreen display processing circuitry, and a rechargeable battery in a single, thin and flat package. Tablets, being computers, do what other personal computers do, but lack some input/output (I/O) abilities that others have. Modern tablets largely resemble modern smartphones, the only differences being that tablets are relatively larger than smartphones, with screens 7 inches (18 cm) or larger, measured diagonally, and may not support access to a cellular network.

has super-classes: Personal Computer^c

Taint Shared Content^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1080

has super-classes: Lateral Movement Technique^c; modifies^op some Network Resource^c
is also defined as: named individual

Target Audience^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TargetAudience

has super-classes: D3FEND Use Case Thing^c
is disjoint with: D3FEND Use Case^c, Use Case Goal^c, Use Case Prerequisite^c, Use Case Procedure^c, Use Case Step^c

Task Schedule^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TaskSchedule

has super-classes: Digital Artifact^c
is also defined as: named individual

Task Scheduler Process^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TaskSchedulerProcess

A task scheduler process is an operating system process that executes scheduled tasks (time-scheduling in the sense of wall clock time; not operating system scheduling of processes for multitasking).

has super-classes: Operating System Process^c

Task Scheduler Software^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TaskSchedulerSoftware

A task scheduler software is operating system software that when run executes scheduled tasks (time-scheduling in the sense of wall clock time; not operating system scheduling of processes for multitasking). Processes running such software are task scheduler processes.

has super-classes: System Service Software^c

Technique^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Technique

has super-classes: D3FEND Thing^c; associated-with^op some Digital Artifact^c; implemented-by^op some procedure^c
has sub-classes: Defensive Technique^c, Offensive Technique^c
is in domain of: kb-article
is in range of: kb-reference-of^op

Technique Reference^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TechniqueReference

A reference used to develop KB articles.

has super-classes: D3FEND Thing^c; kb-reference-of^op some Defensive Technique^c; has-link^dp some any u r i; kb-reference-title^dp some string
has sub-classes: Academic Paper Reference^c, Book Reference^c, External Knowledge Base^c, Internet Article Reference^c, Patent Reference^c, Policy Reference^c, Source Code Reference^c, Specification Reference^c, User Manual Reference^c
has members: Reference - Certificate Transparencyⁿⁱ, Reference - Certificate and Public Key Pinningⁿⁱ, Reference - FWTK Documentation - fwtk.orgⁿⁱ, Reference - StreamingPhishⁿⁱ, Reference - Use Rkill to Stop Malware Processes - ghacks.netⁿⁱ

Template Injection^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1221

has super-classes: Defense Evasion Technique^c

Terminate Process^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TerminateProcess

is defined by: http://dbpedia.org/resource/Exit_(system_call)

On many computer operating systems, a computer process terminates its execution by making an exit system call. More generally, an exit in a multithreading environment means that a thread of execution has stopped running. For resource management, the operating system reclaims resources (memory, files, etc.) that were used by the process. The process is said to be a dead process after it terminates.

has super-classes: System Call^c

Test Execution Tool^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TestExecutionTool

is defined by: http://dbpedia.org/resource/Test_execution_engine

A test execution tool is a type of software used to test software, hardware or complete systems. Synonyms of test execution tool include test execution engine, test executive, test manager, test sequencer. Two common forms in which a test execution engine may appear are as a: (a) module of a test software suite (test bench) or an integrated development environment, or (b) stand-alone application software.

has super-classes: Developer Application^c
has sub-classes: Integration Test Execution Tool^c, Unit Test Execution Tool^c

Thin Client Computer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ThinClientComputer

is defined by: http://dbpedia.org/resource/Thin_client

A thin client is a lightweight computer that has been optimized for establishing a remote connection with a server-based computing environment. The server does most of the work, which can include launching software programs, performing calculations, and storing data. This contrasts with a fat client or a conventional personal computer; the former is also intended for working in a client-server model but has significant local processing power, while the latter aims to perform its function mostly locally. Thin clients are shared computers as the thin client's computing resources are provided by a remote server.

has super-classes: Shared Computer^c
has sub-classes: Zero Client Computer^c

Thread Execution Hijacking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.003

has super-classes: Process Injection^c; invokes^op some System Call^c; may-add^op some Executable Binary^c
is also defined as: named individual

Thread Local Storage^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.005

has super-classes: Process Injection^c; invokes^op some System Call^c
is also defined as: named individual

Ticket Granting Ticket^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TicketGrantingTicket

is defined by: http://dbpedia.org/resource/Ticket_Granting_Ticket

In some computer security systems, a Ticket Granting Ticket or Ticket to Get Tickets (TGT) is a small, encrypted identification file with a limited validity period. After authentication, this file is granted to a user for data traffic protection by the key distribution center (KDC) subsystem of authentication services such as Kerberos. The TGT file contains the session key, its expiration date, and the user's IP address, which protects the user from man-in-the-middle attacks. The TGT is used to obtain a service ticket from Ticket Granting Service (TGS). User is granted access to network services only after this service ticket is provided.

has super-classes: Access Token^c
has sub-classes: Kerberos Ticket Granting Ticket^c

Time Based Evasion^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1497.003

has super-classes: Virtualization/Sandbox Evasion^c; may-invoke^op some Get System Time^c; may-run^op some System Time Application^c
is also defined as: named individual

Time Providers^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.003

has super-classes: Boot or Logon Autostart Execution^c; modifies^op some System Configuration Database Record^c
is also defined as: named individual

Timestomp^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1070.006

has super-classes: Indicator Removal on Host^c; forges^op some File System Metadata^c
is also defined as: named individual

Token Impersonation/Theft^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1134.001

has super-classes: Access Token Manipulation^c; copies^op some Access Token^c
is also defined as: named individual

TPM Boot Integrity^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TPMBootIntegrity

has super-classes: Platform Hardening^c
is also defined as: named individual

Trace Process^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TraceProcess

A trace system call provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers. It is primarily used to implement breakpoint debugging and system call tracing.

has super-classes: System Call^c

Traffic Signaling^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1205

has super-classes: Command and Control Technique^c; Defense Evasion Technique^c; Persistence Technique^c; produces^op some Network Traffic^c
has sub-classes: Port Knocking^c
is also defined as: named individual

Transfer Agent Authentication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TransferAgentAuthentication

has super-classes: Message Hardening^c
is also defined as: named individual

Transmitted Data Manipulation^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1565.002

has super-classes: Data Manipulation^c; may-modify^op some Network Traffic^c
is also defined as: named individual

Transport Agent^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1505.002

has super-classes: Server Software Component^c; adds^op some Message Transfer Agent^c; modifies^op some Mail Server^c
is also defined as: named individual

Trap^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.005

has super-classes: Event Triggered Execution^c; executes^op some Command^c; may-create^op some Executable Script^c; may-modify^op some Executable Script^c; modifies^op some Event Log^c
is also defined as: named individual

Trust Store^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TrustStore

Stores public information necessary to determine if another party can be trusted.

has super-classes: Digital Artifact^c
has sub-classes: Certificate Trust Store^c

Trusted Developer Utilities Proxy Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1127

has super-classes: Defense Evasion Technique^c
has sub-classes: MSBuild^c

Trusted Relationship^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1199

has super-classes: Initial Access Technique^c; creates^op some Login Session^c; produces^op some Intranet Network Traffic^c
is also defined as: named individual

Two-Factor Authentication Interception^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1111

has super-classes: Credential Access Technique^c; may-access^op some Security Token^c
is also defined as: named individual

Unit Test Execution Tool^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UnitTestExecutionTool

An unit test execution tool automatically performs unit testing. Unit testing is a software testing method by which individual units of source code are tested to determine whether they are fit for use. Unit test execution tools work with sets of one or more computer program modules together with associated control data, usage procedures, and operating procedures. This contrasts with integration testing, which tests inter-unit dependencies and the modules as a group.

has super-classes: Test Execution Tool^c

Unix Hard Link^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UnixHardLink

is defined by: http://dbpedia.org/resource/Hard_link

A Unix hard link is a hard link on a Unix file system.

has super-classes: Hard Link^c; Unix Link^c

Unix Link^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UnixLink

A Unix link is a file link in a Unix file system.

has super-classes: File System Link^c
has sub-classes: Fast Symbolic Link^c, POSIX Symbolic Link^c, Slow Symbolic Link^c, Unix Hard Link^c

Unix Shell Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1059.004

has super-classes: Command and Scripting Interpreter Execution^c

Unsecured Credentials^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1552

has super-classes: Credential Access Technique^c; accesses^op some Credential^c
has sub-classes: Bash History^c, Cloud Instance Metadata API^c, Credentials in Files^c, Credentials in Registry^c, Group Policy Preferences^c, Private Keys^c
is also defined as: named individual

Unused/Unsupported Cloud Regions^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1535

has super-classes: Defense Evasion Technique^c

URL^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#URL

has super-classes: Identifier^c; addresses^op some Resource^c
has members: HTTP URLⁿⁱ, HTTPS URLⁿⁱ, Web Socket URLⁿⁱ
is also defined as: named individual

URL Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#URLAnalysis

has super-classes: Identifier Analysis^c; analyzes^op some URL^c
is also defined as: named individual

Use Alternate Authentication Material^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1550

has super-classes: Defense Evasion Technique^c; Lateral Movement Technique^c; accesses^op some Authentication Service^c
has sub-classes: Application Access Token^c, Pass The Hash^c, Pass The Ticket^c, Web Session Cookie^c
is also defined as: named individual

Use Case Goal^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UseCaseGoal

has super-classes: D3FEND Use Case Thing^c
is disjoint with: D3FEND Use Case^c, Target Audience^c, Use Case Prerequisite^c, Use Case Procedure^c, Use Case Step^c

Use Case Prerequisite^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UseCasePrerequisite

has super-classes: D3FEND Use Case Thing^c
is disjoint with: D3FEND Use Case^c, Target Audience^c, Use Case Goal^c, Use Case Procedure^c, Use Case Step^c

Use Case Procedure^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UseCaseProcedure

has super-classes: D3FEND Use Case Thing^c; procedure^c
is disjoint with: D3FEND Use Case^c, Target Audience^c, Use Case Goal^c, Use Case Prerequisite^c, Use Case Step^c

Use Case Step^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UseCaseStep

has super-classes: D3FEND Use Case Thing^c; step^c
is disjoint with: D3FEND Use Case^c, Target Audience^c, Use Case Goal^c, Use Case Prerequisite^c, Use Case Procedure^c

User^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#User

has super-classes: Digital Artifact^c; has-account^op some User Account^c
is also defined as: named individual

User Account^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserAccount

has super-classes: Digital Artifact^c
has sub-classes: Cloud User Account^c, Default User Account^c, Domain User Account^c, Local User Account^c, Privileged User Account^c
has members: LDIF Recordⁿⁱ
is also defined as: named individual

User Account Permissions^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserAccountPermissions

has super-classes: Credential Hardening^c; restricts^op some User Account^c
is also defined as: named individual

User Action^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserAction

has super-classes: Digital Artifact^c; Digital Event^c
has sub-classes: Authentication^c, Authorization^c, Resource Access^c
is also defined as: named individual

User Activity Based Checks^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1497.002

has super-classes: Virtualization/Sandbox Evasion^c

User Application^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserApplication

A user application is executed for that an individual user on a user's personal computer or remotely by means of virtualization. This is in contrast to service applications or enterprise software.

has super-classes: Application^c
has sub-classes: Browser^c, Browser Extension^c, Collaborative Software^c, Developer Application^c, Office Application^c

User Behavior^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserBehavior

has super-classes: Digital Artifact^c; contains^op some User Action^c
is also defined as: named individual

User Behavior Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserBehaviorAnalysis

has super-classes: Defensive Technique^c; enables^op some Detect^c
has sub-classes: Authentication Event Thresholding^c, Authorization Event Thresholding^c, Credential Compromise Scope Analysis^c, Domain Account Monitoring^c, Job Function Access Pattern Analysis^c, Local Account Monitoring^c, Resource Access Pattern Analysis^c, Session Duration Analysis^c, User Data Transfer Analysis^c, User Geolocation Logon Pattern Analysis^c, Web Session Activity Analysis^c
has members: Authentication Event Thresholdingⁿⁱ, Authorization Event Thresholdingⁿⁱ, Credential Compromise Scope Analysisⁿⁱ, Domain Account Monitoringⁿⁱ, Job Function Access Pattern Analysisⁿⁱ, Local Account Monitoringⁿⁱ, Resource Access Pattern Analysisⁿⁱ, Session Duration Analysisⁿⁱ, User Data Transfer Analysisⁿⁱ, User Geolocation Logon Pattern Analysisⁿⁱ, Web Session Activity Analysisⁿⁱ
is also defined as: named individual

User Data Transfer Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserDataTransferAnalysis

has super-classes: User Behavior Analysis^c; analyzes^op some Resource Access^c
is also defined as: named individual

User Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1204

has super-classes: Execution Technique^c
has sub-classes: Malicious File Execution^c, Malicious Link Execution^c

User Geolocation Logon Pattern Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserGeolocationLogonPatternAnalysis

has super-classes: User Behavior Analysis^c; analyzes^op some Network Traffic^c
is also defined as: named individual

User Init Configuration File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserInitConfigurationFile

has super-classes: Configuration File^c; User Logon Init Resource^c
is also defined as: named individual

User Init Script^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserInitScript

has super-classes: Executable Script^c; Init Script^c; User Logon Init Resource^c
has sub-classes: PowerShell Profile Script^c
is also defined as: named individual

User Interface^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserInterface

is defined by: http://dbpedia.org/resource/User_interface

The user interface (UI), in the industrial design field of human-machine interaction, is the space where interactions between humans and machines occur. The goal of this interaction is to allow effective operation and control of the machine from the human end, whilst the machine simultaneously feeds back information that aids the operators' decision-making process. Examples of this broad concept of user interfaces include the interactive aspects of computer operating systems, hand tools, heavy machinery operator controls, and process controls. The design considerations applicable when creating user interfaces are related to or involve such disciplines as ergonomics and psychology.

has super-classes: Digital Artifact^c
has sub-classes: Command Line Interface^c, Graphical User Interface^c

User Logon Init Resource^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserLogonInitResource

has super-classes: Local Resource^c
has sub-classes: User Init Configuration File^c, User Init Script^c, User Startup Directory^c, User Startup Script File^c
is also defined as: named individual

User Manual^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserManual

has super-classes: Document^c
has members: Reference - Registry Key Security and Access Rightsⁿⁱ
is also defined as: named individual

User Manual Reference^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserManualReference

has super-classes: Technique Reference^c
has members: Reference - /DYNAMICBASE (Use address space layout randomization) - Microsoft Docsⁿⁱ, Reference - /GS (Buffer Security Check) - Microsoft Docsⁿⁱ, Reference - /SAFESEH (Image has Safe Exception Handlers) - Microsoft Docsⁿⁱ, Reference - Mitigate threats by using Windows 10 security features: Data Execution Prevention - Microsoftⁿⁱ, Reference - Reverse DNS Blocking - Barracuda Networksⁿⁱ, Reference - Use DNS Policy for Applying Filters on DNS Queriesⁿⁱ

User Process^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserProcess

has super-classes: Process^c
has sub-classes: Application Process^c
is also defined as: named individual

User Session Init Config Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserSessionInitConfigAnalysis

has super-classes: Operating System Monitoring^c; analyzes^op some User Init Configuration File^c
is also defined as: named individual

User Startup Directory^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserStartupDirectory

has super-classes: User Logon Init Resource^c; contains^op some User Startup Script File^c
is also defined as: named individual

User Startup Script File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserStartupScriptFile

has super-classes: Executable Script^c; User Logon Init Resource^c
is also defined as: named individual

User to User Message^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserToUserMessage

has super-classes: Digital Artifact^c; has-recipient^op some User Account^c; has-sender^op some User Account^c
is also defined as: named individual

Utility Software^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UtilitySoftware

is defined by: http://dbpedia.org/resource/Utility_software

Utility applications are software applications designed to help to analyze, configure, optimize or maintain a computer. It is used to support the computer infrastructure - in contrast to application software, which is aimed at directly performing tasks that benefit ordinary users. However, utilities often form part of the application systems. For example, a batch job may run user-written code to update a database and may then include a step that runs a utility to back up the database, or a job may run a utility to compress a disk before copying files.

has super-classes: Software^c
has sub-classes: System Time Application^c

Valid Accounts^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1078

has super-classes: Defense Evasion Technique^c; Initial Access Technique^c; Persistence Technique^c; Privilege Escalation Technique^c; produces^op some Authentication^c; produces^op some Authorization^c; uses^op some User Account^c
has sub-classes: Cloud Accounts^c, Default Accounts^c, Domain Accounts^c, Local Accounts^c
is also defined as: named individual

VBA Stomping^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.007

has super-classes: Hide Artifacts^c; modifies^op some Office Application File^c
is also defined as: named individual

VBScript Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1059.005

has super-classes: Command and Scripting Interpreter Execution^c

VDSO Hijacking^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.014

has super-classes: Process Injection^c; accesses^op some Shared Library File^c; invokes^op some System Call^c
is also defined as: named individual

Vendor^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Vendor

has super-classes: Provider^c; sells^op some Capability Implementation^c

Version Control Tool^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#VersionControlTool

is defined by: http://dbpedia.org/resource/Version_control

Version control tools are tools that used to conduct version control. A component of software configuration management, version control, also known as revision control, source control, or source code management systems are systems responsible for the management of changes to documents, computer programs, large web sites, and other collections of information. Changes are usually identified by a number or letter code, termed the "revision number", "revision level", or simply "revision". For example, an initial set of files is "revision 1". When the first change is made, the resulting set is "revision 2", and so on. Each revision is associated with a timestamp and the person making the change. Revisions can be compared, restored, and with some types of files, merged.

has super-classes: Developer Application^c

Video Capture^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1125

has super-classes: Collection Technique^c; accesses^op some Video Input Device^c
is also defined as: named individual

Video Input Device^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#VideoInputDevice

has super-classes: Input Device^c
has sub-classes: Image Scanner Input Device^c
is also defined as: named individual

Virtualization Software^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#VirtualizationSoftware

has super-classes: Service Application^c
is also defined as: named individual

Virtualization/Sandbox Evasion^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1497

has super-classes: Defense Evasion Technique^c
has sub-classes: System Checks^c, Time Based Evasion^c, User Activity Based Checks^c

VNC^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1021.005

has super-classes: Remote Services^c

Volume^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Volume

has super-classes: Digital Artifact^c
is also defined as: named individual

Volume Boot Record^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#VolumeBootRecord

has super-classes: Boot Record^c
is also defined as: named individual

VPN Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#VPNServer

is defined by: https://www.techopedia.com/definition/30750/vpn-server

A VPN server is a type of server that enables hosting and delivery of VPN services. It is a combination of VPN hardware and software technologies that provides VPN clients with connectivity to a secure and/or private network, or rather, the VPN.

has super-classes: Server^c

Web Application Firewall^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WebApplicationFirewall

is defined by: http://dbpedia.org/resource/Web_application_firewall

A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.

has super-classes: Application Layer Firewall^c

Web Application Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WebApplicationServer

is defined by: http://dbpedia.org/resource/Application_server

A web application server is a web server that hosts applications. Application server frameworks are software frameworks for building application servers. An application server framework provides both facilities to create web applications and a server environment to run them. In the case of Java application servers, the server behaves like an extended virtual machine for running applications, transparently handling connections to the database on one side, and, often, connections to the Web client on the other.

has super-classes: Web Server^c

Web Authentication^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WebAuthentication

has super-classes: Authentication^c; may-create^op some Session Cookie^c
has sub-classes: Cloud Service Authentication^c
is also defined as: named individual

Web File Resource^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WebFileResource

has super-classes: Network File Resource^c; addressed-by^op some URL^c
is also defined as: named individual

Web Network Traffic^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WebNetworkTraffic

has super-classes: Network Traffic^c
has sub-classes: Intranet Web Network Traffic^c, Outbound Internet Web Traffic^c
is also defined as: named individual

Web Portal Capture^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1056.003

has super-classes: Input Capture^c; modifies^op some Web Server Application^c
is also defined as: named individual

Web Protocols^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1071.001

has super-classes: Application Layer Protocol^c; may-transfer^op some Certificate File^c; produces^op some Outbound Internet Web Traffic^c
is also defined as: named individual

Web Resource Access^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WebResourceAccess

has super-classes: Network Resource Access^c
is also defined as: named individual

Web Script File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WebScriptFile

has super-classes: Executable Script^c
is also defined as: named individual

Web Server^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WebServer

has super-classes: Server^c
has sub-classes: Artifact Server^c, Web Application Server^c
is also defined as: named individual

Web Server Application^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WebServerApplication

has super-classes: Service Application^c
is also defined as: named individual

Web Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1102

has super-classes: Command and Control Technique^c; produces^op some Outbound Internet Web Traffic^c
has sub-classes: Bidirectional Communication^c, Dead Drop Resolver^c, One-Way Communication^c
is also defined as: named individual

Web Session Activity Analysis^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WebSessionActivityAnalysis

has super-classes: User Behavior Analysis^c; analyzes^op some Web Resource Access^c
is also defined as: named individual

Web Session Cookie^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1550.004

has super-classes: Use Alternate Authentication Material^c; adds^op some Session Cookie^c; produces^op some Web Network Traffic^c
is also defined as: named individual

Web Shell^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1505.003

has super-classes: Server Software Component^c; adds^op some Web Script File^c; modifies^op some Web Server^c; produces^op some Process^c
is also defined as: named individual

Wide Area Network^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WideAreaNetwork

is defined by: http://dbpedia.org/resource/Local_area_network

By contrast to a local area network (LAN), a wide area network (WAN), not only covers a larger geographic distance, but also generally involves leased telecommunication circuits or Internet links.

has super-classes: Network^c

Windows Command Shell Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1059.003

has super-classes: Command and Scripting Interpreter Execution^c

Windows File and Directory Permissions Modification^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1222.001

has super-classes: File and Directory Permissions Modification^c

Windows Management Instrumentation Event Subscription^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.003

has super-classes: Event Triggered Execution^c; modifies^op some Event Log^c; produces^op some Intranet Administrative Network Traffic^c
is also defined as: named individual

Windows Management Instrumentation Execution^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1047

has super-classes: Execution Technique^c

Windows Registry^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WindowsRegistry

has super-classes: System Configuration Database^c
is also defined as: named individual

Windows Registry Key^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WindowsRegistryKey

has super-classes: System Configuration Database Record^c; windows-registry-key^dp some string; windows-registry-value^dp some string
is also defined as: named individual

Windows Remote Management^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1021.006

has super-classes: Remote Services^c

Windows Service^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1543.003

has super-classes: Create or Modify System Process^c; modifies^op some System Configuration Database^c
is also defined as: named individual

Windows Shortcut File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WindowsShortcutFile

has super-classes: Shortcut File^c
is also defined as: named individual

Winlogon Helper DLL^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.004

has super-classes: Boot or Logon Autostart Execution^c; modifies^op some System Configuration Database Record^c
is also defined as: named individual

Wireless Access Point^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WirelessAccessPoint

is defined by: http://dbpedia.org/resource/Wireless_access_point

In computer networking, a wireless access point (WAP), or more generally just access point (AP), is a networking hardware device that allows other Wi-Fi devices to connect to a wired network. The AP usually connects to a router (via a wired network) as a standalone device, but it can also be an integral component of the router itself. An AP is differentiated from a hotspot which is a physical location where Wi-Fi access is available.

has super-classes: Network Node^c
has sub-classes: Wireless Router^c

Wireless Router^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WirelessRouter

is defined by: http://dbpedia.org/resource/Wireless_router

A wireless router is a device that performs the functions of a router and also includes the functions of a wireless access point. It is used to provide access to the Internet or a private computer network. Depending on the manufacturer and model, it can function in a wired local area network, in a wireless-only LAN, or in a mixed wired and wireless network.

has super-classes: Router^c; Wireless Access Point^c

Write File^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WriteFile

is defined by: http://dbpedia.org/resource/Write_(system_call)

The write is one of the most basic routines provided by a Unix-like operating system kernel. It writes data from a buffer declared by the user to a given device, such as a file. This is the primary way to output data from a program by directly using a system call. The destination is identified by a numeric code. The data to be written, for instance a piece of text, is defined by a pointer and a size, given in number of bytes. write thus takes three arguments.

has super-classes: System Call^c

XSL Script Processing^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1220

has super-classes: Defense Evasion Technique^c; adds^op some File^c; interprets^op some Executable Script^c; invokes^op some Create Process^c
is also defined as: named individual

Zero Client Computer^c back to ToC or Class ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ZeroClientComputer

is defined by: http://dbpedia.org/resource/Thin_client#Zero_client

Zero client is also referred as ultra thin client, contains no moving parts but centralizes all processing and storage to just what is running on the server. As a result, it requires no local driver to install, no patch management, and no local operating system licensing fees or updates. The device consumes very little power and is tamper-resistant and completely incapable of storing any data locally, providing a more secure endpoint.

has super-classes: Thin Client Computer^c

Named Individuals

.bash_profile and .bashrc
/etc/passwd and /etc/shadow
Accessibility Features
Account Access Removal
Account Locking
Account Manipulation
Account Use Policies
Active Certificate Analysis
Active Directory Configuration
Add Office 365 Global Administrator Role
Add-ins
Additional Azure Service Principal Credentials
Administrative Network Activity Analysis
Adobe PDF File 1.3
AMD64 Code Segment
Antivirus/Antimalware
AppCert DLLs
AppInit DLLs
Application
Application Access Token
Application Configuration Database
Application Configuration File
Application Configuration Hardening
Application Developer Guidance
Application Hardening
Application Isolation and Sandboxing
Application Layer Protocol
Application Process
Application Shimming
Archive Collected Data
Archive via Custom Method
Archive via Library
Archive via Utility
ARM32 Code Segment
ASCII Domain Name
Asymmetric Cryptography
Asynchronous Procedure Call
Audio Capture
Audit
Authentication
Authentication Cache Invalidation
Authentication Event Thresholding
Authentication Log
Authentication Package
Authorization
Authorization Event Thresholding
Authorization Log
Automated Collection
Automated Exfiltration
Bash History
Bash Script File
Behavior Prevention on Endpoint
Binary Padding
Biometric Authentication
BITS Jobs
Block Device
Book
Boot Integrity
Bootkit
Bootloader Authentication
Broadcast Domain Isolation
Browser
Browser Extension
Browser Extensions
BSD Process
Bypass User Access Control
Byte Sequence Emulation
Cached Domain Credentials
Call Stack
Certificate
Certificate Analysis
Certificate File
Certificate Pinning
Certificate Trust Store
Certificate-based Authentication
Change Default File Association
Clear Command History
Clear Linux or Mac System Logs
Clear Windows Event Logs
Client-server Payload Profiling
Clipboard Data
Cloud Account
Cloud Accounts
Cloud Instance Metadata API
Cloud Service Dashboard
Cloud Service Discovery
Cloud Storage Object Discovery
CMSTP
Code Repositories
Code Repository
Code Signing
Code Signing
Collection
Collection Technique
Command And Control
Command and Control Technique
Command and Scripting Interpreter Execution
Command History Log File
Communication Through Removable Media
Compile After Delivery
Compiled HTML File
Compiler
Component Firmware
Component Object Model Hijacking
Compromise Client Software Binary
Compromise Hardware Supply Chain
Compromise Software Dependencies and Development Tools
Compromise Software Supply Chain
Confluence
Connected Honeynet
Connection Attempt Analysis
Container Runtime
Control Panel Execution
Copy Token
COR_PROFILER
Create Account
Create File
Create Process with Token
Credential
Credential Access
Credential Access Protection
Credential Access Technique
Credential API Hooking
Credential Compromise Scope Analysis
Credential Eviction
Credential Hardening
Credential Stuffing
Credential Transmission Scoping
Credentials from Password Stores
Credentials from Web Browsers
Credentials in Files
Credentials in Registry
Data Backup
Data Encoding
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Obfuscation
Data Staged
Data Transfer Size Limits
Database Query String Analysis
Database Server
DCSync
Dead Code Elimination
Deceive
Decoy Artifact
Decoy Environment
Decoy File
Decoy Network Resource
Decoy Object
Decoy Persona
Decoy Public Release
Decoy Session Token
Decoy User Credential
Default Accounts
Defense Evasion
Defense Evasion Technique
Defensive Technique
Deobfuscate/Decode Files or Information
Detect
Direct Network Flood
Direct Volume Access
Directory
Disable or Modify System Firewall
Disable or Modify Tools
Disable or Remove Feature or Program
Disable Windows Event Logging
Discovery
Discovery Technique
Disk Content Wipe
Disk Encryption
Disk Structure Wipe
Display Device Driver
DLL Search Order Hijacking
DLL Side-Loading
DNS
DNS Allowlisting
DNS Denylisting
DNS Traffic Analysis
Do Not Mitigate
Document File
Domain Account
Domain Account Monitoring
Domain Accounts
Domain Fronting
Domain Registration
Domain Trust Policy
Double File Extension
Downgrade Attack
Drive-by Compromise
Driver Load Integrity Checking
Dylib Hijacking
Dynamic Analysis
Dynamic Resolution
Dynamic-link Library Injection
Elevated Execution with Prompt
Email
Email Attachment
Email Collection
Email Forwarding Rule
Email Hiding Rules
Emond
Emulated File Analysis
Enclave
Encrypt Sensitive Information
Encrypted Channel
Encrypted Tunnels
Endpoint Health Beacon
Environment Variable Permissions
Evict
Exception Handler Pointer Validation
Exchange Email Delegate Permissions
Executable Allowlisting
Executable Binary
Executable Denylisting
Executable Installer File Permissions Weakness
Execution
Execution Isolation
Execution Prevention
Execution Technique
Exfiltration
Exfiltration Over Alternative Protocol
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Exfiltration Over C2 Channel
Exfiltration Over Other Network Medium
Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Exfiltration over USB
Exfiltration Over Web Service
Exfiltration Technique
Exfiltration to Cloud Storage
Exfiltration to Code Repository
Exploit Protection
Exploit Public-Facing Application
Exploitation for Client Execution
Exploitation for Credential Access
Exploitation for Defense Evasion
Exploitation for Privilege Escalation
Exploitation of Remote Services
External Defacement
External Proxy
External Remote Services
Fallback Channels
File
File Access Pattern Analysis
File Analysis
File and Directory Permissions Modification
File Carving
File Content Rules
File Creation Analysis
File Deletion
File Encryption
File Hashing
File System
File Transfer Protocols
Filter Network Traffic
Firmware Behavior Analysis
Firmware Embedded Monitoring Code
Firmware Verification
Forced Authentication
Forward Resolution Domain Denylisting
Forward Resolution IP Denylisting
FQDN Domain Name
Gatekeeper Bypass
GNU GCC StackGuard
Golden Ticket
Group Policy Discovery
Group Policy Modification
Group Policy Preferences
GUI Input Capture
Harden
Hardware Additions
Hardware Driver
Hardware-based Process Isolation
Hidden File System
Hidden Files and Directories
Hidden Users
Hidden Window
Hierarchical Domain Denylisting
Homoglyph Denylisting
Homoglyph Detection
Host
Hostname
HTML Smuggling
HTTP URL
HTTPS URL
Identifier Analysis
IIS Components
Image Code Segment
Image File Execution Options Injection
Impact
Impact Technique
Impair Command History Logging
Impersonate User
Implant Container Image
Inbound Internet Network Traffic
Inbound Session Volume Analysis
Inbound Traffic Filtering
Indirect Branch Call Analysis
Ingress Tool Transfer
Initial Access
Initial Access Technique
Input Device Analysis
Install Root Certificate
Integrated Honeynet
Inter-Process Communication Execution
Internal Defacement
Internal Proxy
Internal Spearphishing
Internationalized Domain Name
Internet Article
Intranet IPC Network Traffic
Intranet Web Network Traffic
Invalid Code Signature
IO Port Restriction
iOS Process
IPC Traffic Analysis
Isolate
Javascript File
Job Function Access Pattern Analysis
Kerberoasting
Kernel
Kernel Modules and Extensions
Kernel-based Process Isolation
Keychain
Keylogging
Lateral Movement
Lateral Movement Technique
Lateral Tool Transfer
Launch Agent
Launch Daemon
Launchd
LC_LOAD_DYLIB Addition
LD_PRELOAD
LDIF Record
Limit Access to Resource Over Network
Limit Hardware Installation
Limit Software Installation
Linux ELF File 32bit
Linux ELF File 64bit
Linux Exec
Linux Process
LLMNR/NBT-NS Poisoning and SMB Relay
Local Account
Local Account Monitoring
Local Accounts
Local Area Network
Local Data Staging
Local Email Collection
Local File Permissions
Local Resource Access
Log File
Login Items
Logon Script (Mac)
Logon Script (Windows)
LSA Secrets
LSASS Driver
LSASS Memory
Lua Script File
LUKS1 On-Disk Format SpecificationVersion 1.2.3
macOS Process
Mail Network Traffic
Mail Protocols
Make and Impersonate Token
Malicious File Execution
Malicious Link Execution
Man in the Browser
Man-in-the-Middle
Mandatory Access Control
Marketing Material
Masquerade Task or Service
Match Legitimate Name or Location
Mavinject
Memory Boundary Tracking
Message Analysis
Message Authentication
Message Encryption
Message Hardening
Microsoft VCCLCompilerTool BufferSecurityCheck
Microsoft Word DOC File
Microsoft Word DOCB File
Microsoft Word DOCM File
Microsoft Word DOCX File
Microsoft Word DOT File
Microsoft Word DOTM File
Microsoft Word DOTX File
Microsoft Word WBK File
MMC
Modify Authentication Process
Modify Registry
Move File
MSBuild
MSG Email File
Multi-factor Authentication
Multi-factor Authentication
Multi-hop Proxy
Multi-Stage Channels
Native API Execution
Netsh Helper DLL
Network Directory Resource
Network File Resource
Network Flow
Network Intrusion Prevention
Network Isolation
Network Logon Script
Network Node
Network Resource Access
Network Segmentation
Network Session
Network Share Connection Removal
Network Sniffing
Network Traffic
Network Traffic Analysis
Network Traffic Community Deviation
Network Traffic Filtering
Non-Application Layer Protocol
non-real-time-analytic
non-real-time-eviction
Non-Standard Port
NTDS
NTFS File Attributes
Office Template Macros
Office Test
One-time Password
Operating System
Operating System Configuration
Operating System Monitoring
Orchestration Controller
OS Credential Dumping
Outbound Internet DNS Lookup Traffic
Outbound Internet File Transfer Traffic
Outbound Internet Web Traffic
Outbound Traffic Filtering
Outlook Forms
Outlook Home Page
Outlook Rules
Packet Log
Parent PID Spoofing
Partition Table
Pass The Hash
Pass The Ticket
Passive Certificate Analysis
Password Cracking
Password Filter DLL
Password Guessing
Password Policies
Password Spraying
Patent
Path Interception by PATH Environment Variable
Path Interception by Search Order Hijacking
Path Interception by Unquoted Path
PE32 Executable File
PE32+ Executable File
Per Host Download-Upload Ratio Analysis
Peripheral Firmware Verification
Persistence
Persistence Technique
Platform
Platform Hardening
Platform Monitoring
Plist Modification
Pluggable Authentication Modules
Pointer Authentication
Port Knocking
Port Monitors
Portable Executable Injection
PowerShell Profile
Powershell Script File
Pre-compromise
Private Keys
Privilege Escalation
Privilege Escalation Technique
Privileged Account Management
Privileged Process Integrity
Proc Filesystem
Proc Memory
Procedure 1 - T1134.001 Access Token Manipulation
Process
Process Analysis
Process Code Segment
Process Code Segment Verification
Process Doppelgänging
Process Eviction
Process Hollowing
Process Image
Process Lineage Analysis
Process Segment Execution Prevention
Process Self-Modification Detection
Process Spawn Analysis
Process Termination
Process Tree
Protocol Metadata Anomaly Detection
Protocol Tunneling
Ptrace System Calls
Python Script File
Rc.common
RDP Hijacking
Re-opened Applications
real-time-analytic
real-time-eviction
Reference - Privacy and security systems and methods of use
Reference - Tokenless biometric transaction authorization method and system
Reference - /DYNAMICBASE (Use address space layout randomization) - Microsoft Docs
Reference - /GS (Buffer Security Check) - Microsoft Docs
Reference - /SAFESEH (Image has Safe Exception Handlers) - Microsoft Docs
Reference - Account monitoring - Forescout Technologies
Reference - Active firewall system and methodology - McAfee LLC
Reference - Analysis of the Windows Vista Security Model - Symantec Corporation
Reference - Anomaly Detection Using Adaptive Behavioral Profiles - Securonix Inc
Reference - Anti-tamper system with self-adjusting guards - ARXAN TECHNOLOGIES Inc
Reference - Apparatus for to provide content to and query a reverse domain name system server - Barrracuda Networks
Reference - Approaches for securing an internet endpoint using fine-grained operating system virtualization - Bromium, Inc.
Reference - Architecture of transparent network security for application containers - Neuvector Inc
Reference - Audit User Account Management
Reference - Automatically generating network resource groups and assigning customized decoy policies thereto - Illusive Networks Ltd
Reference - Automatically generating rules for connection security - Microsoft
Reference - Biometric Challenge-Response Authentication - Accenture
Reference - Broadcast isolation and level 3 network switch - Hewlett Packard Enterprise Development LP
Reference - CAR-2013-01-002: Autorun Differences -
Reference - CAR-2013-01-003: SMB Events Monitoring -
Reference - CAR-2013-02-003: Processes Spawning cmd.exe -
Reference - CAR-2013-02-008: Simultaneous Logins on a Host - MITRE
Reference - CAR-2013-02-012: User Logged in to Multiple Hosts - MITRE
Reference - CAR-2013-03-001: Reg.exe called from Command Shell - MITRE
Reference - CAR-2013-04-002: Quick execution of a series of suspicious commands - MITRE
Reference - CAR-2013-05-002: Suspicious Run Locations -
Reference - CAR-2013-05-003: SMB Write Request -
Reference - CAR-2013-05-004: Execution with AT -
Reference - CAR-2013-05-005: SMB Copy and Execution -
Reference - CAR-2013-07-001: Suspicious Arguments -
Reference - CAR-2013-07-002: RDP Connection Detection - MITRE
Reference - CAR-2013-07-005: Command Line Usage of Archiving Software -
Reference - CAR-2013-08-001: Execution with schtasks -
Reference - CAR-2013-09-003: SMB Session Setups - MITRE
Reference - CAR-2013-09-005: Service Outlier Executables -
Reference - CAR-2013-10-001: User Login Activity Monitoring - MITRE
Reference - CAR-2013-10-002: DLL Injection via Load Library - MITRE
Reference - CAR-2014-02-001: Service Binary Modifications - MITRE
Reference - CAR-2014-03-001: SMB Write Request - NamedPipes - MITRE
Reference - CAR-2014-03-005: Remotely Launched Executables via Services - MITRE
Reference - CAR-2014-03-006: RunDLL32.exe monitoring - MITRE
Reference - CAR-2014-04-003: Powershell Execution - MITRE
Reference - CAR-2014-05-001: RPC Activity - MITRE
Reference - CAR-2014-05-002: Services launching Cmd -
Reference - CAR-2014-07-001: Service Search Path Interception - MITRE
Reference - CAR-2014-11-002: Outlier Parents of Cmd - MITRE
Reference - CAR-2014-11-003: Debuggers for Accessibility Applications -
Reference - CAR-2014-11-003: Debuggers for Accessibility Applications - MITRE
Reference - CAR-2014-11-005: Remote Registry - MITRE
Reference - CAR-2014-11-006: Windows Remote Management (WinRM) - MITRE
Reference - CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC - MITRE
Reference - CAR-2014-11-008: Command Launched from WinLogon - MITRE
Reference - CAR-2014-12-001: Remotely Launched Executables via WMI - MITRE
Reference - CAR-2015-04-001: Remotely Scheduled Tasks via AT - MITRE
Reference - CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks - MITRE
Reference - CAR-2015-07-001: All Logins Since Last Boot - MITRE
Reference - CAR-2016-03-001: Host Discovery Commands - MITRE
Reference - CAR-2016-03-002: Create Remote Process via WMIC - MITRE
Reference - CAR-2016-04-002: User Activity from Clearing Event Logs - MITRE
Reference - CAR-2016-04-003: User Activity from Stopping Windows Defensive Services - MITRE
Reference - CAR-2016-04-004: Successful Local Account Login
Reference - CAR-2016-04-005: Remote Desktop Logon - MITRE
Reference - CAR-2019-04-001: UAC Bypass - MITRE
Reference - CAR-2019-04-002: Generic Regsvr32 - MITRE
Reference - CAR-2019-04-003: Squiblydoo - MITRE
Reference - CAR-2019-04-004: Credential Dumping via Mimikatz - MITRE
Reference - CAR-2019-07-001: Access Permission Modification - MITRE
Reference - CAR-2019-07-002: Lsass Process Dump via Procdump - MITRE
Reference - CAR-2019-08-001: Credential Dumping via Windows Task Manager - MITRE
Reference - CAR-2019-08-002: Active Directory Dumping via NTDSUtil - MITRE
Reference - CAR-2020-04-001: Shadow Copy Deletion - MITRE
Reference - CAR-2020-05-001: MiniDump of LSASS - MITRE
Reference - CAR-2020-05-003: Rare LolBAS Command Lines - MITRE
Reference - CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities - MITRE
Reference - CAR-2020-09-001: Scheduled Task - FileAccess - MITRE
Reference - CAR-2020-09-002: Component Object Model Hijacking - MITRE
Reference - CAR-2020-09-003: Indicator Blocking - Driver Unloaded - MITRE
Reference - CAR-2020-09-004: Credentials in Files & Registry - MITRE
Reference - CAR-2020-09-005: AppInit DLLs - MITRE
Reference - CAR-2020-11-001: Boot or Logon Initialization Scripts - MITRE
Reference - CAR-2020-11-002: Local Network Sniffing - MITRE
Reference - CAR-2020-11-003: DLL Injection with Mavinject - MITRE
Reference - CAR-2020-11-004: Processes Started From Irregular Parent - MITRE
Reference - CAR-2020-11-005: Clear Powershell Console Command History - MITRE
Reference - CAR-2020-11-006: Local Permission Group Discovery - MITRE
Reference - CAR-2020-11-007: Network Share Connection Removal - MITRE
Reference - CAR-2020-11-008: MSBuild and msxsl - MITRE
Reference - CAR-2020-11-009: Compiled HTML Access - MITRE
Reference - CAR-2020-11-010: CMSTP - MITRE
Reference - CAR-2020-11-011: Registry Edit from Screensaver
Reference - CAR-2021-01-002: Unusually Long Command Line Strings - MITRE
Reference - CAR-2021-01-003: Clearing Windows Logs with Wevtutil - MITRE
Reference - CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe - MITRE
Reference - CAR-2021-01-006: Unusual Child Process spawned using DDE exploit - MITRE
Reference - CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt - MITRE
Reference - CAR-2021-01-008: Disable UAC - MITRE
Reference - CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe - MITRE
Reference - CAR-2021-02-001: Webshell-Indicative Process Tree - MITRE
Reference - CAR-2021-02-002: Get System Elevation - MITRE
Reference - CAR-2021-04-001: Common Windows Process Masquerading - MITRE
Reference - CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store - MITRE
Reference - CAR-2021-05-002: Batch File Write to System32 - MITRE
Reference - CAR-2021-05-003: BCDEdit Failure Recovery Modification - MITRE
Reference - CAR-2021-05-004: BITS Job Persistence - MITRE
Reference - CAR-2021-05-005: BITSAdmin Download File - MITRE
Reference - CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments - MITRE
Reference - CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments - MITRE
Reference - CAR-2021-05-008: Certutil exe certificate extraction - MITRE
Reference - CAR-2021-05-009: CertUtil With Decode Argument - MITRE
Reference - CAR-2021-05-010: Create local admin accounts using net exe - MITRE
Reference - CAR-2021-05-011: Create Remote Thread into LSASS - MITRE
Reference - Certificate and Public Key Pinning
Reference - Certificate Transparency
Reference - Computational modeling and classification of data streams - Crowdstrike Inc
Reference - Computer motherboard having peripheral security functions
Reference - Computer Worm Defense System and Method - FireEye Inc
Reference - Computer-implemented methods and systems for identifying visually similar text character strings - Greathorn Inc
Reference - Computing apparatus with automatic integrity reference generation and maintenance - Tripwire, Inc.
Reference - Configure User Access Control and Permissions
Reference - Content extractor and analysis system - Bit 9 Inc, Carbon Black Inc
Reference - Continuous authentication by analysis of keyboard typing characteristics - Bradford Univ., UK
Reference - Dead code elimination
Reference - Deception-Based Responses to Security Attacks - Crowdstrike Inc
Reference - Decoy and deceptive data object technology - Cymmetria Inc
Reference - Decoy and deceptive data object technology - Cymmetria, Inc.
Reference - Decoy Network-Based Service for Deceiving Attackers - Amazon Technologies
Reference - Decoy Personas for Safeguarding Online Identity Using Deception -
Reference - DETECTING DDoS ATTACK USING Snort -
Reference - Detecting network reconnaissance by tracking intranet dark-net communications - VECTRA NETWORKS Inc
Reference - Detecting script-based malware - Crowdstrike Inc
Reference - Detection of Malicious IDNHomoglyph Domains
Reference - Deterministic method for detecting and blocking of exploits on interpreted code - K2 Cyber Security Inc
Reference - Digital Identity Guidelines 800-63-3
Reference - Distributed meta-information query in a network - Bit 9 Inc
Reference - DNS Whitelist (DNSWL) Email Authentication Method Extension
Reference - Domain age registration alert - Inc Rapid7 Inc RAPID7 Inc
Reference - Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network - Palo Alto Networks Inc
Reference - Embedding contexts for on-line threats into response policy zones - Verisign Inc
Reference - End-to-end certificate pinning
Reference - Enhancing Network Security By Preventing User-Initiated Malware Execution -
Reference - File and Folder Permissions
Reference - File-modifying malware detection - Crowdstrike Inc
Reference - Firewall for interent access - Secure Computing LLC
Reference - Firewall for processing a connectionless network packet - National Security Agency
Reference - Firewall for processing connection-oriented and connectionless datagrams over a connection-oriented network - National Security Agency
Reference - Firewalls that filter based upon protocol commands - Intel Corp
Reference - Firmware Behavior Analysis ConFirm
Reference - Firmware Behavior Analysis VIPER
Reference - Firmware Embedded Monitoring Code Red Balloon
Reference - Firmware Embedded Monitoring Code Symbiotes
Reference - Firmware Verification Eclypsium
Reference - Firmware Verification Trapezoid
Reference - Framework for notifying a directory service of authentication events processed outside the directory service - Oracle International Corp
Reference - FWTK - Firewall Toolkit -
Reference - FWTK Documentation - fwtk.org
Reference - Guards for application in software tamperproofing - Purdue Research Foundation
Reference - Hardware-assisted system and method for detecting and analyzing system calls made to an operting system kernel - Endgame Inc
Reference - Heuristic botnet detection - Palo Alto Networks Inc
Reference - Host intrusion prevention system using software and user behavior analysis - Sophos Ltd
Reference - How ASLR protects Linux systems from buffer overflow attacks - Network World
Reference - How to change registry values or permissions from a command line or a script
Reference - How trust relationships work for resource forests in Azure Active Directory Domain Services
Reference - http://www.biometric-solutions.com/keystroke-dynamics.html - biometric-solutions.com
Reference - Identification and extraction of key forensics indicators of compromise using subject-specific filesystem views
Reference - Identification of visual international domain name collisions - Verisign Inc
Reference - Identifying a denial-of-service attack in a cloud-based proxy service - Cloudfare Inc.
Reference - Indirect Branching Calls
Reference - Inferential exploit attempt detection - Crowdstrike Inc
Reference - Instant process termination tool to recover control of an information handling system - Dell Products LP
Reference - Integrity assurance through early loading in the boot phase - Crowdstrike Inc
Reference - Intrusion detection using a heartbeat - Sophos Ltd
Reference - Isolation of applications within a virtual machine - Bromium, Inc.
Reference - Malicious relay detection on networks - VECTRA NETWORKS Inc
Reference - Malware analysis system - Palo Alto Networks Inc
Reference - Malware detection in event loops - Crowdstrike Inc
Reference - Malware detection using local computational models - Crowdstrike Inc
Reference - Method and Apparatus for Detecting Malicious Websites - Endgame Inc
Reference - Method and apparatus for increasing the speed at which computer viruses are detected - McAfee LLC
Reference - Method and Apparatus for Network Fraud Detection and Remediation Through Analytics - Idaptive LLC
Reference - Method and apparatus for utilizing a token for resource access - Rsa Security Inc.
Reference - Method and system for controlling communication ports
Reference - Method and system for detecting algorithm-generated domains - VECTRA NETWORKS Inc
Reference - Method and system for detecting external control of compromised hosts - VECTRA NETWORKS Inc
Reference - Method and system for detecting malicious payloads - Vectra Networks Inc
Reference - Method and system for detecting restricted content associated with retrieved content - Sophos Ltd
Reference - Method and system for detecting suspicious administrative activity - Vectra Networks Inc
Reference - Method and system for detecting threats using metadata vectors - VECTRA NETWORKS Inc
Reference - Method and system for detecting threats using passive cluster mapping - Vectra Networks Inc
Reference - Method and system for providing software updates to local machines
Reference - Method and system for UDP flood attack detection - Riorey LLC
Reference - Method for controlling computer network security - Checkpoint Software Technologies Ltd
Reference - Method for file encryption
Reference - Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system - Symantec Corporation
Reference - Mitigate threats by using Windows 10 security features: Data Execution Prevention - Microsoft
Reference - Mock attack cybersecurity training system and methods - WOMBAT SECURITY TECHNOLOGIES Inc
Reference - Modeling user access to computer resources - Daedalus Group LLC (formerly IBM)
Reference - Modification of a Server to Mimic a Deception Mechanism - Acalvio Technologies Inc
Reference - Munin
Reference - Network firewall with proxy - Secure Computing LLC
Reference - Network-Based Buffer Overflow Detection by Exploit Code Analysis - Information Security Research Centre
Reference - Network-level polymorphic shellcode detection using emulation
Reference - Open source intelligence deceptions - Illusive Networks Ltd
Reference - OS Query Windows User Collection Code
Reference - Overview of the seccomp sandbox
Reference - Platform Firmware Resiliency Guidelines - NIST
Reference - Pointer Authentication on ARMv8.3
Reference - Pointer Authentication Project Zero
Reference - Post sandbox methods and systems for detecting and blocking zero-day exploits via api call validation - K2 Cyber Security Inc
Reference - Predicting Domain Generation Algorithms with Long Short-Term Memory Networks -
Reference - Preventing execution of task scheduled malware - McAfee LLC
Reference - Private virtual local area network isolation - Cisco Technology Inc
Reference - Protected computing environment - Microsoft Technology Licensing LLC
Reference - Protecting against distributed denial of service attacks - Cisco Technology Inc.
Reference - Protecting against distributed network flood attacks - Juniper Networks Inc.
Reference - Red Hat Enterprise Linux 8 Security Technical Implementation Guide
Reference - Registry Key Security and Access Rights
Reference - Reverse DNS Blocking - Barracuda Networks
Reference - RFC 2289 - A One-Time Password System
Reference - RFC 6376: DomainKeys Identified Mail (DKIM) Signatures - IETF
Reference - RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email - IETF
Reference - RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC) - IETF
Reference - RPC call interception - Crowdstrike Inc
Reference - Secure caching of server credentials - Dell Products LP
Reference - Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1
Reference - Securing Web Transactions
Reference - Securing Web Transactions TLS Server Certificate Management - Appendix A Passive Inspection
Reference - Security Architecture for the Internet Protocol
Reference - Security System with Methodology for Interprocess Communication Control - Check Point Software Tech Inc
Reference - Security Technologies: Stack Smashing Protection (StackGuard) - Red Hat
Reference - Sinkholing bad network domains by registering the bad network domains on the internet - Palo Alto Networks Inc
Reference - StreamingPhish
Reference - Supply chain cyber-deception - Cymmetria, Inc.
Reference - Synchronizing a honey network configuration to reflect a target network environment - Palo Alto Networks Inc
Reference - System and a method for identifying the presence of malware and ransomware using mini-traps set at network endpoints - Fidelis Cybersecurity Solutions Inc
Reference - System and method for detecting homoglyph attacks with a siamese convolutional neural network - Endgame Inc
Reference - System and method for detecting malware injected into memory of a computing device - Endgame Inc
Reference - System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis - Silver Tail Systems
Reference - System and method for identifying the presence of malware using mini-traps set at network endpoints - Fidelis Cybersecurity Solutions Inc
Reference - System and method for internet security - Cylance Inc
Reference - System and Method for Network Security Including Detection of Attacks Through Partner Websites - EMC IP Holding Co LLC
Reference - System and Method for Process Hollowing Detection - Carbon Black Inc
Reference - System and method for providing an actively invalidated client-side network resource cache - IMVU
Reference - System and method for validating in-memory integrity of executable files to identify malicious activity - Endgame Inc
Reference - System and method thereof for identifying and responding to security incidents based on preemptive forensics - Palo Alto Networks Inc
Reference - System and methods thereof for causality identification and attributions determination of processes in a network - Palo Alto Networks IncCyber Secdo Ltd
Reference - System and methods thereof for detection of persistent threats in a computerized environment background - Palo Alto Networks IncCyber Secdo Ltd
Reference - System and methods thereof for identification of suspicious system processes - Palo Alto Networks Inc
Reference - System and methods thereof for logical identification of malicious threats across a plurality of end-point devices (epd) communicatively connected by a network - Palo Alto Networks IncCyber Secdo Ltd
Reference - System and methods thereof for preventing ransomware from encrypting data elements stored in a memory of a computer-based system - Palo Alto Networks Inc
Reference - System for detecting threats using scenario-based tracking of internal and external network traffic - VECTRA NETWORKS Inc
Reference - System for implementing threat detection using daily network traffic community outliers - VECTRA NETWORKS Inc
Reference - System for implementing threat detection using threat and risk assessment of asset-actor interactions - VECTRA NETWORKS Inc
Reference - System, method, and computer program product for detecting and assessing security risks in a network - Exabeam Inc
Reference - Systems and methods for detecting and/or handling targeted attacks in the email channel - Graphus Inc
Reference - Systems and methods for detecting credential theft - Symantec Corp
Reference - Tamper proof mutating software - ARXAN TECHNOLOGIES Inc
Reference - Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities
Reference - Techniques for impeding and detecting network threats - Verisign Inc
Reference - Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords
Reference - Threat detection for return oriented programming - Crowdstrike Inc
Reference - Threat detection through the accumulated detection of threat characteristics - Sophos Ltd
Reference - TPM 2.0 Library Specification - Trusted Computing Group, Incorporated
Reference - Trusted Communications With Child Processes - Microsoft Technology Licensing LLC
Reference - UEFI Platform Initialization (PI) Specification
Reference - USB filter for hub malicious code prevention system
Reference - Use DNS Policy for Applying Filters on DNS Queries
Reference - Use of an application controller to monitor and control software file and application environments - Sophos Ltd
Reference - Use Rkill to Stop Malware Processes - ghacks.net
Reference - Virtualized process isolation - Advanced Micro Devices Inc
Reference - What is NX/XD feature?
Reference - Windows 10 STIG
Reflection Amplification
Reflective Code Loading
Registry Run Keys / Startup Folder
Relay Pattern Analysis
Remote Access Software
Remote Data Staging
Remote Data Storage
Remote Desktop Protocol
Remote Email Collection
Remote Service Session Hijacking
Remote Services
Remote Terminal Session Detection
Rename System Utilities
Replication Through Removable Media
Resource Access Pattern Analysis
Resource Forking
Restrict File and Directory Permissions
Restrict Library Loading
Restrict Registry Permission
Restrict Web-Based Content
Reverse Resolution Domain Denylisting
Reverse Resolution IP Denylisting
RF Shielding
Right-to-Left Override
Rogue Domain Controller
Rootkit
RPC Traffic Analysis
Ruby Script File
Run Virtual Instance
Rundll32 Execution
Runtime Data Manipulation
Safe Mode Boot
Scan
Scheduled Job Analysis
Scheduled Task/Job Execution
Scheduled Transfer
Screen Capture
Screensaver
Script Application Process
Script Execution Analysis
Security Account Manager
Security Software Discovery
Security Support Provider
Security Token
Securityd Memory
Segment Address Offset Randomization
Sender MTA Reputation Analysis
Sender Reputation Analysis
Service Binary Verification
Service Exhaustion Flood
Services File Permissions Weakness
Services Registry Permissions Weakness
Session Duration Analysis
Setuid and Setgid
Shadow Stack Comparisons
Sharepoint
Shortcut Modification
SID-History Injection
SIP and Trust Provider Hijacking
Software
Software Configuration
Software Deployment Tools Execution
Software Packing
Software Update
Source Code
Space after Filename
Spearphishing Attachment
Spearphishing Link
Spearphishing Via Service
SQL Stored Procedures
SSH
SSH Hijacking
SSL/TLS Inspection
Stack Frame
Stack Frame Canary Validation
Stack Segment
Standalone Honeynet
Startup Items
Steal Application Access Token
Steal or Forge Kerberos Tickets
Steal Web Session Cookie
Step 1 - Copy Token
Step 2 - Impersonate User
Storage
Stored Data Manipulation
Strong Password Policy
Sudo and Sudo Caching
Supply Chain Compromise
Symbolic Link
Symmetric Cryptography
System Call
System Call Analysis
System Call Filtering
System Configuration Database
System Configuration Permissions
System Daemon Monitoring
System File Analysis
System Firewall Configuration
System Firmware
System Firmware Verification
System Init Config Analysis
System Language Discovery
System Location Discovery
System Service Software
Systemd Service
Taint Shared Content
TCG Trusted Attestation Protocol Use Cases for TPM Families 1.2 and 2.0 and DICE
Thread Execution Hijacking
Thread Local Storage
Threat Intelligence Program
Time Based Evasion
Time Providers
Timestomp
Token Impersonation/Theft
TPM Boot Integrity
Traffic Signaling
Transfer Agent Authentication
Transmitted Data Manipulation
Transport Agent
Trap
Trusted Attestation Protocol Use Cases
Trusted Relationship
Two-Factor Authentication Interception
Unsecured Credentials
Update Software
URL
URL Analysis
Use Alternate Authentication Material
User
User Account Control
User Account Management
User Account Permissions
User Behavior
User Behavior Analysis
User Data Transfer Analysis
User Geolocation Logon Pattern Analysis
User Manual
User Session Init Config Analysis
User Startup Directory
User to User Message
User Training
Valid Accounts
VBA Stomping
VDSO Hijacking
Video Capture
Vulnerability Scanning
Web Authentication
Web Authentication: An API for accessing Public Key Credentials Level 2
Web File Resource
Web Portal Capture
Web Protocols
Web Service
Web Session Activity Analysis
Web Session Cookie
Web Shell
Web Socket URL
WHOIS Compatible Domain Registration
Windows Batch File
Windows Management Instrumentation Event Subscription
Windows Process
Windows Service
Winlogon Helper DLL
X86 Code Segment
XSL Script Processing

.bash_profile and .bashrcⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.004

has facts: modifies^op User Init Configuration File
is also defined as: class

/etc/passwd and /etc/shadowⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003.008

has facts: accesses^op Encrypted Credential; accesses^op Password File
is also defined as: class

Accessibility Featuresⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.008

has facts: may-create^op Intranet Administrative Network Traffic; may-modify^op Executable Binary; may-modify^op System Configuration Database Record
is also defined as: class

Account Access Removalⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1531

has facts: modifies^op User Account
is also defined as: class

Account Lockingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AccountLocking

belongs to: Credential Eviction^c
has facts: date created^dp "2020-08-05T00:00:00"^^date time; d3fend-id^dp "D3-AL"; disables^op User Account; kb-reference^op Reference - Account monitoring - Forescout Technologies; kb-reference^op Reference - Framework for notifying a directory service of authentication events processed outside the directory service - Oracle International Corp
is also defined as: class

Account Manipulationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1098

has facts: modifies^op User Account
is also defined as: class

Account Use Policiesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1036

belongs to: ATTACK Mitigation^c
has facts: d3fend-comment^dp "D3-AZET may be related (is potentially related though not called out in ATT&CK definition.)"; related^op Account Locking; related^op Authentication Cache Invalidation; related^op Authentication Event Thresholding

Active Certificate Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ActiveCertificateAnalysis

belongs to: Active Certificate Analysis^c; Certificate Analysis^c
has facts: date created^dp "2020-08-05T00:00:00"^^date time; d3fend-id^dp "D3-ACA"; kb-reference^op Reference - Securing Web Transactions
is also defined as: class

Active Directory Configurationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1015

belongs to: ATTACK Mitigation^c
has facts: d3fend-comment^dp "M1015 scope is broad, touches on an wide variety of techniques in D3FEND."; related^op Authentication Cache Invalidation; related^op Domain Trust Policy; related^op User Account Permissions

Add Office 365 Global Administrator Roleⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1098.003

has facts: modifies^op Global User Account
is also defined as: class

Add-insⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1137.006

has facts: adds^op Software; may-modify^op System Configuration Database; modifies^op Office Application
is also defined as: class

Additional Azure Service Principal Credentialsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1098.001

has facts: creates^op Credential; produces^op Intranet Administrative Network Traffic
is also defined as: class

Administrative Network Activity Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AdministrativeNetworkActivityAnalysis

belongs to: Network Traffic Analysis^c
has facts: analyzes^op Intranet Administrative Network Traffic; date created^dp "2020-08-05T00:00:00"^^date time; d3fend-id^dp "D3-ANAA"; kb-reference^op Reference - Method and system for detecting suspicious administrative activity - Vectra Networks Inc; kb-reference^op Reference - CAR-2014-11-005: Remote Registry - MITRE; kb-reference^op Reference - CAR-2014-11-006: Windows Remote Management (WinRM) - MITRE
is also defined as: class

Adobe PDF File 1.3ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AdobePDFFile1.3

belongs to: Document File^c
has facts: may-contain^op Javascript File

AMD64 Code Segmentⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AMD64CodeSegment

belongs to: Image Code Segment^c; Process Code Segment^c

Antivirus/Antimalwareⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1049

belongs to: ATTACK Mitigation^c
has facts: d3fend-comment^dp "Process Analysis and subclasses."; related^op File Content Rules; related^op File Hashing; related^op Process Analysis

AppCert DLLsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.009

has facts: invokes^op Create Process; loads^op Shared Library File; modifies^op System Configuration Database Record
is also defined as: class

AppInit DLLsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.010

has facts: invokes^op Create Process; loads^op Shared Library File; modifies^op System Configuration Database Record
is also defined as: class

Applicationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Application

has facts: may-contain^op Application Configuration; uses^op Resource
is also defined as: class

Application Access Tokenⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1550.001

has facts: may-produce^op Network Traffic; uses^op Access Token
is also defined as: class

Application Configuration Databaseⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationConfigurationDatabase

has facts: contains^op Application Configuration Database Record
is also defined as: class

Application Configuration Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationConfigurationFile

has facts: contains^op Application Configuration
is also defined as: class

Application Configuration Hardeningⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationConfigurationHardening

belongs to: Application Hardening^c
has facts: d3fend-id^dp "D3-ACH"; hardens^op Application Configuration; kb-reference^op Reference - Red Hat Enterprise Linux 8 Security Technical Implementation Guide; kb-reference^op Reference - Windows 10 STIG
is also defined as: class

Application Developer Guidanceⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1013

belongs to: ATTACK Mitigation^c
has facts: d3fend-comment^dp "A future release of D3FEND will define a taxonomy of Source Code Hardening Techniques."

Application Hardeningⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationHardening

belongs to: Defensive Technique^c
has facts: d3fend-id^dp "D3-AH"; enables^op Harden
is also defined as: class

Application Isolation and Sandboxingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1048

belongs to: ATTACK Mitigation^c
has facts: d3fend-comment^dp ""Sandboxing" is often used to describe a detection environment which includes some forms of analysis (see D3-DA.)" Many forms of isolation (e.g., quarantining) are more static in nature and simply limit software's access to system resources."; related^op Dynamic Analysis; related^op Hardware-based Process Isolation; related^op Mandatory Access Control; related^op System Call Filtering

Application Layer Protocolⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1071

has facts: may-transfer^op Certificate File; produces^op Outbound Internet Network Traffic
is also defined as: class

Application Processⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ApplicationProcess

has facts: runs^op Application
is also defined as: class

Application Shimmingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.011

has facts: creates^op Shim; modifies^op Shim Database
is also defined as: class

Archive Collected Dataⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1560

has facts: creates^op Archive File
is also defined as: class

Archive via Custom Methodⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1560.003

has facts: creates^op Custom Archive File
is also defined as: class

Archive via Libraryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1560.002

has facts: creates^op Archive File
is also defined as: class

Archive via Utilityⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1560.001

has facts: creates^op Archive File
is also defined as: class

ARM32 Code Segmentⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ARM32CodeSegment

belongs to: Image Code Segment^c; Process Code Segment^c

ASCII Domain Nameⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ASCIIDomainName

belongs to: Domain Name^c

Asymmetric Cryptographyⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1573.002

has facts: creates^op Outbound Internet Encrypted Traffic; may-transfer^op Certificate File
is also defined as: class

Asynchronous Procedure Callⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.004

has facts: may-invoke^op Create Process
is also defined as: class

Audio Captureⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1123

has facts: accesses^op Audio Input Device
is also defined as: class

Auditⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1047

belongs to: ATTACK Mitigation^c
has facts: d3fend-comment^dp "M1047 scope is broad, touches on an wide variety of techniques in d3fend."; related^op Domain Account Monitoring; related^op Local Account Monitoring; related^op System File Analysis

Authenticationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Authentication

belongs to: Authentication^c
has facts: authenticates^op User; may-create^op Intranet Network Traffic; originates-from^op Physical Location
is also defined as: class

Authentication Cache Invalidationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AuthenticationCacheInvalidation

belongs to: Credential Eviction^c
has facts: d3fend-id^dp "D3-ANCI"; deletes^op Credential; kb-reference^op Reference - Secure caching of server credentials - Dell Products LP; kb-reference^op Reference - System and method for providing an actively invalidated client-side network resource cache - IMVU
is also defined as: class

Authentication Event Thresholdingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AuthenticationEventThresholding

belongs to: User Behavior Analysis^c
has facts: analyzes^op Authentication; date created^dp "2020-08-05T00:00:00"^^date time; d3fend-id^dp "D3-ANET"; kb-reference^op Reference - Method and Apparatus for Network Fraud Detection and Remediation Through Analytics - Idaptive LLC; kb-reference^op Reference - CAR-2013-02-008: Simultaneous Logins on a Host - MITRE; kb-reference^op Reference - CAR-2013-02-012: User Logged in to Multiple Hosts - MITRE; kb-reference^op Reference - CAR-2013-10-001: User Login Activity Monitoring - MITRE; kb-reference^op Reference - System, method, and computer program product for detecting and assessing security risks in a network - Exabeam Inc
is also defined as: class

Authentication Logⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AuthenticationLog

has facts: records^op Authentication
is also defined as: class

Authentication Packageⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.002

has facts: modifies^op System Configuration Database Record
is also defined as: class

Authorizationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Authorization

has facts: authorizes^op Network Resource Access
is also defined as: class

Authorization Event Thresholdingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AuthorizationEventThresholding

belongs to: User Behavior Analysis^c
has facts: analyzes^op Authorization; date created^dp "2020-08-05T00:00:00"^^date time; d3fend-id^dp "D3-AZET"; kb-reference^op Reference - Method and Apparatus for Network Fraud Detection and Remediation Through Analytics - Idaptive LLC; kb-reference^op Reference - CAR-2013-09-003: SMB Session Setups - MITRE; kb-reference^op Reference - CAR-2013-02-012: User Logged in to Multiple Hosts - MITRE; kb-reference^op Reference - System, method, and computer program product for detecting and assessing security risks in a network - Exabeam Inc
is also defined as: class

Authorization Logⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AuthorizationLog

has facts: records^op Network Resource Access
is also defined as: class

Automated Collectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1119

has facts: accesses^op File
is also defined as: class

Automated Exfiltrationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1020

has facts: produces^op Internet Network Traffic
is also defined as: class

Bash Historyⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1552.003

has facts: accesses^op Command History Log File
is also defined as: class

Bash Script Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BashScriptFile

belongs to: Executable Script^c

Behavior Prevention on Endpointⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1040

belongs to: ATTACK Mitigation^c
has facts: related^op Authentication Event Thresholding; related^op Authorization Event Thresholding; related^op Job Function Access Pattern Analysis; related^op Resource Access Pattern Analysis; related^op Session Duration Analysis; related^op User Data Transfer Analysis; related^op User Geolocation Logon Pattern Analysis; related^op Web Session Activity Analysis

Binary Paddingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1027.001

has facts: modifies^op Executable Binary
is also defined as: class

Biometric Authenticationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BiometricAuthentication

belongs to: Credential Hardening^c
has facts: authenticates^op User Account; d3fend-id^dp "D3-BAN"; kb-reference^op Biometric Authentication; kb-reference^op Reference - Tokenless biometric transaction authorization method and system; kb-reference^op Reference - http://www.biometric-solutions.com/keystroke-dynamics.html - biometric-solutions.com
is also defined as: class

BITS Jobsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1197

has facts: may-produce^op Intranet IPC Network Traffic; may-produce^op Intranet Web Network Traffic; may-produce^op Outbound Internet Web Traffic
is also defined as: class

Block Deviceⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BlockDevice

has facts: contains^op Boot Sector; contains^op Partition; contains^op Partition Table; may-contain^op Volume
is also defined as: class

Bookⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Book

belongs to: Reference Type^c

Boot Integrityⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1046

belongs to: ATTACK Mitigation^c
has facts: related^op Bootloader Authentication; related^op TPM Boot Integrity

Bootkitⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1542.003

has facts: may-modify^op Boot Loader; may-modify^op Boot Sector; may-modify^op Volume Boot Record
is also defined as: class

Bootloader Authenticationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BootloaderAuthentication

belongs to: Platform Hardening^c
has facts: authenticates^op Boot Loader; d3fend-id^dp "D3-BA"; kb-reference^op Reference - UEFI Platform Initialization (PI) Specification
is also defined as: class

Broadcast Domain Isolationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BroadcastDomainIsolation

belongs to: Network Isolation^c
has facts: d3fend-id^dp "D3-BDI"; filters^op Local Area Network Traffic; kb-reference^op Reference - Broadcast isolation and level 3 network switch - Hewlett Packard Enterprise Development LP; kb-reference^op Reference - Private virtual local area network isolation - Cisco Technology Inc
is also defined as: class

Browserⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Browser

has facts: may-contain^op Browser Extension
is also defined as: class

Browser Extensionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BrowserExtension

has facts: extends^op Browser
is also defined as: class

Browser Extensionsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1176

has facts: modifies^op Browser Extension
is also defined as: class

BSD Processⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#BSDProcess

belongs to: Process^c

Bypass User Access Controlⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1548.002

has facts: executes^op Executable File; invokes^op Create Process; may-modify^op System Configuration Database Record
is also defined as: class

Byte Sequence Emulationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ByteSequenceEmulation

belongs to: Network Traffic Analysis^c
has facts: d3fend-id^dp "D3-BSE"; kb-reference^op Reference - Network-level polymorphic shellcode detection using emulation; kb-reference^op Reference - Network-Based Buffer Overflow Detection by Exploit Code Analysis - Information Security Research Centre
is also defined as: class

Cached Domain Credentialsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003.005

has facts: accesses^op Encrypted Credential; may-modify^op Log
is also defined as: class

Call Stackⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CallStack

has facts: contains^op Stack Frame
is also defined as: class

Certificateⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Certificate

has facts: contains^op Identifier; contains^op Public Key
is also defined as: class

Certificate Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CertificateAnalysis

belongs to: Certificate Analysis^c; Network Traffic Analysis^c
has facts: analyzes^op Certificate File; d3fend-id^dp "D3-CA"; kb-reference^op Reference - Securing Web Transactions
is also defined as: class

Certificate Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CertificateFile

has facts: contains^op Certificate
is also defined as: class

Certificate Pinningⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CertificatePinning

belongs to: Credential Hardening^c
has facts: authenticates^op Public Key; d3fend-id^dp "D3-CP"; kb-reference^op Reference - Certificate and Public Key Pinning; kb-reference^op Reference - End-to-end certificate pinning
is also defined as: class

Certificate Trust Storeⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CertificateTrustStore

has facts: contains^op Certificate
is also defined as: class

Certificate-based Authenticationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Certificate-basedAuthentication

belongs to: Credential Hardening^c
has facts: d3fend-id^dp "D3-CBAN"; kb-reference^op Reference - Tokenless biometric transaction authorization method and system
is also defined as: class

Change Default File Associationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.001

has facts: modifies^op System Configuration Database Record
is also defined as: class

Clear Command Historyⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1070.003

has facts: modifies^op Command History Log
is also defined as: class

Clear Linux or Mac System Logsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1070.002

has facts: modifies^op Operating System Log File
is also defined as: class

Clear Windows Event Logsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1070.001

has facts: modifies^op Event Log
is also defined as: class

Client-server Payload Profilingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Client-serverPayloadProfiling

belongs to: Network Traffic Analysis^c
has facts: analyzes^op Network Traffic; d3fend-id^dp "D3-CSPP"; kb-reference^op Reference - Method and system for detecting malicious payloads - Vectra Networks Inc
is also defined as: class

Clipboard Dataⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1115

has facts: reads^op Clipboard
is also defined as: class

Cloud Accountⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1087.004

has facts: creates^op Cloud User Account
is also defined as: class

Cloud Accountsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1078.004

has facts: uses^op Cloud User Account
is also defined as: class

Cloud Instance Metadata APIⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1552.005

has facts: accesses^op Cloud Instance Metadata
is also defined as: class

Cloud Service Dashboardⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1538

has facts: accesses^op Cloud Configuration
is also defined as: class

Cloud Service Discoveryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1526

has facts: reads^op Cloud Configuration
is also defined as: class

Cloud Storage Object Discoveryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1619

has facts: accesses^op Cloud Storage
is also defined as: class

CMSTPⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.003

has facts: invokes^op Create Process; may-produce^op Network Traffic
is also defined as: class

Code Repositoriesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1213.003

has facts: reads^op Code Repository
is also defined as: class

Code Repositoryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CodeRepository

has facts: contains^op Source Code
is also defined as: class

Code Signingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1045

belongs to: ATTACK Mitigation^c
has facts: related^op Driver Load Integrity Checking; related^op Executable Allowlisting; related^op Service Binary Verification

Code Signingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1553.002

has facts: enables^op Defense Evasion
is also defined as: class

Collectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Collection

belongs to: Offensive Tactic^c
has facts: display-order^dp "9"^^integer
is also defined as: class

Collection Techniqueⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CollectionTechnique

has facts: enables^op Collection
is also defined as: class

Command And Controlⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CommandAndControl

belongs to: Offensive Tactic^c
has facts: display-order^dp "10"^^integer
is also defined as: class

Command and Control Techniqueⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CommandAndControlTechnique

has facts: enables^op Command And Control
is also defined as: class

Command and Scripting Interpreter Executionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1059

has facts: executes^op Executable Script
is also defined as: class

Command History Log Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CommandHistoryLogFile

has facts: contains^op Command History Log
is also defined as: class

Communication Through Removable Mediaⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1092

has facts: modifies^op Removable Media Device
is also defined as: class

Compile After Deliveryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1027.004

has facts: creates^op Executable File
is also defined as: class

Compiled HTML Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.001

has facts: invokes^op Create File; invokes^op Create Process
is also defined as: class

Compilerⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Compiler

has facts: reads^op Compiler Configuration File
is also defined as: class

Component Firmwareⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1542.002

has facts: modifies^op Firmware
is also defined as: class

Component Object Model Hijackingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.015

has facts: loads^op Executable Binary; modifies^op System Configuration Database
is also defined as: class

Compromise Client Software Binaryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1554

has facts: modifies^op Client Application
is also defined as: class

Compromise Hardware Supply Chainⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1195.003

has facts: modifies^op Hardware Device
is also defined as: class

Compromise Software Dependencies and Development Toolsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1195.001

has facts: modifies^op Software
is also defined as: class

Compromise Software Supply Chainⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1195.002

has facts: modifies^op Software
is also defined as: class

Confluenceⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1213.001

has facts: accesses^op Web File Resource
is also defined as: class

Connected Honeynetⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ConnectedHoneynet

belongs to: Decoy Environment^c
has facts: d3fend-id^dp "D3-CHN"; kb-reference^op Reference - Modification of a Server to Mimic a Deception Mechanism - Acalvio Technologies Inc; spoofs^op Local Area Network
is also defined as: class

Connection Attempt Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ConnectionAttemptAnalysis

belongs to: Network Traffic Analysis^c
has facts: analyzes^op Intranet Network Traffic; d3fend-id^dp "D3-CAA"; kb-reference^op Reference - Detecting network reconnaissance by tracking intranet dark-net communications - VECTRA NETWORKS Inc
is also defined as: class

Container Runtimeⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ContainerRuntime

has facts: runs^op Container Image
is also defined as: class

Control Panel Executionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.002

has facts: invokes^op Create Process; may-modify^op System Configuration Database Record
is also defined as: class

Copy Tokenⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CopyToken

belongs to: Copy Token^c
is also defined as: class

COR_PROFILERⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.012

has facts: adds^op Shared Library File; modifies^op System Configuration Database Record
is also defined as: class

Create Accountⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1136

has facts: creates^op User Account
is also defined as: class

Create Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CreateFile

has facts: creates^op File
is also defined as: class

Create Process with Tokenⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1134.002

has facts: copies^op Access Token; may-modify^op Event Log
is also defined as: class

Credentialⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Credential

has facts: authenticates^op User Account
is also defined as: class

Credential Accessⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CredentialAccess

belongs to: Offensive Tactic^c
has facts: display-order^dp "6"^^integer
is also defined as: class

Credential Access Protectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1043

belongs to: ATTACK Mitigation^c
has facts: related^op Hardware-based Process Isolation

Credential Access Techniqueⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CredentialAccessTechnique

has facts: accesses^op Credential; enables^op Credential Access
is also defined as: class

Credential API Hookingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1056.004

has facts: may-modify^op Process Code Segment
is also defined as: class

Credential Compromise Scope Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CredentialCompromiseScopeAnalysis

belongs to: User Behavior Analysis^c
has facts: analyzes^op Credential; d3fend-id^dp "D3-CCSA"; kb-reference^op Reference - CAR-2015-07-001: All Logins Since Last Boot - MITRE; kb-reference^op Reference - Systems and methods for detecting credential theft - Symantec Corp
is also defined as: class

Credential Evictionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CredentialEviction

belongs to: Defensive Technique^c
has facts: d3fend-id^dp "D3-CE"; enables^op Evict
is also defined as: class

Credential Hardeningⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CredentialHardening

belongs to: Defensive Technique^c
has facts: d3fend-id^dp "D3-CH"; enables^op Harden
is also defined as: class

Credential Stuffingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1110.004

has facts: may-create^op Intranet Administrative Network Traffic; modifies^op Authentication Log; produces^op Authentication
is also defined as: class

Credential Transmission Scopingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CredentialTransmissionScoping

belongs to: Credential Hardening^c
has facts: d3fend-id^dp "D3-CTS"; kb-reference^op Web Authentication: An API for accessing Public Key Credentials Level 2; restricts^op Credential
is also defined as: class

Credentials from Password Storesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1555

has facts: accesses^op Password Store
is also defined as: class

Credentials from Web Browsersⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1555.003

has facts: may-access^op In-memory Password Store
is also defined as: class

Credentials in Filesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1552.001

has facts: accesses^op File
is also defined as: class

Credentials in Registryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1552.002

has facts: accesses^op System Configuration Database
is also defined as: class

Data Backupⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1053

belongs to: ATTACK Mitigation^c
has facts: d3fend-comment^dp "Comprehensive IT disaster recovery plans are outside the current scope of D3FEND."

Data Encodingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1132

has facts: produces^op Outbound Internet Network Traffic
is also defined as: class

Data from Information Repositoriesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1213

has facts: accesses^op Resource
is also defined as: class

Data from Local Systemⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1005

has facts: accesses^op Local Resource
is also defined as: class

Data from Network Shared Driveⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1039

has facts: accesses^op Network File Share Resource
is also defined as: class

Data from Removable Mediaⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1025

has facts: accesses^op Removable Media Device
is also defined as: class

Data Obfuscationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1001

has facts: produces^op Outbound Internet Network Traffic
is also defined as: class

Data Stagedⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1074

has facts: reads^op Resource
is also defined as: class

Data Transfer Size Limitsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1030

has facts: produces^op Internet Network Traffic
is also defined as: class

Database Query String Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DatabaseQueryStringAnalysis

belongs to: Process Analysis^c
has facts: analyzes^op Database Query; d3fend-id^dp "D3-DQSA"; kb-reference^op Reference - System and method for internet security - Cylance Inc
is also defined as: class

Database Serverⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DatabaseServer

has facts: contains^op Database
is also defined as: class

DCSyncⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003.006

has facts: may-modify^op Event Log; produces^op Intranet Administrative Network Traffic
is also defined as: class

Dead Code Eliminationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DeadCodeElimination

belongs to: Application Hardening^c
has facts: d3fend-id^dp "D3-DCE"; kb-reference^op Reference - Dead code elimination
is also defined as: class

Deceiveⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Deceive

belongs to: Defensive Tactic^c
has facts: display-order^dp "3"^^integer
is also defined as: class

Decoy Artifactⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyArtifact

has facts: may-contain^op Digital Artifact
is also defined as: class

Decoy Environmentⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyEnvironment

belongs to: Defensive Technique^c
has facts: d3fend-id^dp "D3-DE"; enables^op Deceive; manages^op Decoy Artifact
is also defined as: class

Decoy Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyFile

belongs to: Decoy Object^c
has facts: d3fend-id^dp "D3-DF"; kb-reference^op Reference - Open source intelligence deceptions - Illusive Networks Ltd; kb-reference^op Reference - System and a method for identifying the presence of malware and ransomware using mini-traps set at network endpoints - Fidelis Cybersecurity Solutions Inc; kb-reference^op Reference - System and methods thereof for preventing ransomware from encrypting data elements stored in a memory of a computer-based system - Palo Alto Networks Inc; kb-reference^op Reference - Supply chain cyber-deception - Cymmetria, Inc.; spoofs^op File
is also defined as: class

Decoy Network Resourceⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyNetworkResource

belongs to: Decoy Object^c
has facts: d3fend-id^dp "D3-DNR"; kb-reference^op Reference - Automatically generating network resource groups and assigning customized decoy policies thereto - Illusive Networks Ltd; kb-reference^op Reference - Deception-Based Responses to Security Attacks - Crowdstrike Inc; kb-reference^op Reference - Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network - Palo Alto Networks Inc; kb-reference^op Reference - System and method for identifying the presence of malware using mini-traps set at network endpoints - Fidelis Cybersecurity Solutions Inc; spoofs^op Network Resource
is also defined as: class

Decoy Objectⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyObject

belongs to: Defensive Technique^c
has facts: d3fend-id^dp "D3-DO"; enables^op Deceive
is also defined as: class

Decoy Personaⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyPersona

belongs to: Decoy Object^c
has facts: d3fend-id^dp "D3-DP"; kb-reference^op Reference - Decoy Personas for Safeguarding Online Identity Using Deception -; kb-reference^op Reference - Decoy and deceptive data object technology - Cymmetria, Inc.; spoofs^op User
is also defined as: class

Decoy Public Releaseⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyPublicRelease

belongs to: Decoy Object^c
has facts: d3fend-id^dp "D3-DPR"; kb-reference^op Reference - Mock attack cybersecurity training system and methods - WOMBAT SECURITY TECHNOLOGIES Inc
is also defined as: class

Decoy Session Tokenⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoySessionToken

belongs to: Decoy Object^c
has facts: d3fend-id^dp "D3-DST"; kb-reference^op Reference - Decoy and deceptive data object technology - Cymmetria Inc; spoofs^op Access Token
is also defined as: class

Decoy User Credentialⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DecoyUserCredential

belongs to: Decoy Object^c
has facts: d3fend-id^dp "D3-DUC"; kb-reference^op Reference - Decoy Network-Based Service for Deceiving Attackers - Amazon Technologies; kb-reference^op Reference - Decoy and deceptive data object technology - Cymmetria Inc; kb-reference^op Reference - System and method for identifying the presence of malware using mini-traps set at network endpoints - Fidelis Cybersecurity Solutions Inc; spoofs^op Credential
is also defined as: class

Default Accountsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1078.001

has facts: uses^op Default User Account
is also defined as: class

Defense Evasionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DefenseEvasion

belongs to: Offensive Tactic^c
has facts: display-order^dp "5"^^integer
is also defined as: class

Defense Evasion Techniqueⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DefenseEvasionTechnique

has facts: enables^op Defense Evasion
is also defined as: class

Defensive Techniqueⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DefensiveTechnique

has facts: enables^op Defensive Tactic
is also defined as: class

Deobfuscate/Decode Files or Informationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1140

has facts: invokes^op Create Process; may-add^op Executable File; may-modify^op Event Log
is also defined as: class

Detectⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Detect

belongs to: Defensive Tactic^c
has facts: display-order^dp "1"^^integer
is also defined as: class

Direct Network Floodⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1498.001

has facts: creates^op Inbound Internet Network Traffic
is also defined as: class

Direct Volume Accessⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1006

has facts: accesses^op Volume
is also defined as: class

Directoryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Directory

has facts: may-contain^op File
is also defined as: class

Disable or Modify System Firewallⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1562.004

has facts: modifies^op System Firewall Configuration
is also defined as: class

Disable or Modify Toolsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1562.001

has facts: disables^op Operating System Process
is also defined as: class

Disable or Remove Feature or Programⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1042

belongs to: ATTACK Mitigation^c
has facts: related^op Application Configuration Hardening; related^op Executable Denylisting; related^op Mandatory Access Control

Disable Windows Event Loggingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1562.002

has facts: may-modify^op Application Configuration; may-modify^op Operating System Configuration Component
is also defined as: class

Discoveryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Discovery

belongs to: Offensive Tactic^c
has facts: display-order^dp "7"^^integer
is also defined as: class

Discovery Techniqueⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DiscoveryTechnique

has facts: enables^op Discovery
is also defined as: class

Disk Content Wipeⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1561.001

has facts: may-modify^op Boot Sector; may-modify^op Partition; may-modify^op Partition Table; may-modify^op Volume; modifies^op Block Device
is also defined as: class

Disk Encryptionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DiskEncryption

belongs to: Platform Hardening^c
has facts: d3fend-id^dp "D3-DENCR"; encrypts^op Storage; kb-reference^op LUKS1 On-Disk Format SpecificationVersion 1.2.3
is also defined as: class

Disk Structure Wipeⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1561.002

has facts: may-modify^op Boot Sector; may-modify^op Partition Table
is also defined as: class

Display Device Driverⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DisplayDeviceDriver

has facts: drives^op Display Adapter
is also defined as: class

DLL Search Order Hijackingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.001

has facts: may-create^op Shared Library File
is also defined as: class

DLL Side-Loadingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.002

has facts: may-create^op Shared Library File; may-modify^op Shared Library File
is also defined as: class

DNSⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1071.004

has facts: produces^op Outbound Internet DNS Lookup Traffic
is also defined as: class

DNS Allowlistingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DNSAllowlisting

belongs to: Network Isolation^c
has facts: blocks^op Outbound Internet DNS Lookup Traffic; d3fend-id^dp "D3-DNSAL"; kb-reference^op Reference - DNS Whitelist (DNSWL) Email Authentication Method Extension
is also defined as: class

DNS Denylistingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DNSDenylisting

belongs to: Network Isolation^c
has facts: blocks^op DNS Network Traffic; d3fend-id^dp "D3-DNSDL"; kb-reference^op Reference - Use DNS Policy for Applying Filters on DNS Queries
is also defined as: class

DNS Traffic Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DNSTrafficAnalysis

belongs to: Network Traffic Analysis^c
has facts: analyzes^op Outbound Internet DNS Lookup Traffic; d3fend-id^dp "D3-DNSTA"; kb-reference^op Reference - Domain age registration alert - Inc Rapid7 Inc RAPID7 Inc; kb-reference^op Reference - Heuristic botnet detection - Palo Alto Networks Inc; kb-reference^op Reference - Method and system for detecting algorithm-generated domains - VECTRA NETWORKS Inc; kb-reference^op Reference - Predicting Domain Generation Algorithms with Long Short-Term Memory Networks -; kb-reference^op Reference - Sinkholing bad network domains by registering the bad network domains on the internet - Palo Alto Networks Inc; may-contain^op DNS Lookup
is also defined as: class

Do Not Mitigateⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1055

belongs to: ATTACK Mitigation^c

Document Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DocumentFile

has facts: may-contain^op Executable Script
is also defined as: class

Domain Accountⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1087.002

has facts: creates^op Domain User Account
is also defined as: class

Domain Account Monitoringⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DomainAccountMonitoring

belongs to: User Behavior Analysis^c
has facts: d3fend-id^dp "D3-DAM"; kb-reference^op Reference - Audit User Account Management; monitors^op Domain User Account
is also defined as: class

Domain Accountsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1078.002

has facts: uses^op Domain User Account
is also defined as: class

Domain Frontingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1090.004

has facts: produces^op Outbound Internet Encrypted Web Traffic
is also defined as: class

Domain Registrationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DomainRegistration

has facts: may-contain^op Domain Name
is also defined as: class

Domain Trust Policyⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DomainTrustPolicy

belongs to: Credential Hardening^c
has facts: d3fend-id^dp "D3-DTP"; kb-reference^op Reference - How trust relationships work for resource forests in Azure Active Directory Domain Services; restricts^op Directory Service; restricts^op Domain Account
is also defined as: class

Double File Extensionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1036.007

has facts: modifies^op File System Metadata
is also defined as: class

Downgrade Attackⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1562.010

has facts: accesses^op Legacy System
is also defined as: class

Drive-by Compromiseⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1189

has facts: modifies^op Process Segment; produces^op Outbound Internet Network Traffic; produces^op URL
is also defined as: class

Driver Load Integrity Checkingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DriverLoadIntegrityChecking

belongs to: Platform Hardening^c
has facts: authenticates^op Hardware Driver; d3fend-id^dp "D3-DLIC"; kb-reference^op Reference - Integrity assurance through early loading in the boot phase - Crowdstrike Inc; kb-reference^op Reference - Protected computing environment - Microsoft Technology Licensing LLC
is also defined as: class

Dylib Hijackingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.004

has facts: may-create^op Shared Library File; may-modify^op Shared Library File
is also defined as: class

Dynamic Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DynamicAnalysis

belongs to: File Analysis^c
has facts: analyzes^op Document File; analyzes^op Executable File; d3fend-id^dp "D3-DA"; kb-reference^op Reference - Malware analysis system - Palo Alto Networks Inc; kb-reference^op Reference - Use of an application controller to monitor and control software file and application environments - Sophos Ltd
is also defined as: class

Dynamic Resolutionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1568

has facts: produces^op Outbound Internet DNS Lookup Traffic
is also defined as: class

Dynamic-link Library Injectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.001

has facts: adds^op Shared Library File; invokes^op System Call; loads^op Shared Library File
is also defined as: class

Elevated Execution with Promptⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1548.004

has facts: creates^op System Configuration Database; invokes^op System Call
is also defined as: class

Emailⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Email

has facts: may-contain^op File; may-contain^op URL
is also defined as: class

Email Attachmentⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#EmailAttachment

has facts: attached-to^op Email
is also defined as: class

Email Collectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1114

has facts: accesses^op Resource
is also defined as: class

Email Forwarding Ruleⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1114.003

has facts: modifies^op Application Configuration
is also defined as: class

Email Hiding Rulesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.008

has facts: may-create^op Email Rule; may-modify^op Email Rule; modifies^op Application Configuration
is also defined as: class

Emondⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.014

has facts: may-create^op Property List File; may-modify^op Property List File; modifies^op Configuration Bearing Entity
is also defined as: class

Emulated File Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#EmulatedFileAnalysis

belongs to: File Analysis^c
has facts: analyzes^op Document File; analyzes^op Executable File; d3fend-id^dp "D3-EFA"; kb-reference^op Reference - Network-level polymorphic shellcode detection using emulation
is also defined as: class

Enclaveⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Enclave

has facts: may-contain^op Local Area Network
is also defined as: class

Encrypt Sensitive Informationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1041

belongs to: ATTACK Mitigation^c
has facts: related^op Disk Encryption; related^op Encrypted Tunnels; related^op File Encryption; related^op Message Encryption

Encrypted Channelⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1573

has facts: produces^op Outbound Internet Encrypted Traffic
is also defined as: class

Encrypted Tunnelsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#EncryptedTunnels

belongs to: Network Isolation^c
has facts: d3fend-id^dp "D3-ET"; isolates^op Intranet Network; kb-reference^op Reference - Security Architecture for the Internet Protocol
is also defined as: class

Endpoint Health Beaconⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#EndpointHealthBeacon

belongs to: Operating System Monitoring^c
has facts: d3fend-id^dp "D3-EHB"; kb-reference^op Reference - Intrusion detection using a heartbeat - Sophos Ltd
is also defined as: class

Environment Variable Permissionsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1039

belongs to: ATTACK Mitigation^c
has facts: related^op Application Configuration Hardening; related^op System File Analysis

Evictⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Evict

belongs to: Defensive Tactic^c
has facts: display-order^dp "4"^^integer
is also defined as: class

Exception Handler Pointer Validationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExceptionHandlerPointerValidation

belongs to: Application Hardening^c
has facts: d3fend-id^dp "D3-EHPV"; kb-reference^op Reference - /SAFESEH (Image has Safe Exception Handlers) - Microsoft Docs; validates^op Pointer
is also defined as: class

Exchange Email Delegate Permissionsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1098.002

has facts: modifies^op Domain User Account
is also defined as: class

Executable Allowlistingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExecutableAllowlisting

belongs to: Platform Hardening^c
has facts: blocks^op Executable File; d3fend-id^dp "D3-EAL"; kb-reference^op Reference - Enhancing Network Security By Preventing User-Initiated Malware Execution -; kb-reference^op Reference - Computing apparatus with automatic integrity reference generation and maintenance - Tripwire, Inc.
is also defined as: class

Executable Binaryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExecutableBinary

has facts: contains^op Image Code Segment; contains^op Image Data Segment; may-interpret^op Executable Script
is also defined as: class

Executable Denylistingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExecutableDenylisting

belongs to: Execution Isolation^c
has facts: blocks^op Executable File; d3fend-id^dp "D3-EDL"; kb-reference^op Reference - Method and apparatus for increasing the speed at which computer viruses are detected - McAfee LLC; kb-reference^op Reference - Content extractor and analysis system - Bit 9 Inc, Carbon Black Inc
is also defined as: class

Executable Installer File Permissions Weaknessⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.005

has facts: modifies^op Service Application
is also defined as: class

Executionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Execution

belongs to: Offensive Tactic^c
has facts: display-order^dp "2"^^integer
is also defined as: class

Execution Isolationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExecutionIsolation

belongs to: Defensive Technique^c
has facts: d3fend-id^dp "D3-EI"; enables^op Isolate
is also defined as: class

Execution Preventionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1038

belongs to: ATTACK Mitigation^c
has facts: related^op Driver Load Integrity Checking; related^op Executable Allowlisting; related^op Executable Denylisting; related^op Process Segment Execution Prevention

Execution Techniqueⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExecutionTechnique

has facts: enables^op Execution
is also defined as: class

Exfiltrationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Exfiltration

belongs to: Offensive Tactic^c
has facts: display-order^dp "11"^^integer
is also defined as: class

Exfiltration Over Alternative Protocolⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1048

has facts: produces^op Internet Network Traffic
is also defined as: class

Exfiltration Over Asymmetric Encrypted Non-C2 Protocolⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1048.002

has facts: may-transfer^op Certificate File; produces^op Outbound Internet Encrypted Traffic
is also defined as: class

Exfiltration Over C2 Channelⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1041

has facts: may-transfer^op Certificate File; produces^op Internet Network Traffic
is also defined as: class

Exfiltration Over Other Network Mediumⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1011

has facts: produces^op Internet Network Traffic
is also defined as: class

Exfiltration Over Symmetric Encrypted Non-C2 Protocolⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1048.001

has facts: produces^op Outbound Internet Encrypted Traffic
is also defined as: class

Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocolⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1048.003

has facts: produces^op Outbound Internet Network Traffic
is also defined as: class

Exfiltration over USBⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1052.001

has facts: modifies^op Removable Media Device
is also defined as: class

Exfiltration Over Web Serviceⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1567

has facts: produces^op Outbound Internet Web Traffic
is also defined as: class

Exfiltration Techniqueⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExfiltrationTechnique

has facts: enables^op Exfiltration
is also defined as: class

Exfiltration to Cloud Storageⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1567.002

has facts: produces^op Outbound Internet Encrypted Web Traffic
is also defined as: class

Exfiltration to Code Repositoryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1567.001

has facts: may-produce^op Outbound Internet Encrypted Remote Terminal Traffic; may-produce^op Outbound Internet Encrypted Web Traffic
is also defined as: class

Exploit Protectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1050

belongs to: ATTACK Mitigation^c
has facts: related^op Application Hardening; related^op Exception Handler Pointer Validation; related^op Inbound Traffic Filtering; related^op Shadow Stack Comparisons

Exploit Public-Facing Applicationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1190

has facts: injects^op Database Query; modifies^op Process Segment; produces^op Inbound Internet Network Traffic
is also defined as: class

Exploitation for Client Executionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1203

has facts: modifies^op Process Code Segment; modifies^op Stack Frame
is also defined as: class

Exploitation for Credential Accessⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1212

has facts: may-access^op Authentication Service; may-access^op Credential Management System; may-modify^op Process Code Segment; may-modify^op Stack Frame
is also defined as: class

Exploitation for Defense Evasionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1211

has facts: may-modify^op Process Code Segment; may-modify^op Stack Frame
is also defined as: class

Exploitation for Privilege Escalationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1068

has facts: enables^op Privilege Escalation; may-modify^op Stack Frame; modifies^op Process Code Segment
is also defined as: class

Exploitation of Remote Servicesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1210

has facts: may-modify^op Process Code Segment; may-modify^op Process Segment; may-modify^op Stack Frame; produces^op Intranet Network Traffic
is also defined as: class

External Defacementⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1491.002

has facts: modifies^op Network Resource
is also defined as: class

External Proxyⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1090.002

has facts: produces^op Outbound Internet Network Traffic
is also defined as: class

External Remote Servicesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1133

has facts: produces^op Authentication; produces^op Authorization; produces^op Network Session
is also defined as: class

Fallback Channelsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1008

has facts: produces^op Outbound Internet Network Traffic
is also defined as: class

Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#File

has facts: contains^op File Section; may-contain^op File; may-contain^op URL
is also defined as: class

File Access Pattern Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileAccessPatternAnalysis

belongs to: Process Analysis^c
has facts: analyzes^op Local Resource Access; analyzes^op Read File; d3fend-id^dp "D3-FAPA"; kb-reference^op Reference - File-modifying malware detection - Crowdstrike Inc
is also defined as: class

File Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileAnalysis

belongs to: Defensive Technique^c
has facts: analyzes^op File; d3fend-id^dp "D3-FA"; enables^op Detect
is also defined as: class

File and Directory Permissions Modificationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1222

has facts: modifies^op Access Control Configuration
is also defined as: class

File Carvingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileCarving

belongs to: Network Traffic Analysis^c
has facts: analyzes^op File Transfer Network Traffic; d3fend-id^dp "D3-FC"; kb-reference^op Reference - Computer Worm Defense System and Method - FireEye Inc
is also defined as: class

File Content Rulesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileContentRules

belongs to: File Analysis^c
has facts: d3fend-id^dp "D3-FCR"; kb-reference^op Reference - Computational modeling and classification of data streams - Crowdstrike Inc; kb-reference^op Reference - Detecting script-based malware - Crowdstrike Inc; kb-reference^op Reference - Distributed meta-information query in a network - Bit 9 Inc; kb-reference^op Reference - System and methods thereof for logical identification of malicious threats across a plurality of end-point devices (epd) communicatively connected by a network - Palo Alto Networks IncCyber Secdo Ltd
is also defined as: class

File Creation Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileCreationAnalysis

belongs to: System Call Analysis^c
has facts: analyzes^op Create File; d3fend-id^dp "D3-FCA"; kb-reference^op Reference - CAR-2019-07-002: Lsass Process Dump via Procdump - MITRE; kb-reference^op Reference - CAR-2020-09-001: Scheduled Task - FileAccess - MITRE
is also defined as: class

File Deletionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1070.004

has facts: deletes^op File; may-modify^op File
is also defined as: class

File Encryptionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileEncryption

belongs to: Platform Hardening^c
has facts: d3fend-id^dp "D3-FE"; encrypts^op File; kb-reference^op Reference - Method for file encryption
is also defined as: class

File Hashingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileHashing

belongs to: File Analysis^c
has facts: d3fend-id^dp "D3-FH"; kb-reference^op Reference - Munin
is also defined as: class

File Systemⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FileSystem

has facts: contains^op Directory; contains^op File; contains^op File System Link; contains^op File System Metadata
is also defined as: class

File Transfer Protocolsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1071.002

has facts: produces^op Outbound Internet File Transfer Traffic
is also defined as: class

Filter Network Trafficⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1037

belongs to: ATTACK Mitigation^c
has facts: related^op Network Isolation

Firmware Behavior Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FirmwareBehaviorAnalysis

belongs to: Platform Monitoring^c
has facts: analyzes^op Firmware; d3fend-id^dp "D3-FBA"; kb-reference^op Reference - Firmware Behavior Analysis ConFirm; kb-reference^op Reference - Firmware Behavior Analysis VIPER
is also defined as: class

Firmware Embedded Monitoring Codeⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FirmwareEmbeddedMonitoringCode

belongs to: Platform Monitoring^c
has facts: analyzes^op Firmware; d3fend-id^dp "D3-FEMC"; kb-reference^op Reference - Firmware Embedded Monitoring Code Red Balloon; kb-reference^op Reference - Firmware Embedded Monitoring Code Symbiotes
is also defined as: class

Firmware Verificationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FirmwareVerification

belongs to: Platform Monitoring^c
has facts: d3fend-id^dp "D3-FV"; kb-reference^op Reference - Firmware Verification Eclypsium; kb-reference^op Reference - Firmware Verification Trapezoid; kb-reference^op Reference - Platform Firmware Resiliency Guidelines - NIST; verifies^op Firmware
is also defined as: class

Forced Authenticationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1187

has facts: may-modify^op Windows Shortcut File; modifies^op Authentication Log; produces^op Authentication
is also defined as: class

Forward Resolution Domain Denylistingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ForwardResolutionDomainDenylisting

belongs to: DNS Denylisting^c
has facts: blocks^op Outbound Internet DNS Lookup Traffic; d3fend-id^dp "D3-FRDDL"; kb-reference^op Reference - Use DNS Policy for Applying Filters on DNS Queries
is also defined as: class

Forward Resolution IP Denylistingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ForwardResolutionIPDenylisting

belongs to: DNS Denylisting^c
has facts: blocks^op Inbound Internet DNS Response Traffic; d3fend-id^dp "D3-FRIDL"; kb-reference^op Reference - Use DNS Policy for Applying Filters on DNS Queries
is also defined as: class

FQDN Domain Nameⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#FQDNDomainName

belongs to: Domain Name^c

Gatekeeper Bypassⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1553.001

has facts: modifies^op File System Metadata
is also defined as: class

GNU GCC StackGuardⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#GNUGCCStackGuard

belongs to: Stack Frame Canary Validation^c

Golden Ticketⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1558.001

has facts: forges^op Kerberos Ticket Granting Ticket
is also defined as: class

Group Policy Discoveryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1615

has facts: reads^op Group Policy
is also defined as: class

Group Policy Modificationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1484

has facts: modifies^op Group Policy
is also defined as: class

Group Policy Preferencesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1552.006

has facts: accesses^op Group Policy
is also defined as: class

GUI Input Captureⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1056.002

has facts: accesses^op Graphical User Interface
is also defined as: class

Hardenⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Harden

belongs to: Defensive Tactic^c
has facts: display-order^dp "0"^^integer
is also defined as: class

Hardware Additionsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1200

has facts: connects^op Hardware Device
is also defined as: class

Hardware Driverⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HardwareDriver

has facts: drives^op Hardware Device
is also defined as: class

Hardware-based Process Isolationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Hardware-basedProcessIsolation

belongs to: Execution Isolation^c
has facts: d3fend-id^dp "D3-HBPI"; isolates^op Process; kb-reference^op Reference - Virtualized process isolation - Advanced Micro Devices Inc; kb-reference^op Reference - Approaches for securing an internet endpoint using fine-grained operating system virtualization - Bromium, Inc.; kb-reference^op Reference - Isolation of applications within a virtual machine - Bromium, Inc.
is also defined as: class

Hidden File Systemⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.005

has facts: may-modify^op System Configuration Database; modifies^op Storage
is also defined as: class

Hidden Files and Directoriesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.001

has facts: modifies^op File System Metadata
is also defined as: class

Hidden Usersⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.002

has facts: modifies^op User Init Configuration File
is also defined as: class

Hidden Windowⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.003

has facts: may-modify^op Property List File; may-modify^op System Configuration Database
is also defined as: class

Hierarchical Domain Denylistingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HierarchicalDomainDenylisting

belongs to: Forward Resolution Domain Denylisting^c
has facts: d3fend-id^dp "D3-HDDL"; kb-reference^op Reference - Use DNS Policy for Applying Filters on DNS Queries
is also defined as: class

Homoglyph Denylistingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HomoglyphDenylisting

belongs to: Forward Resolution Domain Denylisting^c
has facts: d3fend-id^dp "D3-HDL"; kb-reference^op Reference - Detection of Malicious IDNHomoglyph Domains
is also defined as: class

Homoglyph Detectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HomoglyphDetection

belongs to: Identifier Analysis^c
has facts: analyzes^op Email; analyzes^op URL; d3fend-id^dp "D3-HD"; kb-reference^op Reference - Computer-implemented methods and systems for identifying visually similar text character strings - Greathorn Inc; kb-reference^op Reference - System and method for detecting homoglyph attacks with a siamese convolutional neural network - Endgame Inc
is also defined as: class

Hostⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Host

has facts: contains^op Application; contains^op Operating System; runs^op Operating System
is also defined as: class

Hostnameⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Hostname

belongs to: Domain Name^c
is also defined as: class

HTML Smugglingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1027.006

has facts: creates^op JavaScript Blob; hides^op Digital Artifact
is also defined as: class

HTTP URLⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HTTPURL

belongs to: URL^c

HTTPS URLⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HTTPSURL

belongs to: URL^c

Identifier Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IdentifierAnalysis

belongs to: Defensive Technique^c
has facts: d3fend-id^dp "D3-ID"; enables^op Detect
is also defined as: class

IIS Componentsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1505.004

has facts: adds^op Software
is also defined as: class

Image Code Segmentⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ImageCodeSegment

has facts: contains^op Subroutine
is also defined as: class

Image File Execution Options Injectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.012

has facts: modifies^op System Configuration Database
is also defined as: class

Impactⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Impact

belongs to: Offensive Tactic^c
has facts: display-order^dp "12"^^integer
is also defined as: class

Impact Techniqueⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ImpactTechnique

has facts: enables^op Impact
is also defined as: class

Impair Command History Loggingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1562.003

has facts: may-modify^op User Init Script; may-modify^op Windows Registry Key; modifies^op Process Environment Variable
is also defined as: class

Impersonate Userⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ImpersonateUser

belongs to: Impersonate User^c
is also defined as: class

Implant Container Imageⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1525

has facts: adds^op Container Image
is also defined as: class

Inbound Internet Network Trafficⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InboundInternetNetworkTraffic

has facts: produces^op Network Traffic
is also defined as: class

Inbound Session Volume Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InboundSessionVolumeAnalysis

belongs to: Network Traffic Analysis^c
has facts: analyzes^op Inbound Internet Network Traffic; d3fend-id^dp "D3-ISVA"; kb-reference^op Reference - Identifying a denial-of-service attack in a cloud-based proxy service - Cloudfare Inc.; kb-reference^op Reference - Method and system for UDP flood attack detection - Riorey LLC; kb-reference^op Reference - Protecting against distributed denial of service attacks - Cisco Technology Inc.; kb-reference^op Reference - Protecting against distributed network flood attacks - Juniper Networks Inc.; kb-reference^op Reference - DETECTING DDoS ATTACK USING Snort -
is also defined as: class

Inbound Traffic Filteringⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InboundTrafficFiltering

belongs to: Network Traffic Filtering^c
has facts: d3fend-id^dp "D3-ITF"; filters^op Inbound Network Traffic; kb-reference^op Reference - Active firewall system and methodology - McAfee LLC; kb-reference^op Reference - Automatically generating rules for connection security - Microsoft; kb-reference^op Reference - FWTK - Firewall Toolkit -; kb-reference^op Reference - Firewall for interent access - Secure Computing LLC; kb-reference^op Reference - Firewall for processing a connectionless network packet - National Security Agency; kb-reference^op Reference - Firewall for processing connection-oriented and connectionless datagrams over a connection-oriented network - National Security Agency; kb-reference^op Reference - Firewalls that filter based upon protocol commands - Intel Corp; kb-reference^op Reference - Method for controlling computer network security - Checkpoint Software Technologies Ltd; kb-reference^op Reference - Network firewall with proxy - Secure Computing LLC
is also defined as: class

Indirect Branch Call Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IndirectBranchCallAnalysis

belongs to: Process Analysis^c
has facts: d3fend-id^dp "D3-IBCA"; kb-reference^op Reference - Indirect Branching Calls
is also defined as: class

Ingress Tool Transferⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1105

has facts: produces^op Outbound Internet Network Traffic
is also defined as: class

Initial Accessⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InitialAccess

belongs to: Offensive Tactic^c
has facts: display-order^dp "1"^^integer
is also defined as: class

Initial Access Techniqueⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InitialAccessTechnique

has facts: enables^op Initial Access
is also defined as: class

Input Device Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InputDeviceAnalysis

belongs to: Operating System Monitoring^c
has facts: analyzes^op Input Device; d3fend-id^dp "D3-IDA"; kb-reference^op Reference - http://www.biometric-solutions.com/keystroke-dynamics.html - biometric-solutions.com; kb-reference^op Reference - Continuous authentication by analysis of keyboard typing characteristics - Bradford Univ., UK
is also defined as: class

Install Root Certificateⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1553.004

has facts: modifies^op Certificate Trust Store
is also defined as: class

Integrated Honeynetⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntegratedHoneynet

belongs to: Decoy Environment^c
has facts: d3fend-id^dp "D3-IHN"; kb-reference^op Reference - Synchronizing a honey network configuration to reflect a target network environment - Palo Alto Networks Inc; spoofs^op Intranet Network
is also defined as: class

Inter-Process Communication Executionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1559

has facts: injects^op Interprocess Communication
is also defined as: class

Internal Defacementⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1491.001

has facts: modifies^op Resource
is also defined as: class

Internal Proxyⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1090.001

has facts: produces^op Intranet Network Traffic
is also defined as: class

Internal Spearphishingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1534

has facts: produces^op Email
is also defined as: class

Internationalized Domain Nameⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InternationalizedDomainName

belongs to: Domain Name^c

Internet Articleⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#InternetArticle

belongs to: Reference Type^c
is also defined as: class

Intranet IPC Network Trafficⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntranetIPCNetworkTraffic

has facts: may-contain^op File
is also defined as: class

Intranet Web Network Trafficⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IntranetWebNetworkTraffic

has facts: may-contain^op File
is also defined as: class

Invalid Code Signatureⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1036.001

has facts: creates^op Executable Binary
is also defined as: class

IO Port Restrictionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IOPortRestriction

belongs to: Execution Isolation^c
has facts: d3fend-id^dp "D3-IOPR"; filters^op Hardware Device; filters^op Input Device; filters^op Removable Media Device; kb-reference^op Reference - Computer motherboard having peripheral security functions; kb-reference^op Reference - Method and system for controlling communication ports; kb-reference^op Reference - USB filter for hub malicious code prevention system
is also defined as: class

iOS Processⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#iOSProcess

belongs to: Process^c

IPC Traffic Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#IPCTrafficAnalysis

belongs to: Network Traffic Analysis^c
has facts: analyzes^op Intranet IPC Network Traffic; d3fend-id^dp "D3-IPCTA"; kb-reference^op Reference - Security System with Methodology for Interprocess Communication Control - Check Point Software Tech Inc; kb-reference^op Reference - CAR-2013-05-005: SMB Copy and Execution -; kb-reference^op Reference - CAR-2013-01-003: SMB Events Monitoring -; kb-reference^op Reference - CAR-2013-09-003: SMB Session Setups - MITRE; kb-reference^op Reference - CAR-2014-03-001: SMB Write Request - NamedPipes - MITRE; kb-reference^op Reference - CAR-2013-05-003: SMB Write Request -; kb-reference^op Reference - CAR-2015-04-001: Remotely Scheduled Tasks via AT - MITRE
is also defined as: class

Isolateⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Isolate

belongs to: Defensive Tactic^c
has facts: display-order^dp "2"^^integer
is also defined as: class

Javascript Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#JavascriptFile

belongs to: Executable Script^c

Job Function Access Pattern Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#JobFunctionAccessPatternAnalysis

belongs to: User Behavior Analysis^c
has facts: analyzes^op Authorization; d3fend-id^dp "D3-JFAPA"; kb-reference^op Reference - Anomaly Detection Using Adaptive Behavioral Profiles - Securonix Inc
is also defined as: class

Kerberoastingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1558.003

has facts: may-produce^op RPC Network Traffic
is also defined as: class

Kernelⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Kernel

has facts: contains^op Kernel Process Table; loads^op Application; manages^op Operating System Process; manages^op User Process; may-contain^op Hardware Driver; may-contain^op Kernel Module
is also defined as: class

Kernel Modules and Extensionsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.006

has facts: modifies^op Kernel Module
is also defined as: class

Kernel-based Process Isolationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Kernel-basedProcessIsolation

belongs to: Execution Isolation^c
has facts: d3fend-id^dp "D3-KBPI"; kb-reference^op Reference - Overview of the seccomp sandbox
is also defined as: class

Keychainⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1555.001

has facts: accesses^op MacOS Keychain
is also defined as: class

Keyloggingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1056.001

has facts: accesses^op Keyboard Input Device
is also defined as: class

Lateral Movementⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LateralMovement

belongs to: Offensive Tactic^c
has facts: display-order^dp "8"^^integer
is also defined as: class

Lateral Movement Techniqueⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LateralMovementTechnique

has facts: enables^op Lateral Movement
is also defined as: class

Lateral Tool Transferⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1570

has facts: produces^op Intranet File Transfer Traffic
is also defined as: class

Launch Agentⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1543.001

has facts: creates^op Property List File
is also defined as: class

Launch Daemonⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1543.004

has facts: modifies^op Property List File
is also defined as: class

Launchdⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1053.004

has facts: creates^op Property List File
is also defined as: class

LC_LOAD_DYLIB Additionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.006

has facts: modifies^op Executable Binary
is also defined as: class

LD_PRELOADⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.006

has facts: modifies^op Operating System Configuration File
is also defined as: class

LDIF Recordⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LDIFRecord

belongs to: User Account^c

Limit Access to Resource Over Networkⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1035

belongs to: ATTACK Mitigation^c
has facts: related^op Network Isolation

Limit Hardware Installationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1034

belongs to: ATTACK Mitigation^c
has facts: related^op IO Port Restriction

Limit Software Installationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1033

belongs to: ATTACK Mitigation^c
has facts: related^op Executable Allowlisting; related^op Executable Denylisting

Linux ELF File 32bitⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LinuxELFFile32bit

test

belongs to: Executable Binary^c

Linux ELF File 64bitⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LinuxELFFile64bit

belongs to: Executable Binary^c

Linux Execⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LinuxExec

belongs to: Create Process^c

Linux Processⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LinuxProcess

belongs to: Process^c

LLMNR/NBT-NS Poisoning and SMB Relayⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1557.001

has facts: produces^op Intranet Multicast Network Traffic
is also defined as: class

Local Accountⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1087.001

has facts: creates^op Local User Account
is also defined as: class

Local Account Monitoringⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LocalAccountMonitoring

belongs to: User Behavior Analysis^c
has facts: analyzes^op Local User Account; d3fend-id^dp "D3-LAM"; kb-reference^op Reference - Audit User Account Management; kb-reference^op Reference - CAR-2016-04-004: Successful Local Account Login; kb-reference^op Reference - OS Query Windows User Collection Code
is also defined as: class

Local Accountsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1078.003

has facts: uses^op Local User Account
is also defined as: class

Local Area Networkⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LocalAreaNetwork

has facts: may-contain^op Host
is also defined as: class

Local Data Stagingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1074.001

has facts: modifies^op Local Resource
is also defined as: class

Local Email Collectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1114.001

has facts: reads^op Email
is also defined as: class

Local File Permissionsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LocalFilePermissions

belongs to: Platform Hardening^c
has facts: d3fend-id^dp "D3-LFP"; kb-reference^op Reference - File and Folder Permissions; restricts^op Directory; restricts^op File
is also defined as: class

Local Resource Accessⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LocalResourceAccess

has facts: accesses^op Local Resource
is also defined as: class

Log Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LogFile

has facts: contains^op Log
is also defined as: class

Login Itemsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.015

has facts: modifies^op User Logon Init Resource
is also defined as: class

Logon Script (Mac)ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1037.002

has facts: modifies^op User Init Script
is also defined as: class

Logon Script (Windows)ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1037.001

has facts: modifies^op User Init Script
is also defined as: class

LSA Secretsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003.004

has facts: may-access^op Process; may-access^op System Password Database
is also defined as: class

LSASS Driverⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.008

has facts: may-create^op Shared Library File; modifies^op System Service Software
is also defined as: class

LSASS Memoryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003.001

has facts: accesses^op Authentication Service; accesses^op Process
is also defined as: class

Lua Script Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LuaScriptFile

belongs to: Executable Script^c

LUKS1 On-Disk Format SpecificationVersion 1.2.3ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LUKS1On-DiskFormatSpecificationVersion1.2.3

belongs to: Specification Reference^c
has facts: has-link^dp "https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf"^^any u r i; kb-reference-of^op Disk Encryption; kb-reference-title^dp "LUKS1 On-Disk Format SpecificationVersion 1.2.3"

macOS Processⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#macOSProcess

belongs to: Process^c

Mail Network Trafficⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MailNetworkTraffic

has facts: contains^op Email
is also defined as: class

Mail Protocolsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1071.003

has facts: produces^op Outbound Internet Mail Traffic
is also defined as: class

Make and Impersonate Tokenⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1134.003

has facts: copies^op Access Token; creates^op Login Session; may-modify^op Event Log
is also defined as: class

Malicious File Executionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1204.002

has facts: executes^op Executable File
is also defined as: class

Malicious Link Executionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1204.001

has facts: accesses^op URL; produces^op Outbound Internet Web Traffic
is also defined as: class

Man in the Browserⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1185

has facts: produces^op Web Network Traffic
is also defined as: class

Man-in-the-Middleⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1557

has facts: produces^op Network Traffic
is also defined as: class

Mandatory Access Controlⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MandatoryAccessControl

belongs to: Kernel-based Process Isolation^c
has facts: d3fend-id^dp "D3-MAC"; isolates^op Process; kb-reference^op Reference - Analysis of the Windows Vista Security Model - Symantec Corporation; kb-reference^op Reference - Architecture of transparent network security for application containers - Neuvector Inc
is also defined as: class

Marketing Materialⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MarketingMaterial

belongs to: Reference Type^c

Masquerade Task or Serviceⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1036.004

has facts: modifies^op Task Schedule
is also defined as: class

Match Legitimate Name or Locationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1036.005

has facts: invokes^op Move File; may-create^op File
is also defined as: class

Mavinjectⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.013

has facts: invokes^op Create Thread; modifies^op Process Segment
is also defined as: class

Memory Boundary Trackingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MemoryBoundaryTracking

belongs to: Operating System Monitoring^c
has facts: analyzes^op Process Code Segment; d3fend-id^dp "D3-MBT"; kb-reference^op Reference - Inferential exploit attempt detection - Crowdstrike Inc
is also defined as: class

Message Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MessageAnalysis

belongs to: Defensive Technique^c
has facts: d3fend-id^dp "D3-MA"; enables^op Detect
is also defined as: class

Message Authenticationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MessageAuthentication

belongs to: Message Hardening^c
has facts: authenticates^op User to User Message; d3fend-id^dp "D3-MAN"; kb-reference^op Reference - RFC 6376: DomainKeys Identified Mail (DKIM) Signatures - IETF; kb-reference^op Reference - Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1
is also defined as: class

Message Encryptionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MessageEncryption

belongs to: Message Hardening^c
has facts: d3fend-id^dp "D3-MENCR"; encrypts^op User to User Message; kb-reference^op Reference - Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1
is also defined as: class

Message Hardeningⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MessageHardening

belongs to: Defensive Technique^c
has facts: d3fend-id^dp "D3-MH"; enables^op Harden
is also defined as: class

Microsoft VCCLCompilerTool BufferSecurityCheckⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MicrosoftVCCLCompilerToolBufferSecurityCheck

belongs to: Stack Frame Canary Validation^c

Microsoft Word DOC Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MicrosoftWordDOCFile

belongs to: Document File^c

Microsoft Word DOCB Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MicrosoftWordDOCBFile

belongs to: Document File^c

Microsoft Word DOCM Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MicrosoftWordDOCMFile

belongs to: Document File^c

Microsoft Word DOCX Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MicrosoftWordDOCXFile

belongs to: Document File^c

Microsoft Word DOT Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MicrosoftWordDOTFile

belongs to: Document File^c

Microsoft Word DOTM Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MicrosoftWordDOTMFile

belongs to: Document File^c

Microsoft Word DOTX Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MicrosoftWordDOTXFile

belongs to: Document File^c

Microsoft Word WBK Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MicrosoftWordWBKFile

belongs to: Document File^c

MMCⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.014

has facts: executes^op Command; may-add^op Software; may-modify^op System Configuration Database
is also defined as: class

Modify Authentication Processⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1556

has facts: modifies^op Authentication Service
is also defined as: class

Modify Registryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1112

has facts: modifies^op Windows Registry
is also defined as: class

Move Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MoveFile

has facts: modifies^op File System Metadata
is also defined as: class

MSBuildⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1127.001

has facts: modifies^op Compiler Configuration File; runs^op Compiler
is also defined as: class

MSG Email Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#MSGEmailFile

belongs to: Email^c

Multi-factor Authenticationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1032

belongs to: ATTACK Mitigation^c
has facts: related^op Multi-factor Authentication

Multi-factor Authenticationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Multi-factorAuthentication

belongs to: Credential Hardening^c
has facts: authenticates^op User Account; d3fend-id^dp "D3-MFA"; kb-reference^op Reference - Method and apparatus for utilizing a token for resource access - Rsa Security Inc.
is also defined as: class

Multi-hop Proxyⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1090.003

has facts: produces^op Outbound Internet Network Traffic
is also defined as: class

Multi-Stage Channelsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1104

has facts: produces^op Outbound Internet Network Traffic
is also defined as: class

Native API Executionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1106

has facts: invokes^op System Call
is also defined as: class

Netsh Helper DLLⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.007

has facts: modifies^op System Configuration Database Record; produces^op Process
is also defined as: class

Network Directory Resourceⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkDirectoryResource

has facts: contains^op Directory
is also defined as: class

Network File Resourceⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkFileResource

has facts: contains^op File
is also defined as: class

Network Flowⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkFlow

has facts: summarizes^op Network Traffic
is also defined as: class

Network Intrusion Preventionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1031

belongs to: ATTACK Mitigation^c
has facts: related^op Inbound Traffic Filtering; related^op Network Traffic Analysis; related^op Outbound Traffic Filtering

Network Isolationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkIsolation

belongs to: Defensive Technique^c
has facts: d3fend-id^dp "D3-NI"; enables^op Isolate
is also defined as: class

Network Logon Scriptⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1037.003

has facts: modifies^op Network Init Script File Resource
is also defined as: class

Network Nodeⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkNode

has facts: runs^op Operating System
is also defined as: class

Network Resource Accessⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkResourceAccess

has facts: accesses^op Network Resource; accesses^op Resource
is also defined as: class

Network Segmentationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1030

belongs to: ATTACK Mitigation^c
has facts: related^op Broadcast Domain Isolation; related^op Encrypted Tunnels; related^op Inbound Session Volume Analysis; related^op Inbound Traffic Filtering

Network Sessionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkSession

has facts: contains^op Network Packet
is also defined as: class

Network Share Connection Removalⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1070.005

has facts: unmounts^op Network File Share Resource
is also defined as: class

Network Sniffingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1040

has facts: may-produce^op DNS Lookup
is also defined as: class

Network Trafficⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkTraffic

has facts: may-contain^op Domain Name; originates-from^op Physical Location
is also defined as: class

Network Traffic Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkTrafficAnalysis

belongs to: Network Traffic Analysis^c
has facts: d3fend-id^dp "D3-NTA"; enables^op Detect
is also defined as: class

Network Traffic Community Deviationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkTrafficCommunityDeviation

belongs to: Network Traffic Analysis^c
has facts: analyzes^op Network Traffic; d3fend-id^dp "D3-NTCD"; kb-reference^op Reference - System for implementing threat detection using daily network traffic community outliers - VECTRA NETWORKS Inc
is also defined as: class

Network Traffic Filteringⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#NetworkTrafficFiltering

belongs to: Network Isolation^c
has facts: d3fend-id^dp "D3-NTF"; filters^op Network Traffic; kb-reference^op Reference - Active firewall system and methodology - McAfee LLC; kb-reference^op Reference - Automatically generating rules for connection security - Microsoft; kb-reference^op Reference - FWTK - Firewall Toolkit -; kb-reference^op Reference - Firewall for interent access - Secure Computing LLC; kb-reference^op Reference - Firewall for processing a connectionless network packet - National Security Agency; kb-reference^op Reference - Firewall for processing connection-oriented and connectionless datagrams over a connection-oriented network - National Security Agency; kb-reference^op Reference - Firewalls that filter based upon protocol commands - Intel Corp; kb-reference^op Reference - Method for controlling computer network security - Checkpoint Software Technologies Ltd; kb-reference^op Reference - Network firewall with proxy - Secure Computing LLC
is also defined as: class

Non-Application Layer Protocolⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1095

has facts: produces^op Outbound Internet Network Traffic
is also defined as: class

non-real-time-analyticⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#non-real-time-analytic

belongs to: Analytic Latency^c

non-real-time-evictionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#non-real-time-eviction

belongs to: Eviction Latency^c

Non-Standard Portⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1571

has facts: produces^op Outbound Internet Network Traffic
is also defined as: class

NTDSⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003.003

has facts: accesses^op Encrypted Credential
is also defined as: class

NTFS File Attributesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.004

has facts: modifies^op File System Metadata
is also defined as: class

Office Template Macrosⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1137.001

has facts: may-add^op Executable Script; may-modify^op Executable Script; may-modify^op System Configuration Database Record
is also defined as: class

Office Testⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1137.002

has facts: modifies^op System Configuration Database Record
is also defined as: class

One-time Passwordⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#One-timePassword

belongs to: Credential Hardening^c
has facts: authenticates^op User Account; d3fend-id^dp "D3-OTP"; kb-reference^op Reference - RFC 2289 - A One-Time Password System; use-limits^op Password
is also defined as: class

Operating Systemⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OperatingSystem

has facts: contains^op Kernel; contains^op System Service Software; may-contain^op Operating System Configuration Component
is also defined as: class

Operating System Configurationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1028

belongs to: ATTACK Mitigation^c
has facts: related^op Platform Hardening

Operating System Monitoringⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OperatingSystemMonitoring

belongs to: Platform Monitoring^c
has facts: d3fend-id^dp "D3-OSM"; enables^op Detect; kb-reference^op Reference - Host intrusion prevention system using software and user behavior analysis - Sophos Ltd; kb-reference^op Reference - CAR-2016-04-002: User Activity from Clearing Event Logs - MITRE
is also defined as: class

Orchestration Controllerⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OrchestrationController

has facts: contains^op Container Orchestration Software
is also defined as: class

OS Credential Dumpingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003

has facts: accesses^op Credential
is also defined as: class

Outbound Internet DNS Lookup Trafficⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutboundInternetDNSLookupTraffic

has facts: may-contain^op DNS Lookup
is also defined as: class

Outbound Internet File Transfer Trafficⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutboundInternetFileTransferTraffic

has facts: contains^op File
is also defined as: class

Outbound Internet Web Trafficⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutboundInternetWebTraffic

has facts: may-contain^op URL
is also defined as: class

Outbound Traffic Filteringⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutboundTrafficFiltering

belongs to: Network Traffic Filtering^c
has facts: d3fend-id^dp "D3-OTF"; filters^op Outbound Network Traffic; kb-reference^op Reference - Automatically generating rules for connection security - Microsoft
is also defined as: class

Outlook Formsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1137.003

has facts: adds^op Office Application File
is also defined as: class

Outlook Home Pageⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1137.004

has facts: modifies^op Application Configuration Database
is also defined as: class

Outlook Rulesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1137.005

has facts: modifies^op Application Configuration Database
is also defined as: class

Packet Logⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PacketLog

has facts: records^op Network Session
is also defined as: class

Parent PID Spoofingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1134.004

has facts: invokes^op Create Process
is also defined as: class

Partition Tableⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PartitionTable

has facts: addresses^op Partition
is also defined as: class

Pass The Hashⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1550.002

has facts: creates^op Authentication
is also defined as: class

Pass The Ticketⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1550.003

has facts: creates^op Authentication
is also defined as: class

Passive Certificate Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PassiveCertificateAnalysis

belongs to: Certificate Analysis^c; Passive Certificate Analysis^c
has facts: d3fend-id^dp "D3-PCA"; kb-reference^op Reference - Certificate Transparency; kb-reference^op Reference - StreamingPhish
is also defined as: class

Password Crackingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1110.002

has facts: accesses^op Password
is also defined as: class

Password Filter DLLⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1556.002

has facts: creates^op Shared Library File; modifies^op System Configuration Database Record
is also defined as: class

Password Guessingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1110.001

has facts: accesses^op Password; modifies^op Authentication Log; produces^op Authentication
is also defined as: class

Password Policiesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1027

belongs to: ATTACK Mitigation^c
has facts: related^op One-time Password; related^op Strong Password Policy

Password Sprayingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1110.003

has facts: accesses^op Password; may-create^op Intranet Administrative Network Traffic; modifies^op Authentication Log; produces^op Authentication
is also defined as: class

Patentⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Patent

belongs to: Reference Type^c
is also defined as: class

Path Interception by PATH Environment Variableⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.007

has facts: creates^op Executable File
is also defined as: class

Path Interception by Search Order Hijackingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.008

has facts: creates^op Executable File
is also defined as: class

Path Interception by Unquoted Pathⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.009

has facts: creates^op Executable File
is also defined as: class

PE32 Executable Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PE32ExecutableFile

belongs to: Executable Binary^c

PE32+ Executable Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PE32PLUSExecutableFile

belongs to: Executable Binary^c

Per Host Download-Upload Ratio Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PerHostDownload-UploadRatioAnalysis

belongs to: Network Traffic Analysis^c
has facts: analyzes^op Network Traffic; d3fend-id^dp "D3-PHDURA"; kb-reference^op Reference - System for detecting threats using scenario-based tracking of internal and external network traffic - VECTRA NETWORKS Inc
is also defined as: class

Peripheral Firmware Verificationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PeripheralFirmwareVerification

belongs to: Firmware Verification^c
has facts: d3fend-id^dp "D3-PFV"; kb-reference^op Reference - Firmware Verification Eclypsium; kb-reference^op Reference - Firmware Verification Trapezoid; verifies^op Peripheral Firmware
is also defined as: class

Persistenceⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Persistence

belongs to: Offensive Tactic^c
has facts: display-order^dp "3"^^integer
is also defined as: class

Persistence Techniqueⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PersistenceTechnique

has facts: enables^op Persistence
is also defined as: class

Platformⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Platform

has facts: contains^op Firmware; contains^op Hardware Device; contains^op Operating System
is also defined as: class

Platform Hardeningⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PlatformHardening

belongs to: Defensive Technique^c
has facts: d3fend-id^dp "D3-PH"; enables^op Harden
is also defined as: class

Platform Monitoringⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PlatformMonitoring

belongs to: Defensive Technique^c
has facts: d3fend-id^dp "D3-PM"; enables^op Detect
is also defined as: class

Plist Modificationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.011

has facts: modifies^op Application Configuration File
is also defined as: class

Pluggable Authentication Modulesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1556.003

has facts: may-modify^op Operating System Configuration File; may-modify^op Operating System Shared Library File
is also defined as: class

Pointer Authenticationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PointerAuthentication

belongs to: Application Hardening^c
has facts: authenticates^op Pointer; d3fend-id^dp "D3-PAN"; kb-reference^op Reference - Pointer Authentication on ARMv8.3; kb-reference^op Reference - Pointer Authentication Project Zero
is also defined as: class

Port Knockingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1205.001

has facts: produces^op Network Traffic
is also defined as: class

Port Monitorsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.010

has facts: modifies^op System Configuration Database Record
is also defined as: class

Portable Executable Injectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.002

has facts: may-add^op Object File
is also defined as: class

PowerShell Profileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.013

has facts: modifies^op PowerShell Profile Script
is also defined as: class

Powershell Script Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PowershellScriptFile

belongs to: Executable Script^c

Pre-compromiseⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1056

belongs to: ATTACK Mitigation^c
has facts: related^op Decoy Environment; related^op Decoy Object

Private Keysⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1552.004

has facts: accesses^op Private Key
is also defined as: class

Privilege Escalationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PrivilegeEscalation

belongs to: Offensive Tactic^c
has facts: display-order^dp "4"^^integer
is also defined as: class

Privilege Escalation Techniqueⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PrivilegeEscalationTechnique

has facts: enables^op Privilege Escalation
is also defined as: class

Privileged Account Managementⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1026

belongs to: ATTACK Mitigation^c
has facts: related^op Domain Account Monitoring; related^op Local Account Monitoring; related^op Strong Password Policy

Privileged Process Integrityⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1025

belongs to: ATTACK Mitigation^c
has facts: related^op Bootloader Authentication; related^op Driver Load Integrity Checking; related^op Mandatory Access Control; related^op Process Segment Execution Prevention

Proc Filesystemⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003.007

has facts: accesses^op Operating System File; accesses^op Process Image
is also defined as: class

Proc Memoryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.009

has facts: accesses^op Operating System File; may-modify^op Operating System File
is also defined as: class

Procedure 1 - T1134.001 Access Token Manipulationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#procedure-1

belongs to: procedure^c
has facts: implements^op Token Impersonation/Theft; start^op Step 1 - Copy Token

Processⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Process

has facts: contains^op Process Image; process-image-path^op Executable Binary; process-user^op User Account
is also defined as: class

Process Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessAnalysis

belongs to: Defensive Technique^c
has facts: d3fend-id^dp "D3-PA"; enables^op Detect
is also defined as: class

Process Code Segmentⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessCodeSegment

has facts: contains^op Subroutine
is also defined as: class

Process Code Segment Verificationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessCodeSegmentVerification

belongs to: Process Analysis^c
has facts: d3fend-id^dp "D3-PCSV"; kb-reference^op Reference - Anti-tamper system with self-adjusting guards - ARXAN TECHNOLOGIES Inc; kb-reference^op Reference - Guards for application in software tamperproofing - Purdue Research Foundation; kb-reference^op Reference - System and method for detecting malware injected into memory of a computing device - Endgame Inc; kb-reference^op Reference - System and method for validating in-memory integrity of executable files to identify malicious activity - Endgame Inc; kb-reference^op Reference - Tamper proof mutating software - ARXAN TECHNOLOGIES Inc; kb-reference^op Reference - Threat detection through the accumulated detection of threat characteristics - Sophos Ltd; verifies^op Process Code Segment
is also defined as: class

Process Doppelgängingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.013

has facts: invokes^op Create Process
is also defined as: class

Process Evictionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessEviction

belongs to: Defensive Technique^c
has facts: d3fend-id^dp "D3-PE"; enables^op Evict
is also defined as: class

Process Hollowingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.012

has facts: modifies^op Process Code Segment
is also defined as: class

Process Imageⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessImage

has facts: contains^op Process Segment
is also defined as: class

Process Lineage Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessLineageAnalysis

belongs to: Process Spawn Analysis^c
has facts: analyzes^op Process; analyzes^op Process Tree; d3fend-id^dp "D3-PLA"; kb-reference^op Reference - CAR-2014-11-008: Command Launched from WinLogon - MITRE; kb-reference^op Reference - CAR-2014-11-003: Debuggers for Accessibility Applications - MITRE; kb-reference^op Reference - CAR-2019-04-002: Generic Regsvr32 - MITRE; kb-reference^op Reference - CAR-2014-11-002: Outlier Parents of Cmd - MITRE; kb-reference^op Reference - CAR-2013-02-003: Processes Spawning cmd.exe -; kb-reference^op Reference - CAR-2013-04-002: Quick execution of a series of suspicious commands - MITRE; kb-reference^op Reference - System and methods thereof for causality identification and attributions determination of processes in a network - Palo Alto Networks IncCyber Secdo Ltd; kb-reference^op Reference - System and methods thereof for identification of suspicious system processes - Palo Alto Networks Inc; kb-reference^op Reference - CAR-2013-03-001: Reg.exe called from Command Shell - MITRE; kb-reference^op Reference - CAR-2014-12-001: Remotely Launched Executables via WMI - MITRE; kb-reference^op Reference - CAR-2013-09-005: Service Outlier Executables -; kb-reference^op Reference - CAR-2014-07-001: Service Search Path Interception - MITRE; kb-reference^op Reference - CAR-2014-05-002: Services launching Cmd -; kb-reference^op Reference - CAR-2019-04-001: UAC Bypass - MITRE; kb-reference^op Reference - CAR-2020-11-002: Local Network Sniffing - MITRE; kb-reference^op Reference - CAR-2020-11-004: Processes Started From Irregular Parent - MITRE; kb-reference^op Reference - CAR-2021-02-002: Get System Elevation - MITRE; kb-reference^op Reference - CAR-2021-05-003: BCDEdit Failure Recovery Modification - MITRE
is also defined as: class

Process Segment Execution Preventionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessSegmentExecutionPrevention

belongs to: Application Hardening^c
has facts: d3fend-id^dp "D3-PSEP"; kb-reference^op Reference - Mitigate threats by using Windows 10 security features: Data Execution Prevention - Microsoft; kb-reference^op Reference - What is NX/XD feature?; neutralizes^op Process Segment
is also defined as: class

Process Self-Modification Detectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessSelf-ModificationDetection

belongs to: Process Analysis^c
has facts: analyzes^op Process; d3fend-id^dp "D3-PSMD"; kb-reference^op Reference - System and Method for Process Hollowing Detection - Carbon Black Inc
is also defined as: class

Process Spawn Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessSpawnAnalysis

belongs to: Process Analysis^c
has facts: analyzes^op Create Process; analyzes^op Process; d3fend-id^dp "D3-PSA"; kb-reference^op Reference - CAR-2019-08-002: Active Directory Dumping via NTDSUtil - MITRE; kb-reference^op Reference - CAR-2013-07-005: Command Line Usage of Archiving Software -; kb-reference^op Reference - CAR-2016-03-002: Create Remote Process via WMIC - MITRE; kb-reference^op Reference - CAR-2019-04-004: Credential Dumping via Mimikatz - MITRE; kb-reference^op Reference - CAR-2016-03-001: Host Discovery Commands - MITRE; kb-reference^op Reference - CAR-2019-07-002: Lsass Process Dump via Procdump - MITRE; kb-reference^op Reference - CAR-2014-04-003: Powershell Execution - MITRE; kb-reference^op Reference - CAR-2014-03-006: RunDLL32.exe monitoring - MITRE; kb-reference^op Reference - CAR-2019-04-003: Squiblydoo - MITRE; kb-reference^op Reference - CAR-2013-07-001: Suspicious Arguments -; kb-reference^op Reference - CAR-2013-05-002: Suspicious Run Locations -; kb-reference^op Reference - CAR-2020-04-001: Shadow Copy Deletion - MITRE; kb-reference^op Reference - CAR-2020-05-003: Rare LolBAS Command Lines - MITRE; kb-reference^op Reference - CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities - MITRE; kb-reference^op Reference - CAR-2020-09-003: Indicator Blocking - Driver Unloaded - MITRE; kb-reference^op Reference - CAR-2020-09-004: Credentials in Files & Registry - MITRE; kb-reference^op Reference - CAR-2020-11-001: Boot or Logon Initialization Scripts - MITRE; kb-reference^op Reference - CAR-2020-11-003: DLL Injection with Mavinject - MITRE; kb-reference^op Reference - CAR-2020-11-005: Clear Powershell Console Command History - MITRE; kb-reference^op Reference - CAR-2020-11-006: Local Permission Group Discovery - MITRE; kb-reference^op Reference - CAR-2020-11-007: Network Share Connection Removal - MITRE; kb-reference^op Reference - CAR-2020-11-008: MSBuild and msxsl - MITRE; kb-reference^op Reference - CAR-2020-11-009: Compiled HTML Access - MITRE; kb-reference^op Reference - CAR-2021-01-002: Unusually Long Command Line Strings - MITRE; kb-reference^op Reference - CAR-2021-01-003: Clearing Windows Logs with Wevtutil - MITRE; kb-reference^op Reference - CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe - MITRE; kb-reference^op Reference - CAR-2021-01-006: Unusual Child Process spawned using DDE exploit - MITRE; kb-reference^op Reference - CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt - MITRE; kb-reference^op Reference - CAR-2021-01-008: Disable UAC - MITRE; kb-reference^op Reference - CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe - MITRE; kb-reference^op Reference - CAR-2021-02-001: Webshell-Indicative Process Tree - MITRE; kb-reference^op Reference - CAR-2021-04-001: Common Windows Process Masquerading - MITRE; kb-reference^op Reference - CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store - MITRE; kb-reference^op Reference - CAR-2021-05-002: Batch File Write to System32 - MITRE; kb-reference^op Reference - CAR-2021-05-003: BCDEdit Failure Recovery Modification - MITRE; kb-reference^op Reference - CAR-2021-05-004: BITS Job Persistence - MITRE; kb-reference^op Reference - CAR-2021-05-005: BITSAdmin Download File - MITRE; kb-reference^op Reference - CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments - MITRE; kb-reference^op Reference - CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments - MITRE; kb-reference^op Reference - CAR-2021-05-008: Certutil exe certificate extraction - MITRE; kb-reference^op Reference - CAR-2021-05-009: CertUtil With Decode Argument - MITRE; kb-reference^op Reference - CAR-2021-05-010: Create local admin accounts using net exe - MITRE
is also defined as: class

Process Terminationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessTermination

belongs to: Process Eviction^c
has facts: d3fend-id^dp "D3-PT"; kb-reference^op Reference - Instant process termination tool to recover control of an information handling system - Dell Products LP; kb-reference^op Reference - Malware detection using local computational models - Crowdstrike Inc; terminates^op Process
is also defined as: class

Process Treeⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessTree

has facts: contains^op Process
is also defined as: class

Protocol Metadata Anomaly Detectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProtocolMetadataAnomalyDetection

belongs to: Network Traffic Analysis^c
has facts: analyzes^op Network Traffic; d3fend-id^dp "D3-PMAD"; kb-reference^op Reference - Method and system for detecting threats using metadata vectors - VECTRA NETWORKS Inc; kb-reference^op Reference - Method and system for detecting threats using passive cluster mapping - Vectra Networks Inc; kb-reference^op Reference - System for implementing threat detection using daily network traffic community outliers - VECTRA NETWORKS Inc
is also defined as: class

Protocol Tunnelingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1572

has facts: produces^op Outbound Internet Network Traffic
is also defined as: class

Ptrace System Callsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.008

has facts: invokes^op System Call
is also defined as: class

Python Script Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PythonScriptFile

belongs to: Executable Script^c

Rc.commonⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1037.004

has facts: modifies^op System Init Script
is also defined as: class

RDP Hijackingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1563.002

has facts: accesses^op RDP Session
is also defined as: class

Re-opened Applicationsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.007

has facts: modifies^op Application Configuration File
is also defined as: class

real-time-analyticⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#real-time-analytic

belongs to: Analytic Latency^c

real-time-evictionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#real-time-eviction

belongs to: Eviction Latency^c

Reference - Privacy and security systems and methods of useⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-PrivacyAndSecuritySystemsAndMethodsOfUse

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US10128890B2/en"^^any u r i; kb-reference-title^dp "Privacy and security systems and methods of use"

Reference - Tokenless biometric transaction authorization method and systemⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-TokenlessBiometricTransactionAuthorizationMethodAndSystem

has facts: has-link^dp "https://patents.google.com/patent/US5870723A/"^^any u r i; kb-reference-of^op Biometric Authentication; kb-reference-title^dp "Tokenless biometric transaction authorization method and system"

Reference - /DYNAMICBASE (Use address space layout randomization) - Microsoft Docsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_DYNAMICBASE_UseAddressSpaceLayoutRandomization_MicrosoftDocs

belongs to: User Manual Reference^c
has facts: has-link^dp "https://docs.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019"^^any u r i; kb-reference-of^op Segment Address Offset Randomization; kb-reference-title^dp "/DYNAMICBASE (Use address space layout randomization)"

Reference - /GS (Buffer Security Check) - Microsoft Docsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_GS_BufferSecurityCheck_MicrosoftDocs

belongs to: User Manual Reference^c
has facts: has-link^dp "https://docs.microsoft.com/en-us/cpp/build/reference/gs-buffer-security-check?view=vs-2019"^^any u r i; kb-reference-of^op Stack Frame Canary Validation; kb-reference-title^dp "/GS (Buffer Security Check)"

Reference - /SAFESEH (Image has Safe Exception Handlers) - Microsoft Docsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SAFESEH_ImageHasSafeExceptionHandlers_MicrosoftDocs

belongs to: User Manual Reference^c
has facts: has-link^dp "https://docs.microsoft.com/en-us/cpp/build/reference/safeseh-image-has-safe-exception-handlers?view=msvc-160"^^any u r i; kb-reference-of^op Exception Handler Pointer Validation; kb-reference-title^dp "/SAFESEH (Image has Safe Exception Handlers)"

Reference - Account monitoring - Forescout Technologiesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_AccountMonitoring_ForescoutTechnologies

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20190205511A1"^^any u r i; kb-reference-of^op Account Locking; kb-reference-title^dp "Account monitoring"

Reference - Active firewall system and methodology - McAfee LLCⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_ActiveFirewallSystemAndMethodology_McAfeeLLC

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US6550012B1"^^any u r i; kb-reference-of^op Inbound Traffic Filtering; kb-reference-title^dp "Active firewall system and methodology"

Reference - Analysis of the Windows Vista Security Model - Symantec Corporationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_AnalysisOfTheWindowsVistaSecurityModel_SymantecCorporation

belongs to: Academic Paper Reference^c
has facts: has-link^dp "https://web.archive.org/web/20140407025337/http://www.symantec.com/avcenter/reference/Windows_Vista_Security_Model_Analysis.pdf"^^any u r i; kb-reference-of^op Mandatory Access Control; kb-reference-title^dp "Analysis of the Windows Vista Security Model"

Reference - Anomaly Detection Using Adaptive Behavioral Profiles - Securonix Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_AnomalyDetectionUsingAdaptiveBehavioralProfiles_SecuronixInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20160226901A1"^^any u r i; kb-reference-of^op Job Function Access Pattern Analysis; kb-reference-title^dp "Anomaly Detection Using Adaptive Behavioral Profiles"

Reference - Anti-tamper system with self-adjusting guards - ARXAN TECHNOLOGIES Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_Anti-tamperSystemWithSelf-adjustingGuards_ARXANTECHNOLOGIESInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20150052603A1"^^any u r i; kb-reference-of^op Process Code Segment Verification; kb-reference-title^dp "Anti-tamper system with self-adjusting guards"

Reference - Apparatus for to provide content to and query a reverse domain name system server - Barrracuda Networksⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_ApparatusForToProvideContentToAndQueryAReverseDomainNameSystemServer

has facts: has-link^dp "https://patents.google.com/patent/US20100174829A1/en?oq=20100174829"^^any u r i; kb-reference-of^op Reverse Resolution Domain Denylisting; kb-reference-title^dp "Apparatus for to provide content to and query a reverse domain name system server"

Reference - Approaches for securing an internet endpoint using fine-grained operating system virtualization - Bromium, Inc.ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_ApproachesForSecuringAnInternetEndpointUsingFine-grainedOperatingSystemVirtualization_Bromium,Inc.

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20110296412A1"^^any u r i; kb-reference-of^op Hardware-based Process Isolation; kb-reference-title^dp "Approaches for securing an internet endpoint using fine-grained operating system virtualization"

Reference - Architecture of transparent network security for application containers - Neuvector Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_ArchitectureOfTransparentNetworkSecurityForApplicationContainers_NeuvectorInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20170093922A1"^^any u r i; kb-reference-of^op Mandatory Access Control; kb-reference-title^dp "Architecture of transparent network security for application containers"

Reference - Audit User Account Managementⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-AuditUserAccountManagement

belongs to: Guideline Reference^c
has facts: has-link^dp "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management"^^any u r i; kb-reference-of^op Domain Account Monitoring; kb-reference-of^op Local Account Monitoring; kb-reference-title^dp "Audit User Account Management"

Reference - Automatically generating network resource groups and assigning customized decoy policies thereto - Illusive Networks Ltdⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_AutomaticallyGeneratingNetworkResourceGroupsAndAssigningCustomizedDecoyPoliciesThereto_IllusiveNetworksLtd

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20170310689A1"^^any u r i; kb-reference-of^op Decoy Network Resource; kb-reference-title^dp "Automatically generating network resource groups and assigning customized decoy policies thereto"

Reference - Automatically generating rules for connection security - Microsoftⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_AutomaticallyGeneratingRulesForConnectionSecurity_Microsoft

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20120054825"^^any u r i; kb-reference-of^op Inbound Traffic Filtering; kb-reference-of^op Outbound Traffic Filtering; kb-reference-title^dp "Automatically generating rules for connection security"

Reference - Biometric Challenge-Response Authentication - Accentureⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-BiometricChallenge-ResponseAuthentication-Accenture

belongs to: Patent Reference^c
has facts: has-link^dp "https://www.patentguru.com/US2021110015A1"^^any u r i; kb-reference-of^op Multi-factor Authentication; kb-reference-title^dp "Biometric Challenge-Response Authentication"

Reference - Broadcast isolation and level 3 network switch - Hewlett Packard Enterprise Development LPⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_BroadcastIsolationAndLevel3NetworkSwitch_HewlettPackardEnterpriseDevelopmentLP

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US5920699A"^^any u r i; kb-reference-of^op Broadcast Domain Isolation; kb-reference-title^dp "Broadcast isolation and level 3 network switch"

Reference - CAR-2013-01-002: Autorun Differences -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AutorunDifferences_

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-01-002/"^^any u r i; kb-reference-of^op System File Analysis; kb-reference-title^dp "CAR-2013-01-002: Autorun Differences"

Reference - CAR-2013-01-003: SMB Events Monitoring -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SMBEventsMonitoring_

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-01-003/"^^any u r i; kb-reference-of^op IPC Traffic Analysis; kb-reference-title^dp "CAR-2013-01-003: SMB Events Monitoring"

Reference - CAR-2013-02-003: Processes Spawning cmd.exe -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ProcessesSpawningCmd.exe_

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-02-003/"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "CAR-2013-02-003: Processes Spawning cmd.exe"

Reference - CAR-2013-02-008: Simultaneous Logins on a Host - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SimultaneousLoginsOnAHost_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-02-008/"^^any u r i; kb-reference-of^op Authentication Event Thresholding; kb-reference-title^dp "CAR-2013-02-008: Simultaneous Logins on a Host"

Reference - CAR-2013-02-012: User Logged in to Multiple Hosts - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserLoggedInToMultipleHosts_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-02-012/"^^any u r i; kb-reference-of^op Authentication Event Thresholding; kb-reference-of^op Authorization Event Thresholding; kb-reference-title^dp "CAR-2013-02-012: User Logged in to Multiple Hosts"

Reference - CAR-2013-03-001: Reg.exe called from Command Shell - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reg.exeCalledFromCommandShell_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-03-001/"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2013-03-001: Reg.exe called from Command Shell"

Reference - CAR-2013-04-002: Quick execution of a series of suspicious commands - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#QuickExecutionOfASeriesOfSuspiciousCommands_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-04-002/"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "CAR-2013-04-002: Quick execution of a series of suspicious commands"

Reference - CAR-2013-05-002: Suspicious Run Locations -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SuspiciousRunLocations_

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-05-002/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2013-05-002: Suspicious Run Locations"

Reference - CAR-2013-05-003: SMB Write Request -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SMBWriteRequest_

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-05-003/"^^any u r i; kb-reference-of^op IPC Traffic Analysis; kb-reference-title^dp "CAR-2013-05-003: SMB Write Request"

Reference - CAR-2013-05-004: Execution with AT -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExecutionWithAT_

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-05-004/"^^any u r i; kb-reference-of^op Scheduled Job Analysis; kb-reference-title^dp "CAR-2013-05-004: Execution with AT"

Reference - CAR-2013-05-005: SMB Copy and Execution -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SMBCopyAndExecution_

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-05-005/"^^any u r i; kb-reference-of^op IPC Traffic Analysis; kb-reference-title^dp "CAR-2013-05-005: SMB Copy and Execution"

Reference - CAR-2013-07-001: Suspicious Arguments -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SuspiciousArguments_

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-07-001/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2013-07-001: Suspicious Arguments"

Reference - CAR-2013-07-002: RDP Connection Detection - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RDPConnectionDetection_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-07-002"^^any u r i; kb-reference-of^op Remote Terminal Session Detection; kb-reference-title^dp "CAR-2013-07-002: RDP Connection Detection"

Reference - CAR-2013-07-005: Command Line Usage of Archiving Software -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CommandLineUsageOfArchivingSoftware_

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-07-005/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2013-07-005: Command Line Usage of Archiving Software"

Reference - CAR-2013-08-001: Execution with schtasks -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ExecutionWithSchtasks_

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-08-001/"^^any u r i; kb-reference-of^op Scheduled Job Analysis; kb-reference-title^dp "CAR-2013-08-001: Execution with schtasks"

Reference - CAR-2013-09-003: SMB Session Setups - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SMBSessionSetups_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-09-003/"^^any u r i; kb-reference-of^op Authorization Event Thresholding; kb-reference-of^op IPC Traffic Analysis; kb-reference-title^dp "CAR-2013-09-003: SMB Session Setups"

Reference - CAR-2013-09-005: Service Outlier Executables -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ServiceOutlierExecutables_

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-09-005/"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "CAR-2013-09-005: Service Outlier Executables"

Reference - CAR-2013-10-001: User Login Activity Monitoring - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserLoginActivityMonitoring_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-10-001/"^^any u r i; kb-reference-of^op Authentication Event Thresholding; kb-reference-title^dp "CAR-2013-10-001: User Login Activity Monitoring"

Reference - CAR-2013-10-002: DLL Injection via Load Library - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DLLInjectionViaLoadLibrary_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2013-10-002/"^^any u r i; kb-reference-of^op System Call Analysis; kb-reference-title^dp "CAR-2013-10-002: DLL Injection via Load Library"

Reference - CAR-2014-02-001: Service Binary Modifications - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ServiceBinaryModifications_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2014-02-001/"^^any u r i; kb-reference-of^op Service Binary Verification; kb-reference-title^dp "CAR-2014-02-001: Service Binary Modifications"

Reference - CAR-2014-03-001: SMB Write Request - NamedPipes - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SMBWriteRequest-NamedPipes_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2014-03-001/"^^any u r i; kb-reference-of^op IPC Traffic Analysis; kb-reference-of^op RPC Traffic Analysis; kb-reference-title^dp "CAR-2014-03-001: SMB Write Request - NamedPipes"

Reference - CAR-2014-03-005: Remotely Launched Executables via Services - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemotelyLaunchedExecutablesViaServices_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2014-03-005/"^^any u r i; kb-reference-of^op RPC Traffic Analysis; kb-reference-title^dp "CAR-2014-03-005: Remotely Launched Executables via Services"

Reference - CAR-2014-03-006: RunDLL32.exe monitoring - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RunDLL32.exeMonitoring_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2014-03-006/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2014-03-006: RunDLL32.exe monitoring"

Reference - CAR-2014-04-003: Powershell Execution - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#PowershellExecution_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2014-04-003/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2014-04-003: Powershell Execution"

Reference - CAR-2014-05-001: RPC Activity - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2014-05-001%3ARPCActivity-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2014-05-001/"^^any u r i; kb-reference-of^op RPC Traffic Analysis; kb-reference-title^dp "CAR-2014-05-001: RPC Activity"

Reference - CAR-2014-05-002: Services launching Cmd -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ServicesLaunchingCmd_

belongs to: External Knowledge Base^c
has facts: has-link^dp ""^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "CAR-2014-05-002: Services launching Cmd"

Reference - CAR-2014-07-001: Service Search Path Interception - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ServiceSearchPathInterception_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2014-07-001/"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "CAR-2014-07-001: Service Search Path Interception"

Reference - CAR-2014-11-002: Outlier Parents of Cmd - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#OutlierParentsOfCmd_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2014-11-002/"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "CAR-2014-11-002: Outlier Parents of Cmd"

Reference - CAR-2014-11-003: Debuggers for Accessibility Applications -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DebuggersForAccessibilityApplications_

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2014-11-003/"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "CAR-2014-11-003: Debuggers for Accessibility Applications"

Reference - CAR-2014-11-003: Debuggers for Accessibility Applications - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DebuggersForAccessibilityApplications_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2014-11-006/"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "CAR-2014-11-003: Debuggers for Accessibility Applications"

Reference - CAR-2014-11-005: Remote Registry - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemoteRegistry_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2014-11-005/"^^any u r i; kb-reference-of^op Administrative Network Activity Analysis; kb-reference-title^dp "CAR-2014-11-005: Remote Registry"

Reference - CAR-2014-11-006: Windows Remote Management (WinRM) - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WindowsRemoteManagement_WinRM_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp ""^^any u r i; kb-reference-of^op Administrative Network Activity Analysis; kb-reference-title^dp "CAR-2014-11-006: Windows Remote Management (WinRM)"

Reference - CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_CAR-2014-11-007-RemoteWindowsManagementInstrumentation_WMI_OverRPC_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp ""^^any u r i; kb-reference-of^op RPC Traffic Analysis; kb-reference-title^dp "CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC"

Reference - CAR-2014-11-008: Command Launched from WinLogon - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CommandLaunchedFromWinLogon_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2014-11-008/"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "CAR-2014-11-008: Command Launched from WinLogon"

Reference - CAR-2014-12-001: Remotely Launched Executables via WMI - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemotelyLaunchedExecutablesViaWMI_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2014-12-001/"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-of^op RPC Traffic Analysis; kb-reference-title^dp "CAR-2014-12-001: Remotely Launched Executables via WMI"

Reference - CAR-2015-04-001: Remotely Scheduled Tasks via AT - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2015-04-001%3ARemotelyScheduledTasksViaAT-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2015-04-001/"^^any u r i; kb-reference-of^op IPC Traffic Analysis; kb-reference-title^dp "CAR-2015-04-001: Remotely Scheduled Tasks via AT"

Reference - CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemotelyScheduledTasksViaSchtasks_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2015-04-002/"^^any u r i; kb-reference-of^op RPC Traffic Analysis; kb-reference-title^dp "CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks"

Reference - CAR-2015-07-001: All Logins Since Last Boot - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AllLoginsSinceLastBoot_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2015-07-001/"^^any u r i; kb-reference-of^op Credential Compromise Scope Analysis; kb-reference-title^dp "CAR-2015-07-001: All Logins Since Last Boot"

Reference - CAR-2016-03-001: Host Discovery Commands - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#HostDiscoveryCommands_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2016-03-001/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2016-03-001: Host Discovery Commands"

Reference - CAR-2016-03-002: Create Remote Process via WMIC - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CreateRemoteProcessViaWMIC_MITRE_Other

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2016-03-002/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-of^op RPC Traffic Analysis; kb-reference-title^dp "CAR-2016-03-002: Create Remote Process via WMIC"

Reference - CAR-2016-04-002: User Activity from Clearing Event Logs - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserActivityFromClearingEventLogs_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2016-04-002/"^^any u r i; kb-reference-of^op System File Analysis; kb-reference-title^dp "CAR-2016-04-002: User Activity from Clearing Event Logs"

Reference - CAR-2016-04-003: User Activity from Stopping Windows Defensive Services - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserActivityFromStoppingWindowsDefensiveServices_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2016-04-003/"^^any u r i; kb-reference-of^op System Daemon Monitoring; kb-reference-title^dp "CAR-2016-04-003: User Activity from Stopping Windows Defensive Services"

Reference - CAR-2016-04-004: Successful Local Account Loginⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2016-04-004_SuccessfulLocalAccountLogin

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2016-04-004/"^^any u r i; kb-reference-of^op Local Account Monitoring; kb-reference-title^dp "Reference - CAR-2016-04-004: Successful Local Account Login"

Reference - CAR-2016-04-005: Remote Desktop Logon - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemoteDesktopLogon_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2016-04-005/"^^any u r i; kb-reference-of^op Remote Terminal Session Detection; kb-reference-title^dp "CAR-2016-04-005: Remote Desktop Logon"

Reference - CAR-2019-04-001: UAC Bypass - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UACBypass_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2019-04-001/"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "CAR-2019-04-001: UAC Bypass"

Reference - CAR-2019-04-002: Generic Regsvr32 - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#GenericRegsvr32_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2019-04-002/"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "CAR-2019-04-002: Generic Regsvr32"

Reference - CAR-2019-04-003: Squiblydoo - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Squiblydoo_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2019-04-003/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2019-04-003: Squiblydoo"

Reference - CAR-2019-04-004: Credential Dumping via Mimikatz - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CredentialDumpingViaMimikatz_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2019-04-004/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2019-04-004: Credential Dumping via Mimikatz"

Reference - CAR-2019-07-001: Access Permission Modification - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#AccessPermissionModification_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2019-07-001/"^^any u r i; kb-reference-of^op System File Analysis; kb-reference-title^dp "CAR-2019-07-001: Access Permission Modification"

Reference - CAR-2019-07-002: Lsass Process Dump via Procdump - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#LsassProcessDumpViaProcdump_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2019-07-002/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2019-07-002: Lsass Process Dump via Procdump"

Reference - CAR-2019-08-001: Credential Dumping via Windows Task Manager - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#CredentialDumpingViaWindowsTaskManager_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2019-08-001/"^^any u r i; kb-reference-of^op System Call Analysis; kb-reference-title^dp "CAR-2019-08-001: Credential Dumping via Windows Task Manager"

Reference - CAR-2019-08-002: Active Directory Dumping via NTDSUtil - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ActiveDirectoryDumpingViaNTDSUtil_MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2019-08-002/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2019-08-002: Active Directory Dumping via NTDSUtil"

Reference - CAR-2020-04-001: Shadow Copy Deletion - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-04-001%3AShadowCopyDeletion-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-04-001/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2020-04-001: Shadow Copy Deletion"

Reference - CAR-2020-05-001: MiniDump of LSASS - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-05-001%3AMiniDumpOfLSASS-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-05-001/"^^any u r i; kb-reference-of^op System Call Analysis; kb-reference-title^dp "CAR-2020-05-001: MiniDump of LSASS"

Reference - CAR-2020-05-003: Rare LolBAS Command Lines - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-05-003%3ARareLolBASCommandLines-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-05-003/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2020-05-003: Rare LolBAS Command Lines"

Reference - CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-08-001%3ANTFSAlternateDataStreamExecution-SystemUtilities-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-08-001/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2020-08-001: NTFS Alternate Data Stream Execution - System Utilities"

Reference - CAR-2020-09-001: Scheduled Task - FileAccess - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-09-001%3AScheduledTask-FileAccess-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-09-001/"^^any u r i; kb-reference-of^op File Creation Analysis; kb-reference-title^dp "CAR-2020-09-001: Scheduled Task - FileAccess"

Reference - CAR-2020-09-002: Component Object Model Hijacking - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-09-002%3AComponentObjectModelHijacking-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-09-002/"^^any u r i; kb-reference-of^op User Session Init Config Analysis; kb-reference-title^dp "CAR-2020-09-002: Component Object Model Hijacking"

Reference - CAR-2020-09-003: Indicator Blocking - Driver Unloaded - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-09-003%3AIndicatorBlocking-DriverUnloaded-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-09-003/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2020-09-003: Indicator Blocking - Driver Unloaded"

Reference - CAR-2020-09-004: Credentials in Files & Registry - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-09-004%3ACredentialsInFiles%26Registry-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-09-004/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2020-09-004: Credentials in Files & Registry"

Reference - CAR-2020-09-005: AppInit DLLs - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-09-005%3AAppInitDLLs-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-09-005/"^^any u r i; kb-reference-of^op System Init Config Analysis; kb-reference-title^dp "CAR-2020-09-005: AppInit DLLs"

Reference - CAR-2020-11-001: Boot or Logon Initialization Scripts - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-11-001%3ABootOrLogonInitializationScripts-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-11-001/"^^any u r i; kb-reference-of^op System Init Config Analysis; kb-reference-title^dp "CAR-2020-11-001: Boot or Logon Initialization Scripts"

Reference - CAR-2020-11-002: Local Network Sniffing - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-11-002%3ALocalNetworkSniffing-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-11-002/"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "CAR-2020-11-002: Local Network Sniffing"

Reference - CAR-2020-11-003: DLL Injection with Mavinject - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-11-003%3ADLLInjectionWithMavinject-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-11-003/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2020-11-003: DLL Injection with Mavinject"

Reference - CAR-2020-11-004: Processes Started From Irregular Parent - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-11-004%3AProcessesStartedFromIrregularParent-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-11-004/"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "CAR-2020-11-004: Processes Started From Irregular Parent"

Reference - CAR-2020-11-005: Clear Powershell Console Command History - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-11-005%3AClearPowershellConsoleCommandHistory-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-11-005/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2020-11-005: Clear Powershell Console Command History"

Reference - CAR-2020-11-006: Local Permission Group Discovery - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-11-006%3ALocalPermissionGroupDiscovery-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-11-006/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2020-11-006: Local Permission Group Discovery"

Reference - CAR-2020-11-007: Network Share Connection Removal - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-11-007%3ANetworkShareConnectionRemoval-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-11-007/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2020-11-007: Network Share Connection Removal"

Reference - CAR-2020-11-008: MSBuild and msxsl - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-11-008%3AMSBuildAndMsxsl-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-11-008/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2020-11-008: MSBuild and msxsl"

Reference - CAR-2020-11-009: Compiled HTML Access - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-11-009%3ACompiledHTMLAccess-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-11-009/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2020-11-009: Compiled HTML Access"

Reference - CAR-2020-11-010: CMSTP - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-11-010%3ACMSTP-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-11-010/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2020-11-010: CMSTP"

Reference - CAR-2020-11-011: Registry Edit from Screensaverⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2020-11-011%3ARegistryEditFromScreensaver

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2020-11-011/"^^any u r i; kb-reference-of^op User Session Init Config Analysis; kb-reference-title^dp "CAR-2020-11-011: Registry Edit from Screensaver"

Reference - CAR-2021-01-002: Unusually Long Command Line Strings - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-01-002%3AUnusuallyLongCommandLineStrings-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-01-002/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-01-002: Unusually Long Command Line Strings"

Reference - CAR-2021-01-003: Clearing Windows Logs with Wevtutil - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-01-003%3AClearingWindowsLogsWithWevtutil-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-01-003/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-01-003: Clearing Windows Logs with Wevtutil"

Reference - CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-01-004%3AUnusualChildProcessForSpoolsv.ExeOrConnhost.Exe-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-01-004/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-01-004: Unusual Child Process for Spoolsv.Exe or Connhost.Exe"

Reference - CAR-2021-01-006: Unusual Child Process spawned using DDE exploit - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-01-006%3AUnusualChildProcessSpawnedUsingDDEExploit-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-01-006/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-01-006: Unusual Child Process spawned using DDE exploit"

Reference - CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-01-007%3ADetectingTamperingOfWindowsDefenderCommandPrompt-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-01-007/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt"

Reference - CAR-2021-01-008: Disable UAC - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-01-008%3ADisableUAC-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-01-008/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-01-008: Disable UAC"

Reference - CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-01-009%3ADetectingShadowCopyDeletionViaVssadmin.exe-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-01-009/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-01-009: Detecting Shadow Copy Deletion via Vssadmin.exe"

Reference - CAR-2021-02-001: Webshell-Indicative Process Tree - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-02-001%3AWebshell-IndicativeProcessTree-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-02-001/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-02-001: Webshell-Indicative Process Tree"

Reference - CAR-2021-02-002: Get System Elevation - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-02-002%3AGetSystemElevation-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-02-002/"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "CAR-2021-02-002: Get System Elevation"

Reference - CAR-2021-04-001: Common Windows Process Masquerading - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-04-001%3ACommonWindowsProcessMasquerading-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-04-001/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-04-001: Common Windows Process Masquerading"

Reference - CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-05-001%3AAttemptToAddCertificateToUntrustedStore-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-05-001/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-05-001: Attempt To Add Certificate To Untrusted Store"

Reference - CAR-2021-05-002: Batch File Write to System32 - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-05-002%3ABatchFileWriteToSystem32-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-05-002/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-05-002: Batch File Write to System32"

Reference - CAR-2021-05-003: BCDEdit Failure Recovery Modification - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-05-003%3ABCDEditFailureRecoveryModification-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-05-003/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-05-003: BCDEdit Failure Recovery Modification"

Reference - CAR-2021-05-004: BITS Job Persistence - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-05-004%3ABITSJobPersistence-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-05-004/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-05-004: BITS Job Persistence"

Reference - CAR-2021-05-005: BITSAdmin Download File - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-05-005%3ABITSAdminDownloadFile-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-05-005/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-05-005: BITSAdmin Download File"

Reference - CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-05-006%3ACertUtilDownloadWithURLCacheAndSplitArguments-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-05-006/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-05-006: CertUtil Download With URLCache and Split Arguments"

Reference - CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-05-007%3ACertUtilDownloadWithVerifyCtlAndSplitArguments-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-05-007/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-05-007: CertUtil Download With VerifyCtl and Split Arguments"

Reference - CAR-2021-05-008: Certutil exe certificate extraction - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-05-008%3ACertutilExeCertificateExtraction-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-05-008/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-05-008: Certutil exe certificate extraction"

Reference - CAR-2021-05-009: CertUtil With Decode Argument - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-05-009%3ACertUtilWithDecodeArgument-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-05-009/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-05-009: CertUtil With Decode Argument"

Reference - CAR-2021-05-010: Create local admin accounts using net exe - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-05-010%3ACreateLocalAdminAccountsUsingNetExe-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-05-010/"^^any u r i; kb-reference-of^op Process Spawn Analysis; kb-reference-title^dp "CAR-2021-05-010: Create local admin accounts using net exe"

Reference - CAR-2021-05-011: Create Remote Thread into LSASS - MITREⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CAR-2021-05-011%3ACreateRemoteThreadIntoLSASS-MITRE

belongs to: External Knowledge Base^c
has facts: has-link^dp "https://car.mitre.org/analytics/CAR-2021-05-011/"^^any u r i; kb-reference-of^op System Call Analysis; kb-reference-title^dp "CAR-2021-05-011: Create Remote Thread into LSASS"

Reference - Certificate and Public Key Pinningⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CertificateAndPublicKeyPinning

belongs to: Technique Reference^c
has facts: has-link^dp "https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning"^^any u r i; kb-reference-of^op Certificate Pinning; kb-reference-title^dp "Certificate and Public Key Pinning"

Reference - Certificate Transparencyⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-CertificateTransparency

belongs to: Technique Reference^c
has facts: has-link^dp "https://www.certificate-transparency.org/"^^any u r i; kb-reference-of^op Passive Certificate Analysis; kb-reference-title^dp "Certificate Transparency"

Reference - Computational modeling and classification of data streams - Crowdstrike Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_ComputationalModelingAndClassificationOfDataStreams_CrowdstrikeInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20180197089A1/en?oq=US-2018197089-A1"^^any u r i; kb-reference-of^op File Content Rules; kb-reference-title^dp "Computational modeling and classification of data streams"

Reference - Computer motherboard having peripheral security functionsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-ComputerMotherboardHavingPeripheralSecurityFunctions

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US8869308B2/en"^^any u r i; kb-reference-of^op IO Port Restriction; kb-reference-title^dp "Computer motherboard having peripheral security functions"

Reference - Computer Worm Defense System and Method - FireEye Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_ComputerWormDefenseSystemAndMethod_FireEyeInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20130036472A1"^^any u r i; kb-reference-of^op File Carving; kb-reference-title^dp "Computer Worm Defense System and Method"

Reference - Computer-implemented methods and systems for identifying visually similar text character strings - Greathorn Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_Computer-implementedMethodsAndSystemsForIdentifyingVisuallySimilarTextCharacterStrings_GreathornInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US10320815B2/en?oq=US-10320815-B2"^^any u r i; kb-reference-of^op Homoglyph Detection; kb-reference-title^dp "Computer-implemented methods and systems for identifying visually similar text character strings"

Reference - Computing apparatus with automatic integrity reference generation and maintenance - Tripwire, Inc.ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_ComputingApparatusWithAutomaticIntegrityReferenceGenerationAndMaintenance_Tripwire,Inc.

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20040060046A1"^^any u r i; kb-reference-of^op Executable Allowlisting; kb-reference-title^dp "Computing apparatus with automatic integrity reference generation and maintenance"

Reference - Configure User Access Control and Permissionsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-ConfigureUserAccessControlAndPermissions

belongs to: Internet Article Reference^c
has facts: has-link^dp "https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/configure/user-access-control"^^any u r i; kb-reference-of^op User Account Permissions; kb-reference-title^dp "Configure User Access Control and Permissions"

Reference - Content extractor and analysis system - Bit 9 Inc, Carbon Black Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_ContentExtractorAndAnalysisSystem_Bit9Inc,CarbonBlackInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20070028110A1"^^any u r i; kb-reference-of^op Executable Denylisting; kb-reference-title^dp "Content extractor and analysis system"

Reference - Continuous authentication by analysis of keyboard typing characteristics - Bradford Univ., UKⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_ContinuousAuthenticationByAnalysisOfKeyboardTypingCharacteristics_BradfordUniv.,UK

belongs to: Academic Paper Reference^c
has facts: has-link^dp "https://ieeexplore.ieee.org/document/491588?reload=true&arnumber=491588"^^any u r i; kb-reference-of^op Input Device Analysis; kb-reference-title^dp "Continuous authentication by analysis of keyboard typing characteristics"

Reference - Dead code eliminationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-DeadCodeElimination

belongs to: Academic Paper Reference^c
has facts: has-link^dp "https://nebelwelt.net/files/15LangSec.pdf"^^any u r i; kb-reference-of^op Dead Code Elimination; kb-reference-title^dp "The Correctness-Security Gap in Compiler Optimization"

Reference - Deception-Based Responses to Security Attacks - Crowdstrike Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_Deception-BasedResponsesToSecurityAttacks_CrowdstrikeInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20140250524A1/en?oq=US-2014250524-A1"^^any u r i; kb-reference-of^op Decoy Network Resource; kb-reference-title^dp "Deception-Based Responses to Security Attacks"

Reference - Decoy and deceptive data object technology - Cymmetria Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_DecoyAndDeceptiveDataObjectTechnology_CymmetriaInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20170134423A1"^^any u r i; kb-reference-of^op Decoy Session Token; kb-reference-of^op Decoy User Credential; kb-reference-title^dp "Decoy and deceptive data object technology"

Reference - Decoy and deceptive data object technology - Cymmetria, Inc.ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_DecoyAndDeceptiveDataObjectTechnology_Cymmetria,Inc.

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20170134423A1"^^any u r i; kb-reference-of^op Decoy Persona; kb-reference-title^dp "Decoy and deceptive data object technology"

Reference - Decoy Network-Based Service for Deceiving Attackers - Amazon Technologiesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-DecoyNetwork-BasedServiceForDeceivingAttackers-AmazonTechnologies

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US10873601B1"^^any u r i; kb-reference-of^op Decoy User Credential; kb-reference-title^dp "Decoy network-based service for deceiving attackers"

Reference - Decoy Personas for Safeguarding Online Identity Using Deception -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_DecoyPersonasForSafeguardingOnlineIdentityUsingDeception_

belongs to: Internet Article Reference^c
has facts: has-link^dp "https://web.archive.org/web/20180407204216/https://isc.sans.edu/diary/Decoy+Personas+for+Safeguarding+Online+Identity+Using+Deception/16159"^^any u r i; kb-reference-of^op Decoy Persona; kb-reference-title^dp "Decoy Personas for Safeguarding Online Identity Using Deception"

Reference - DETECTING DDoS ATTACK USING Snort -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_DETECTINGDDoSATTACKUSINGSnort_

belongs to: Academic Paper Reference^c
has facts: has-link^dp "https://www.researchgate.net/publication/338660054_DETECTING_DDoS_ATTACK_USING_Snort"^^any u r i; kb-reference-of^op Inbound Session Volume Analysis; kb-reference-title^dp "DETECTING DDoS ATTACK USING Snort"

Reference - Detecting network reconnaissance by tracking intranet dark-net communications - VECTRA NETWORKS Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_DetectingNetworkReconnaissanceByTrackingIntranetDark-netCommunications_VECTRANETWORKSInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20150264078A1"^^any u r i; kb-reference-of^op Connection Attempt Analysis; kb-reference-title^dp "Detecting network reconnaissance by tracking intranet dark-net communications"

Reference - Detecting script-based malware - Crowdstrike Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_DetectingScript-basedMalware_CrowdstrikeInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20190188384A1"^^any u r i; kb-reference-of^op File Content Rules; kb-reference-of^op Script Execution Analysis; kb-reference-title^dp "Detecting script-based malware"

Reference - Detection of Malicious IDNHomoglyph Domainsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-DetectionOfMaliciousIDNHomoglyphDomains

belongs to: Internet Article Reference^c
has facts: has-link^dp "http://essay.utwente.nl/79263/1/Yazdani_MA_EEMCS.pdf"^^any u r i; kb-reference-of^op Homoglyph Denylisting; kb-reference-title^dp "Detection of Malicious IDN Homoglyph Domains Using Active DNS Measurements"

Reference - Deterministic method for detecting and blocking of exploits on interpreted code - K2 Cyber Security Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_DeterministicMethodForDetectingAndBlockingOfExploitsOnInterpretedCode_K2CyberSecurityInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20190180036A1/en?oq=US-2019180036-A1"^^any u r i; kb-reference-of^op System Call Analysis; kb-reference-title^dp "Deterministic method for detecting and blocking of exploits on interpreted code"

Reference - Digital Identity Guidelines 800-63-3ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-DigitalIdentityGuidelines800-63-3

belongs to: Guideline Reference^c
has facts: has-link^dp "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf"^^any u r i; kb-reference-of^op Strong Password Policy; kb-reference-title^dp "Digital Identity Guidelines"

Reference - Distributed meta-information query in a network - Bit 9 Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_DistributedMeta-informationQueryInANetwork_Bit9Inc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20070028302A1/en?oq=US-2007028302-A1"^^any u r i; kb-reference-of^op File Content Rules; kb-reference-title^dp "Distributed meta-information query in a network"

Reference - DNS Whitelist (DNSWL) Email Authentication Method Extensionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-DNSWhitelist-DNSWL-EmailAuthenticationMethodExtension

belongs to: Specification Reference^c
has facts: has-link^dp "https://datatracker.ietf.org/doc/html/rfc8904"^^any u r i; kb-reference-of^op DNS Allowlisting; kb-reference-title^dp "DNS Whitelist (DNSWL) Email Authentication Method Extension"

Reference - Domain age registration alert - Inc Rapid7 Inc RAPID7 Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_DomainAgeRegistrationAlert_IncRapid7IncRAPID7Inc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20170026400A1/"^^any u r i; kb-reference-of^op DNS Traffic Analysis; kb-reference-title^dp "Domain age registration alert"

Reference - Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network - Palo Alto Networks Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_DynamicSelectionAndGenerationOfAVirtualCloneForDetonationOfSuspiciousContentWithinAHoneyNetwork_PaloAltoNetworksInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US9882929B1/en?oq=US-9882929-B1"^^any u r i; kb-reference-of^op Decoy Network Resource; kb-reference-of^op Standalone Honeynet; kb-reference-title^dp "Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network"

Reference - Embedding contexts for on-line threats into response policy zones - Verisign Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-EmbeddingContextsForOn-lineThreatsIntoResponsePolicyZones-VerisignInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US10440059B1"^^any u r i; kb-reference-of^op Hierarchical Domain Denylisting; kb-reference-title^dp "Embedding contexts for on-line threats into response policy zones"

Reference - End-to-end certificate pinningⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-End-to-endCertificatePinning

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US9847992B2/en?q=certificate+pinning&oq=certificate+pinning"^^any u r i; kb-reference-of^op Certificate Pinning; kb-reference-title^dp "End-to-end Certificate Pinning"

Reference - Enhancing Network Security By Preventing User-Initiated Malware Execution -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_EnhancingNetworkSecurityByPreventingUser-InitiatedMalwareExecution_

belongs to: Academic Paper Reference^c
has facts: has-link^dp "https://ieeexplore.ieee.org/document/1425209"^^any u r i; kb-reference-of^op Executable Allowlisting; kb-reference-title^dp "Enhancing Network Security By Preventing User-Initiated Malware Execution"

Reference - File and Folder Permissionsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-FileAndFolderPermissions

has facts: has-link^dp "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727008(v=technet.10)?redirectedfrom=MSDN"^^any u r i; kb-reference-of^op Local File Permissions; kb-reference-title^dp "File and Folder Permissions"

Reference - File-modifying malware detection - Crowdstrike Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_File-modifyingMalwareDetection_CrowdstrikeInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20180121650A1/en?oq=US-2018121650-A1"^^any u r i; kb-reference-of^op File Access Pattern Analysis; kb-reference-title^dp "File-modifying malware detection"

Reference - Firewall for interent access - Secure Computing LLCⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_FirewallForInterentAccess_SecureComputingLLC

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/GB2317539A"^^any u r i; kb-reference-of^op Inbound Traffic Filtering; kb-reference-title^dp "Firewall for interent access"

Reference - Firewall for processing a connectionless network packet - National Security Agencyⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_FirewallForProcessingAConnectionlessNetworkPacket_NationalSecurityAgency

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US7073196B1"^^any u r i; kb-reference-of^op Inbound Traffic Filtering; kb-reference-title^dp "Firewall for processing a connectionless network packet"

Reference - Firewall for processing connection-oriented and connectionless datagrams over a connection-oriented network - National Security Agencyⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_FirewallForProcessingConnection-orientedAndConnectionlessDatagramsOverAConnection-orientedNetwork_NationalSecurityAgency

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US6615358B1"^^any u r i; kb-reference-of^op Inbound Traffic Filtering; kb-reference-title^dp "Firewall for processing connection-oriented and connectionless datagrams over a connection-oriented network"

Reference - Firewalls that filter based upon protocol commands - Intel Corpⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_FirewallsThatFilterBasedUponProtocolCommands_IntelCorp

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US6832256B1"^^any u r i; kb-reference-of^op Inbound Traffic Filtering; kb-reference-title^dp "Firewalls that filter based upon protocol commands"

Reference - Firmware Behavior Analysis ConFirmⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-FirmwareBehaviorAnalysisConFirm

belongs to: Academic Paper Reference^c
has facts: has-link^dp "http://sites.nyuad.nyu.edu/moma/pdfs/pubs/C22.pdf"^^any u r i; kb-reference-of^op Firmware Behavior Analysis; kb-reference-title^dp "ConFirm: Detecting Firmware Modifications in Embedded Systems using Hardware Performance Counters"

Reference - Firmware Behavior Analysis VIPERⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-FirmwareBehaviorAnalysisVIPER

belongs to: Academic Paper Reference^c
has facts: has-link^dp "https://dl.acm.org/doi/pdf/10.1145/2046707.2046711"^^any u r i; kb-reference-of^op Firmware Behavior Analysis; kb-reference-title^dp "VIPER: Verifying the Integrity of PERipherals' Firmware"

Reference - Firmware Embedded Monitoring Code Red Balloonⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-FirmwareEmbeddedMonitoringCodeRedBalloon

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US10657262B1/en"^^any u r i; kb-reference-of^op Firmware Embedded Monitoring Code; kb-reference-title^dp "Method and apparatus for securing embedded device firmware"

Reference - Firmware Embedded Monitoring Code Symbiotesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-FirmwareEmbeddedMonitoringCodeSymbiotes

belongs to: Academic Paper Reference^c
has facts: has-link^dp "http://nsl.cs.columbia.edu/projects/minestrone/papers/Symbiotes.pdf"^^any u r i; kb-reference-of^op Firmware Embedded Monitoring Code; kb-reference-title^dp "Defending Embedded Systems with Software Symbiotes"

Reference - Firmware Verification Eclypsiumⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-FirmwareVerificationEclypsium

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20200074086A1/en"^^any u r i; kb-reference-of^op Firmware Verification; kb-reference-title^dp "Methods and systems for hardware and firmware security monitoring"

Reference - Firmware Verification Trapezoidⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-FirmwareVerificationTrapezoid

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US9674183B2/en"^^any u r i; kb-reference-of^op Firmware Verification; kb-reference-title^dp "System and method for hardware-based trust control management"

Reference - Framework for notifying a directory service of authentication events processed outside the directory service - Oracle International Corpⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_FrameworkForNotifyingADirectoryServiceOfAuthenticationEventsProcessedOutsideTheDirectoryService_OracleInternationalCorp

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20090077645A1"^^any u r i; kb-reference-of^op Account Locking; kb-reference-title^dp "Framework for notifying a directory service of authentication events processed outside the directory service"

Reference - FWTK - Firewall Toolkit -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_FWTK-FirewallToolkit_

belongs to: Internet Article Reference^c
has facts: has-link^dp "https://blogs.gartner.com/john_pescatore/2008/10/02/this-week-in-network-security-history-the-firewall-toolkit/"^^any u r i; kb-reference-title^dp "FWTK - Firewall Toolkit"

Reference - FWTK Documentation - fwtk.orgⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-FWTKDocumentation-Fwtk.org

belongs to: Technique Reference^c
has facts: has-link^dp "https://web.archive.org/web/20070510153306/http://www.fwtk.org/fwtk/docs/documentation.html#1.1"^^any u r i; kb-reference-of^op Inbound Traffic Filtering; kb-reference-title^dp "FWTK Documentation"

Reference - Guards for application in software tamperproofing - Purdue Research Foundationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_GuardsForApplicationInSoftwareTamperproofing_PurdueResearchFoundation

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US7287166B1/en?oq=US-7287166-B1"^^any u r i; kb-reference-of^op Process Code Segment Verification; kb-reference-title^dp "Guards for application in software tamperproofing"

Reference - Hardware-assisted system and method for detecting and analyzing system calls made to an operting system kernel - Endgame Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_Hardware-assistedSystemAndMethodForDetectingAndAnalyzingSystemCallsMadeToAnOpertingSystemKernel_EndgameInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20180032728A1/en?oq=US20180032728-A1"^^any u r i; kb-reference-of^op System Call Analysis; kb-reference-title^dp "Hardware-assisted system and method for detecting and analyzing system calls made to an operting system kernel"

Reference - Heuristic botnet detection - Palo Alto Networks Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_HeuristicBotnetDetection_PaloAltoNetworksInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20160156644A1"^^any u r i; kb-reference-of^op DNS Traffic Analysis; kb-reference-title^dp "Heuristic botnet detection"

Reference - Host intrusion prevention system using software and user behavior analysis - Sophos Ltdⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20110023115A1"^^any u r i; kb-reference-of^op Resource Access Pattern Analysis; kb-reference-of^op System Daemon Monitoring; kb-reference-of^op Web Session Activity Analysis; kb-reference-title^dp "Host intrusion prevention system using software and user behavior analysis"

Reference - How ASLR protects Linux systems from buffer overflow attacks - Network Worldⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_HowASLRProtectsLinuxSystemsFromBufferOverflowAttacks_NetworkWorld

belongs to: Internet Article Reference^c
has facts: has-link^dp "https://www.networkworld.com/article/3331199/what-does-aslr-do-for-linux.html"^^any u r i; kb-reference-of^op Segment Address Offset Randomization; kb-reference-title^dp "How ASLR protects Linux systems from buffer overflow attacks"

Reference - How to change registry values or permissions from a command line or a scriptⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-HowToChangeRegistryValuesOrPermissionsFromACommandLineOrAScript

belongs to: Internet Article Reference^c
has facts: has-link^dp "https://docs.microsoft.com/en-us/troubleshoot/windows-client/application-management/change-registry-values-permissions"^^any u r i; kb-reference-title^dp "How to change registry values or permissions from a command line or a script"

Reference - How trust relationships work for resource forests in Azure Active Directory Domain Servicesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-HowTrustRelationshipsWorkForResourceForestsInAzureActiveDirectoryDomainServices

belongs to: Internet Article Reference^c
has facts: has-link^dp "https://docs.microsoft.com/en-us/azure/active-directory-domain-services/concepts-forest-trust"^^any u r i; kb-reference-of^op Domain Trust Policy; kb-reference-title^dp "How trust relationships work for resource forests in Azure Active Directory Domain Services"

Reference - http://www.biometric-solutions.com/keystroke-dynamics.html - biometric-solutions.comⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_www.biometric-solutions.com_keystroke-dynamics

belongs to: Internet Article Reference^c
has facts: has-link^dp "http://www.biometric-solutions.com/keystroke-dynamics.html"^^any u r i; kb-reference-of^op Input Device Analysis; kb-reference-title^dp "Keystroke Dynamics"

Reference - Identification and extraction of key forensics indicators of compromise using subject-specific filesystem viewsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-IdentificationAndExtractionOfKeyForensicsIndicatorsOfCompromiseUsingSubject-specificFilesystemViews

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20200004962A1/en"^^any u r i; kb-reference-title^dp "Identification and extraction of key forensics indicators of compromise using subject-specific filesystem views"

Reference - Identification of visual international domain name collisions - Verisign Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-IdentificationOfVisualInternationalDomainNameCollisions-VerisignInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US10599836B2/en"^^any u r i; kb-reference-of^op Homoglyph Detection; kb-reference-title^dp "Identification of visual international domain name collisions"

Reference - Identifying a denial-of-service attack in a cloud-based proxy service - Cloudfare Inc.ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-IdentifyingADenial-of-serviceAttackInACloud-basedProxyService-CloudfareInc.

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US8613089B1"^^any u r i; kb-reference-of^op Inbound Session Volume Analysis; kb-reference-title^dp "Identifying a denial-of-service attack in a cloud-based proxy service"

Reference - Indirect Branching Callsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-IndirectBranchingCalss

belongs to: Academic Paper Reference^c
has facts: has-link^dp "https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.1048.1241&rep=rep1&type=pdf"^^any u r i; kb-reference-of^op Indirect Branch Call Analysis; kb-reference-title^dp "Transparent ROP Exploit Mitigation using Indirect Branch Tracing"

Reference - Inferential exploit attempt detection - Crowdstrike Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_InferentialExploitAttemptDetection_CrowdstrikeInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US10216934B2/en?oq=US-10216934-B2"^^any u r i; kb-reference-of^op Memory Boundary Tracking; kb-reference-title^dp "Inferential exploit attempt detection"

Reference - Instant process termination tool to recover control of an information handling system - Dell Products LPⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_InstantProcessTerminationToolToRecoverControlOfAnInformationHandlingSystem_DellProductsLP

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20060236108A1/en"^^any u r i; kb-reference-of^op Process Termination; kb-reference-title^dp "Instant process termination tool to recover control of an information handling system"

Reference - Integrity assurance through early loading in the boot phase - Crowdstrike Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_IntegrityAssuranceThroughEarlyLoadingInTheBootPhase_CrowdstrikeInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20170061127A1"^^any u r i; kb-reference-of^op Driver Load Integrity Checking; kb-reference-title^dp "Integrity assurance through early loading in the boot phase"

Reference - Intrusion detection using a heartbeat - Sophos Ltdⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_IntrusionDetectionUsingAHeartbeat_SophosLtd

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20180191752A1"^^any u r i; kb-reference-of^op Endpoint Health Beacon; kb-reference-title^dp "Intrusion detection using a heartbeat"

Reference - Isolation of applications within a virtual machine - Bromium, Inc.ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_IsolationOfApplicationsWithinAVirtualMachine_Bromium,Inc.

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US9921860B1"^^any u r i; kb-reference-of^op Hardware-based Process Isolation; kb-reference-title^dp "Isolation of applications within a virtual machine"

Reference - Malicious relay detection on networks - VECTRA NETWORKS Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MaliciousRelayDetectionOnNetworks_VECTRANETWORKSInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20150264083A1"^^any u r i; kb-reference-of^op Relay Pattern Analysis; kb-reference-title^dp "Malicious relay detection on networks"

Reference - Malware analysis system - Palo Alto Networks Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MalwareAnalysisSystem_PaloAltoNetworksInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20150319136A1"^^any u r i; kb-reference-of^op Dynamic Analysis; kb-reference-title^dp "Malware analysis system"

Reference - Malware detection in event loops - Crowdstrike Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MalwareDetectionInEventLoops_CrowdstrikeInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20190205530A1"^^any u r i; kb-reference-of^op System Call Analysis; kb-reference-title^dp "Malware detection in event loops"

Reference - Malware detection using local computational models - Crowdstrike Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MalwareDetectionUsingLocalComputationalModels_CrowdstrikeInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20190026466A1"^^any u r i; kb-reference-of^op Process Termination; kb-reference-title^dp "Malware detection using local computational models"

Reference - Method and Apparatus for Detecting Malicious Websites - Endgame Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MethodAndApparatusForDetectingMaliciousWebsites_EndgameInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20140331319A1"^^any u r i; kb-reference-of^op URL Analysis; kb-reference-title^dp "Method and Apparatus for Detecting Malicious Websites"

Reference - Method and apparatus for increasing the speed at which computer viruses are detected - McAfee LLCⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MethodAndApparatusForIncreasingTheSpeedAtWhichComputerVirusesAreDetected_McAfeeLLC

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US5502815A"^^any u r i; kb-reference-of^op Executable Denylisting; kb-reference-title^dp "Method and apparatus for increasing the speed at which computer viruses are detected"

Reference - Method and Apparatus for Network Fraud Detection and Remediation Through Analytics - Idaptive LLCⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20190081968A1/en"^^any u r i; kb-reference-of^op Authentication Event Thresholding; kb-reference-of^op Authorization Event Thresholding; kb-reference-of^op Resource Access Pattern Analysis; kb-reference-of^op Session Duration Analysis; kb-reference-of^op User Geolocation Logon Pattern Analysis; kb-reference-title^dp "Method and Apparatus for Network Fraud Detection and Remediation Through Analytics"

Reference - Method and apparatus for utilizing a token for resource access - Rsa Security Inc.ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MethodAndApparatusForUtilizingATokenForResourceAccess_RsaSecurityInc.

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US5657388A/en"^^any u r i; kb-reference-of^op Multi-factor Authentication; kb-reference-title^dp "Method and apparatus for utilizing a token for resource access"

Reference - Method and system for controlling communication portsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-MethodAndSystemForControllingCommunicationPorts

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US8566924"^^any u r i; kb-reference-of^op IO Port Restriction; kb-reference-title^dp "Method and system for controlling communication ports"

Reference - Method and system for detecting algorithm-generated domains - VECTRA NETWORKS Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MethodAndSystemForDetectingAlgorithm-generatedDomains_VECTRANETWORKSInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20150264070A1"^^any u r i; kb-reference-of^op DNS Traffic Analysis; kb-reference-title^dp "Method and system for detecting algorithm-generated domains"

Reference - Method and system for detecting external control of compromised hosts - VECTRA NETWORKS Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MethodAndSystemForDetectingExternalControlOfCompromisedHosts_VECTRANETWORKSInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US9407647B2/en?oq=US-9407647-B2"^^any u r i; kb-reference-of^op Remote Terminal Session Detection; kb-reference-title^dp "Method and system for detecting external control of compromised hosts"

Reference - Method and system for detecting malicious payloads - Vectra Networks Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MethodAndSystemForDetectingMaliciousPayloads_VectraNetworksInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/EP3293937A1/en?oq=EP-3293937-A1"^^any u r i; kb-reference-of^op Client-server Payload Profiling; kb-reference-title^dp "Method and system for detecting malicious payloads"

Reference - Method and system for detecting restricted content associated with retrieved content - Sophos Ltdⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MethodAndSystemForDetectingRestrictedContentAssociatedWithRetrievedContent_SophosLtd

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20160359883A1"^^any u r i; kb-reference-of^op URL Analysis; kb-reference-title^dp "Method and system for detecting restricted content associated with retrieved content"

Reference - Method and system for detecting suspicious administrative activity - Vectra Networks Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MethodAndSystemForDetectingSuspiciousAdministrativeActivity_VectraNetworksInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20180077186A1"^^any u r i; kb-reference-of^op Administrative Network Activity Analysis; kb-reference-title^dp "Method and system for detecting suspicious administrative activity"

Reference - Method and system for detecting threats using metadata vectors - VECTRA NETWORKS Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MethodAndSystemForDetectingThreatsUsingMetadataVectors_VECTRANETWORKSInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20160191551A1"^^any u r i; kb-reference-of^op Protocol Metadata Anomaly Detection; kb-reference-title^dp "Method and system for detecting threats using metadata vectors"

Reference - Method and system for detecting threats using passive cluster mapping - Vectra Networks Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MethodAndSystemForDetectingThreatsUsingPassiveClusterMapping_VectraNetworksInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20160149936A1"^^any u r i; kb-reference-of^op Protocol Metadata Anomaly Detection; kb-reference-title^dp "Method and system for detecting threats using passive cluster mapping"

Reference - Method and system for providing software updates to local machinesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-MethodAndSystemForProvidingSoftwareUpdatesToLocalMachines

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US10474448B2/en"^^any u r i; kb-reference-title^dp "Method and system for providing software updates to local machines"

Reference - Method and system for UDP flood attack detection - Riorey LLCⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-MethodAndSystemForUDPFloodAttackDetection-RioreyLLC

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US8307430B1"^^any u r i; kb-reference-of^op Inbound Session Volume Analysis; kb-reference-title^dp "Method and system for UDP flood attack detection"

Reference - Method for controlling computer network security - Checkpoint Software Technologies Ltdⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MethodForControllingComputerNetworkSecurity_CheckpointSoftwareTechnologiesLtd

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/EP0658837B1/"^^any u r i; kb-reference-of^op Inbound Traffic Filtering; kb-reference-title^dp "Method for controlling computer network security"

Reference - Method for file encryptionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-MethodForFileEncryption

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US9521123B2/en"^^any u r i; kb-reference-of^op File Encryption; kb-reference-title^dp "Method for file encryption"

Reference - Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system - Symantec Corporationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MethodUsingKernelModeAssistanceForTheDetectionAndRemovalOfThreatsWhichAreActivelyPreventingDetectionAndRemovalFromARunningSystem_SymantecCorporation

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US8239947B1"^^any u r i; kb-reference-of^op System Daemon Monitoring; kb-reference-title^dp "Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system"

Reference - Mitigate threats by using Windows 10 security features: Data Execution Prevention - Microsoftⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#DataExecutionPrevention_Microsoft

belongs to: User Manual Reference^c
has facts: has-link^dp "https://docs.microsoft.com/en-us/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#data-execution-prevention"^^any u r i; kb-reference-of^op Process Segment Execution Prevention; kb-reference-title^dp "Mitigate threats by using Windows 10 security features: Data Execution Prevention"

Reference - Mock attack cybersecurity training system and methods - WOMBAT SECURITY TECHNOLOGIES Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_MockAttackCybersecurityTrainingSystemAndMethods_WOMBATSECURITYTECHNOLOGIESInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US9558677B2/"^^any u r i; kb-reference-of^op Decoy Public Release; kb-reference-title^dp "Mock attack cybersecurity training system and methods"

Reference - Modeling user access to computer resources - Daedalus Group LLC (formerly IBM)ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_ModelingUserAccessToComputerResources_DaedalusGroupLLC

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US8214364B2"^^any u r i; kb-reference-of^op Resource Access Pattern Analysis; kb-reference-title^dp "Modeling user access to computer resources"

Reference - Modification of a Server to Mimic a Deception Mechanism - Acalvio Technologies Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_ModificationOfAServerToMimicADeceptionMechanism_AcalvioTechnologiesInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20170149825A1"^^any u r i; kb-reference-of^op Connected Honeynet; kb-reference-title^dp "Modification of a Server to Mimic a Deception Mechanism"

Reference - Muninⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-Munin

belongs to: Source Code Reference^c
has facts: has-link^dp "https://github.com/Neo23x0/munin"^^any u r i; kb-reference-title^dp "Online Hash Checker for Virustotal and Other Services"

Reference - Network firewall with proxy - Secure Computing LLCⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_NetworkFirewallWithProxy_SecureComputingLLC

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/GB2318031A"^^any u r i; kb-reference-of^op Inbound Traffic Filtering; kb-reference-title^dp "Network firewall with proxy"

Reference - Network-Based Buffer Overflow Detection by Exploit Code Analysis - Information Security Research Centreⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_Network-BasedBufferOverflowDetectionByExploitCodeAnalysis_InformationSecurityResearchCentre

belongs to: Academic Paper Reference^c
has facts: has-link^dp "https://eprints.qut.edu.au/21172/1/21172.pdf"^^any u r i; kb-reference-of^op Byte Sequence Emulation; kb-reference-title^dp "Network-Based Buffer Overflow Detection by Exploit Code Analysis"

Reference - Network-level polymorphic shellcode detection using emulationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-Network-levelPolymorphicShellcodeDetectionUsingEmulation

belongs to: Academic Paper Reference^c
has facts: has-link^dp "https://www.cs.unc.edu/~fabian/course_papers/polymorphic-detect.pdf"^^any u r i; kb-reference-of^op Byte Sequence Emulation; kb-reference-title^dp "Network-level polymorphic shellcode detection using emulation"

Reference - Open source intelligence deceptions - Illusive Networks Ltdⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_OpenSourceIntelligenceDeceptions_IllusiveNetworksLtd

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US10333976B1/en?assignee=Illusive+Networks+Ltd&oq=Illusive+Networks+Ltd+"^^any u r i; kb-reference-of^op Decoy File; kb-reference-title^dp "Open source intelligence deceptions"

Reference - OS Query Windows User Collection Codeⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-OSQueryWindowsUserCollectionCode

has facts: has-link^dp "https://github.com/osquery/osquery/blob/d2be385d71f401c85872f00d479df8f499164c5a/osquery/tables/system/windows/users.cpp"^^any u r i; kb-reference-title^dp "OS Query Windows User Collection Code"

Reference - Overview of the seccomp sandboxⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-OverviewOfTheSeccompSandbox

belongs to: Internet Article Reference^c
has facts: has-link^dp "https://code.google.com/archive/p/seccompsandbox/wikis/overview.wiki"^^any u r i; kb-reference-of^op System Call Filtering; kb-reference-title^dp "Overview of the seccomp sandbox"

Reference - Platform Firmware Resiliency Guidelines - NISTⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_PlatformFirmwareResiliencyGuidelines_NIST

belongs to: Guideline Reference^c
has facts: has-link^dp "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-193.pdf"^^any u r i; kb-reference-of^op Firmware Verification; kb-reference-title^dp "Platform Firmware Resiliency Guidelines"

Reference - Pointer Authentication on ARMv8.3ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-PointerAuthenticationOnARMv8.3

belongs to: Specification Reference^c
has facts: has-link^dp "https://www.qualcomm.com/media/documents/files/whitepaper-pointer-authentication-on-armv8-3.pdf"^^any u r i; kb-reference-of^op Pointer Authentication; kb-reference-title^dp "Pointer Authentication on ARMv8.3"

Reference - Pointer Authentication Project Zeroⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-PointerAuthenticationProjectZero

belongs to: Internet Article Reference^c
has facts: has-link^dp "https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html"^^any u r i; kb-reference-of^op Pointer Authentication; kb-reference-title^dp "Examining Pointer Authentication on the iPhone XS"

Reference - Post sandbox methods and systems for detecting and blocking zero-day exploits via api call validation - K2 Cyber Security Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_PostSandboxMethodsAndSystemsForDetectingAndBlockingZero-dayExploitsViaApiCallValidation_K2CyberSecurityInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20190138715A1/"^^any u r i; kb-reference-of^op System Call Analysis; kb-reference-title^dp "Post sandbox methods and systems for detecting and blocking zero-day exploits via api call validation"

Reference - Predicting Domain Generation Algorithms with Long Short-Term Memory Networks -ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_PredictingDomainGenerationAlgorithmsWithLongShort-TermMemoryNetworks_

belongs to: Academic Paper Reference^c
has facts: has-link^dp "https://arxiv.org/abs/1611.007911"^^any u r i; kb-reference-of^op DNS Traffic Analysis; kb-reference-title^dp "Predicting Domain Generation Algorithms with Long Short-Term Memory Networks"

Reference - Preventing execution of task scheduled malware - McAfee LLCⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_PreventingExecutionOfTaskScheduledMalware_McAfeeLLC

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20160105450A1"^^any u r i; kb-reference-of^op Scheduled Job Analysis; kb-reference-title^dp "Preventing execution of task scheduled malware"

Reference - Private virtual local area network isolation - Cisco Technology Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_PrivateVirtualLocalAreaNetworkIsolation_CiscoTechnologyInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20120331142A1"^^any u r i; kb-reference-of^op Broadcast Domain Isolation; kb-reference-title^dp "Private virtual local area network isolation"

Reference - Protected computing environment - Microsoft Technology Licensing LLCⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_ProtectedComputingEnvironment_MicrosoftTechnologyLicensingLLC

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20060242406A1"^^any u r i; kb-reference-of^op Driver Load Integrity Checking; kb-reference-title^dp "Protected computing environment"

Reference - Protecting against distributed denial of service attacks - Cisco Technology Inc.ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-ProtectingAgainstDistributedDenialOfServiceAttacks-CiscoTechnologyInc.

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US7171683B2"^^any u r i; kb-reference-of^op Inbound Session Volume Analysis; kb-reference-title^dp "Protecting against distributed denial of service attacks"

Reference - Protecting against distributed network flood attacks - Juniper Networks Inc.ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-ProtectingAgainstDistributedNetworkFloodAttacks-JuniperNetworksInc.

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US8789173B2"^^any u r i; kb-reference-of^op Inbound Session Volume Analysis; kb-reference-title^dp "Protecting against distributed network flood attacks"

Reference - Red Hat Enterprise Linux 8 Security Technical Implementation Guideⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-RedHatEnterpriseLinux8SecurityTechnicalImplementationGuide

belongs to: Guideline Reference^c
has facts: has-link^dp "https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/"^^any u r i; kb-reference-of^op Application Configuration Hardening; kb-reference-title^dp "Red Hat Enterprise Linux 8 Security Technical Implementation Guide"

Reference - Registry Key Security and Access Rightsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-RegistryKeySecurityAndAccessRights

belongs to: User Manual^c
has facts: has-link^dp "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights"^^any u r i; kb-reference-of^op User Session Init Config Analysis; kb-reference-title^dp "Registry Key Security and Access Rights"

Reference - Reverse DNS Blocking - Barracuda Networksⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#'Reference_ReverseDNSBlocking_BarracudaNetworks

belongs to: User Manual Reference^c
has facts: has-link^dp "https://campus.barracuda.com/product/emailsecuritygateway/doc/39819732/reverse-dns-blocking/"^^any u r i; kb-reference-of^op Reverse Resolution Domain Denylisting; kb-reference-title^dp "Reverse DNS Blocking"

Reference - RFC 2289 - A One-Time Password Systemⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-RFC2289-AOne-TimePasswordSystem

belongs to: Specification Reference^c
has facts: has-link^dp "https://tools.ietf.org/html/rfc2289"^^any u r i; kb-reference-of^op One-time Password; kb-reference-title^dp "A One-Time Password System"

Reference - RFC 6376: DomainKeys Identified Mail (DKIM) Signatures - IETFⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-DomainKeysIdentifiedMail-Signatures-IETF

belongs to: Specification Reference^c
has facts: has-link^dp "https://tools.ietf.org/html/rfc6376"^^any u r i; kb-reference-of^op Transfer Agent Authentication; kb-reference-title^dp "RFC 6376: DomainKeys Identified Mail (DKIM) Signatures"

Reference - RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email - IETFⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-RFC7208-SenderPolicyFramework-SPF-ForAuthorizingUseOfDomainsInEmail-IETF

belongs to: Specification Reference^c
has facts: has-link^dp "https://tools.ietf.org/html/rfc7208"^^any u r i; kb-reference-of^op Transfer Agent Authentication; kb-reference-title^dp "RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email"

Reference - RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC) - IETFⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-RFC7489-Domain-basedMessageAuthentication-Reporting-AndConformance-DMARC

belongs to: Specification Reference^c
has facts: has-link^dp "https://tools.ietf.org/html/rfc7489"^^any u r i; kb-reference-of^op Transfer Agent Authentication; kb-reference-title^dp "RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC)"

Reference - RPC call interception - Crowdstrike Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_RPCCallInterception_CrowdstrikeInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20150163109"^^any u r i; kb-reference-of^op RPC Traffic Analysis; kb-reference-title^dp "RPC call interception"

Reference - Secure caching of server credentials - Dell Products LPⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SecureCachingOfServerCredentials_DellProductsLP

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20100107241A1"^^any u r i; kb-reference-of^op Authentication Cache Invalidation; kb-reference-title^dp "Secure caching of server credentials"

Reference - Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-SecureMultipurposeInternetMailExtensionsMIME-Version3.1

belongs to: Specification Reference^c
has facts: has-link^dp "https://tools.ietf.org/html/rfc3851"^^any u r i; kb-reference-title^dp "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification"

Reference - Securing Web Transactionsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-SecuringWebTransactions

belongs to: Guideline Reference^c
has facts: has-link^dp "https://www.nccoe.nist.gov/sites/default/files/library/sp1800/tls-serv-cert-mgt-nist-sp1800-16b-final.pdf"^^any u r i; kb-reference-of^op Active Certificate Analysis; kb-reference-title^dp "Securing Web Transactions"

Reference - Securing Web Transactions TLS Server Certificate Management - Appendix A Passive Inspectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_-_Securing_Web_Transactions__TLS_Server_Certificate_Management_Appendix_A_Passive_Inspection

has facts: has-link^dp "https://www.nccoe.nist.gov/publication/1800-16/VolD/vol-d-appendix.html"^^any u r i; kb-reference-of^op Passive Certificate Analysis; kb-reference-title^dp "Securing Web Transactions TLS Server Certificate Management - Appendix A Passive Inspection"

Reference - Security Architecture for the Internet Protocolⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-SecurityArchitectureForTheInternetProtocol

belongs to: Specification Reference^c
has facts: has-link^dp "https://datatracker.ietf.org/doc/html/rfc1825"^^any u r i; kb-reference-of^op Encrypted Tunnels; kb-reference-title^dp "Security Architecture for the Internet Protocol"

Reference - Security System with Methodology for Interprocess Communication Control - Check Point Software Tech Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SecuritySystemWithMethodologyForInterprocessCommunicationControl_CheckPointSoftwareTechInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20040199763"^^any u r i; kb-reference-of^op IPC Traffic Analysis; kb-reference-title^dp "Security System with Methodology for Interprocess Communication Control"

Reference - Security Technologies: Stack Smashing Protection (StackGuard) - Red Hatⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StackSmashingProtection_StackGuard_RedHat

belongs to: Internet Article Reference^c
has facts: has-link^dp "https://access.redhat.com/blogs/766093/posts/3548631"^^any u r i; kb-reference-of^op Stack Frame Canary Validation; kb-reference-title^dp "Security Technologies: Stack Smashing Protection (StackGuard)"

Reference - Sinkholing bad network domains by registering the bad network domains on the internet - Palo Alto Networks Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SinkholingBadNetworkDomainsByRegisteringTheBadNetworkDomainsOnTheInternet_PaloAltoNetworksInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20160381065A1"^^any u r i; kb-reference-of^op DNS Traffic Analysis; kb-reference-title^dp "Sinkholing bad network domains by registering the bad network domains on the internet"

Reference - StreamingPhishⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-StreamingPhish

belongs to: Technique Reference^c
has facts: has-link^dp "https://github.com/wesleyraptor/streamingphish"^^any u r i; kb-reference-of^op Passive Certificate Analysis; kb-reference-title^dp "StreamingPhish"

Reference - Supply chain cyber-deception - Cymmetria, Inc.ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SupplyChainCyber-deception_Cymmetria,Inc.

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/WO2017187379A1"^^any u r i; kb-reference-of^op Decoy File; kb-reference-title^dp "Supply chain cyber-deception"

Reference - Synchronizing a honey network configuration to reflect a target network environment - Palo Alto Networks Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SynchronizingAHoneyNetworkConfigurationToReflectATargetNetworkEnvironment_PaloAltoNetworksInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20170019425A1"^^any u r i; kb-reference-of^op Integrated Honeynet; kb-reference-title^dp "Synchronizing a honey network configuration to reflect a target network environment"

Reference - System and a method for identifying the presence of malware and ransomware using mini-traps set at network endpoints - Fidelis Cybersecurity Solutions Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndAMethodForIdentifyingThePresenceOfMalwareAndRansomwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US9807115B2/en?oq=US-9807115-B2"^^any u r i; kb-reference-of^op Decoy File; kb-reference-title^dp "System and a method for identifying the presence of malware and ransomware using mini-traps set at network endpoints"

Reference - System and method for detecting homoglyph attacks with a siamese convolutional neural network - Endgame Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndMethodForDetectingHomoglyphAttacksWithASiameseConvolutionalNeuralNetwork_EndgameInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20190019058A1/"^^any u r i; kb-reference-of^op Homoglyph Detection; kb-reference-title^dp "System and method for detecting homoglyph attacks with a siamese convolutional neural network"

Reference - System and method for detecting malware injected into memory of a computing device - Endgame Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndMethodForDetectingMalwareInjectedIntoMemoryOfAComputingDevice_EndgameInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20190018958A1/en?oq=US20190018958-A1"^^any u r i; kb-reference-of^op Process Code Segment Verification; kb-reference-title^dp "System and method for detecting malware injected into memory of a computing device"

Reference - System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis - Silver Tail Systemsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndMethodForDetectionOfAChangeInBehaviorInTheUseOfAWebsiteThroughVectorVelocityAnalysis_SilverTailSystems

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20100235909A1/en?oq=US+20100235909+A1"^^any u r i; kb-reference-of^op Web Session Activity Analysis; kb-reference-title^dp "System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis"

Reference - System and method for identifying the presence of malware using mini-traps set at network endpoints - Fidelis Cybersecurity Solutions Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndMethodForIdentifyingThePresenceOfMalwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US9807114B2/en?oq=US-9807114-B2"^^any u r i; kb-reference-of^op Decoy Network Resource; kb-reference-of^op Decoy User Credential; kb-reference-title^dp "System and method for identifying the presence of malware using mini-traps set at network endpoints"

Reference - System and method for internet security - Cylance Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndMethodForInternetSecurity_CylanceInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20120117644A1"^^any u r i; kb-reference-of^op Database Query String Analysis; kb-reference-title^dp "System and method for internet security"

Reference - System and Method for Network Security Including Detection of Attacks Through Partner Websites - EMC IP Holding Co LLCⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndMethodForNetworkSecurityIncludingDetectionOfAttacksThroughPartnerWebsites_EMCIPHoldingCoLLC

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20110302653A1/en?oq=US+20110302653+A1"^^any u r i; kb-reference-of^op Web Session Activity Analysis; kb-reference-title^dp "System and Method for Network Security Including Detection of Attacks Through Partner Websites"

Reference - System and Method for Process Hollowing Detection - Carbon Black Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndMethodForProcessHollowingDetection_CarbonBlackInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20170272462A1"^^any u r i; kb-reference-of^op Process Self-Modification Detection; kb-reference-title^dp "System and Method for Process Hollowing Detection"

Reference - System and method for providing an actively invalidated client-side network resource cache - IMVUⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndMethodForProvidingAnActivelyInvalidatedClient-sideNetworkResourceCache_IMVU

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US9578081B2/en"^^any u r i; kb-reference-of^op Authentication Cache Invalidation; kb-reference-title^dp "System and method for providing an actively invalidated client-side network resource cache"

Reference - System and method for validating in-memory integrity of executable files to identify malicious activity - Endgame Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndMethodForValidatingIn-memoryIntegrityOfExecutableFilesToIdentifyMaliciousActivity_EndgameInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20190018962A1/en?oq=15648887"^^any u r i; kb-reference-of^op Process Code Segment Verification; kb-reference-title^dp "System and method for validating in-memory integrity of executable files to identify malicious activity"

Reference - System and method thereof for identifying and responding to security incidents based on preemptive forensics - Palo Alto Networks Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndMethodThereofForIdentifyingAndRespondingToSecurityIncidentsBasedOnPreemptiveForensics_PaloAltoNetworksInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20160142424A1"^^any u r i; kb-reference-of^op Resource Access Pattern Analysis; kb-reference-of^op User Data Transfer Analysis; kb-reference-of^op Web Session Activity Analysis; kb-reference-title^dp "System and method thereof for identifying and responding to security incidents based on preemptive forensics"

Reference - System and methods thereof for causality identification and attributions determination of processes in a network - Palo Alto Networks IncCyber Secdo Ltdⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndMethodsThereofForCausalityIdentificationAndAttributionsDeterminationOfProcessesInANetwork_PaloAltoNetworksIncCyberSecdoLtd

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20170195350A1/en?oq=US-2017195350-A1"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "System and methods thereof for causality identification and attributions determination of processes in a network"

Reference - System and methods thereof for detection of persistent threats in a computerized environment background - Palo Alto Networks IncCyber Secdo Ltdⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndMethodsThereofForDetectionOfPersistentThreatsInAComputerizedEnvironmentBackground_PaloAltoNetworksIncCyberSecdoLtd

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20170206358A1/en?oq=US-2017206358-A1"^^any u r i; kb-reference-title^dp "System and methods thereof for detection of persistent threats in a computerized environment background"

Reference - System and methods thereof for identification of suspicious system processes - Palo Alto Networks Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndMethodsThereofForIdentificationOfSuspiciousSystemProcesses_PaloAltoNetworksInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20170286683A1/en?oq=US-2017286683-A1"^^any u r i; kb-reference-of^op Process Lineage Analysis; kb-reference-title^dp "System and methods thereof for identification of suspicious system processes"

Reference - System and methods thereof for logical identification of malicious threats across a plurality of end-point devices (epd) communicatively connected by a network - Palo Alto Networks IncCyber Secdo Ltdⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndMethodsThereofForLogicalIdentificationOfMaliciousThreatsAcrossAPluralityOfEnd-pointDevicesCommunicativelyConnectedByANetwork_PaloAltoNetworksIncCyberSecdoLtd

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20180373870A1/en?oq=US-2018373870-A1"^^any u r i; kb-reference-of^op File Content Rules; kb-reference-title^dp "System and methods thereof for logical identification of malicious threats across a plurality of end-point devices (epd) communicatively connected by a network"

Reference - System and methods thereof for preventing ransomware from encrypting data elements stored in a memory of a computer-based system - Palo Alto Networks Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemAndMethodsThereofForPreventingRansomwareFromEncryptingDataElementsStoredInAMemoryOfAComputer-basedSystem_PaloAltoNetworksInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20170308711A1/en?oq=US-2017308711-A1"^^any u r i; kb-reference-of^op Decoy File; kb-reference-title^dp "System and methods thereof for preventing ransomware from encrypting data elements stored in a memory of a computer-based system"

Reference - System for detecting threats using scenario-based tracking of internal and external network traffic - VECTRA NETWORKS Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemForDetectingThreatsUsingScenario-basedTrackingOfInternalAndExternalNetworkTraffic_VECTRANETWORKSInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20160191563A1"^^any u r i; kb-reference-of^op Per Host Download-Upload Ratio Analysis; kb-reference-title^dp "System for detecting threats using scenario-based tracking of internal and external network traffic"

Reference - System for implementing threat detection using daily network traffic community outliers - VECTRA NETWORKS Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemForImplementingThreatDetectionUsingDailyNetworkTrafficCommunityOutliers_VECTRANETWORKSInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20160191560A1"^^any u r i; kb-reference-of^op Network Traffic Community Deviation; kb-reference-of^op Protocol Metadata Anomaly Detection; kb-reference-title^dp "System for implementing threat detection using daily network traffic community outliers"

Reference - System for implementing threat detection using threat and risk assessment of asset-actor interactions - VECTRA NETWORKS Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemForImplementingThreatDetectionUsingThreatAndRiskAssessmentOfAsset-actorInteractions_VECTRANETWORKSInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20160191559A1"^^any u r i; kb-reference-of^op User Data Transfer Analysis; kb-reference-title^dp "System for implementing threat detection using threat and risk assessment of asset-actor interactions"

Reference - System, method, and computer program product for detecting and assessing security risks in a network - Exabeam Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_System,Method,AndComputerProgramProductForDetectingAndAssessingSecurityRisksInANetwork_ExabeamInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20190034641A1"^^any u r i; kb-reference-of^op Authentication Event Thresholding; kb-reference-of^op Authorization Event Thresholding; kb-reference-of^op Resource Access Pattern Analysis; kb-reference-of^op Session Duration Analysis; kb-reference-of^op User Geolocation Logon Pattern Analysis; kb-reference-title^dp "System, method, and computer program product for detecting and assessing security risks in a network"

Reference - Systems and methods for detecting and/or handling targeted attacks in the email channel - Graphus Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemsAndMethodsForDetectingAnd_orHandlingTargetedAttacksInTheEmailChannel_GraphusInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20170324767A1"^^any u r i; kb-reference-of^op Sender MTA Reputation Analysis; kb-reference-of^op Sender Reputation Analysis; kb-reference-title^dp "Systems and methods for detecting and/or handling targeted attacks in the email channel"

Reference - Systems and methods for detecting credential theft - Symantec Corpⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_SystemsAndMethodsForDetectingCredentialTheft_SymantecCorp

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US10162962B1"^^any u r i; kb-reference-of^op Credential Compromise Scope Analysis; kb-reference-title^dp "Systems and methods for detecting credential theft"

Reference - Tamper proof mutating software - ARXAN TECHNOLOGIES Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_TamperProofMutatingSoftware_ARXANTECHNOLOGIESInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US9262600B2/en?oq=US9262600B2"^^any u r i; kb-reference-of^op Process Code Segment Verification; kb-reference-title^dp "Tamper proof mutating software"

Reference - Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilitiesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_-_Technical_Specifications_for_Construction_and_Management_of_Sensitive_Compartmented_Information_Facilities

belongs to: Specification Reference^c
has facts: has-link^dp "https://www.dni.gov/files/Governance/IC-Tech-Specs-for-Const-and-Mgmt-of-SCIFs-v15.pdf"^^any u r i; kb-reference-of^op RF Shielding; kb-reference-title^dp "Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities"

Reference - Techniques for impeding and detecting network threats - Verisign Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_TechniquesForImpedingAndDetectingNetworkThreats_VerisignInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US10904273B1/"^^any u r i; kb-reference-of^op Decoy Network Resource; kb-reference-title^dp "Techniques for impeding and detecting network threats"

Reference - Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwordsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_-_Testing_Metrics_for_Password_Creation_Policies_by_Attacking_Large_Sets_of_Revealed_Passwords

belongs to: Academic Paper Reference^c
has facts: has-link^dp "https://www.cs.umd.edu/~jkatz/security/downloads/passwords_revealed-weir.pdf"^^any u r i; kb-reference-of^op Strong Password Policy; kb-reference-title^dp "Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords"

Reference - Threat detection for return oriented programming - Crowdstrike Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_ThreatDetectionForReturnOrientedProgramming_CrowdstrikeInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20140075556A1"^^any u r i; kb-reference-of^op Shadow Stack Comparisons; kb-reference-title^dp "Threat detection for return oriented programming"

Reference - Threat detection through the accumulated detection of threat characteristics - Sophos Ltdⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_ThreatDetectionThroughTheAccumulatedDetectionOfThreatCharacteristics_SophosLtd

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US9104864B2/en?oq=US-9104864-B2"^^any u r i; kb-reference-of^op Process Code Segment Verification; kb-reference-title^dp "Threat detection through the accumulated detection of threat characteristics"

Reference - TPM 2.0 Library Specification - Trusted Computing Group, Incorporatedⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_TPM2.0LibrarySpecification_TrustedComputingGroup,Incorporated

belongs to: Specification Reference^c
has facts: has-link^dp "https://trustedcomputinggroup.org/resource/tpm-library-specification/"^^any u r i; kb-reference-of^op TPM Boot Integrity; kb-reference-title^dp "TPM 2.0 Library Specification"

Reference - Trusted Communications With Child Processes - Microsoft Technology Licensing LLCⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_TrustedCommunicationsWithChildProcesses_MicrosoftTechnologyLicensingLLC

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20120174210A1"^^any u r i; kb-reference-title^dp "Trusted Communications With Child Processes"

Reference - UEFI Platform Initialization (PI) Specificationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-UEFIPlatformInitialization-Specification

belongs to: Specification Reference^c
has facts: has-link^dp "https://uefi.org/sites/default/files/resources/PI_Spec_1_7_A_final_May1.pdf"^^any u r i; kb-reference-of^op Bootloader Authentication; kb-reference-title^dp "UEFI Platform Initialization (PI) Specification"

Reference - USB filter for hub malicious code prevention systemⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-USBFilterForHubMaliciousCodePreventionSystem

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US9990325B2/en"^^any u r i; kb-reference-of^op IO Port Restriction; kb-reference-title^dp "Universal serial bus (USB) filter hub malicious code prevention system"

Reference - Use DNS Policy for Applying Filters on DNS Queriesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries

belongs to: User Manual Reference^c
has facts: has-link^dp "https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/apply-filters-on-dns-queries"^^any u r i; kb-reference-title^dp "Use DNS Policy for Applying Filters on DNS Queries"

Reference - Use of an application controller to monitor and control software file and application environments - Sophos Ltdⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_UseOfAnApplicationControllerToMonitorAndControlSoftwareFileAndApplicationEnvironments_SophosLtd

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20180032727A1"^^any u r i; kb-reference-of^op Dynamic Analysis; kb-reference-title^dp "Use of an application controller to monitor and control software file and application environments"

Reference - Use Rkill to Stop Malware Processes - ghacks.netⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-UseRkillToStopMalwareProcesses-Ghacks.net

belongs to: Technique Reference^c
has facts: has-link^dp "https://www.ghacks.net/2011/07/29/use-rkill-to-stop-malware-processes/"^^any u r i; kb-reference-of^op Process Termination; kb-reference-title^dp "Use Rkill to Stop Malware Processes"

Reference - Virtualized process isolation - Advanced Micro Devices Incⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_VirtualizedProcessIsolation_AdvancedMicroDevicesInc

belongs to: Patent Reference^c
has facts: has-link^dp "https://patents.google.com/patent/US20180081829A1"^^any u r i; kb-reference-of^op Hardware-based Process Isolation; kb-reference-title^dp "Virtualized process isolation"

Reference - What is NX/XD feature?ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference_WhatIsNX_XDFeature_RedHat

belongs to: Internet Article Reference^c
has facts: has-link^dp "https://access.redhat.com/solutions/2936741"^^any u r i; kb-reference-of^op Process Segment Execution Prevention; kb-reference-title^dp "What is NX/XD feature?"

Reference - Windows 10 STIGⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Reference-Windows10STIG

belongs to: Guideline Reference^c
has facts: has-link^dp "https://www.stigviewer.com/stig/windows_10/"^^any u r i; kb-reference-of^op Application Configuration Hardening; kb-reference-title^dp "Windows 10 Security Technical Implementation Guide"

Reflection Amplificationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1498.002

has facts: produces^op Inbound Internet Network Traffic
is also defined as: class

Reflective Code Loadingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1620

has facts: modifies^op Process Segment
is also defined as: class

Registry Run Keys / Startup Folderⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.001

has facts: may-modify^op System Configuration Init Database Record; may-modify^op User Startup Script File
is also defined as: class

Relay Pattern Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RelayPatternAnalysis

belongs to: Network Traffic Analysis^c
has facts: analyzes^op Outbound Internet Network Traffic; d3fend-id^dp "D3-RPA"; kb-reference^op Reference - Malicious relay detection on networks - VECTRA NETWORKS Inc
is also defined as: class

Remote Access Softwareⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1219

has facts: produces^op Outbound Internet Network Traffic
is also defined as: class

Remote Data Stagingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1074.002

has facts: modifies^op Network Resource
is also defined as: class

Remote Data Storageⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1029

belongs to: ATTACK Mitigation^c
has facts: d3fend-comment^dp "IT disaster recovery plans are outside the current scope of D3FEND."

Remote Desktop Protocolⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1021.001

has facts: creates^op RDP Session; produces^op Administrative Network Traffic
is also defined as: class

Remote Email Collectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1114.002

has facts: accesses^op Mail Server
is also defined as: class

Remote Service Session Hijackingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1563

has facts: accesses^op Remote Session; produces^op Administrative Network Traffic
is also defined as: class

Remote Servicesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1021

has facts: produces^op Intranet Network Traffic
is also defined as: class

Remote Terminal Session Detectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RemoteTerminalSessionDetection

belongs to: Network Traffic Analysis^c
has facts: analyzes^op Network Traffic; d3fend-id^dp "D3-RTSD"; kb-reference^op Reference - CAR-2013-07-002: RDP Connection Detection - MITRE; kb-reference^op Reference - Method and system for detecting external control of compromised hosts - VECTRA NETWORKS Inc; kb-reference^op Reference - CAR-2016-04-005: Remote Desktop Logon - MITRE
is also defined as: class

Rename System Utilitiesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1036.003

has facts: may-create^op Executable File; may-modify^op Operating System Executable File
is also defined as: class

Replication Through Removable Mediaⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1091

has facts: executes^op Removable Media Device
is also defined as: class

Resource Access Pattern Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ResourceAccessPatternAnalysis

belongs to: User Behavior Analysis^c
has facts: analyzes^op Authentication; analyzes^op Authorization; d3fend-id^dp "D3-RAPA"; kb-reference^op Reference - Host intrusion prevention system using software and user behavior analysis - Sophos Ltd; kb-reference^op Reference - Method and Apparatus for Network Fraud Detection and Remediation Through Analytics - Idaptive LLC; kb-reference^op Reference - Modeling user access to computer resources - Daedalus Group LLC (formerly IBM); kb-reference^op Reference - System and method thereof for identifying and responding to security incidents based on preemptive forensics - Palo Alto Networks Inc; kb-reference^op Reference - System, method, and computer program product for detecting and assessing security risks in a network - Exabeam Inc
is also defined as: class

Resource Forkingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.009

has facts: may-create^op Resource Fork; may-modify^op Resource Fork
is also defined as: class

Restrict File and Directory Permissionsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1022

belongs to: ATTACK Mitigation^c
has facts: related^op Local File Permissions

Restrict Library Loadingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1044

belongs to: ATTACK Mitigation^c
has facts: d3fend-comment^dp "D3-SCF is one possible way to filter library loading."; related^op System Call Filtering

Restrict Registry Permissionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1024

belongs to: ATTACK Mitigation^c
has facts: related^op System Configuration Permissions

Restrict Web-Based Contentⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1021

belongs to: ATTACK Mitigation^c
has facts: d3fend-comment^dp "M1021 scope is broad, touches on an wide variety of techniques in d3fend."; related^op DNS Allowlisting; related^op DNS Denylisting; related^op File Analysis; related^op Inbound Traffic Filtering; related^op Network Traffic Analysis; related^op Outbound Traffic Filtering; related^op URL Analysis

Reverse Resolution Domain Denylistingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ReverseResolutionDomainDenylisting

belongs to: DNS Denylisting^c
has facts: blocks^op Inbound Internet DNS Response Traffic; d3fend-id^dp "D3-RRDD"
is also defined as: class

Reverse Resolution IP Denylistingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ReverseResolutionIPDenylisting

belongs to: DNS Denylisting^c
has facts: blocks^op Outbound Internet DNS Lookup Traffic; d3fend-id^dp "D3-RRID"; kb-reference^op Reference - Use DNS Policy for Applying Filters on DNS Queries
is also defined as: class

RF Shieldingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RFShielding

belongs to: Platform Hardening^c
has facts: d3fend-id^dp "D3-RFS"; kb-reference^op Reference - Privacy and security systems and methods of use; kb-reference^op Reference - Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities
is also defined as: class

Right-to-Left Overrideⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1036.002

has facts: modifies^op File System Metadata
is also defined as: class

Rogue Domain Controllerⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1207

has facts: modifies^op System Configuration Database; produces^op Intranet Administrative Network Traffic
is also defined as: class

Rootkitⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1014

has facts: may-modify^op Boot Sector; may-modify^op Firmware; may-modify^op Kernel; may-modify^op Kernel Module; may-modify^op Shared Library File
is also defined as: class

RPC Traffic Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RPCTrafficAnalysis

belongs to: Network Traffic Analysis^c
has facts: analyzes^op RPC Network Traffic; d3fend-id^dp "D3-RTA"; kb-reference^op Reference - CAR-2016-03-002: Create Remote Process via WMIC - MITRE; kb-reference^op Reference - CAR-2014-11-007: Remote Windows Management Instrumentation (WMI) over RPC - MITRE; kb-reference^op Reference - RPC call interception - Crowdstrike Inc; kb-reference^op Reference - CAR-2014-03-005: Remotely Launched Executables via Services - MITRE; kb-reference^op Reference - CAR-2014-12-001: Remotely Launched Executables via WMI - MITRE; kb-reference^op Reference - CAR-2015-04-002: Remotely Scheduled Tasks via Schtasks - MITRE; kb-reference^op Reference - CAR-2014-03-001: SMB Write Request - NamedPipes - MITRE; kb-reference^op Reference - CAR-2014-05-001: RPC Activity - MITRE
is also defined as: class

Ruby Script Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#RubyScriptFile

belongs to: Executable Script^c

Run Virtual Instanceⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.006

has facts: creates^op File; executes^op Virtualization Software; may-add^op Virtualization Software; may-create^op Directory
is also defined as: class

Rundll32 Executionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.011

has facts: invokes^op Create Process; loads^op Shared Library File
is also defined as: class

Runtime Data Manipulationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1565.003

has facts: may-modify^op Executable File
is also defined as: class

Safe Mode Bootⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1562.009

has facts: disables^op Endpoint Sensor; disables^op System Configuration Init Database Record; may-modify^op Endpoint Health Beacon
is also defined as: class

Scanⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Scan

belongs to: Defensive Tactic^c
has facts: display-order^dp "0"^^integer
is also defined as: class

Scheduled Job Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ScheduledJobAnalysis

belongs to: Operating System Monitoring^c
has facts: analyzes^op Task Schedule; d3fend-id^dp "D3-SJA"; kb-reference^op Reference - CAR-2013-05-004: Execution with AT -; kb-reference^op Reference - CAR-2013-08-001: Execution with schtasks -; kb-reference^op Reference - Preventing execution of task scheduled malware - McAfee LLC
is also defined as: class

Scheduled Task/Job Executionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1053

has facts: invokes^op Create Process; modifies^op Task Schedule
is also defined as: class

Scheduled Transferⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1029

has facts: produces^op Internet Network Traffic
is also defined as: class

Screen Captureⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1113

has facts: accesses^op Display Server
is also defined as: class

Screensaverⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.002

has facts: creates^op Executable File; modifies^op System Configuration Database Record
is also defined as: class

Script Application Processⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ScriptApplicationProcess

has facts: interprets^op Executable Script
is also defined as: class

Script Execution Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ScriptExecutionAnalysis

belongs to: Process Analysis^c
has facts: analyzes^op Script Application Process; d3fend-id^dp "D3-SEA"; kb-reference^op Reference - Detecting script-based malware - Crowdstrike Inc
is also defined as: class

Security Account Managerⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1003.002

has facts: may-access^op Authentication Service; may-access^op Process; may-access^op System Password Database
is also defined as: class

Security Software Discoveryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1518.001

has facts: may-access^op File System Metadata; may-access^op Kernel Process Table; may-access^op System Configuration Database Record; may-access^op System Firewall Configuration
is also defined as: class

Security Support Providerⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.005

has facts: modifies^op System Configuration Database Record
is also defined as: class

Security Tokenⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SecurityToken

has facts: contains^op Access Token
is also defined as: class

Securityd Memoryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1555.002

has facts: accesses^op In-memory Password Store
is also defined as: class

Segment Address Offset Randomizationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SegmentAddressOffsetRandomization

belongs to: Application Hardening^c
has facts: d3fend-id^dp "D3-SAOR"; kb-reference^op Reference - /DYNAMICBASE (Use address space layout randomization) - Microsoft Docs; kb-reference^op Reference - How ASLR protects Linux systems from buffer overflow attacks - Network World; obfuscates^op Process Segment
is also defined as: class

Sender MTA Reputation Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SenderMTAReputationAnalysis

belongs to: Message Analysis^c
has facts: analyzes^op Email; d3fend-id^dp "D3-SMRA"; kb-reference^op Reference - Systems and methods for detecting and/or handling targeted attacks in the email channel - Graphus Inc
is also defined as: class

Sender Reputation Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SenderReputationAnalysis

belongs to: Message Analysis^c
has facts: analyzes^op Email; d3fend-id^dp "D3-SRA"; kb-reference^op Reference - Systems and methods for detecting and/or handling targeted attacks in the email channel - Graphus Inc
is also defined as: class

Service Binary Verificationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ServiceBinaryVerification

belongs to: System File Analysis^c
has facts: d3fend-id^dp "D3-SBV"; kb-reference^op Reference - CAR-2014-02-001: Service Binary Modifications - MITRE; verifies^op Service Application
is also defined as: class

Service Exhaustion Floodⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1499.002

has facts: produces^op Inbound Internet Network Traffic
is also defined as: class

Services File Permissions Weaknessⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.010

has facts: modifies^op Service Application
is also defined as: class

Services Registry Permissions Weaknessⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1574.011

has facts: modifies^op System Configuration Init Database Record
is also defined as: class

Session Duration Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SessionDurationAnalysis

belongs to: User Behavior Analysis^c
has facts: analyzes^op Authentication; analyzes^op Authorization; d3fend-id^dp "D3-SDA"; kb-reference^op Reference - Method and Apparatus for Network Fraud Detection and Remediation Through Analytics - Idaptive LLC; kb-reference^op Reference - System, method, and computer program product for detecting and assessing security risks in a network - Exabeam Inc
is also defined as: class

Setuid and Setgidⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1548.001

has facts: modifies^op Access Control Configuration
is also defined as: class

Shadow Stack Comparisonsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#ShadowStackComparisons

belongs to: Process Analysis^c
has facts: analyzes^op Stack Frame; d3fend-id^dp "D3-SSC"; kb-reference^op Reference - Threat detection for return oriented programming - Crowdstrike Inc
is also defined as: class

Sharepointⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1213.002

has facts: accesses^op Web File Resource
is also defined as: class

Shortcut Modificationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.009

has facts: may-modify^op Symbolic Link; may-modify^op User Startup Script File
is also defined as: class

SID-History Injectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1134.005

has facts: modifies^op Access Control Configuration
is also defined as: class

SIP and Trust Provider Hijackingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1553.003

has facts: modifies^op System Configuration Database Record
is also defined as: class

Softwareⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Software

has facts: contains^op Executable File
is also defined as: class

Software Configurationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1054

belongs to: ATTACK Mitigation^c
has facts: related^op Application Configuration Hardening; related^op Certificate Pinning

Software Deployment Tools Executionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1072

has facts: adds^op File; executes^op Software Deployment Tool; installs^op Software
is also defined as: class

Software Packingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1027.002

has facts: obfuscates^op Executable File
is also defined as: class

Software Updateⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SoftwareUpdate

belongs to: Platform Hardening^c
has facts: d3fend-id^dp "D3-SU"; kb-reference^op Reference - Method and system for providing software updates to local machines; updates^op Software
is also defined as: class

Source Codeⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SourceCode

belongs to: Reference Type^c
is also defined as: class

Space after Filenameⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1036.006

has facts: creates^op File
is also defined as: class

Spearphishing Attachmentⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1566.001

has facts: produces^op Email; produces^op Inbound Internet Mail Traffic
is also defined as: class

Spearphishing Linkⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1566.002

has facts: produces^op Email; produces^op Inbound Internet Mail Traffic; produces^op URL
is also defined as: class

Spearphishing Via Serviceⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1566.003

has facts: produces^op File; produces^op URL
is also defined as: class

SQL Stored Proceduresⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1505.001

has facts: creates^op Stored Procedure; invokes^op Create Process
is also defined as: class

SSHⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1021.004

has facts: creates^op SSH Session; produces^op Administrative Network Traffic
is also defined as: class

SSH Hijackingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1563.001

has facts: accesses^op SSH Session
is also defined as: class

SSL/TLS Inspectionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1020

belongs to: ATTACK Mitigation^c
has facts: d3fend-comment^dp "D3FEND models this as an infrastructure dependency to support D3-NTA."; related^op Network Traffic Analysis

Stack Frameⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StackFrame

has facts: may-contain^op Pointer; may-contain^op Stack Frame Canary
is also defined as: class

Stack Frame Canary Validationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StackFrameCanaryValidation

belongs to: Application Hardening^c
has facts: d3fend-id^dp "D3-SFCV"; kb-reference^op Reference - /GS (Buffer Security Check) - Microsoft Docs; kb-reference^op Reference - Security Technologies: Stack Smashing Protection (StackGuard) - Red Hat; validates^op Stack Frame
is also defined as: class

Stack Segmentⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StackSegment

has facts: contains^op Stack Frame
is also defined as: class

Standalone Honeynetⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StandaloneHoneynet

belongs to: Decoy Environment^c
has facts: d3fend-id^dp "D3-SHN"; kb-reference^op Reference - Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network - Palo Alto Networks Inc; spoofs^op Intranet Network
is also defined as: class

Startup Itemsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1037.005

has facts: modifies^op System Startup Directory
is also defined as: class

Steal Application Access Tokenⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1528

has facts: accesses^op Access Token
is also defined as: class

Steal or Forge Kerberos Ticketsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1558

has facts: may-access^op Kerberos TIcket; may-create^op Kerberos TIcket
is also defined as: class

Steal Web Session Cookieⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1539

has facts: accesses^op Session Cookie
is also defined as: class

Step 1 - Copy Tokenⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#step-1

belongs to: step^c
has facts: invokes^op Copy Token; next^op Step 2 - Impersonate User

Step 2 - Impersonate Userⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#step-2

belongs to: step^c
has facts: creates^op Authentication; invokes^op Impersonate User

Storageⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#Storage

has facts: may-contain^op File System
is also defined as: class

Stored Data Manipulationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1565.001

has facts: modifies^op File
is also defined as: class

Strong Password Policyⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#StrongPasswordPolicy

belongs to: Credential Hardening^c
has facts: d3fend-id^dp "D3-SPP"; kb-reference^op Reference - Digital Identity Guidelines 800-63-3; kb-reference^op Reference - Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords; strengthens^op Password; strengthens^op User Account
is also defined as: class

Sudo and Sudo Cachingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1548.003

has facts: may-modify^op Event Log; modifies^op Operating System Configuration File
is also defined as: class

Supply Chain Compromiseⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1195

has facts: modifies^op Digital Artifact
is also defined as: class

Symbolic Linkⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SymbolicLink

has facts: addresses^op File
is also defined as: class

Symmetric Cryptographyⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1573.001

has facts: creates^op Outbound Internet Encrypted Traffic
is also defined as: class

System Callⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemCall

has facts: executes^op Subroutine
is also defined as: class

System Call Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemCallAnalysis

belongs to: Process Analysis^c
has facts: analyzes^op System Call; d3fend-id^dp "D3-SCA"; kb-reference^op Reference - CAR-2019-08-001: Credential Dumping via Windows Task Manager - MITRE; kb-reference^op Reference - CAR-2013-10-002: DLL Injection via Load Library - MITRE; kb-reference^op Reference - Deterministic method for detecting and blocking of exploits on interpreted code - K2 Cyber Security Inc; kb-reference^op Reference - Hardware-assisted system and method for detecting and analyzing system calls made to an operting system kernel - Endgame Inc; kb-reference^op Reference - Malware detection in event loops - Crowdstrike Inc; kb-reference^op Reference - Post sandbox methods and systems for detecting and blocking zero-day exploits via api call validation - K2 Cyber Security Inc; kb-reference^op Reference - CAR-2020-05-001: MiniDump of LSASS - MITRE; kb-reference^op Reference - CAR-2021-05-011: Create Remote Thread into LSASS - MITRE
is also defined as: class

System Call Filteringⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemCallFiltering

belongs to: Kernel-based Process Isolation^c
has facts: d3fend-id^dp "D3-SCF"; filters^op System Call; kb-reference^op Reference - Overview of the seccomp sandbox
is also defined as: class

System Configuration Databaseⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemConfigurationDatabase

has facts: contains^op System Configuration Database Record
is also defined as: class

System Configuration Permissionsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemConfigurationPermissions

belongs to: Platform Hardening^c
has facts: d3fend-id^dp "D3-SCP"; kb-reference^op Reference - How to change registry values or permissions from a command line or a script
is also defined as: class

System Daemon Monitoringⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemDaemonMonitoring

belongs to: Operating System Monitoring^c
has facts: d3fend-id^dp "D3-SDM"; kb-reference^op Reference - Host intrusion prevention system using software and user behavior analysis - Sophos Ltd; kb-reference^op Reference - Method using kernel mode assistance for the detection and removal of threats which are actively preventing detection and removal from a running system - Symantec Corporation; kb-reference^op Reference - CAR-2016-04-003: User Activity from Stopping Windows Defensive Services - MITRE; monitors^op Operating System Process
is also defined as: class

System File Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemFileAnalysis

belongs to: Operating System Monitoring^c
has facts: analyzes^op Operating System File; d3fend-id^dp "D3-SFA"; kb-reference^op Reference - CAR-2019-07-001: Access Permission Modification - MITRE; kb-reference^op Reference - CAR-2013-01-002: Autorun Differences -; kb-reference^op Reference - CAR-2016-04-002: User Activity from Clearing Event Logs - MITRE
is also defined as: class

System Firewall Configurationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemFirewallConfiguration

has facts: configures^op Host-based Firewall
is also defined as: class

System Firmwareⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1542.001

has facts: modifies^op System Firmware
is also defined as: class

System Firmware Verificationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemFirmwareVerification

belongs to: Firmware Verification^c
has facts: d3fend-id^dp "D3-SFV"; kb-reference^op Reference - Firmware Verification Eclypsium; kb-reference^op Reference - Platform Firmware Resiliency Guidelines - NIST; verifies^op System Firmware
is also defined as: class

System Init Config Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemInitConfigAnalysis

belongs to: Operating System Monitoring^c
has facts: analyzes^op System Init Configuration; d3fend-id^dp "D3-SICA"; kb-reference^op Reference - CAR-2013-01-002: Autorun Differences -; kb-reference^op Reference - CAR-2020-09-005: AppInit DLLs - MITRE; kb-reference^op Reference - CAR-2020-11-001: Boot or Logon Initialization Scripts - MITRE
is also defined as: class

System Language Discoveryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1614.001

has facts: queries^op System Configuration Database
is also defined as: class

System Location Discoveryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1614

has facts: accesses^op Configuration Bearing Entity
is also defined as: class

System Service Softwareⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#SystemServiceSoftware

has facts: contains^op Operating System File
is also defined as: class

Systemd Serviceⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1543.002

has facts: may-create^op Operating System Configuration File; may-modify^op Operating System Configuration File
is also defined as: class

Taint Shared Contentⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1080

has facts: modifies^op Network Resource
is also defined as: class

TCG Trusted Attestation Protocol Use Cases for TPM Families 1.2 and 2.0 and DICEⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TCGTrustedAttestationProtocolUseCasesForTPMFamilies1.2And2.0AndDICE

belongs to: Specification Reference^c
has facts: has-link^dp "https://trustedcomputinggroup.org/wp-content/uploads/TCG_TNC_TAP_Use_Cases_v1r0p35_published.pdf"^^any u r i; kb-reference-title^dp "TCG Trusted Attestation Protocol Use Cases for TPM Families 1.2 and 2.0 and DICE"

Thread Execution Hijackingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.003

has facts: invokes^op System Call; may-add^op Executable Binary
is also defined as: class

Thread Local Storageⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.005

has facts: invokes^op System Call
is also defined as: class

Threat Intelligence Programⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1019

belongs to: ATTACK Mitigation^c
has facts: d3fend-comment^dp "Establishing and running a Threat Intelligence Program is outside the scope of D3FEND."

Time Based Evasionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1497.003

has facts: may-invoke^op Get System Time; may-run^op System Time Application
is also defined as: class

Time Providersⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.003

has facts: modifies^op System Configuration Database Record
is also defined as: class

Timestompⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1070.006

has facts: forges^op File System Metadata
is also defined as: class

Token Impersonation/Theftⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1134.001

has facts: copies^op Access Token
is also defined as: class

TPM Boot Integrityⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TPMBootIntegrity

belongs to: Platform Hardening^c
has facts: d3fend-id^dp "D3-TBI"; kb-reference^op TCG Trusted Attestation Protocol Use Cases for TPM Families 1.2 and 2.0 and DICE; kb-reference^op Trusted Attestation Protocol Use Cases; kb-reference^op Reference - TPM 2.0 Library Specification - Trusted Computing Group, Incorporated
is also defined as: class

Traffic Signalingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1205

has facts: produces^op Network Traffic
is also defined as: class

Transfer Agent Authenticationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TransferAgentAuthentication

belongs to: Message Hardening^c
has facts: d3fend-id^dp "D3-TAAN"; kb-reference^op Reference - RFC 6376: DomainKeys Identified Mail (DKIM) Signatures - IETF; kb-reference^op Reference - RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email - IETF; kb-reference^op Reference - RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC) - IETF
is also defined as: class

Transmitted Data Manipulationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1565.002

has facts: may-modify^op Network Traffic
is also defined as: class

Transport Agentⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1505.002

has facts: adds^op Message Transfer Agent; modifies^op Mail Server
is also defined as: class

Trapⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.005

has facts: executes^op Command; may-create^op Executable Script; may-modify^op Executable Script; modifies^op Event Log
is also defined as: class

Trusted Attestation Protocol Use Casesⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#TrustedAttestationProtocolUseCases

belongs to: Specification Reference^c
has facts: has-link^dp "https://trustedcomputinggroup.org/wp-content/uploads/TCG_TNC_TAP_Use_Cases_v1r0p35_published.pdf"^^any u r i; kb-reference-title^dp "Trusted Attestation Protocol Use Cases"

Trusted Relationshipⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1199

has facts: creates^op Login Session; produces^op Intranet Network Traffic
is also defined as: class

Two-Factor Authentication Interceptionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1111

has facts: may-access^op Security Token
is also defined as: class

Unsecured Credentialsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1552

has facts: accesses^op Credential
is also defined as: class

Update Softwareⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1051

belongs to: ATTACK Mitigation^c
has facts: related^op Software Update

URLⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#URL

has facts: addresses^op Resource
is also defined as: class

URL Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#URLAnalysis

belongs to: Identifier Analysis^c
has facts: analyzes^op URL; d3fend-id^dp "D3-UA"; kb-reference^op Reference - Method and Apparatus for Detecting Malicious Websites - Endgame Inc; kb-reference^op Reference - Method and system for detecting restricted content associated with retrieved content - Sophos Ltd
is also defined as: class

Use Alternate Authentication Materialⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1550

has facts: accesses^op Authentication Service
is also defined as: class

Userⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#User

has facts: has-account^op User Account
is also defined as: class

User Account Controlⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1052

belongs to: ATTACK Mitigation^c
has facts: related^op Mandatory Access Control

User Account Managementⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1018

belongs to: ATTACK Mitigation^c
has facts: related^op Local File Permissions; related^op Mandatory Access Control; related^op System Configuration Permissions

User Account Permissionsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserAccountPermissions

belongs to: Credential Hardening^c
has facts: d3fend-id^dp "D3-UAP"; kb-reference^op Reference - Configure User Access Control and Permissions; restricts^op User Account
is also defined as: class

User Behaviorⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserBehavior

has facts: contains^op User Action
is also defined as: class

User Behavior Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserBehaviorAnalysis

belongs to: Defensive Technique^c
has facts: d3fend-id^dp "D3-UBA"; enables^op Detect
is also defined as: class

User Data Transfer Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserDataTransferAnalysis

belongs to: User Behavior Analysis^c
has facts: analyzes^op Resource Access; d3fend-id^dp "D3-UDTA"; kb-reference^op Reference - System and method thereof for identifying and responding to security incidents based on preemptive forensics - Palo Alto Networks Inc; kb-reference^op Reference - System for implementing threat detection using threat and risk assessment of asset-actor interactions - VECTRA NETWORKS Inc
is also defined as: class

User Geolocation Logon Pattern Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserGeolocationLogonPatternAnalysis

belongs to: User Behavior Analysis^c
has facts: analyzes^op Network Traffic; d3fend-id^dp "D3-UGLPA"; kb-reference^op Reference - Method and Apparatus for Network Fraud Detection and Remediation Through Analytics - Idaptive LLC; kb-reference^op Reference - System, method, and computer program product for detecting and assessing security risks in a network - Exabeam Inc
is also defined as: class

User Manualⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserManual

belongs to: Reference Type^c
is also defined as: class

User Session Init Config Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserSessionInitConfigAnalysis

belongs to: Operating System Monitoring^c
has facts: analyzes^op User Init Configuration File; d3fend-id^dp "D3-USICA"; kb-reference^op Reference - Identification and extraction of key forensics indicators of compromise using subject-specific filesystem views; kb-reference^op Reference - Registry Key Security and Access Rights; kb-reference^op Reference - CAR-2020-09-002: Component Object Model Hijacking - MITRE; kb-reference^op Reference - CAR-2020-11-011: Registry Edit from Screensaver
is also defined as: class

User Startup Directoryⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserStartupDirectory

has facts: contains^op User Startup Script File
is also defined as: class

User to User Messageⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#UserToUserMessage

has facts: has-recipient^op User Account; has-sender^op User Account
is also defined as: class

User Trainingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1017

belongs to: ATTACK Mitigation^c
has facts: d3fend-comment^dp "Modeling user training is outside the scope of D3FEND."

Valid Accountsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1078

has facts: produces^op Authentication; produces^op Authorization; uses^op User Account
is also defined as: class

VBA Stompingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1564.007

has facts: modifies^op Office Application File
is also defined as: class

VDSO Hijackingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1055.014

has facts: accesses^op Shared Library File; invokes^op System Call
is also defined as: class

Video Captureⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1125

has facts: accesses^op Video Input Device
is also defined as: class

Vulnerability Scanningⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#M1016

belongs to: ATTACK Mitigation^c
has facts: d3fend-comment^dp "Future D3FEND releases will model the scanning and inventory domains."

Web Authenticationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WebAuthentication

has facts: may-create^op Session Cookie
is also defined as: class

Web Authentication: An API for accessing Public Key Credentials Level 2ⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WebAuthentication_AnAPIForAccessingPublicKeyCredentials%0ALevel2

belongs to: Specification Reference^c
has facts: has-link^dp "https://www.w3.org/TR/webauthn-2/"^^any u r i; kb-reference-of^op Credential Transmission Scoping; kb-reference-title^dp "Web Authentication: An API for accessing Public Key Credentials Level 2"

Web File Resourceⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WebFileResource

has facts: addressed-by^op URL
is also defined as: class

Web Portal Captureⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1056.003

has facts: modifies^op Web Server Application
is also defined as: class

Web Protocolsⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1071.001

has facts: may-transfer^op Certificate File; produces^op Outbound Internet Web Traffic
is also defined as: class

Web Serviceⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1102

has facts: produces^op Outbound Internet Web Traffic
is also defined as: class

Web Session Activity Analysisⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WebSessionActivityAnalysis

belongs to: User Behavior Analysis^c
has facts: analyzes^op Web Resource Access; d3fend-id^dp "D3-WSAA"; kb-reference^op Reference - Host intrusion prevention system using software and user behavior analysis - Sophos Ltd; kb-reference^op Reference - System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis - Silver Tail Systems; kb-reference^op Reference - System and Method for Network Security Including Detection of Attacks Through Partner Websites - EMC IP Holding Co LLC; kb-reference^op Reference - System and method thereof for identifying and responding to security incidents based on preemptive forensics - Palo Alto Networks Inc
is also defined as: class

Web Session Cookieⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1550.004

has facts: adds^op Session Cookie; produces^op Web Network Traffic
is also defined as: class

Web Shellⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1505.003

has facts: adds^op Web Script File; modifies^op Web Server; produces^op Process
is also defined as: class

Web Socket URLⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WebSocketURL

belongs to: URL^c

WHOIS Compatible Domain Registrationⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WHOISCompatibleDomainRegistration

belongs to: Domain Registration^c

Windows Batch Fileⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WindowsBatchFile

belongs to: Executable Script^c

Windows Management Instrumentation Event Subscriptionⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1546.003

has facts: modifies^op Event Log; produces^op Intranet Administrative Network Traffic
is also defined as: class

Windows Processⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#WindowsProcess

belongs to: Process^c

Windows Serviceⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1543.003

has facts: modifies^op System Configuration Database
is also defined as: class

Winlogon Helper DLLⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1547.004

has facts: modifies^op System Configuration Database Record
is also defined as: class

X86 Code Segmentⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#X86CodeSegment

belongs to: Image Code Segment^c; Process Code Segment^c

XSL Script Processingⁿⁱ back to ToC or Named Individual ToC

IRI: http://d3fend.mitre.org/ontologies/d3fend.owl#T1220

has facts: adds^op File; interprets^op Executable Script; invokes^op Create Process
is also defined as: class

This HTML document was obtained by processing the OWL ontology source code through LODE, Live OWL Documentation Environment, developed by Silvio Peroni .

D3FEND™ - A knowledge graph of cybersecurity countermeasures

Abstract

Table of Content

Classes

.bash_profile and .bashrcc back to ToC or Class ToC

/etc/passwd and /etc/shadowc back to ToC or Class ToC

Abuse Elevation Control Mechanismc back to ToC or Class ToC

Academic Articlec back to ToC or Class ToC

Academic Paper Referencec back to ToC or Class ToC

Access Control Configurationc back to ToC or Class ToC

Access Control Listc back to ToC or Class ToC

Access Tokenc back to ToC or Class ToC

Access Token Manipulationc back to ToC or Class ToC

Accessibility Featuresc back to ToC or Class ToC

Account Access Removalc back to ToC or Class ToC

Account Discoveryc back to ToC or Class ToC

Account Lockingc back to ToC or Class ToC

Account Manipulationc back to ToC or Class ToC

Active Certificate Analysisc back to ToC or Class ToC

Add Office 365 Global Administrator Rolec back to ToC or Class ToC

Add-insc back to ToC or Class ToC

Additional Azure Service Principal Credentialsc back to ToC or Class ToC

Admin Feature Assessmentc back to ToC or Class ToC

Admin Feature Claimc back to ToC or Class ToC

Administrative Featurec back to ToC or Class ToC

Administrative Network Activity Analysisc back to ToC or Class ToC

Administrative Network Trafficc back to ToC or Class ToC

Agentc back to ToC or Class ToC

Aliasc back to ToC or Class ToC

Analysis of Alternativesc back to ToC or Class ToC

Analytic Latencyc back to ToC or Class ToC

AppCert DLLsc back to ToC or Class ToC

AppInit DLLsc back to ToC or Class ToC

AppleScript Executionc back to ToC or Class ToC

Appliancec back to ToC or Class ToC

Applicationc back to ToC or Class ToC

Application Access Tokenc back to ToC or Class ToC

Application Configurationc back to ToC or Class ToC

Application Configuration Databasec back to ToC or Class ToC

Application Configuration Database Recordc back to ToC or Class ToC

Application Configuration Filec back to ToC or Class ToC

Application Configuration Hardeningc back to ToC or Class ToC

Application Hardeningc back to ToC or Class ToC

Application Inventory Sensorc back to ToC or Class ToC

Application Layer Firewallc back to ToC or Class ToC

Application Layer Protocolc back to ToC or Class ToC

Application Processc back to ToC or Class ToC

Application Process Configurationc back to ToC or Class ToC

Application Rulec back to ToC or Class ToC

Application Shimc back to ToC or Class ToC

Application Shimmingc back to ToC or Class ToC

Application Window Discoveryc back to ToC or Class ToC

Archive Collected Datac back to ToC or Class ToC

Archive Filec back to ToC or Class ToC

Archive via Custom Methodc back to ToC or Class ToC

Archive via Libraryc back to ToC or Class ToC

Archive via Utilityc back to ToC or Class ToC

Articlec back to ToC or Class ToC

Artifactc back to ToC or Class ToC

Artifact Serverc back to ToC or Class ToC

Assessmentc back to ToC or Class ToC

Asymmetric Cryptographyc back to ToC or Class ToC

Asymmetric Keyc back to ToC or Class ToC

Asynchronous Procedure Callc back to ToC or Class ToC

At (Linux) Executionc back to ToC or Class ToC

At (Windows) Executionc back to ToC or Class ToC

ATTACK Mitigationc back to ToC or Class ToC

ATTACK Thingc back to ToC or Class ToC

Audio Capturec back to ToC or Class ToC

Audio Input Devicec back to ToC or Class ToC

Authenticate Userc back to ToC or Class ToC

Authenticationc back to ToC or Class ToC

Authentication Cache Invalidationc back to ToC or Class ToC

Authentication Event Thresholdingc back to ToC or Class ToC

Authentication Logc back to ToC or Class ToC

Authentication Packagec back to ToC or Class ToC

Authentication Serverc back to ToC or Class ToC

Authentication Servicec back to ToC or Class ToC

Authorizationc back to ToC or Class ToC

Authorization Event Thresholdingc back to ToC or Class ToC

.bash_profile and .bashrc^c back to ToC or Class ToC

/etc/passwd and /etc/shadow^c back to ToC or Class ToC

Abuse Elevation Control Mechanism^c back to ToC or Class ToC

Academic Article^c back to ToC or Class ToC

Academic Paper Reference^c back to ToC or Class ToC

Access Control Configuration^c back to ToC or Class ToC

Access Control List^c back to ToC or Class ToC

Access Token^c back to ToC or Class ToC

Access Token Manipulation^c back to ToC or Class ToC

Accessibility Features^c back to ToC or Class ToC

Account Access Removal^c back to ToC or Class ToC

Account Discovery^c back to ToC or Class ToC

Account Locking^c back to ToC or Class ToC

Account Manipulation^c back to ToC or Class ToC

Active Certificate Analysis^c back to ToC or Class ToC

Add Office 365 Global Administrator Role^c back to ToC or Class ToC

Add-ins^c back to ToC or Class ToC

Additional Azure Service Principal Credentials^c back to ToC or Class ToC

Admin Feature Assessment^c back to ToC or Class ToC

Admin Feature Claim^c back to ToC or Class ToC

Administrative Feature^c back to ToC or Class ToC

Administrative Network Activity Analysis^c back to ToC or Class ToC

Administrative Network Traffic^c back to ToC or Class ToC

Agent^c back to ToC or Class ToC

Alias^c back to ToC or Class ToC